
Combine Authorization Data from different roles

Former Member
0 Kudos

Dear Expert

We have developed a number of roles for V_KONH_VKO based on the object fields.

We have assigned the 3 roles to users but cannot combine the authorization data.

Please advise how to combine the authorization data from the three different roles of the above object.

Regards

Anwer Waseem

1 ACCEPTED SOLUTION

Former Member
0 Kudos

You do this by building bigger single roles at a higher level and not little "building blocks".

Cheers,

Julius

8 REPLIES 8

0 Kudos

Hello Julius

If you don't mind, can you explain in detail about building a bigger single role?

I have 9 SORG, 4 Divisions and 6 Distribution Channels.

We want to reduce the number of roles and don't want to maintain a lot of roles.

How do we restrict?

Please advise

Regards

Anwer Waseem

Edited by: Anwer Waseem on Jan 9, 2011 2:07 PM

0 Kudos

Hi,

May I know what exactly you are looking for in "combining authorization data"?

If your concern is to assign all the 3 roles you mentioned in combination every time, you may try creating a composite role consisting of the 3 single roles.

In case it's multiple roles with only some variation in the field values of object V_KONH_VKO, you may try the master-derived role concept after converting one or more of the fields of the object to org level fields via the PFCG_ORGFIELD_CREATE program. This should be effective in reducing your maintenance effort (to some extent at least, especially when you are doing any non-org-level updates).

Please elaborate on your requirement so that I can try suggesting something concrete and focused.

Thanks

Sandipan

0 Kudos

Specifically regarding derived roles, they can be useful in isolated cases depending on the requirement. Same goes for "delta roles". But 99% of the time it is bla bla bla advice simply because it is possible and the consultant didn't stick around long enough to experience the pain-points of support and upgrades (or might be billing you for it...).

I suggest taking a look at the FAQ thread sticky at the top of the forum in the "Authorizations" section. There is some very good advice in there already about role design.

Cheers,

Julius

0 Kudos

Dear All

Thanks to all of you for spending time and sharing your expertise on my issue.

This is a serious issue in my company and we need to control the price maintenance by SORG, Div and DC.

We have 9 SORG, 4 Div and 6 Channels, which will create a total of 216 derived roles; definitely we need strong security and we should go with the derived role approach.

Earlier, I had taken the approach of creating a small number of roles based on the fields of V_KONH_VKO, like so:

Role 1

Activity = 01/02 = separate role / other fields were not maintained (or maintained with not relevant data)

Role 2

Division = 20 (separate role for each division) / other fields were not maintained (or maintained with not relevant data)

Role 3

SORG = 1000 (separate role for each SORG) / other fields were not maintained (or maintained with not relevant data)

Role 4

DC = 10 (separate roles for each DC) / other fields were not maintained (or maintained with not relevant data)

Then I assigned the above 4 roles to users, thinking that the authorization data would be combined when attached to users, but the users ended up with a missing authorization error.

Is there any best approach instead of creating the 216 derived roles for the V_KONH_VKO ORG/DIV/DC?

We are using ECC6 SR3! Delta roles are an approach for EP roles and cannot be applied in ABAP!

Please advise

Regards

0 Kudos

Earlier, I had taken the approach of creating a small number of roles based on the fields of V_KONH_VKO, like so:

Role 1

Activity = 01/02 = separate role / other fields were not maintained (or maintained with not relevant data)

Role 2

Division = 20 (separate role for each division) / other fields were not maintained (or maintained with not relevant data)

Role 3

SORG = 1000 (separate role for each SORG) / other fields were not maintained (or maintained with not relevant data)

Role 4

DC = 10 (separate roles for each DC) / other fields were not maintained (or maintained with not relevant data)

Then I assigned the above 4 roles to users, thinking that the authorization data would be combined when attached to users, but the users ended up with a missing authorization error.

During an authorization check, authorization fields are always checked in an AND relationship for each authorization object instance within the role(s). Hence you are wrong in assuming that authorizations would be combined in your design, where you have maintained Field 1, not Field 2/3, in Role A and maintained Field 2, not Field 1/3, in Role B and expected values of Field 1 from Role A to combine with Field 2 from Role B to provide the required access.

In reality, values of Field1/Field2/Field3 for one or multiple instances (called 'authorization') of authorization objects will be checked in sets within Role A/B. If the required values are not found in any of the fields within one authorization instance, subsequent authorization instances will be checked in the same manner by the program. At the end, if the required values are found in any one authorization instance, the check is passed; otherwise it fails with a "No Authorization" error.

If you want to provide access to, say, ACTVT=02, Division=20, SORG=1000 and DC=10, you will have to provide all the values in ONE single authorization instance so that the authorization check passes when the fields are checked sequentially by the SAP system. Based on this concept, you may need to create/redesign your master-derived roles to suffice your requirement.

Thanks

Sandipan
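
The check semantics described in the reply above, modelled as an added example (not part of the original thread and not SAP code). It assumes the object's fields are ACTVT, VKORG, VTWEG and SPART, supports only single values and "*", and uses constructed sample roles built from the values mentioned in the thread.

```python
# Simplified model of the authority check for one authorization object.
# Single values and "*" only (no ranges); all sample data is constructed.
FIELDS = ("ACTVT", "VKORG", "VTWEG", "SPART")  # activity, sales org, channel, division


def auth(**values):
    """One authorization instance; fields not passed stay unmaintained (empty)."""
    return {f: set(values.get(f, [])) for f in FIELDS}


def authority_check(user_auths, **wanted):
    """AND across fields inside one instance, OR across the user's instances."""
    def field_ok(allowed, value):
        return "*" in allowed or value in allowed
    return any(all(field_ok(a[f], wanted[f]) for f in FIELDS) for a in user_auths)


# Design from the thread: four small roles, one field maintained in each.
split_roles = [
    auth(ACTVT=["01", "02"]),
    auth(SPART=["20"]),
    auth(VKORG=["1000"]),
    auth(VTWEG=["10"]),
]

# All four values in ONE authorization instance.
combined_role = [auth(ACTVT=["01", "02"], VKORG=["1000"], VTWEG=["10"], SPART=["20"])]

# Small roles padded with "*" so that each instance is complete on its own.
padded_roles = [
    auth(ACTVT=["*"], VKORG=["1000"], VTWEG=["*"], SPART=["*"]),
    auth(ACTVT=["*"], VKORG=["*"], VTWEG=["*"], SPART=["20"]),
]

wanted = dict(ACTVT="02", VKORG="1000", VTWEG="10", SPART="20")
unintended = dict(ACTVT="02", VKORG="2000", VTWEG="10", SPART="20")  # other sales org

if __name__ == "__main__":
    for name, auths in [("split", split_roles), ("combined", combined_role),
                        ("padded", padded_roles)]:
        print(name, authority_check(auths, **wanted), authority_check(auths, **unintended))
```

The padded variant passes the intended check but also passes for sales organization 2000, because the division role alone satisfies every field; padding small roles with "*" therefore grants more than one complete authorization per combination would.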

Former Member
0 Kudos

This message was moderated.

Former Member
0 Kudos

Thanks Again!

Yes, you are right, and derived roles were the solution for that, but we were working to reduce the number of roles and maintenance.

There are multiple combinations of roles which have to be maintained.

Thanks to all of you for your expertise.

Regards

Anwer Waseem