Show TOC

Procedure documentationDeriving Roles Locate this document in the navigation structure

 

Role derivation allows administrators to derive one or more roles from a single master role. The master role serves as the template for the authorizations and attributes. The derived roles are differentiated from the master role and each other by the organizational values.

You can only use the role type Single Role for master roles; therefore, you can only derive roles using single roles.

Prerequisites

  • You have created and saved the master role in the PFCG back-end system.

  • You have assigned the default back-end system in the Customizing activity Maintain Mapping for Actions and Connector Groups, under   Governance, Risk, and Compliance   Access Control  .

Procedure

  1. On the Derive Role screen, choose the Derive button.

  2. To derive a role without any organizational values:

    1. Select the No Leading Org. Level checkbox.

      The Leading Org. Level and Org. Value Mapping fields are disabled.

      You use this option if you want to only copy the authorization data from the master role, and then use transaction PFCG to change the organizational values.

      Note Note

      You can only derive only one role at a time when using this option because you are not using organizational value maps.

      End of the note.
    2. Choose Next

    3. Go to step 4.

  3. To derive one or more roles using organizational value maps:

    1. Select the Leading Org. Level.

    2. Enter the organizational values.

      To specify only one organizational value, only enter a value in Organizational Value From field.

    3. Under the Org. Value Mapping area, choose Add to select one or more organizational value maps.

    4. Choose Next.

  4. In the Derived Role Name field, enter the name of the role, and then choose Next.

    Note Note

    You can configure naming conventions for derived role names, and other role names, in the Customizing activity Specify Naming Conventions, under   Governance, Risk, and Compliance   Access Control   Role Management  .

    End of the note.
  5. Review the information for the derived roles, and then choose Save.

    The application saves the derived roles. To generate the derived roles, go to the Generate Roles phase.