Yes, we know that we can maintain the field values in each child roles individuallyu2014however, the next time you change the master role (adding a tcode, or whatever), it will overwrite the maintained filed values in child roles.

If we do this, there is no point for us to use the deriving function.

I am taking over the role maintenance tasks, and I cannot tell if my predecessor modified these roles (for example, adding an extra org object manually).

I am still looking for what I can do to the issue.

HM

Thank you both!

I think I am getting a conclusion.

If we find an org restriction necessary, we need to maintain those org fields/values individually in each derived role since the manually added org level fields are treated as normal authorization fields.

Of course, we need to delete the parent-child relationship to avoid the overwriting of the org values in child roles.

>Shrinivasan,

I have a specific question for you.

You pointed out that it is incorrect to set * in the org level fields of the master role. If that is true, are we simply leaving those fields blank in the master role? I thought setting * is a standard practice...

I would really appreciate your advice.

Thanks,

HM

Hi

Just curious - do you know if the maintained org levels (at object showing in AGR_1251) were intentional or an error?

If intentional then break the link, if accidental then repair the org level to retain the derived link.

Regards

David

>

> Of course, we need to delete the parent-child relationship to avoid the overwriting of the org values in child roles.
> 

If you do this you then lose the benefits of derived roles. I can't comment on the suitability of them for your solution however it would make sense to just delete the org levels from the parent role. It is not common that the * values are maintained in there. Leaving them out has a number of benefits, an obvious one being that you don't assign the master / parent to users.

Alex,

Thank you for your comments.

First portion:

Yes, I have realized that, and I agree. However, since we already have master roles and child roles in the system, I just thought it may be a quicker solution to maintain those values individually and get rid of the inheritance.

Second portion:

Now I have two votes. Maybe I should rethink the current setting of * in the master role org fields.

You guys are so helpful. Thanks!

HM

Hi Bernhard

. The only difference is at the first adaption of a new child/derived role. With the field empty, you'll get a red status in the chidl role -->forces to maintain the value, with filled
field (for instance with '*') the status is green in the child.

Just had a look at this as I couldn't remember - creating a new derived from scratch using a parent with wildcards still brings up the org level box to complete rather than populating. Copying an existing derived retains the original org levels of the donor derived.

I don't like * values in parents for precisely the reason Alex stated - they get assigned before you know it unless you use a different prefix on the role and ensure the admin team are excluded from it.

Just my own personal preference.

Kind regards

David

>

> Just my own personal preference.

Mine too. It's easy to get in a pickle when you have user admin's randomly assigning stuff that they have found in SUIM.

Hi Arpan

In my previous reply I tried to hint:

If intentional then break the link, if accidental then repair the org level to retain the derived link.

AGR_RESET_ORG_LEVELS

Regards

David

Hi Arpan

I only knew about this program because somebody I worked with was kind enough to share their knowledge and experience.

Manually maintaining org levels at object level even after seeing the big message about 'hey - what are you playing at?!!' does make you wonder about the reasoning behind the entry (if that has actually been confirmed in this thread?).

Cheers

David