{"id":675,"date":"2012-01-08T21:24:33","date_gmt":"2012-01-08T21:24:33","guid":{"rendered":"http:\/\/sapsecurityanalyst.com\/WP\/?page_id=675"},"modified":"2021-06-28T05:14:53","modified_gmt":"2021-06-28T05:14:53","slug":"master-derived-roles-concept-in-sap","status":"publish","type":"page","link":"https:\/\/sapsecurityanalyst.com\/WP\/general-disclaimer\/master-derived-roles-concept-in-sap\/","title":{"rendered":"Master-Derived Roles concept in SAP"},"content":{"rendered":"<p><span style=\"color: #0000ff; font-family: verdana;\"><!--more--><\/span><\/p>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"color: #4c4c4c;\">This post discusses the Master-Derived Roles concept in SAP: how master and derived roles are created, and the necessity and merits of master-derived roles.<\/span><\/span><\/p>\n<p><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<\/span><\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #4c4c4c;\">Execute tcode<\/span> <strong>PFCG. <\/strong><span style=\"color: #4c4c4c;\">First we will create a &#8220;Master Role&#8221;.<\/span><\/span><\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #4c4c4c;\">In the Role text field, give a role name. 
Here we have given the role name<\/span> <strong>ZM_MASTER_ROLE.\u00a0<\/strong><\/span><\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\"><span style=\"font-family: verdana;\">Click <strong>Role <\/strong>button as shown in the figure below:<\/span><\/span><\/li>\n<\/ul>\n<div><\/div>\n<div><span style=\"color: #4c4c4c; font-family: verdana;\"><!--more--><\/span><\/div>\n<p style=\"text-align: center;\"><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/Role-creation.jpg\"><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-676\" title=\"Role creation\" src=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/Role-creation.jpg\" alt=\"\" width=\"387\" height=\"176\" srcset=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/Role-creation.jpg 478w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/Role-creation-300x136.jpg 300w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/Role-creation-290x132.jpg 290w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/Role-creation-150x68.jpg 150w\" sizes=\"(max-width: 387px) 100vw, 387px\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/Role-creation.jpg\"><br \/>\n<\/a><\/p>\n<p>\u00a0<!--more--><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\"> The above Master Role is a single role. 
For more details on how to create a single role, please visit this <span style=\"color: #e63518;\"><strong><a title=\"Role Creation using PFCG\" href=\"https:\/\/sapsecurityanalyst.com\/WP\/general-disclaimer\/roles\"><span style=\"color: #e63518;\">link<\/span><\/a><\/strong><\/span><\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">The Derived Role can now be created, and this role will be derived from the master role &#8220;ZM_MASTER_ROLE&#8221; as shown in the figure below. Let&#8217;s name the derived role ZD_DERIVED_ROLE.<\/span><\/li>\n<\/ul>\n<div><\/div>\n<div><span style=\"color: #4c4c4c; font-family: verdana;\"><!--more--><\/span><\/div>\n<div><\/div>\n<div><\/div>\n<p><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/derived-role.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-706\" title=\"derived role\" src=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/derived-role.jpg\" alt=\"\" width=\"571\" height=\"400\" srcset=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/derived-role.jpg 571w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/derived-role-300x210.jpg 300w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/derived-role-290x203.jpg 290w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/derived-role-150x105.jpg 150w\" sizes=\"(max-width: 571px) 100vw, 571px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><!--more--><br \/>\n<span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<span style=\"color: #4c4c4c;\">Click on the Authorization tab. We get the following dialog windows. 
Click Yes.<\/span><\/span><\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/set-imparting-role.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-707\" title=\"set imparting role\" src=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/set-imparting-role.jpg\" alt=\"\" width=\"415\" height=\"121\" srcset=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/set-imparting-role.jpg 415w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/set-imparting-role-300x87.jpg 300w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/set-imparting-role-290x84.jpg 290w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/set-imparting-role-150x43.jpg 150w\" sizes=\"(max-width: 415px) 100vw, 415px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/save-role.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-708\" title=\"save role\" src=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/save-role.jpg\" alt=\"\" width=\"338\" height=\"121\" srcset=\"https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/save-role.jpg 338w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/save-role-300x107.jpg 300w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/save-role-290x103.jpg 290w, https:\/\/sapsecurityanalyst.com\/WP\/wp-content\/uploads\/2012\/01\/save-role-150x53.jpg 150w\" sizes=\"(max-width: 338px) 100vw, 338px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\"> Click on &#8220;Change Authorization Data&#8221;.<\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #4c4c4c;\">Inside PFCG, we get a window to maintain org 
level values. Only organization level values are maintained in derived roles. For more information on Organizational Levels, please follow this<\/span> <span style=\"color: #e63518;\"><a title=\"Org levels\" href=\"https:\/\/sapsecurityanalyst.com\/WP\/?page_id=496\"><span style=\"color: #e63518;\"><strong>LINK<\/strong><\/span><\/a><\/span><br \/>\n<\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\"><span style=\"font-family: verdana;\">Other field values (non-org level values) are maintained in the master role.<\/span><\/span><\/li>\n<\/ul>\n<ul>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\"> The Master-Derived Role concept is used when SAP has been implemented across many sites (large geography) and the object-level authorizations remain the same across all the sites.<\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">The only difference is in the organizational level values.<\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">The authorization values are maintained in the master role and the roles for different sites are derived from the master role. 
Org level values for different sites, like company code, plant, sales org, etc., are maintained in the derived roles.<\/span><\/li>\n<li><span style=\"color: #4c4c4c; font-family: verdana;\">This makes the maintenance of roles easier, since any authorization-level change has to be made only in the master role and the various child roles (derived roles) can be generated in one go from the master role.<\/span><\/li>\n<li><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #0000ff; font-family: verdana;\"><span style=\"color: #4c4c4c;\">The master-derived role relationship can be found in the<\/span> <strong>AGR_DEFINE <\/strong>table <span style=\"color: #4c4c4c;\">via SE16<\/span>.<\/span><\/span><\/li>\n<\/ul>\n<div><span style=\"color: #0000ff; font-family: verdana;\"><br \/>\n<\/span><\/div>\n<div><\/div>\n<div><span style=\"color: #0000ff; font-family: verdana;\"><!--more--><\/span><\/div>\n<div><\/div>\n<div><\/div>\n<h3><a href=\"https:\/\/sapsecurityanalyst.com\/WP\/home\/su24-concept-in-sap\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #e63518;\"><em>You may want to read about <span style=\"color: #e63518;\">SU24 
concepts<\/span><\/em><\/span><\/a><\/h3>\n<div><\/div>\n<div><!--more--><\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"parent":38,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/675"}],"collection":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/comments?post=675"}],"version-history":[{"count":34,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/675\/revisions"}],"predecessor-version":[{"id":2577,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/675\/revisions\/2577"}],"up":[{"embeddable":true,"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/pages\/38"}],"wp:attachment":[{"href":"https:\/\/sapsecurityanalyst.com\/WP\/wp-json\/wp\/v2\/media?parent=675"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}