SAP SECURITY ADMINISTRATION, SAP GRC, SAP BASIS.
How To Create Derived Roles in SAP
We have seen how to create single roles and composite roles and how to assign roles to user master records. In this blog we will see how to create derived roles and assign them to users in SAP.
The difference between a derived role and the role it is derived from lies in the organizational values. The menus and authorizations are the same in both roles. The relationship is also called a parent-child relationship, or master role and derived role.
Derived roles are useful when the organization is spread across the globe. System administrators can create one master role and derive several roles from it based on the company codes.
Procedure for creating derived roles:
1. Go to SAP menu --> Administration --> User Maintenance --> Role Maintenance, or execute transaction code PFCG. Enter the derived role name and click on the Create Single Role tab.
2. Provide a short description and long text, such as manager approvals and ticket number.
3. Enter the name of the role to derive from (the parent role).
4. Go to the Authorization tab and enter the profile name manually or choose the proposed value. Then click on Change Authorization Data.
5. Enter the organizational levels and click on the Save icon.
6. Click on the Generate icon to generate the role.
7. Go to the User tab and assign the users manually or select them from the list.
8. Click on the Save icon to save the role.
Watch demo video on how to create derived role in SAP.
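The following Python check is an added example, not part of the original post. It runs over constructed authorization rows and tests the property described above: a derived role should carry the same authorizations as its master role and differ only in organizational-level values. The role names, the row layout and the choice of BUKRS and WERKS as organizational-level fields are assumptions for illustration.

```python
from collections import defaultdict

# Assumption for this example: company code and plant are the org-level fields.
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS"}

# Constructed sample rows: (role, authorization object, field, value).
ROWS = [
    ("Z_AP_CLERK_MASTER", "F_BKPF_BUK", "ACTVT", "01"),
    ("Z_AP_CLERK_MASTER", "F_BKPF_BUK", "ACTVT", "03"),
    ("Z_AP_CLERK_MASTER", "F_BKPF_BUK", "BUKRS", ""),    # org level empty in master
    ("Z_AP_CLERK_1000", "F_BKPF_BUK", "ACTVT", "01"),
    ("Z_AP_CLERK_1000", "F_BKPF_BUK", "ACTVT", "03"),
    ("Z_AP_CLERK_1000", "F_BKPF_BUK", "BUKRS", "1000"),
    ("Z_AP_CLERK_2000", "F_BKPF_BUK", "ACTVT", "01"),
    ("Z_AP_CLERK_2000", "F_BKPF_BUK", "ACTVT", "02"),    # manual change: drift
    ("Z_AP_CLERK_2000", "F_BKPF_BUK", "ACTVT", "03"),
    ("Z_AP_CLERK_2000", "F_BKPF_BUK", "BUKRS", "*"),     # wildcard org level
]


def split_role(rows, role):
    """Return (non-org authorizations, org-level values) for one role."""
    auths, org = set(), defaultdict(set)
    for name, obj, field, value in rows:
        if name != role:
            continue
        if field in ORG_LEVEL_FIELDS:
            if value:                       # skip unmaintained (empty) org levels
                org[field].add(value)
        else:
            auths.add((obj, field, value))
    return auths, dict(org)


def audit_derived(rows, master, derived):
    """Compare a derived role with its master and report differences."""
    m_auths, _ = split_role(rows, master)
    d_auths, d_org = split_role(rows, derived)
    return {
        "extra": sorted(d_auths - m_auths),     # only in the derived role
        "missing": sorted(m_auths - d_auths),   # only in the master role
        "org_levels": {f: sorted(v) for f, v in d_org.items()},
        "wildcard_org": sorted(f for f, v in d_org.items() if "*" in v),
    }


if __name__ == "__main__":
    for role in ("Z_AP_CLERK_1000", "Z_AP_CLERK_2000"):
        print(role, audit_derived(ROWS, "Z_AP_CLERK_MASTER", role))
```

An empty "extra" and "missing" list means the derived role still matches its master; a non-empty "wildcard_org" list means the role is not actually restricted by that organizational level.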