Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Copying Derived Roles : Why org levels not getting maintained?

Former Member
0 Kudos

Hi.

I would appreciate if anyone could advise better ways of copying derived roles under same master role.

We had a requirement to create some 50 derived roles for finance fund management.

And each derived role to be maintained under respective auth group.

While i copied the particular derived role : i excluded the users / and also excluded any personalisation.

Role got created as we wanted.

But under authorisation tab change :

And when we changed the organisation level on top - and changed the fund center authorisation group.

Said save. Although the org level was maintained, the same value was not getting reflected inside the authorisation

for the auth object : F_FICA_FSG under Fund center authorisation.

Again for : FM_AUTHGRC - fund center authorisation - i had to manually change the value, for each node,

which i maintained on top.   And regenerate the profile.

Why is that so ? Can anyone advise.

This does not happen when you create a new derived role from scratch (not copying from another role).

And when you create any derived role new, whatever you maintain on top in authorisation for org level, automatically it gets reflected for fund center authorisation.

or anything else which we wish to maintain.

But the same maintenance does not seem to happen when we say copy from one role to another.

Am i missing something ?

Can anyone advise.

Thanks

indu

1 ACCEPTED SOLUTION

jurjen_heeck
Active Contributor
0 Kudos

I suspect that either your mother role is corrupted or the role you are using as the source for your copies. I tried copying a derived role to see if I could replicate your issue but all is working as designed. Changeing orglevels perfectly reflects through the whole profile.

What you can do: In PFCG open the role you used to copy from, go to the authorizations tab and then, from the 'utilities' menu open the 'settings' option. Check all boxes in the settings screen and save.

Nou open the whole object tree and see if there are trashcans to the left of the fields you expect to be organizational. If that is the situation this role isn't filled ptoperly. Click on the trashcan for each organizational field to make the wrongly entered value to disappear. The trashcan itself will also disappear. Now edit the organizational values in the 'organizational levels' screen, save and generate.

Do the same for the mother role and your newly created copies and you should be back in business.

Jurjen

6 REPLIES 6

Former Member
0 Kudos

Did you try to create new derived by copying existing derived and adjusted org fileds?

Venkat

jurjen_heeck
Active Contributor
0 Kudos

I suspect that either your mother role is corrupted or the role you are using as the source for your copies. I tried copying a derived role to see if I could replicate your issue but all is working as designed. Changeing orglevels perfectly reflects through the whole profile.

What you can do: In PFCG open the role you used to copy from, go to the authorizations tab and then, from the 'utilities' menu open the 'settings' option. Check all boxes in the settings screen and save.

Nou open the whole object tree and see if there are trashcans to the left of the fields you expect to be organizational. If that is the situation this role isn't filled ptoperly. Click on the trashcan for each organizational field to make the wrongly entered value to disappear. The trashcan itself will also disappear. Now edit the organizational values in the 'organizational levels' screen, save and generate.

Do the same for the mother role and your newly created copies and you should be back in business.

Jurjen

0 Kudos

Hi Jurjen.

Thanks for your detailed suggestion i shall check that again.

In fact the first thing i thought was may be the role from which i am copying is not ok.

I suspected like you said and i tried to create a new derived role based on the master role,

manually inserted the auth object, then clicked on the org level, entered the values, saved it,

all the values entered were reflecting in the tree, then i generated the profile.

Now i kept this new derived role for copying other roles.

And in the new copied derived role, i changed the org level. Only to see, that it is not again reflecting inside in the nodes, though it still reflected the value i saved at the org level. And so again in the newly copied derived role, i manually changed the values wherever fund center auth was reflecting..

Am not sure, but recently I understand that some SAP note was applied and created some system imbalance at the back end, and then it was rolled back. I do not know whether it was due to that, that something else, has stopped working too.

But atleast from the security i generally double check everything, before i sign off and say ok, and then close the requests. But then,thats when i found this problem and corrected it and informed other team members too. We have not had any requirement to create such mass derived roles earlier to say whether the problem existed before or not. But then atleast today we know such problems exists.

Am not really understanding as to why I really see this problem.

But i shall check all that you have stated once again.

As regards you saying that the master role could be corrupted.

I dont suspect any major corruption, because otherwise the existing fund center derived roles which are more than 126 are actually working fine and i have not had any major complaints till now. Although i do not know as to whether it was working fine when those roles were created may be more than 3 years ago. And even the newly created derived roles after i make the changes and when i assigned users, they are also working fine. Just that i see some problem. So, i do not know corruption could be in what sense. But atleast i shall keep a watch on these.

Thanks again.  Really appreciate your suggestions.

Kind regards

indu

0 Kudos

Indumathy Narayanan wrote:

Hi Jurjen.

Thanks for your detailed suggestion i shall check that again.

In fact the first thing i thought was may be the role from which i am copying is not ok.

I suspected like you said and i tried to create a new derived role based on the master role,

manually inserted the auth object, then clicked on the org level, entered the values, saved it,

all the values entered were reflecting in the tree, then i generated the profile.

Now i kept this new derived role for copying other roles.

And in the new copied derived role, i changed the org level. Only to see, that it is not again reflecting inside in the nodes, though it still reflected the value i saved at the org level. And so again in the newly copied derived role, i manually changed the values wherever fund center auth was reflecting..

Hello Indu,

from your last description I think, that the problem lies inside the master role itself.

You created the new role and inserted the object manually - you did not derive the authorizations

for that role from the master.....

Then you copied that role and derived the auths form master, then the problem appeared.

So: check/repair your master role.

Easiest way: run report AGR_RESET_ORG_LEVELS for your master role (or to make sure for

all roles contained in this master/derived relation. then try again to derive the authorizations. Org-values should work now as expected!

Useful notes from SAP: 727536, 314513

b.rgds, Bernhard

Former Member
0 Kudos

Hello Indu,

Could you elaborate on the authorization setup of the Master & Derived role?

As per your previous post, you had tried to replicate the derived role and inserted the authorization objects manually.

In SAP, whenever you manually enter an object in a role, the fields in the manually entered object  are independent of the Organizational Level. Hence any change in the Org Levels will not reflect in those Objects and will need to be added directly to them.

If you are manually adding objects in your Copy role, then this would be the reason for the inefeectiveness of the Org. Level.

Regards,

FP

0 Kudos

Hi Bernhard / Fahim.

Thanks a lot for your kind responses.

@Fahim : Thanks for the explanation. I think i got my answers from your explanations.

When i earlier reviewed the SAP security wherein we were unable to maintain some org levels for MM for some series of new roles to be created last month, for maintaining release codes. And we had to maintain each derived role independently.

So,  I was a bit confused earlier as to whether it is right to have a master and hundreds of derived roles maintained independently.

And my answers to the that question from this forum has been that it is ok, to be so. And that in practical life situations, many places, thats how it is. So i accepted that to be a way of life in SAP world, as long as it works correctly.

Actually the "activity of copy" gives me uneasiness because i come from BI /BO/ETL background. And especially in BO, I have seen that the activity of Copy, actually creates chaos in the internal BO systems with metadata. Thats why i was a bit apprehensive as to whether one could really do a copy of a role and re-create a new derived role. And maintain it independently. I have not yet found my answers as to the internal behaviour of SAP for new role creation / copy of role.

Though i completely agree SAP is a very powerful and more stable system.

Am more keen to know as to how exactly the system of SAP treates copy of a role at the backend internally and how it handles it at the back end in the metadata. So that atleast one could understand what really happens in sap, when i do one click on the system and say copy and then say maintain it independently.

Thanks again for the detailed response - which i was not aware.

Kind regards

indu