Skip to Content

Copying Derived Roles : Why org levels not getting maintained?


I would appreciate if anyone could advise better ways of copying derived roles under same master role.

We had a requirement to create some 50 derived roles for finance fund management.

And each derived role to be maintained under respective auth group.

While i copied the particular derived role : i excluded the users / and also excluded any personalisation.

Role got created as we wanted.

But under authorisation tab change :

And when we changed the organisation level on top - and changed the fund center authorisation group.

Said save. Although the org level was maintained, the same value was not getting reflected inside the authorisation

for the auth object : F_FICA_FSG under Fund center authorisation.

Again for : FM_AUTHGRC - fund center authorisation - i had to manually change the value, for each node,

which i maintained on top.   And regenerate the profile.

Why is that so ? Can anyone advise.

This does not happen when you create a new derived role from scratch (not copying from another role).

And when you create any derived role new, whatever you maintain on top in authorisation for org level, automatically it gets reflected for fund center authorisation.

or anything else which we wish to maintain.

But the same maintenance does not seem to happen when we say copy from one role to another.

Am i missing something ?

Can anyone advise.



Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • Best Answer
    avatar image
    Former Member
    May 03, 2012 at 06:40 PM

    I suspect that either your mother role is corrupted or the role you are using as the source for your copies. I tried copying a derived role to see if I could replicate your issue but all is working as designed. Changeing orglevels perfectly reflects through the whole profile.

    What you can do: In PFCG open the role you used to copy from, go to the authorizations tab and then, from the 'utilities' menu open the 'settings' option. Check all boxes in the settings screen and save.

    Nou open the whole object tree and see if there are trashcans to the left of the fields you expect to be organizational. If that is the situation this role isn't filled ptoperly. Click on the trashcan for each organizational field to make the wrongly entered value to disappear. The trashcan itself will also disappear. Now edit the organizational values in the 'organizational levels' screen, save and generate.

    Do the same for the mother role and your newly created copies and you should be back in business.


    Add comment
    10|10000 characters needed characters exceeded

    • Indumathy Narayanan wrote:

      Hi Jurjen.

      Thanks for your detailed suggestion i shall check that again.

      In fact the first thing i thought was may be the role from which i am copying is not ok.

      I suspected like you said and i tried to create a new derived role based on the master role,

      manually inserted the auth object, then clicked on the org level, entered the values, saved it,

      all the values entered were reflecting in the tree, then i generated the profile.

      Now i kept this new derived role for copying other roles.

      And in the new copied derived role, i changed the org level. Only to see, that it is not again reflecting inside in the nodes, though it still reflected the value i saved at the org level. And so again in the newly copied derived role, i manually changed the values wherever fund center auth was reflecting..

      Hello Indu,

      from your last description I think, that the problem lies inside the master role itself.

      You created the new role and inserted the object manually - you did not derive the authorizations

      for that role from the master.....

      Then you copied that role and derived the auths form master, then the problem appeared.

      So: check/repair your master role.

      Easiest way: run report AGR_RESET_ORG_LEVELS for your master role (or to make sure for

      all roles contained in this master/derived relation. then try again to derive the authorizations. Org-values should work now as expected!

      Useful notes from SAP: 727536, 314513

      b.rgds, Bernhard

  • avatar image
    Former Member
    May 04, 2012 at 06:58 AM

    Hello Indu,

    Could you elaborate on the authorization setup of the Master & Derived role?

    As per your previous post, you had tried to replicate the derived role and inserted the authorization objects manually.

    In SAP, whenever you manually enter an object in a role, the fields in the manually entered object  are independent of the Organizational Level. Hence any change in the Org Levels will not reflect in those Objects and will need to be added directly to them.

    If you are manually adding objects in your Copy role, then this would be the reason for the inefeectiveness of the Org. Level.



    Add comment
    10|10000 characters needed characters exceeded

    • Hi Bernhard / Fahim.

      Thanks a lot for your kind responses.

      @Fahim : Thanks for the explanation. I think i got my answers from your explanations.

      When i earlier reviewed the SAP security wherein we were unable to maintain some org levels for MM for some series of new roles to be created last month, for maintaining release codes. And we had to maintain each derived role independently.

      So,  I was a bit confused earlier as to whether it is right to have a master and hundreds of derived roles maintained independently.

      And my answers to the that question from this forum has been that it is ok, to be so. And that in practical life situations, many places, thats how it is. So i accepted that to be a way of life in SAP world, as long as it works correctly.

      Actually the "activity of copy" gives me uneasiness because i come from BI /BO/ETL background. And especially in BO, I have seen that the activity of Copy, actually creates chaos in the internal BO systems with metadata. Thats why i was a bit apprehensive as to whether one could really do a copy of a role and re-create a new derived role. And maintain it independently. I have not yet found my answers as to the internal behaviour of SAP for new role creation / copy of role.

      Though i completely agree SAP is a very powerful and more stable system.

      Am more keen to know as to how exactly the system of SAP treates copy of a role at the backend internally and how it handles it at the back end in the metadata. So that atleast one could understand what really happens in sap, when i do one click on the system and say copy and then say maintain it independently.

      Thanks again for the detailed response - which i was not aware.

      Kind regards


  • avatar image
    Former Member
    May 03, 2012 at 05:33 PM

    Did you try to create new derived by copying existing derived and adjusted org fileds?


    Add comment
    10|10000 characters needed characters exceeded