‚Č° Menu

What is Derived Roles and how to create in SAP Security

Derived Roles

The following SAP Security training tutorials guides you about derived roles and how to create derived roles in SAP step by step. In our previous security training tutorials we have learnt how to create user roles step by step.

What is Derived role

The derived role receives the menu structure and various functions like transactions, reports, web links, etc from role referenced. So we can call it as a parent role. The role only receives menus and functions if no t-codes have been assigned to it. Derived roles are used to maintain security at organization levels and it helps to minimize the administrative maintenance.

Lets Learn how to create derived role in SAP security

Enter transaction code “PFCG” in the SAP command field and enter.

Transaction code PFCG

In next screen, enter role name and click on role tab as shown below.

derived role maintenance

Now we derived role from the existing role, click on derived from role tab to derive the existing role.

derive from role

On importing role window, click start search button and you can provide maximum number of hits.

name of importing file - derive roles

Now select the particular role that we want to derive , here we selected master role. After selecting the role a window opens seeking that you want to enter specific role as the importing role, click on yes.

set importing file - derived role

Update the descriptive name of the derived role and click on save button (Crl+S).

Derived role from importing file

Here you can see menu has been inherited, Click on menu and check what are the menus that has been inherited.

What is Derived Roles and how to create in Security

Now we have to change the authorization data, click on authorization tab and click on change authorization data.

What is Derived Roles and how to create in Security authorization data

Here we can see company code and account type organization level, assign the values and click on save button.

define orgaization levels derived roles

Select generate button and then click on generate option.

generate profiles

Press enter to continue as shown below to assign profile name for generated authorization profile.

assing profile name to generate profile

Click on user tab and update user id in the user field, then click on user comparison.

user comparision

Click on complete comparison as shown below image. Now you can see user comparison in green color.

complete comparision

Finally click on save button and save the configured derived roles details.