Skip to Content

Periodic Update to Derived roles

Hi Gurus,

We have master derived roles security concept in place. Our master roles are changed in a separate system (Like Adding or Deleting tcode,object values etc) and then pushed across 5 R/3 development systems (each system for different region). In each development system, we have derived the roles for different countries. However there is monthly release of updated master roles coming in to each of the system and we have to update the derived roles.

The issue now is, we have some Non ORG values maintained in each of the derived roles and these gets over written by * values from parent role when we do copy data. We are looking for any automation we can do to have few of the non org fields (like AUART Sales Document Type, BSART Order Type, FKART Billing Type etc) with the values maintained in Derived roles and dont get over written by * value from parent role.

Since it is a monthly release happening and every month we need to update almost 180(parent roles) * 15 countries = 2700 derived roles its a very lengthy process...

Please advice in case you have any solution to reduce the effort in this case.

With Regards,

Nishad Showkath

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • Best Answer
    avatar image
    Former Member
    Dec 12, 2013 at 12:14 PM

    Hello,

    As far as I know, the only solution in the SAP system itself is by promoting the non org object value to a org level.

    Authorization object fields can be turned into Organizational Levels by using program PFCG_ORGFIELD_CREATE.

    GOTO ABAP editor (SE38/SA38), then execute the report “PFCG_ORGFIELD_CREATE”.

    But be careful doing this because it will affect all the roles and some authorizations fields are used by different kind of authorizations (Like BRGRU)

    I use a third party tool for doing this complex authorization maintenance, CSI RBM (CSI Role Build and Manage). With this tool I can easily maintain roles and derive them for both org levels as non org levels.

    Best regards,

    Meta Hoetjes

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      I agree with you.

      I am not familiar with CSI as no one I know uses it, but I am yet to see an attempt to tool derived role equivalents which do not directly update AGR_1252 etc themselves and then generate the profiles in batch.

      So yes, one should generally be careful in this area and it is best to license the tools via SAP IMO. That gives you some degree of compatibility and sustainability comfort.

      Cheers,

      Julius

  • Dec 20, 2013 at 03:33 AM

    Hi Meta,

    There are few field like BSART, LGORT, APPLIC, FKART, EDI_MES etc...

    With Regards,

    Nishad Showkath

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      You can assign the keys via roles or via the user (same tab in SU01). UMR keys take preference over roles if found.

      Whether they work depends on whether the application supports the personalization.

      They are widely used for webdynpro applications already, as these are often intended for larger sets of users than what SAPGui screens are (such as FB01).

      It is the proliferation of series of roles which are the problem, not the number of roles themselves.

      Generally for ERP type systems you should be able to get away with about 50 roles max, if you leverage things like SU24 and personalizations. If you have 200 company codes or 5000 cost centers then you can still efficiently make adjustments without the temptation of creating lots of little roles and trying to put humpty dumpty together again via role assignments to the users.

      Cheers,

      Julius