Master and Derived Role Maintenance question

Question: Hello All,

We have a number of derived roles which we are in the process of updating. Wen we update the master role to remove or add T-Codes it the derived roles require updating and generating as well.

Is there a quicker way to update all roles in one shot (ie use mass generate) but then have a report set up to figure out which ones have auth objects that need to be maintained?

Thanks!

Answer:
Hi

Probably missed the point but is this PFCG/enter parent role/auth tab/authorisations/adjust derived/generate derived roles?

Answer:
But if you add new transactions that call in new organisational fields, you may need to maintain all the child roles manually... But in this case you would know as you would be prompted to enter org values. I think the best bet would be to look in table AGR_1251 for all roles that has unmaintained fields. That would only work if you don't have any that are left blank on purpose though...

Answer:
Hi moving500,

Exactly what Henrik says, but by reading your post I'm not sure if you get the idea about derived roles.

There is a way to mass generate. It's the icon just to the right of the "normal" generation.

The only thing you want to maintain in a derived role is the organizational levels (company code, profit center, plant etc.). If you add a t-code that does not check any organizational levels, you just mass generate all the roles and you are done. Indeed you are able to maintain "normal" authorizations in the derived roles, but you do not wanna go there.

I am sorry if this is obvious to you. Then I have misread your post.

Answer:
This sounds like the reason not to use derived roles, that someone once tried to explain to me. But I am stuck on this bit Blaster:

There is a way to mass generate. It's the icon just to the right of the "normal" generation.

Inside PFCG the Icon to the right of the Generate Icon is a trash can for Delete Inactive . I am not sure this is too Helpful! you can't generate from the front screen of a role, so I guess you are on about transaction SUPC - where the icon to the right of the generate (assuming you don't generate automatically) is the direct route into maintaining the auths - a pencil. Where are you ? (Please Excuse me if I am on an older version - 4.7)

I would be using SUPC for this but if each role is reading a tcode change from the parent role then you are going to have to Read and Merge for each one individually - if they are all the same size and shape then SCAT will /might get you through...

minsh
_________________
???

Answer:
Hi minsh,

Yeah I totally agree. Derived roles can be more of an annoyance than a help.

You are right that when entering authorizations in pfcg for "normal" roles, the icon layout is as you say, but when it is a master role, you get the option to generate the master role and the derived roles at the same time.

If this is not the case, then the "derived" roles have been created wrong.

Answer:
Blaster - nice one - all is now clear. Actually looking at a role of the type in question helped immensely - schoolboy error ...

can't get my head round how exactly they are useful - it all looks over complicated to me. But I guess they could be handy if they are "designed in".....