Parent Child relation

arpan_paik
Active Contributor
0 Kudos

Hi All,

Is there any way that we can build a parent child relation between existing single roles?

Arpan

1 ACCEPTED SOLUTION

Former Member
0 Kudos

If you use an existing role you may lose Tcodes of the child role. The concept of using child roles is that you don't have to add Tcodes to them. So I don't think it would be a good idea... Yes, if you don't mind losing the data of the child roles you could try it, but you would need to enter all the org values again in any case.

It would be just simpler if you created new child roles and derived into them.

Regards,

Chinmaya

20 REPLIES 20

0 Kudos

> If you use an existing role you may lose Tcodes of the child role.

Even worse, you have to clear out all transactions and authorizations from that role, save it, leave it and re-enter it before PFCG will allow you to choose a parent.

0 Kudos

On the bright side, it will at least only let you do it once..

Starting over with a new role set and then deleting the old ones would be my advice as well.

Cheers,

Julius

0 Kudos

I have a master role that is associated with many manually added auth objects. When deriving a role then these will not come. I also can't distribute authorization profile from master role as existing child roles to that master role are having some market specific values maintained separately for non org level values (like storage type, movement type etc).

So I have created 1 new role copied from master role so that all the manually added objects get copied to this role. Now I want to maintain the new role as a child role to that parent role.

We maintain child role non org level values separately through a less known tool CSI CB which is automatic. This is FYI as you may wonder if maintain child role separately why master derive concept?

Arpan

0 Kudos

Your solution is absolutely non standard with a whole bunch of accidents waiting to happen built into it and I find it sad that a third party tool supports this working method.

Actually there's no good reason to want to link this role afterwards. I think you'd be better off with a proper role administration which tells you which roles to change once you've adapted one of your so-called parents. Actually trying to make those into real parents brings more hazards for the child roles of having values overwritten accidentally.

Basically I think you've created a mess..... no personal offence meant.

0 Kudos

I agree with you and any amateur SAP Security person can say it is a mess. We already discussed this with the Client and this model is going off soon. But currently that is not a problem. Problem is how to build a relation between 2 existing single roles.

FYI parent child relation is required as CSI CB derives authorization from master role to derive role by its own mechanism and keep the objects where values are different from master role intact by its own mechanism.

Regarding accidentally deriving authorization via master role will definitely bring disaster with good mail from clients but that is not the issue right now. All I need to know is how to build a relation between 2 existing single roles. Even is it possible else I need to proceed with adding around 300 objects manually in child role.

Arpan

0 Kudos

> All I need to know is how to build a relation between 2 existing single roles.

OK here goes (at your own risk!):

1- Create a new single role as a child from your designated parent. No need to tweak anything, just generate. This role is temporary and can be deleted afterwards.

2- Download both the role you want to link and the newly created child role in separate downloads. Advised codepage UTF16LE. The second download will also contain the parent but that's irrelevant now.

3- Open both downloads with an ASCII editor and look for lines starting with AGR_DEFINE. In the newly created child role's download you'll find the name of the parent in this line. In the download for the role you want to link enter the parent role name in exactly the same position. Make sure you do not add or delete spaces or other characters. These files are fixed record length and if you do not adhere to the original structure you could create unforeseeable problems.

4- Upload your altered role and check in PFCG if it is linked to the parent. Generate the profile.

5- Delete the newly created temporary child role.

6- Tell the client to revise their authorization concept and ditch the unreliable third party tool.

Good luck!

Jurjen

BTW This does leave you with some mess as child roles shouldn't have their own entries in AGR_TCODES, AGR_HIER and AGR_HIERT.

Edited by: Jurjen Heeck on Dec 21, 2009 1:21 PM
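
The warning in step 3 about fixed record length can be checked mechanically before the upload in step 4. The following is an added example, not part of the original post: it compares the downloaded file with the edited copy and reports any record whose length changed and any change outside an AGR_DEFINE line. The sample records, their column layout and the role names are constructed for the demo and do not reproduce the real download format.

```python
"""Compare a role download before and after a manual AGR_DEFINE edit."""
MARKER = "AGR_DEFINE"

def decode_lines(raw: bytes, encoding: str = "utf-16-le") -> list[str]:
    # Keep line endings so a changed terminator also shows up as a difference.
    return raw.decode(encoding).lstrip("\ufeff").splitlines(keepends=True)

def check_edit(original: bytes, edited: bytes, encoding: str = "utf-16-le") -> list[str]:
    """Return a list of problems; an empty list means the edit kept the structure."""
    before, after = decode_lines(original, encoding), decode_lines(edited, encoding)
    problems = []
    if len(before) != len(after):
        problems.append(f"record count changed: {len(before)} -> {len(after)}")
    changed = 0
    for no, (a, b) in enumerate(zip(before, after), start=1):
        if a == b:
            continue
        changed += 1
        if len(a) != len(b):
            problems.append(f"line {no}: length changed {len(a)} -> {len(b)}")
        if not (a.startswith(MARKER) and b.startswith(MARKER)):
            problems.append(f"line {no}: change outside an {MARKER} record")
    if changed == 0 and not problems:
        problems.append(f"no {MARKER} record differs; nothing was edited")
    return problems

# Constructed sample records. The 12/30/30 column layout is invented for the
# demo and is NOT the real download layout; role names are placeholders.
def _rec(table: str, *fields: str) -> str:
    return table.ljust(12) + "".join(f.ljust(30) for f in fields) + "\r\n"

_TCODES = _rec("AGR_TCODES", "Z_EXISTING_ROLE", "ZDEMO")
ORIGINAL = (_rec(MARKER, "Z_EXISTING_ROLE", "") + _TCODES).encode("utf-16-le")
# Parent name overwrites blanks in place: record length unchanged.
GOOD = (_rec(MARKER, "Z_EXISTING_ROLE", "Z_PARENT_ROLE") + _TCODES).encode("utf-16-le")
# Parent name inserted instead of overwritten: record grows by 13 characters.
BAD = (MARKER.ljust(12) + "Z_EXISTING_ROLE".ljust(30) + "Z_PARENT_ROLE"
       + " " * 30 + "\r\n" + _TCODES).encode("utf-16-le")

if __name__ == "__main__":
    for name, data in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_edit(ORIGINAL, data) or "structure preserved")
```

Run it against the untouched download and the edited copy; only an empty result means every record kept its length and nothing but AGR_DEFINE was touched.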

0 Kudos

> I have a master role that is associated with many manually added auth objects. When deriving a role then these will not come.

What do you mean by this? If I create a new derived role from a parent with manually entered objects these come into the derived role without a problem. Which steps do you perform exactly?

0 Kudos

Hi Arpan,

I think you should be very careful of this. It is too complicated to work consistently or reliably to mix so many concepts and tools to maintain different aspects of what is in the end a single role which might go "bang".

If you automate them all this way then it might go "bang, bang, bang, bang, ratatatatatatatatatatata, boom!"..

Cheers,

Julius

0 Kudos

Hi Jurjen,

Master role is having manually added object and you are deriving it to a child role. I guess you never tried it. Try it and you will find the circus. However once you distribute authorization in master role through generate derive derive roles it will come to child roles but as I spoke earlier It can not be done as some non org level values maintained on child roles separately.

However download and upload seems good idea but I am not that brave heart to take that chance. Let me be shield headed bull and add 300+ object manually. Good time for me.....

However many thanks. But I think SAP should take care this next version

Arpan

0 Kudos

@ Jurjen Heeck - I tried the method.. and it seems to be working pretty good (it was a test server though )

The new child role did have some discrepancies which were taken care of by parent role -> Generate derived role ....

Cheers !!

Zaheer

0 Kudos

> which were taken care by parent role-> Generate derived role ....

This cannot be done...pls go through the earlier conversation and the actual issue....

0 Kudos

> Master role is having manually added object and you are deriving it to a child role. I guess you never tried it. Try it and you will find the circus. However once you distribute authorization in master role through generate derive derive roles it will come to child roles but as I spoke earlier It can not be done as some non org level values maintained on child roles separately.

One option is to promote the field to an org. level, but depending on the field and how the external tool reacts to this you might have more than just the circus tent to deal with.

Just to confirm: You added an object manually to a child role. When adding the same object to the parent role, it wipes out the values you have maintained for the children with the new (single) value you want to distribute as a "common denominator" amongst the roles.

In addition to promoting the field to an org. level, the use of a reference user for such "common denominator" values can be helpful and protect your derived roles from the parent, the external tool, Jurjen, me and of course from yourself as well.

However take note that you can only assign one reference user to another one at any one point in time. So you cannot easily build a multiple of concepts for different application areas using the same approach if the user is expected to have two or more of the application roles.

Please also let us know which field this is?

Cheers,

Julius

0 Kudos

> I have a master role that is associated with many manually added auth objects. When deriving a role then these will not come. I also can't distribute authorization profile from master role as existing child roles to that master role are having some market specific values maintained separately for non org level values (like storage type, movement type etc).

The only way I have seen this working properly (unless you're able to turn these fields into organizational ones) is to create multiple master roles for the different non organizational field combinations and derive from there. See it as an extra layer in your authorization concept. This does require some more manual effort but leaves you with a far more transparent authorization concept which also adheres to SAP standards.

I do not have a proper solution for the issues raised by the concept chosen at your clients' site and sincerely doubt there is one.

Jurjen

0 Kudos

> What do you mean by this? If I create a new derived role from a parent with manually entered objects these come into the derived role without a problem. Which steps do you perform exactly?

This never happens

> Please also let us know which field this is?

There are plenty of them like storage location, movement type, cost center, cost element, release code, release group and many more..... for solution I always can say promote them to org level.....But in business your boss will say you are mad to do so....

However this master derived concept is already a painful to us and thinking on new model

> I do not have a proper solution for the issues

I also found there is no way to do a relation btwn existing single roles....By the way I have already added the objects manually and the 3rd party tool is a trash....you can feel it by hearing from me and I am using that for years......

Thanks for all your attention though we come up with nothing but came to know that it can not be done.....

Arpan

0 Kudos

> However this master derived concept is already a painful to us and thinking on new model ...

If you read the threads here (see the FAQ sticky) then you will also see many warnings about the restraints for using derived roles.

They make you inflexible and require more discipline than what would otherwise be required, or at least make you feel the downside faster...

If you cannot keep your business processes identical across the orgs. and promotion of (a) field(s) to an org. level is not an option or has reached its limit... then it is not for you.

But you already have them, and if you want to keep them then please reconsider the reference user option for the values of the derived role where they should all be pushed out to the children with the same value.

It should work, but you can only do it once.

Cheers,

Julius

0 Kudos

> > What do you mean by this? If I create a new derived role from a parent with manually entered objects these come into the derived role without a problem. Which steps do you perform exactly?

> This never happens

Here I think we have a misunderstanding. What I did yesterday (on an SAP NetWeaver 2004s demo system, http://www.sdn.sap.com/irj/scn/nw-downloads) to test this was:

1- Create a role with some transactions to serve as the parent role. I've also put in some manual objects. Generated the profile.

2- Create a child role and enter the parent role in the 'derive from role' field. Save.

3- Go into the child roles' profile and hit the 'copy data' button on the right, next to the information button. Now all objects and values from the parent roles have replicated into the child, including the manually added ones.

So I'll repeat my question: Which steps do you perform exactly?

0 Kudos

If you would be here I would give a bottle of wine....Many many thanks and it works.......However I just finished with adding 300+ objects manually....

0 Kudos

> If you would be here I would give a bottle of wine....Many many thanks and it works.......

Trust me, you're not the first one to overlook that button. You're in good company.

jurjen_heeck
Active Contributor
0 Kudos

> Is there any way that we can build a parent child relation between existing single roles?

Officially, no. Can you please tell us why you want to do that?