Introduction:

Many organization use master derived concept for their security structure. It is quite a powerful tool provided by SAP to manage role with lesser amount of time spent. However in support process when authorization get normalized the often it could be found that few non-org level field values are there which are different for various market. In those situations it is likely that normal profile generation from master role will not work. In other terms we have to manage these roles individually. This blog is to show way to over come the same so we can keep enjoying benefits of master derived concept with little exception in consideration.

Issue:

I categorized the issue as per below two scenario.

A. One non-org level field is there and the same has different value across the derived roles. But the field value is uniform in any particular derived role. Let’s take example. One master role has below objects which contain field BSART (Purchasing Document Type).

1. M_BANF_BSA
2. M_BEST_BSA
3. M_RAHM_BSA

The master role has 2 child roles. Market1 use MR1 for this field for the entire above mentioned object. Market2 use MR2 for this field for the entire above mentioned object.

B. One non-org level field is there and the same has different value across the derived roles. And the field value is not uniform in any particular derived role. Let’s take above example again. One master role has below objects which contain field BSART (Purchasing Document Type).

1. M_BANF_BSA
2. M_BEST_BSA
3. M_RAHM_BSA

The master role has 2 child roles. Market1 use below values

1. M_BANF_BSA           M1A
2. M_BEST_BSA            M1B
3. M_RAHM_BSA          M1C

Market2 use below values

1. M_BANF_BSA           M2A
2. M_BEST_BSA            M2B
3. M_RAHM_BSA          M2C

For both the issues profile cannot be distributed from master role.

Solution:

A. We simply can promote the non org level field (here in this example BSART) to org level.

B. However for 2^nd case we cannot promote the field to org level as the derived role does not have uniform value across the role. To overcome this situation we have to add these objects manually in master role and inactive earlier status (maintained, standard). The same to be applied for derived roles as well. Doing so when we can adjust derived roles from master role but these manually object value will not be distributed. In other word they will stay intact as org levels in derived roles. But have to maintained directly in child role like org level.

Caution:

If the above process for manually maintained object implemented for a unavoidable scenario then copy data (Ctrl+Shift_7) must NOT be performed. It will fetch data from master role for manual objects as well.