Difference between Single & Derived Role

Former Member · ‎08-18-2009

Hello,

What is the difference between single role and Derived Role?

I have little bit knowledge on these single & Derived roles.

My requirement is i have to created a single role for Creation of Material Master (T-Codes: MM01, MM02, MM03, MMSC)

when i am giving the authoriztions it asks for the Organizational levels.

How can i assign these org levels in that single role? These org levels are to be assigned into the derived role which is derived from master role.

If i maintain Full authorizations in single role if by mistake if it is assigned to user id he will have the full auth and it would be a big problem.

So, without maintaining the Org Levels in Single role how can i proceed?

How to resolve this?

Regards,

Kumar Rayudu

Bernhard_SAP · ‎08-18-2009

Hi Kumar,

please refer to the documentation about derived roles:

http://help.sap.com/saphelp_nw70/helpdata/en/1c/c38028816c11d396bc0000e82de14a/frameset.htm

So create a single role with the required transactions in the menue. Maintain the authoriaztions as required. Leave the org.-level fields empty (button 'Org.level').

Then create the derived roles, enter the first created single role in the filed 'derive from role' on the description tab.

menu and authorizations will be copied to that new role. You need only to maintain the org.level fields for that role. Proceed with further derived roles.

b.rgds, Bernhard

Former Member · ‎08-18-2009

Hi Bernhard,

I have just tested in my IDES server and i created a single role with required authorizations and i have not maintained the organization levels in that single role.

Is this is the correct procedure to leave the Org Levels blank?

So i have created a Derived role imparting from Single role and i have maintained the Auth & Org Levels also. It works fine but i have one query there are many org levels like CCode, Plant, Sales Org, Dis Channel etc., and at what level we have to create the derived role.

For Eg: If i have Two Company codes and different plants then what is best practice for creating a Derived role? should be created at plant level or company code?

Regards,

Kumar Rayudu

Former Member · ‎08-18-2009

Hi,

To be more clear about the organization Level maintainance, you can not maintain organization level from the parent role/single role if in the parent role there is already some org level. e.g. when you will make changes in the paren role, and derive it all the changes of the role will be distributed in the derived roles except the org level IF there is any specific organization level.

If no org level was maintained in the derived role previously, then it will be changed and will be same as the parent role. But the common practice is, do not maintain any org level in the parent/template role.

Regards,

Sandip MAiti

arpan_paik · ‎08-19-2009

Hi Kumar,

Here you need gather some information from MM guys. However in a organization level structure Company code comes first then Plant. So the bottom line is one company code can contain multiple plants. So you need to segregate the derived roles based on company code with suitable naming convention.

Let say you need to create 2 role with company code 1000 but segregate based on plant AAAA, BBBB. So basic understanding is that both the plant must be falling under Company code 1000. To see these kind of organization structure you can use transaction SPRO. However if you don't have much knowledge on functional side then consult with MM guys in this specific case.

Arpan

Former Member · ‎08-19-2009

Hi Kumar,

As far as the Material Master transactions(MM01/02/03) are involved they can also be restricted on the Material Views (Purchase, Storage, Sales, Basic, MRP) and Material Types apart from the Organizational fields (Company Code, Plant). So you need to check the type of restriction you require when creating the roles.

Kindly let me know if you require restriction on Material Types and Material Views?

The above details will further help in deciding the type of Roles to be created.

Former Member · ‎08-18-2009

Hi Kumar,

If you want to restrict the user with their organisational levels.

You can use the Parent - Child relationship role.

In the master parent role assign all the tcodes for all organisational levels.

Then derive that role using the child role using the tab "derive from Role" in the description of the child role.

In the child role you can maintain the organisational level restricion and assign to the user.

Hope this solve.

Regards,

Raja. G

Former Member · ‎08-19-2009

Hi

Derived roles

Derived roles refer to roles that already exist. The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards. Organizational level definitions are not passed on. They must be created anew in the inheriting role. User assignments are not passed on either.

Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

The menus passed on cannot be changed in the derived roles. Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles.

You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.

shitika