Creating Derived Roles in SAP Security

Creating Derived Roles in SAP Security

Derived roles :

1.   Derived roles refer to roles that already exist.  The derived roles inherit the menu structure and the functions included (transactions, reports, Web links, and so on) from the role referenced or simply you can call as Parent Role.  A role can only inherit menus and functions if no transaction codes have been assigned to it before.

2.  These are used to define to handle the security at organization levels.

3     These are created for administrative purpose to minimize the maintenance.

4.   Derived roles specify the division or unit for which the security can be provided.

5.    Derived roles are inherited from parent role/ single role/ generic role differed by there organization levels.

6.     Derived roles are also called as child roles.

7.   The higher-level role passes on its authorizations to the derived role as default values which can be changed afterwards.  Organizational level definitions are not passed on. They must be created a new in the inheriting role. User assignments are not passed on either.

8.     Derived roles are an elegant way of maintaining roles that do not differ in their functionality (identical menus and identical transactions) but have different characteristics with regard to the organizational level.

9.   The menus passed on cannot be changed in the derived roles.  Menu maintenance takes place exclusively in the role that passes on its values. Any changes immediately affect all inheriting roles.

10. You can remove the inheritance relationship, but afterwards the inheriting role is treated like any other normal role. Once a relationship is removed, it cannot be established again.

11.   In derived roles, menus are fixed.

12.   These are created in PFCG

13.   In versions earlier than 4.6 c, derived roles are also called as Derived Activity Groups DAGS.