Master and Derived Role

Former Member · ‎09-18-2016

Hi,

We have created one Role as a Master and one as Derived.

We are maintaining one authorization on Master which get overwritten on Derived !

The Field M_MSEG_LGO has to Maintain Different Value in Master and Derived has to maintain different Value.

MM_Master_Role

M_MSEG_LGO

>ACTVT = 01

>BWART = 261

>LGORT = *

>WERKS = 1002

MM_Derived_Role

M_MSEG_LGO

>ACTVT = 01

>BWART = 261

>LGORT = *

>WERKS = 1001 (Changed Value)

But Whenever we update the Master Role the Values for Derived Role get Changed !

Derived Role Updates only TCODE from Master Or Entire Authorization Values ?

- Swapz

Sriram2009 · ‎09-18-2016

Hi Swapz

Refer the link Parent &#038; Derived Roles &#171; Sap Security Pages

BR

SS

Former Member · ‎09-19-2016

Thank you Sriram for your shared Link it is Useful, in that there is clearly mentioned, Values of Organization fields wont get derived from Master Role (Parent Role).

In My Case Plant Value is get Changed !

- Swaz

Sriram2009 · ‎09-19-2016

In your case parent role should have full access (*), Child role can derived from the parent role with organisation level control.

BR

SS

Former Member · ‎09-19-2016

If you maintain a plant value in a master role then it will override the value in the child role. Only if you leave the parent role org level blank will it respect the child role value.

former_member237472 · ‎09-23-2016

Hi,

Is the ORG value that is incorrectly appearing from the Master role coming in the ORG level or it is appearing in one of the auth. objects which has one of the field as ORG level?

If the case if the latter one then check if someone has manually modified this object in the derived role. If yes, then please note that, if an object that contains one of the field as an ORG level is modified manually in the derived role, that particular instance of that auth. object does not act in sync with the ORG level maintained in the derived role. For example I have object M_MSEG_LGO in master and derived role, and if I modify this object's field WERKS (which is an ORG level) manually in the derived role, it will not be in sync with the values maintained for PLANT in the main ORG level.

To correct this, that particular instance of the auth. object will have to deleted and the data from master role will have to be pushed.

BR,

Anish

Former Member · ‎09-19-2016

HI Swapz,

In your case you need to have 2/more derived roles for the different Plants rather than using the Master role with a specific Plant value.

Best Regards,

Arun.

Bernhard_SAP · ‎09-27-2016

Of course you can maintain values in the inheriting role, as long you do not maintain the values directly but in the org.field popup. This obviously has not been done, but you maintained it directly. Delete it and it will work.

Similar scenario described in SAP kba 2067400.

please check out SAP course ADM940.

b.rgds, Bernhard

former_member653611 · ‎12-15-2019

the main difference between master role and derived role is org levels.if you modify any value in authorization fields of master role that value automatically will pull into the derived role. No need to maintain any org value in master role why because we should maintain org values in every derived role and that values are varies from company to company.

one more difference is we cant add tcodes in derived role. we can just add org levels only.