In this post we have discussed about the concept of Master-Derived Roles concept in SAP. We have discussed how master and derived roles are created and the necessity and the merits of master-derived roles in SAP.
- Execute tcode PFCG. First we will create a “Master Role”.
- In the Role text field give a role name. Here we have given the role name ZM_MASTER_ROLE.
- Click Role button as shown in the figure below:
- The above Master Role is a single role. For more details on how to create a single role, please visit this link
- The Derived Role can now be created and this role will be derived from the master role “ZM_MASTER_ROLE” as shown in the figure below. Lets name the derived role as ZD_DERIVED_ROLE.
Click on Authorization tab. We get the following dialog windows. Click Yes.
- Click on “Change Authorization Data”.
- Inside pfcg, we get window to maintain org level values. Only organization level values are maintained in derived roles. For more information on Organizational Levels, please follow this LINK
- Other field values (non-org level values) are maintained in master role.
- Master-Derived Role concept is basically used when SAP has been implemented across many sites (large geography) and the object level authorization remains the same across all the sites.
- The only difference remains in the organizational value area.
- The authorization values are maintained in the master role and the roles for different sites are derived from the master role. Org level values for different sites like company code, plant, sales org etc are maintained in the derived roles.
- This makes the maintenance of roles easier since any authorization level change has to be done only in the master role and the various child roles (derived roles) can be generated in one go from the master role.
- Master-derived roles relation can be found in AGR_DEFINE table via se16.