What is a derived role?
- SAP-standard approach that allows organizational data restriction and reduces role administration tasks
- Parent (Master Role) and Child (Derived Role(s)) concept where the child role will have identical attributes to the parent role
- Parent role will have wide-open access to all organizational level entities
- Child role will have limited access to a specific organizational unit (e.g. Company Code 1000)
- Simplified maintenance at derived role level as only organizational levels need to be maintained
- Minimizes human error during authorization maintenance through automation, and reduces testing effort
|Advantages|Disadvantages|
|---|---|
|No Updates Needed Post-Upgrade|Increased number of technical security roles|
|Eliminates Human Error||
|Simplification of Role Administration Tasks||
|Program to mass update values in org level window||
|Decreases level of effort required for testing||
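The parent/child relationship described above can be checked mechanically: a child role should differ from its master only in organizational-level fields. The sketch below is an added example, not SAP code or part of the original page; the role contents are constructed sample data, and treating `BUKRS` as the only org-level field is an assumption.

```python
# Added illustration; role data below is constructed, not exported from a system.
ORG_FIELDS = {"BUKRS"}  # assumption: company code is the only org level here

# Master role: (authorization object, field) -> allowed values.
MASTER = {
    ("F_BKPF_BUK", "ACTVT"): {"01", "02", "03"},
    ("F_BKPF_BUK", "BUKRS"): {"*"},            # wide open in the parent
    ("F_BKPF_KOA", "ACTVT"): {"01", "02", "03"},
    ("F_BKPF_KOA", "KOART"): {"D", "K"},
}

def derive(master, org_values):
    """Copy the master, replacing only org-level fields with the child's values."""
    return {
        (obj, field): set(org_values.get(field, ())) if field in ORG_FIELDS else set(values)
        for (obj, field), values in master.items()
    }

def audit(master, child, org_values):
    """List (object, field, reason) where a child differs from a clean derivation."""
    expected = derive(master, org_values)
    findings = []
    for key in sorted(set(expected) | set(child)):
        exp, act = expected.get(key), child.get(key)
        if exp == act:
            continue
        if exp is None:
            reason = "authorization not present in master"
        elif act is None:
            reason = "authorization missing from child"
        elif key[1] in ORG_FIELDS:
            reason = "org level differs from assigned unit"
        else:
            reason = "non-org field differs from master"
        findings.append((key[0], key[1], reason))
    return findings

if __name__ == "__main__":
    assigned = {"BUKRS": {"1000"}}
    child = derive(MASTER, assigned)
    child[("F_BKPF_BUK", "BUKRS")] = {"*"}      # manual edit: org restriction lost
    child[("F_BKPF_KOA", "KOART")].add("S")     # manual edit: extra account type
    for finding in audit(MASTER, child, assigned):
        print(finding)
```

Run against exported role data, an empty result means the child still matches its master outside the org levels; any finding points to a manual change that broke the derivation.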
What is an enabler role?
- Non-standard approach to allow for organizational restriction and reduce number of technical roles
- Single, manually created, Authorization Object-only technical role (without t-codes) that provides access to a restricted organizational level unit (e.g. Company Code 1000)
- Authorization objects in Functional Roles need to be “disabled”
- A single common authorization object may be responsible for a particular organizational security check in hundreds of transaction codes. This can be contained in one enabler role.
|Advantages|Disadvantages|
|---|---|
|Reduced number of technical security roles|All Enabler Roles Updated Post-Upgrade|
|Flexibility in complex / low level data restriction designs/build|No automation to maintain authorization objects within enabler roles|
||Frequency of human error increases|
||More complex org structure = more complex enabler role design|
||Non-standard SAP approach|