SAP Security & GRC made easy

How to create a master role and a derived role

We will demonstrate the concept of a derived role using a simple example. First, we will create two roles in transaction PFCG:

  1. Master Role: ZTEST_MASTER
  2. Derived Role: ZTEST_DERIVED (inherited from the master role)

Steps:

1. Create the Master Role:

  • Open transaction PFCG.
  • Enter the desired master role name in the selection screen.
  • Click on the Single Role button to proceed.

  • Go to the Menu tab and press Yes on the pop-up screen.
  • Press the Transaction button to assign transactions to your role.
  • After pressing Assign transactions, you will see all the transactions in the Menu tab.
  • The next step is to manage authorizations and organizational levels. Go to the Authorizations tab and press Yes on the pop-up screen to save the role.
  • Then press the button for changing the authorization data.
  • On the next screen, press the organizational levels button in the menu bar. The system opens a pop-up screen in which you define the organizational levels for the master role. In our example, the master role is created for company code 1000 without restrictions on the other organizational level fields. Finally, press Save.
  • Then generate the profile by clicking the Generate button in the menu bar. The system opens a pop-up, where we click Generate again.
  • The system opens the next screen; click the button shown in the screenshot to continue.
  • After this pop-up, press the Back button in the menu bar to return to the PFCG initial screen and press Save.

2. Create the Derived Role:

  • Go to transaction PFCG, enter the derived role name and press Single Role.
  • On the next screen, enter the role name and, as a mandatory step, the master role name in the field Derive from role.
  • Save the role and go back to the initial screen of transaction PFCG. Enter the master role name and press Edit.
  • Go to the Authorizations tab and press the button Change authorization data.
  • On the next screen, press the button Generate derived roles. The system shows a message that we confirm with the button shown in the screenshot.

In the bottom left part of the screen we get a message:

This message means that the characteristics of the master role have been inherited by the derived role.

The next step is to go to the Menu tab, where we see all the transactions from the master role:

The final step is to assign the specific authorizations to our derived role. We need to assign the exact organizational levels and the other authorization values that distinguish one derived role from another.

To do that, go to the Authorizations tab and press Change authorization data.

On the authorization screen press Organizational levels and enter the precise organizational levels for the derived role. Then press Save.

On the authorization screen press Generate. Finally, generate both roles again to be sure that you have successfully finished your task.
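As an added illustration (not part of the original post, and not SAP code), the following Python model shows what the "Generate derived roles" step copies from the master and what stays specific to each derived role, together with a consistency check: a derived role should differ from its master only in restricted organizational-level values, because any other value edited by hand in the derived role is replaced the next time derived roles are generated from the master. The authorization objects F_BKPF_BUK and S_TCODE and the company code 2000 are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Fields that PFCG maintains as organizational levels (illustrative subset).
ORG_LEVEL_FIELDS = {"BUKRS", "WERKS", "VKORG"}
AuthKey = Tuple[str, str]  # (authorization object, field)

@dataclass
class Role:
    name: str
    parent: Optional[str] = None
    tcodes: Set[str] = field(default_factory=set)
    auths: Dict[AuthKey, Set[str]] = field(default_factory=dict)

def derive(master: Role, name: str, org_levels: Dict[str, str]) -> Role:
    """Model of 'Generate derived roles': menu and non-org-level values are
    copied from the master; org-level fields take the derived role's own values."""
    auths: Dict[AuthKey, Set[str]] = {}
    for (obj, fld), values in master.auths.items():
        inherited = fld not in ORG_LEVEL_FIELDS
        auths[(obj, fld)] = set(values) if inherited else {org_levels.get(fld, "")}
    return Role(name, master.name, set(master.tcodes), auths)

def derivation_drift(master: Role, derived: Role) -> list:
    """Audit check: a derived role may differ from its master only in
    org-level values, and those must be restricted. Anything else is drift."""
    findings = []
    if derived.tcodes != master.tcodes:
        findings.append(f"{derived.name}: menu differs from {master.name}")
    for obj, fld in sorted(set(master.auths) | set(derived.auths)):
        mine, theirs = master.auths.get((obj, fld)), derived.auths.get((obj, fld))
        if fld in ORG_LEVEL_FIELDS:
            if not theirs or theirs & {"", "*"}:
                findings.append(f"{derived.name}: {obj}/{fld} org level unrestricted")
        elif mine != theirs:
            findings.append(f"{derived.name}: {obj}/{fld} differs from master")
    return findings

# Constructed sample data following the post: master role for company code 1000.
MASTER = Role("ZTEST_MASTER", tcodes={"FB01", "FB03"}, auths={
    ("S_TCODE", "TCD"): {"FB01", "FB03"},
    ("F_BKPF_BUK", "BUKRS"): {"1000"},
    ("F_BKPF_BUK", "ACTVT"): {"01", "03"},
})
# Derived role restricted to company code 2000 (constructed value).
DERIVED = derive(MASTER, "ZTEST_DERIVED", {"BUKRS": "2000"})
# The same derived role after someone widened ACTVT by hand in PFCG.
EDITED = derive(MASTER, "ZTEST_DERIVED", {"BUKRS": "2000"})
EDITED.auths[("F_BKPF_BUK", "ACTVT")].add("02")
```

Running `derivation_drift(MASTER, DERIVED)` returns no findings, while the hand-edited copy is reported because its ACTVT values no longer match the master.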