Application Development Discussions
Master Derived roles. Transaction not getting restricted by company code in derived role

Former Member

I recently added MRRL, MRM2 and MRM1 into a master role *_FI_WW_*_CLERK and generated the master and derived roles.

Now when I go to the child role "*_FI_US*_CLERK_10000", I can execute the tcode MRM1 not only for company code 10000 but also for another company code.

Now I have checked: the master level has * for company code and the derived roles are restricting the company code, and in the org level I have mentioned the company code, e.g. for this role "*_FI_US*_CLERK_10000" the company code mentioned is "10000", and similarly for another child role "FI_*_CLERK_42200" the company code mentioned is "42200".

But when I execute MRRL I can pick any company code and execute, even though the user has only the "*_FI_US*_CLERK_10000" role and should be able to execute only for company code 10000.

I am new to this master/derived role concept. Can someone help? I can send a Word document explaining the issue if some SDN member wishes to see more detail.

Thanks,

andy

1 ACCEPTED SOLUTION

Former Member

Hi Andy,

As Shivraj mentioned, master roles should not have any values in the org level tab; yes, that is correct. You only need to maintain the org level values in the derived role directly in the ORG level tab.

Also, do not make any changes at field level in the derived role for any org values. They should be added only in the org value tab.

So please remove all org values from the master role and maintain them in the derived roles directly. After that, generate both the master and derived roles again.

Hope it will resolve your issue.

Thanks,

Varun Jain

8 REPLIES

shivraj_singh2
Active Participant

Andy,

In the master/derived roles scenario, organizational levels are usually left blank in the master role and populated only in the derived roles, so the Authorization tab shows up RED in PFCG. Also, the master role is not assigned to any user; only derived roles are assigned.

So the first step I can suggest is to get rid of any values in the Org Level tab in the master role and maintain them only in the derived role.

Regards,

Shivraj


Hi,

Sorry, this is wrong. Master roles are supposed to have "*" for all org levels, and specific values of org levels are to be entered at the derived role level. The profiles of both master and derived roles should be generated at all times.

As for the original issue, please run a trace on a test user with your derived role assigned; I suspect your transaction code MRRL is not coded to be restricted by company code. You can also debug the tcode's source code with the help of a developer if you are not sure about the trace results.

Thanks

Sandipan


Thanks guys for the reply. I am attaching a doc to show the issue. As Sandipan has mentioned, my master role has * for org levels and company codes are maintained in the child role. This is an old role which is working as it is supposed to; the issue is that I added new tcodes and they are not getting restricted.


I can send the document if you guys want to see it, if that is ok with you. Please send me your email id.

These are the transactions I am testing: "MRRL, MRM1, MRM2".

Thanks

Frank_Buchholz
Product and Topic Expert

Master roles are supposed to have no values, and especially not a "*", for any org levels. (PFCG should show red traffic lights!) You do not assign master roles to users, therefore it is irrelevant whether you generate the profile or not.

Derived roles are supposed to have specific values of org levels. As you assign derived roles to users, you have to generate the profile.

Kind regards

Frank Buchholz

SAP Active Global Support - Security Services


These are the values in my master role.

Master Role "WW_AP_CLERK" has these org values:

========================================

    Company code             *
    Purchasing group         *
    Purchasing organization  *
    Business area            *
    Credit control area      *
    Account type             *
    Controlling area         1000
    Plant                    *

=====================================

I generated this and all the derived roles.

Derived role org levels, e.g. for the derived role *_AP_CLERK_2080:

====================================

    Company code             2080
    Purchasing group         *
    Purchasing organization  2080
    Business area            *
    Credit control area      2080
    Account type             *
    Controlling area         1000
    Plant                    2080, 2090

========================================

The user DOES NOT have the master role but ONLY the derived role.

1. If I go to SU24 for tcode MRRL, I see that auth. object "F_BKPF_BUK" has check indicator YES but auth. object "F_SKA1_BUK" has check indicator "NO".

As I mentioned, the role is working for the rest of the transactions and restricting by company code, but for these MRRL/MRM1/MRM2 it is not restricting. These are new tcodes I added to the role.

Is there any special setting for these tcodes in order to restrict by company code?


Thanks all for your time in replying to my message.

==============================================================

The solution for this issue is that all these 3 tcodes do not have a condition in their program to restrict by company code, so even though the company codes are correct in the org level of the role, for these tcodes those company code conditions are not getting checked.

751590 - MRRL: Authorization check

For MRRL, since the ERS procedure is an automated process which is executed to a great extent as a background process, authorizations are to be implemented on the level of the job administration or the execution of the report and the transaction.

A check on authorization objects of purchasing is not provided for evaluated receipt settlement in the R/3 standard system. When you branch from the transaction to the purchase order, the system checks the objects in the purchasing application.

If you want to implement a customer-specific authorization check, you can use the user exits called from function module "MRM_INVOICE_VERIFICATION_ERS" (enhancement MRMH0001):

--
EXIT_SAPLMRMH_001: Customer Exit: ERS - Change Header Field
EXIT_SAPLMRMH_002: Customer Exit: ERS - Change Item Fields
--

===========================================================

From the application side it is not possible to restrict access to the MRM1 and MRM2 transactions.
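As an added illustration of the customer-specific check that SAP Note 751590 points to, here is an ABAP sketch of an AUTHORITY-CHECK on F_BKPF_BUK placed in the ERS header user exit. This is example code written for this page, not code from the thread, from SAP, or from the note. The following are assumptions and not taken from the page: that the exit EXIT_SAPLMRMH_001 supplies the invoice header in a parameter named I_RBKPV with a component BUKRS, that activity '01' (create) is the right activity to check, and the include names ZXM08U01 and ZXM08F01, which are placeholders for whatever customer includes the project's enhancement actually uses. The code needs ABAP 7.40 or later for the inline declaration and string template.

```abap
*----------------------------------------------------------------------*
* Added example (not from the thread or SAP Note 751590).
* Customer-specific company-code check for ERS (MRRL) in the customer
* include of user exit EXIT_SAPLMRMH_001 (enhancement MRMH0001).
* Assumption: the exit passes the invoice header as I_RBKPV with a
* component BUKRS. Include names below are placeholders.
*----------------------------------------------------------------------*

* ---- ZXM08U01 (placeholder: customer include of EXIT_SAPLMRMH_001) ----
  DATA lv_bukrs TYPE bukrs.

  lv_bukrs = i_rbkpv-bukrs.                 " assumed exit parameter name

  PERFORM check_ers_company_code USING lv_bukrs.

* ---- ZXM08F01 (placeholder: separate customer include for FORMs) ----
FORM check_ers_company_code USING iv_bukrs TYPE bukrs.
  " F_BKPF_BUK is the object the original poster saw with check
  " indicator YES in SU24 for MRRL. Its fields BUKRS and ACTVT are the
  " standard ones, so the company code maintained as an org level in the
  " derived role (e.g. 2080 in *_AP_CLERK_2080) is what BUKRS is compared
  " against. Without an AUTHORITY-CHECK like this in the program, the org
  " level value in the role is never consulted, which is the behaviour
  " the thread describes.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '01'.

  IF sy-subrc <> 0.
    " Abort settlement for this company code. In a background job an
    " E message terminates the step and is recorded in the job log, so
    " the failed check is visible to whoever administers the job.
    DATA(lv_text) = |No authorization for company code { iv_bukrs } in ERS|.
    MESSAGE lv_text TYPE 'E'.
  ENDIF.
ENDFORM.
```

The check only takes effect for the derived role's company code if the F_BKPF_BUK proposal in SU24 for MRRL is pulled into the role and the profiles are regenerated; the authorization trace Sandipan suggests (run with a test user holding only the derived role) is the quickest way to confirm that the check is now executed and returns a failure for a foreign company code.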