What is a derived role?
- SAP Standard to allow for organizational data restriction and reduce role administration tasks
- Parent (Master Role) and Child (Derived Role(s)) concept where the child role will have identical attributes to the parent role
- Parent role will have wide-open access to all organizational level entities
- Child Role will have limited access to a specific organizational unit (i.e. Company Code 1000)
- Simplified maintenance at derived role level as only organizational levels need to be maintained
- Minimizes human error during authorization maintenance using automation and reduced testing efforts
| Pros | Cons |
| No Updates Needed Post-Upgrade | Increased number of technical security roles |
| Eliminates Human Error | |
| Simplification of Role Administration Tasks | |
| Program to mass update values in org level window | |
| Decreases level of effort required for testing |
What is an enabler role?
- Non-standard approach to allow for organizational restriction and reduce number of technical roles
- Single, manually created, Authorization Object-only technical role (without t-codes) that provides access to a restricted organizational level unit (i.e. Company Code 1000)
- Authorization objects in Functional Roles need to be “disabled”
- A single common authorization object may be responsible for a particular organizational security check in hundreds of transaction codes. This can be contained in one enabler role.
| Pros | Cons |
| Reduced number of technical security roles | All Enabler Roles Updated Post- Upgrade |
| Flexibility in complex / low level data restriction designs/build | No automation to maintain authorization objects within enabler roles |
| Frequency of human error increases | |
| More complex org structure = more complex enabler role design | |
| Non-standard SAP approach |
Tracy Juran (Levine) 