Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Derived roles are getting overwritten everytime when I update Master Role.

Go to solution
Former Member

‎03-09-2015 11:44 AM

0 Kudos

Hi Experts !

We have created some Master and Derived roles in the past.  According to the requirement we have made some changes directly in the derived roles like some value of objects, activities, etc.. Now we added one t-code in the master role and generated its profile and generated all derived roles also. But changes made directly in derived roles earlier, revoked from all derived roles.

Now can anyone tel me how to add t-code in Master and derived roles so that the changes directly made in derived role should not be removed.

Please help and give your valuable advise.

Regards,

Lokesh Bajaj

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎03-09-2015 7:33 PM

0 Kudos

Hi Lokesh,

The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.

Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 

You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.

Cheers

6 REPLIES 6

Go to solution
former_member298454
Active Participant

‎03-09-2015 6:45 PM

0 Kudos

Lokesh,

Master and derived role only should vary at Org level.I am not sure why you do specific changes only to derive role,

Give more details about the requirement and see if you get any helpful answers.

Thanks,Krishna

Go to solution
Former Member
In response to former_member298454

‎03-10-2015 1:54 PM

0 Kudos

Dear Krishna,

I am giving you an example. Suppose there is a Master role z_abc_master and one two derived role z_d_abc and z_d_abc1. According to the requirement in z_d_abc we have maintained some document type 1, 2 and 3 and for z_d_abc1 we have maintained document type 4, 5 and 6. But in master role z_abc_master only 1, 2 and 3 document type is maintained. Now if I change something in Master role and generate it then derived roles will take value of document type 1,2 and 3. 4,5 and 6 will be removed.

Simply I want that changes made in Master role will not overwrite the derived roles, but simply add changes in derived roles.

Go to solution
former_member298454
Active Participant
In response to former_member298454

‎03-10-2015 2:32 PM

0 Kudos

Lokesh ,

I understood your query and agree with Alex response.

If there is need to give direct authorizations(non-org level) to derive role then without disturbing master - derive role ,you may create single role which accommodate only extra access (doc type 4,5,6) and use this single role along with derive role for composite role assignments and user assignments .I feel this is feasible if it is couple of derived role changes , not many.

Thanks,Krishna

Go to solution
Former Member
In response to former_member298454

‎03-10-2015 2:43 PM

0 Kudos

Thanks Krishna... This is also a good suggestion for this.

Go to solution
Former Member

‎03-09-2015 7:33 PM

0 Kudos

Hi Lokesh,

The main principle of derived roles is that they inherit all object level access from the parent with the exception of organisational levels.

Using derived roles you cannot achieve your requirement.  If there are any object level differences in the derived roles then you will need to create different master roles or delete the inheritance relationship.  This is a design constraint when using derived roles and if you do use them (some would advise against) then it has to take this functionality into account. 

You can promote most field values to org levels which will not be overwritten but you need to be very careful that it doesn't cause problems elsewhere (e.g. promoting auth group to an org level).  I respectfully suggest that you do not go down this route without consulting someone who has done it before and can evaluate your solution for it's suitability.

Cheers

Go to solution
Former Member
In response to Former Member

‎03-10-2015 7:31 AM

0 Kudos

Thanks Alex for your quick response. I will take care your suggestions.