Implementing a Derived Role Strategy

Objective

After completing this lesson, you will be able to implement a derived role strategy.

Derived Role Strategy

In practice, you often need roles whose content differs only in the authorizations and not in the transactions. For example: two sales and distribution employees with the same work center description, but different plants (1000 and 2000). The following two cases are typical uses of derived roles.

  1. The menu of the roles is to be identical, but the authorizations for the actions contained in the menu are reassigned in the derived role.

  2. The menu and the authorizations of the derived role are to be identical, but the organizational units are reassigned in the derived role.

The relationships are described in detail on the following pages, and you can see that these roles can be created and maintained very elegantly.

Illustration on Derived Roles.

Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the referenced role.

However, the user assignments are not inherited.

Hint

Enter the name of the role from which all transactions including the menu structure are to be copied in the Derive from Role field on the Description tab page. In this way, each role can become a referencing role.

There are two ways to perform the comparison between the roles:

Comparison from the Imparting Role

"Generate Derived Roles" button

This action usually copies the normal fields (not the organizational levels) to all derived roles and generates the profiles.

Hint

The data for the organizational levels is only transferred when the authorization data for the derived roles is first modified. If organizational levels have already been maintained in the derived role(s), this is not overwritten (see SAP Note 314513).

Comparison from the Derived Role

"Transfer Data" button

This button is usually used for the "initial fill" of the authorizations. This call always copies all general authorization values from the template. If an organizational level in the derived role is not filled, it is also set to the value from the reference role.

Illustration on Menus of Derived Roles.

Unlike composite roles, the derived role has the complete filled menu of the template immediately after the referencing role is entered and the role is saved. The inherited menus cannot be changed in the derived roles.

Hint

The menu is maintained in the imparting role only. Changes have an immediate effect on all inheriting roles.

The inheritance relationship can be canceled, but the previously inheriting role is then handled similarly to a normal role. The cancellation of the relationship cannot be undone.
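The inheritance rules described above, modelled as an added Python example (this is not SAP code and not part of the original lesson). The `Role` class and the function names are hypothetical, the role content is constructed, the role `GR##_MM_IM_POST_NEW` is invented for contrast, and WERKS (plant) is assumed to be the only organizational level; role names and plant values are taken from the exercise that follows.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumption for this model: WERKS (plant) is the only organizational level.
ORG_LEVELS = {"WERKS"}

@dataclass
class Role:
    name: str
    menu: list = field(default_factory=list)
    auths: dict = field(default_factory=dict)       # object -> {normal field -> set of values}
    org_levels: dict = field(default_factory=dict)  # org level field -> set of values
    users: set = field(default_factory=set)
    parent: Optional["Role"] = None

    def effective_menu(self):
        # A derived role has no menu of its own: it always shows the imparting role's menu.
        return self.parent.menu if self.parent else self.menu

def derive(name, parent):
    """Create a derived role: the menu is inherited, user assignments are not."""
    return Role(name=name, parent=parent)

def _copy_normal_fields(src, dst):
    dst.auths = {obj: {f: set(v) for f, v in flds.items()} for obj, flds in src.auths.items()}

def generate_derived_roles(parent, derived_roles):
    """Comparison from the imparting role: normal fields only, org levels untouched."""
    for d in derived_roles:
        _copy_normal_fields(parent, d)

def transfer_data(derived):
    """Comparison from the derived role: normal fields, plus org levels that are still empty."""
    _copy_normal_fields(derived.parent, derived)
    for lvl, values in derived.parent.org_levels.items():
        if not derived.org_levels.get(lvl):
            derived.org_levels[lvl] = set(values)

def is_authorized(role, obj, **required):
    """True if the role's values for `obj` cover every required field value."""
    if obj not in role.auths:
        return False
    for fld, value in required.items():
        granted = role.org_levels.get(fld, set()) if fld in ORG_LEVELS else role.auths[obj].get(fld, set())
        if "*" not in granted and value not in granted:
            return False
    return True

def demo():
    # Constructed sample content; the lesson does not list what GR##_MM_IM_POST contains.
    imparting = Role("GR##_MM_IM_POST", menu=["MB1C"],
                     auths={"M_MATE_WRK": {"ACTVT": {"03", "08"}}},
                     org_levels={"WERKS": {"1000", "1010", "1020"}},
                     users={"GR##-MM1"})
    plant_1010 = derive("GR##_MM_IM_POST1010", imparting)
    plant_1010.org_levels["WERKS"] = {"1010"}   # maintained before the copy, as in Task 5
    unmaintained = derive("GR##_MM_IM_POST_NEW", imparting)  # hypothetical second derived role
    transfer_data(plant_1010)
    transfer_data(unmaintained)
    imparting.menu.append("MM03")  # a menu change in the imparting role
    return imparting, plant_1010, unmaintained
```

In this model the derived role keeps plant 1010 after the copy, while the role with no maintained organizational level takes over the plants of the imparting role; a check for plant 1040 fails in both.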

Practice System Exercise: Maintain Special ABAP Roles

Note

If you have access to a practice system, you can now execute this exercise.

Business Example

This exercise is concerned with advanced role maintenance. The exercises should provide ideas about how composite, reference, and derived roles can simplify your administration work.

Task 1: Create a Composite Role

Create the composite role GR##_MM_WHOUSE.

Hint

Ensure that you use the Create Comp. Role button on the initial screen of Role Maintenance.

Steps

  1. Start the Role Maintenance transaction and create the predefined role. Enter a short description, and save.

    If you look at the tab pages, what do you notice?

    ___________________________________________________________

    ___________________________________________________________

    1. SAP Menu:

      Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

    2. Enter the name for the role GR##_MM_WHOUSE in the Role field.

    3. Choose Create Comp. Role.

    4. Enter description Composite role Warehouse in the Description field.

    5. Then choose Save (Ctrl+S) to save your role.

    6. Check the tab pages, what do you notice?

      The tab page Roles has been added.

      The tab page Authorizations has been removed.

  2. Add single roles to your composite role.

    Your composite role should consist of the roles of the role definition in the sample authorization concept for the work center Warehouse.

    In accordance with the sample authorization concept, these are:

    - GR##_MM_MAT_ANZ

    - GR##_MM_IM_POST

    Enter these in the relevant fields.

    1. Go to the Roles tab page.

    2. Enter the following role names in the Role column:

      - GR##_MM_MAT_ANZ

      - GR##_MM_IM_POST

    3. Then choose Save (Ctrl+S) to save your role.

  3. Read the menus of the inserted roles into your composite role.

    You can choose to make further modifications to the menu of the composite role. (Do not delete any entries. However, you can move or rename them).

    1. Go to the Menu tab page, and choose Import Menu.

    2. Then choose Save (Ctrl+S) to save your role.

  4. Assign user GR##-MM1 and save your user assignment.

    1. Go to the User tab page.

    2. Enter GR##-MM1 in the User ID field.

    3. Then choose Save (Ctrl+S) to save your role.

  5. Perform a user master comparison.

    1. Choose the User comparison button to enter the roles in the master record of user GR##-MM1.

  6. Complete the maintenance of this role and return to the initial screen of transaction PFCG.

    1. Choose Back (F3) to return to the initial screen of Role Maintenance.

Task 2: Describe the Options for a User Master Comparison

Steps

  1. Where can you perform a user master comparison? List at least two possibilities.

    ______________________________________________,

    ______________________________________________.

    1. With additional steps in transactions: SU01, PFCG, and PFUD or with the report "pfcg_time_dependency".

  2. What does the report pfcg_time_dependency do?

    _______________________________________________

    _______________________________________________

    _______________________________________________

    1. You can schedule an automatic user master comparison at regular intervals with this report. This compares all links and relationships between roles, users, and profiles in the master records (in the background).

Task 3: Display the User Master Record of user GR##-MM1

Display the user master record of user GR##-MM1.

Steps

  1. Start the User Maintenance transaction and answer the following questions.

    If your user GR##-MM1 does not yet have the role ADM940_PLUS, assign the role and perform a user master comparison.

    Which roles is the user assigned?

    _______________________________________________

    _______________________________________________

    _______________________________________________

    _______________________________________________

    _______________________________________________

    Display the authorization profiles. How many profiles are assigned?

    ________________________ authorization profiles

    Why are there fewer profiles than roles?

    _______________________________________________

    1. SAP Menu:

      Tools → Administration → User Maintenance → Users (transaction code SU01).

    2. Enter the user name GR##-MM1 in the User field.

    3. Choose the Display icon.

    4. Go to the Roles tab page.

      You will find the following roles on the Roles tab page.

      • ADM940_PLUS

      • GR##_BC_PORTALS

      • GR##_MM_IM_POST

      • GR##_MM_MAT_ANZ

      • GR##_MM_WHOUSE

    5. Go to the Profiles tab page.

      Display the authorization profiles. How many profiles are assigned?

      - 4 authorization profiles

      Why are there fewer profiles than roles?

      - Because the composite role does not have its own profile.

    6. Choose Back (F3) to return to the User Maintenance: Initial Screen.

Task 4: Log on to the System as User GR##-MM1 (Optional)

The following exercise is optional.

Log on to the system as user GR##-MM1. Use the password automatically generated in the exercise for the user master record or assign a new initial password in user maintenance.

Change the password when you log on: ______________________

Hint

You can show the transaction codes by choosing Extras → Settings ("Display technical names").

Steps

  1. Log on to the system as user GR##-MM1.

    1. Start SAP Logon.

    2. Select system T41 and choose Log On.

    3. Enter the user name GR##-MM1 in the User field.

    4. Enter the generated password in the Password field.

      Use the password automatically generated in the exercise for the user master record or assign a new initial password in user maintenance.

    5. Choose Enter.

    6. Enter a new productive password of your choice in the New Password and the Repeat Password fields.

      New password : ______________________

    7. Choose Transfer (Enter).

    8. Choose Continue (Enter).

  2. Set up a user-specific favorites list by defining the transactions MM03 and MB1C as favorites.

    1. Copy transactions MM03 and MB1C from the User menu to the Favorites folder. To do so, open all folders, search for the transactions, and use drag-and-drop to copy each transaction from the User Menu sub-folder to the Favorites folder.

    Hint

    You can show the transaction codes by choosing Extras → Settings ("Display technical names").

  3. Start transaction MM03, and display the accounting view of material P605-100 in plant 1010.

    Can you also display the accounting view of material P605-100 in plant 1040?

    - No, because you do not have authorization for plant 1040.

    1. Call transaction MM03 from the Favorites list.

    2. Enter the material ID P605-100 in the Material field.

    3. Choose Select view(s).

    4. Choose the Accounting 1 view.

    5. Choose Continue (Enter).

    6. Enter 1010 in the field Plant and choose Continue (Enter).

      The accounting view of material P605-100 for plant 1010 is shown.

    7. Choose Back (F3).

    1. Enter the material ID P605-100 in the Material field.

    2. Choose Select view(s).

    3. Choose the Accounting 1 view.

    4. Choose Continue (Enter).

    5. Enter 1040 in the field Plant and choose Continue (Enter).

      The Error window indicates that you have no authorization to display data for plant 1010.

    6. Choose Confirm (Enter).

    7. Choose Cancel (F12).

  4. Display the failed authorization check.

    Why are you not able to display material P605-100 in plant 1040?

    _______________________________________________

    _______________________________________________

    _______________________________________________

    1. Start transaction SU53.

      Menu path: System → Utilities → Display Authorization Check (or transaction SU53)

    2. Analyze the result of the authorization check for object M_MATE_WRK.

      The program required the following authorization values: ACTVT = 03 and WERKS = 1040 for the authorization object M_MATE_WRK.

    3. Check the authorizations assigned for object M_MATE_WRK by double-clicking the entry for object M_MATE_WRK in the list.

    4. Select Authorization Object M_MATE_WRK and choose Expand Subtree (F6).

      The result shows that the user master record contains authorization for object M_MATE_WRK ( ACTVT = 03, 08 and WERKS = 1000, 1010, and 1020), but not the required authorizations.

  5. Log off as GR##-MM1.

    1. Choose System → Log Off.

    2. Confirm the next system dialog with Yes.

Task 5: Create a Derived Role

Create a derived role GR##_MM_IM_POST1010 with authorizations for a warehouse supervisor in plant 1010.

Steps

  1. Create a derived role GR##_MM_IM_POST1010. Assign the imparting role GR##_MM_IM_POST and save your role.

    Display the inheritance hierarchy of the roles (choose Ctrl+Shift+F3 or the Inheritance Hierarchy icon).

    1. Start the role maintenance transaction:

      SAP Menu: Tools → Administration → User Maintenance → Role Administration → Roles (transaction code: PFCG).

    2. Enter the name for the role GR##_MM_IM_POST1010 in the Role field.

    3. Choose Create Single Role.

    4. Enter description Warehouse supervisor in plant 1010 in the Description field.

    5. Enter GR##_MM_IM_POST in the Derive from Role field.

    6. Then choose Save (Ctrl+S) to save your role.

  2. Display the inheritance hierarchy of the roles.

    1. Menu: Role → Inheritance (Ctrl+Shift+F3)

    2. Select role GR##_MM_IM_POST1010 and choose Choose (F2).

  3. Can you add other applications (menu entries, transaction codes, and reports, for example) or delete existing applications?

    _______________________________________________

    1. Go to the Menu tab page.

      No, since the menu of role GR##_MM_IM_POST is inherited from the role GR##_MM_IM_POST1010.

  4. Maintain Authorizations - Define the organizational levels.

    Plant: 1010

    Did the system copy the authorizations of the imparting role?

    _________________________

    1. Go to the Authorizations tab page.

    2. Choose Change Authorization Data.

    3. Enter the following values in the Define Organizational Levels window:

      - Plant: 1010

    4. Choose Save (Ctrl+S) to save the authorization values for the organizational levels.

      Did the system copy the authorizations of the imparting role?

      No, they must either be maintained here directly or copied as described in the next exercise task.

    5. Choose Save (Ctrl+S) to save the profile values.

    6. In the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

  5. Maintain Authorizations - Copy the authorization data from the imparting role.

    1. Choose Copy data (Ctrl+Shift+F7).

    2. Choose Continue (Enter) to save the profile values.

      The authorizations are then copied from the imparting role (reference role).

    3. Choose Save (Ctrl+S) to save the profile values.

    4. Choose Organizational levels to check the value for the organizational level plant.

      The plants 1000, 1010, and 1020 were not copied from the reference since this is an organizational level field which was previously set in the derived role.

    5. Choose Save (CTRL+S) to save the authorization values for the organizational levels.

  6. Maintain Authorizations - Generate the authorization profile for your role.

    1. Choose the Generate icon.

    2. In the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

    3. Choose Back (F3) to return to the Change Roles screen.

    4. Choose Back (F3) to return to the initial screen of the Role Maintenance.

Task 6: Optional: Copy a Role

In this additional exercise, you can create a single role GR##_SD_SALES by copying the predefined work center example ADM940_SD_SALES without user assignment.

Steps

  1. Start the Role Maintenance transaction and create the role GR##_SD_SALES as a copy of the role ADM940_SD_SALES.

    1. While still in the Role Maintenance transaction, enter the name for the role ADM940_SD_SALES in the Role field.

    2. Choose Copy Role (Shift + F11).

    3. Enter GR##_SD_SALES in the to role field.

    4. Choose Copy All (Enter).

    5. Choose Change on the Role Maintenance screen.

  2. Maintain Authorizations - Generate the authorization profile for your role.

    1. Choose Change Authorization Data on the Authorizations tab.

    2. Choose the Generate icon.

    3. In the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

    4. Choose Back (F3) to return to the Change Roles screen.

  3. Complete the maintenance of this role and return to the initial screen of transaction PFCG.

    1. Choose Back (F3) to return to the initial screen of Role Maintenance.

Task 7: Optional: Create the Missing Three Single Roles of the Sample Authorization Concept

In this additional exercise, you can create the missing three single roles of the sample authorization concept.

After the creation of roles was carried out in detail in the previous exercises, you should now perform these exercises without a detailed solution.

Create the following roles:

Role                    Transactions
GR##_FI_ACCREC_MAINT    FD01, FD02, FD03
GR##_FI_IP_POST         F-18, F-26, F-28
GR##_SD_CUST_MAINT      VD01, VD02, VD03

Restrict the requested organizational levels with the values specified here. The system never queries all the organizational levels listed here for a role. Use the following values for the fields used.

Organizational Level    Field Value
Company code            1010
Business area           1000
Account type            D
Controlling area        0001
Division                *
Sales organization      1010
Distribution channel    *

Steps

  1. Create the role GR##_FI_ACCREC_MAINT.

    1. Create the role GR##_FI_ACCREC_MAINT. Enter the role name and a short description.

    2. Fill the menu with the required transaction codes:

      • FD01
      • FD02
      • FD03
    3. Restrict the requested organizational levels with the values specified here:

      Role: GR##_FI_ACCREC_MAINT

      Company code: 1010.

    4. Generate the profile and save the role.

  2. Create the role GR##_FI_IP_POST.

    1. Create the role GR##_FI_IP_POST. Enter the role name and a short description.

    2. Fill the menu with the required transaction codes:

      • F-18
      • F-26
      • F-28
    3. Restrict the requested organizational levels with the values specified here:

      Role: GR##_FI_IP_POST

      - Company code: 1010

      - Business area: 1000

      - Account type: D

      - Controlling area: 0001

      - Assign complete Authorization for the org. levels still open using the button Full authorization.

    4. Generate the profile and save the role.

  3. Create the role GR##_SD_CUST_MAINT.

    1. Create the role GR##_SD_CUST_MAINT. Enter the role name and a short description.

    2. Fill the menu with the required transaction codes:

      • VD01
      • VD02
      • VD03
    3. Restrict the requested organizational levels with the values specified here:

      Role: GR##_SD_CUST_MAINT

      - Company code: 1010

      - Division: *

      - Sales organization: 1010

      - Distribution channel: *

      Set full authorization for all remaining open authorization fields.

    4. Generate the profile and save the role.

Task 8: Optional: Create Three Composite Roles that Correspond to the Sample Authorization Concept

In this additional exercise, you can create three composite roles, which correspond to the sample authorization concept.

After the creation of roles was carried out in detail in the previous exercises, you should now perform these exercises without a detailed solution.

Create the following three composite roles.

Composite role    Corresponds to the work center from the Sample Authorization Concept
GR##_FI_ACCREC    Accounts receivable accountant (AccRec)
GR##_SD_SALCLK    Sales clerk (SClerk)
GR##_SD_SALMGR    Sales and Distribution manager (SDMan)

These composite roles should contain the following single roles:

Composite Role    Contained Roles
GR##_FI_ACCREC    GR##_MM_MAT_ANZ, GR##_FI_ACCREC_MAINT, GR##_FI_IP_POST
GR##_SD_SALCLK    GR##_MM_MAT_ANZ, GR##_SD_CUST_MAINT, GR##_SD_SALES
GR##_SD_SALMGR    GR##_MM_MAT_ANZ, GR##_FI_ACCREC_MAINT, GR##_SD_CUST_MAINT, GR##_SD_SALES

Steps

  1. Create the composite role GR##_FI_ACCREC.

    1. Create the composite role GR##_FI_ACCREC. Enter the role name and a short description.

    2. Go to the Roles tab page and select the corresponding single roles and copy them into your composite role.

      Your composite role should consist of the roles of the role definition in the sample authorization concept:

      • GR##_MM_MAT_ANZ

      • GR##_FI_ACCREC_MAINT

      • GR##_FI_IP_POST

    3. Optionally, you can further customize the menu of the composite role.

      Choose Import Menu on the Menu tab page. You can move and restructure the entries with the mouse. By creating folders with the Create folder button, you can organize your transactions from a functional or process-oriented point of view.

    4. Save the composite role.

  2. Create the composite role GR##_SD_SALCLK.

    1. Create the composite role GR##_SD_SALCLK. Enter the role name and a short description.

    2. Go to the Roles tab page and select the corresponding single roles and copy them into your composite role.

      Your composite role should consist of the roles of the role definition in the sample authorization concept:

      • GR##_MM_MAT_ANZ

      • GR##_SD_CUST_MAINT

      • GR##_SD_SALES

    3. Optionally, you can further customize the menu of the composite role.

      Choose Import Menu on the Menu tab page. You can move and restructure the entries with the mouse. By creating folders with the Create folder button, you can organize your transactions from a functional or process-oriented point of view.

    4. Save the composite role.

  3. Create the composite role GR##_SD_SALMGR.

    1. Create the composite role GR##_SD_SALMGR. Enter the role name and a short description.

    2. Go to the Roles tab page and select the corresponding single roles and copy them into your composite role.

      Your composite role should consist of the roles of the role definition in the sample authorization concept:

      • GR##_MM_MAT_ANZ

      • GR##_FI_ACCREC_MAINT

      • GR##_SD_CUST_MAINT

      • GR##_SD_SALES

    3. Optionally, you can further customize the menu of the composite role.

      Choose Import Menu on the Menu tab page. You can move and restructure the entries with the mouse. By creating folders with the Create folder button, you can organize your transactions from a functional or process-oriented point of view.

    4. Save the composite role.
