
Derived Roles in SAP and Benefits to SAP Security / GRC

Applies to:
SAP R/3 4.6, 4.7, ECC 5.0, ECC 6.0, SAP GRC Access Control 5.X. For more information, visit the Governance, Risk, and Compliance homepage.

Summary
This article explains the concept of the derived role and how it helps address Governance, Risk and Compliance issues. Role management is part of security administration, and the derived role concept makes it much easier where there are many cost centers, sales organisations and plant locations. The article is intended as a reference for security consultants as well as GRC experts.

Author: Gurugobinda Harichandan Parida
Company: HCL-AXON
Created on: 10 February 2009

Author Bio
Gurugobinda Harichandan Parida is a GRC Consultant working for HCL-AXON.

SAP COMMUNITY NETWORK 2009 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com 1

Table of Contents
Introduction
What is derived Role?
  A Sample Master Role for General Ledger
  Creation of a sample child role
  Sample Derived Role Showing the Organizational levels
Need of Derived Role
Business Benefits of Derived Role
Related Content
Disclaimer and Liability Notice

Introduction
Corporate Governance, Risk Management and Compliance (GRC) is an important topic in today's vulnerable business world. It affects all enterprises irrespective of their size and turnover, but it is more difficult to manage in larger corporate houses. From the viewpoint of corporate governance, risk management and compliance, SAP role management always plays a pivotal role, because it affects the organizational structure as a whole. It is essential to segregate responsibilities and authorizations.

In the wake of the Enron crash in 2001, the US Government was forced to enact a law with stringent norms to check irregularities and fraudulent activities. The outcome was the Sarbanes-Oxley Act of 2002, which places great stress on segregation of duties (SoD) for better accountability and corporate governance. Role management became more complex, difficult and time-consuming, and the norms to be followed were very stringent.

Automation of security activities is a prime concern for any organisation. To comply with Governance, Risk and Compliance guidelines, it is very important to manage roles in such a manner that they have no SoD violations. The derived role concept is an attempt at automating the process of role management. Though it is not an automated tool, it still reduces the time and cost of role management significantly. The potential risk level is minimal, and so are the approval steps.

You can use an existing role as a reference role when creating a child role. The system transfers the transactions in one role to a new role, one that remains dependent on the first. A derived role is a reliable way of creating multiple roles easily and in less time than creating new roles. It is especially useful for organisations with operations in multiple GEOs and many plant locations.

What is derived Role?


As the name states, a role that has been derived from a reference role is known as a derived role. The derived role concept involves two terms:

1. Template Role or Parent Role
2. Child Role or Derived Role

The template role is also known as the master role or reference role, and it is not directly assigned to any user or user group. The child role or derived role is one derived from the master role; it inherits the menu structure and functions (transaction codes, reports) of the master role, except the organization levels and the values of the authorization objects. A role can only inherit menus and functions if no transaction codes have been assigned to it before.

At the SAP level, the tables PARENT_AGR and AGR_DEFINE contain the derived roles and the parent role-child role relationship.

There are different types of Organizational levels in the role that can be maintained when deriving a role from a master role. They are as follows:
Account type ($KOART), Business Area ($GSBER), Company Code ($BUKRS), Controlling Area ($KOKRS), Credit Control Area ($KKBER), Distribution Channel ($VTWEG), Division ($SPART), Maintenance Planning Plant ($IWERK), Maintenance Plant ($SWERK), Operating Concern ($ERKRS), Plan Version ($PLVAR), Plant ($WERKS), Profit Centre ($PRCTR), Purchasing Group ($EKGRP), Purchasing Organisation ($EKORG), Sales Group ($VKGRP), Sales Office ($VKBUR), Sales Organisation ($VKORG), Shipping Point ($VSTEL), Storage Type ($LGTYP), Transportation Planning Point ($TPLST), Valuation Area ($BWKEY), Warehouse Number ($LGNUM), Work Centre ($ARBPL).

A Sample Master Role for General Ledger:

Creation of a sample child role:

Sample Derived Role Showing the Organizational levels:

Need of Derived Role


The derived role concept makes it easy to maintain roles for operations in different GEOs and multiple plant locations. With derived roles, there is no need to create roles individually for each GEO, plant location, cost centre and so on; you derive the role from an existing reference role, maintain the organisational levels and make minimal changes to authorisation values (only where necessary). A derived role inherits the menu structure of the parent role and the transactions, reports etc. added to it. If no transaction codes are assigned to the parent role, it inherits only the menus and the other functions added to it. The default values of the authorisation objects that the derived role inherits from the parent role can be changed later on. Derived roles possess an identical menu structure and identical transactions and/or reports. The changes are maintained at the organisational level. If you remove the inheritance relationship with the parent role, the role is no longer treated as a derived role but as a normal role.

How to Improve Compliance through Derived Role:

The derived role concept makes the role maintenance procedure hassle-free and lessens the risk involved in creating a new role. When a new role is created, it must be thoroughly checked which risks are involved and at what level, and SoD violations need to be checked properly. The same procedure has to be followed every time you create a role. In organisations having different plants in different locations, the level of risk involved is very high, and role maintenance is also a time-consuming process. With derived roles, the process is simple and time-efficient and minimizes the level of risk. There is no need to worry about the risks involved in the derived roles, because if the parent role or template role does not have any SoD violations, then the child roles also must not violate SoD. This minimizes the risk level and makes the whole procedure simple, time-efficient and hassle-free. With GRC Access Control, the maintenance of derived roles is more comfortable, less risk-prone and more time-effective, and assessing the risk level is easier and hassle-free.
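The following check is an added example, not code from the article or from SAP: it audits a constructed export of one master role and its derived roles, confirming that each child still carries the parent's transactions and non-organizational authorization values, and flagging a wildcard organizational level. The role names, the data layout and the single SoD rule are assumptions made for illustration.

```python
# Constructed sample export; role names, values and the SoD rule are
# illustrative assumptions, not data from the article or a real system.
ROLES = {
    "Z_GL_MASTER": {"parent": None, "tcodes": {"FB50", "FB03"},
                    "auth": {"F_BKPF_BUK/ACTVT": {"01", "03"}}, "org": {}},
    "Z_GL_1000": {"parent": "Z_GL_MASTER", "tcodes": {"FB50", "FB03"},
                  "auth": {"F_BKPF_BUK/ACTVT": {"01", "03"}},
                  "org": {"$BUKRS": {"1000"}}},
    "Z_GL_2000": {"parent": "Z_GL_MASTER", "tcodes": {"FB50", "FB03", "FS00"},
                  "auth": {"F_BKPF_BUK/ACTVT": {"01", "02", "03"}},
                  "org": {"$BUKRS": {"*"}}},
}
# Hypothetical SoD rule: maintaining G/L master data vs. posting to the G/L.
SOD_RULES = [("FS00", "FB50")]


def sod_conflicts(tcodes):
    """Return every rule pair fully contained in one transaction set."""
    return [pair for pair in SOD_RULES if set(pair) <= tcodes]


def audit(roles):
    """Return (role, finding, detail) tuples for masters and derived roles."""
    findings = []
    for name in sorted(roles):
        role = roles[name]
        # SoD is evaluated on every role, so the inheritance argument is
        # verified on the exported data rather than taken on trust.
        for pair in sod_conflicts(role["tcodes"]):
            findings.append((name, "SOD_CONFLICT", pair))
        if role["parent"] is None:
            continue
        parent = roles[role["parent"]]
        if role["tcodes"] != parent["tcodes"]:
            diff = sorted(role["tcodes"] ^ parent["tcodes"])
            findings.append((name, "TCODES_DIFFER_FROM_PARENT", diff))
        for field, values in sorted(role["auth"].items()):
            if values != parent["auth"].get(field):
                findings.append((name, "AUTH_VALUE_CHANGED", field))
        for level, values in sorted(role["org"].items()):
            if "*" in values:
                findings.append((name, "WILDCARD_ORG_LEVEL", level))
    return findings


if __name__ == "__main__":
    for finding in audit(ROLES):
        print(finding)
```

Only Z_GL_2000 is reported: it differs from the master in transactions and activity values and carries an unrestricted company code, while Z_GL_1000 differs from the master only in its organizational level and produces no finding.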

Business Benefits of Derived Role:


Derived roles play a very important part in role management activities. Without derived roles the process would be more complex and might raise security issues. The business benefits of the derived role to GRC are as follows:

- Derived roles allow modifications according to specified business requirements.
- Minimal wastage of additional time, which was previously spent creating similar roles with small changes. For example, if similar authorizations need to be provided in multiple roles, derived roles help in easy maintenance of authorizations and provide better organization-level control.
- Less usage of manpower, and thus reduction in efforts to maintain roles.
- Simplification of the role maintenance process.
- No need to worry about the transactions, reports etc. added to the roles, and thus minimization of the risk involved in the role maintenance process.
- Very useful for big industries having diversified business and multiple plant locations.
- Time-efficient.
- Auditors find it easier to identify role-level potential conflicts, if any, based on the organization-level controls provided in the derived roles.

Related Content
https://www.sdn.sap.com/irj/sdn
http://www.sapsecurityonline.com/
http://help.sap.com/saphelp_bw21c/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
For more information, visit the Governance, Risk, and Compliance homepage.

Disclaimer and Liability Notice


This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade. SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document, and anyone using these methods does so at his/her own risk. SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or code sample, including any liability resulting from incompatibility between the content within this document and the materials and services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this document.
