1. Create a master role first and then create derived roles by selecting the master role. This propagates authorizations from the master role to derived roles.
2. To delete the inheritance relationship between a master and derived role, remove the master role selection from the derived role. The derived role then becomes independent and can no longer inherit authorizations from the master role.
3. Authorizations can be pushed from a master role to all derived roles using the push button after making changes to authorizations in the master role.
Derived master roles Configuration screenshots in SAP Security
1. Master And Derived Roles
Always first create the Master role and then add Derived role
Create the Master Role :
Enter PFCG in the Sap Easy Access Screen
Enter the Master Role Name and click on create role
5. Go to Utilities and click on Technical names on
Click on the role and expand
Here all the Open fields should be Zero and there can be Un maintained Org levels
7. Do not Assign Users from the User tab in Master Role .Always assign them from the
derived roles
Derived Role Creation:
Enter the Role Name in PFCG and click on Create and enter the Master role in the Derive
from Role
12. Go to User Tab and enter the Username and click on user Comparison.
13. The same way follow the above steps and create some more derived roles
By entering the Master role in the derive from ro0le in description screen
Now after creating the derived roles enter the Master Role in the PFCG screen and
Click on change icon
Go to Authorizations tab and click on Change Authorization data
Click on the push button next to Generate icon to push the Authorization information to
all the derived roles
14.
15. Now go to the derived roles and check the authorization information maintained
16. Scenario 2:
Deletion of Master role from the derived role
Enter the Role in PFCG and Click on Delete Inheritance relationship
17.
18. Now the derived role acts as a single role and it cannot be added to the Master role again