Master And Derived Roles

Always first create the Master role and then add Derived roleCreate the Master Role :Enter PFCG in the Sap Easy Access Screen

Enter the Master Role Name and click on create role

Go to Menu tab and enter the Tcodes

Go to Authorizations and click on Change Authorization data

Go to Utilities and click on Technical names onClick on the role and expandHere all the Open fields should be Zero and there can be Un maintained Org levels

Click on Save and Generate

Do not Assign Users from the User tab in Master Role .Always assign them from the derived roles

Derived Role Creation:

Enter the Role Name in PFCG and click on Create and enter the Master role in the Derive from Role

Click on Menu and the Role is there

Go to Authorizations tab and click on Change Authorization data.

Maintain the Org level by clicking on the organization level tab and click on save

Click on Save and Generate

Go to User Tab and enter the Username and click on user Comparison.

The same way follow the above steps and create some more derived rolesBy entering the Master role in the derive from ro0le in description screen

Now after creating the derived roles enter the Master Role in the PFCG screen and Click on change iconGo to Authorizations tab and click on Change Authorization dataClick on the push button next to Generate icon to push the Authorization information to all the derived roles

Now go to the derived roles and check the authorization information maintained

Scenario 2:

Deletion of Master role from the derived roleEnter the Role in PFCG and Click on Delete Inheritance relationship

Now the derived role acts as a single role and it cannot be added to the Master role again