Improve Your Authorization Concept by Deriving Roles in Enterprise Role Management

  • by Massimo Manara, SAP Security Consultant, Aglea s.r.l.
  • May 27, 2010
Enterprise Role Management (ERM) helps your role design process with a predefined, customizable design methodology that guides you through role definition, authorization maintenance, risk analysis, role approval, and role generation in your SAP back-end systems. During role maintenance, you can manage massive role derivation and adopt a mapping for speeding up this process.
Key Concept
Enterprise Role Management (ERM) is a component of SAP BusinessObjects Access Control. ERM can enhance the documentation, approval, and mass change of authorization roles. Some alternatives, such as transaction PFCG (profile generator), lack the documentation of an authorization change request, authorization roles documentation, and massive role derivation based on a predefined role-naming convention.

With SAP R/3 4.5x, SAP introduced the concept of the derived role. Since then, a common use of a derived role has been to segregate sensitive organizational levels. For example, if you have a buyer job role (which is a composite role), you can derive one role per country, obtaining a localized version of the buyer job role for each country (each country having different sensitive organizational levels). Purchasing groups are another example: if you need to segregate every buyer by purchasing group, you can do it with a derived role.

Using the Enterprise Role Management (ERM) component of SAP BusinessObjects Access Control, you can create and maintain derived roles in an authorization concept that results in improved governance, quicker maintenance, and better performance.

Create a Derived Role

Use transaction PFCG to create a template role, for example Z_AP_FI_TEMPLATE (Figure 1). Enter the technical name and a short description in the Description field or a more detailed one in the Long Text field. Afterward, insert the transaction codes in the Menu tab and close all open objects in the Authorizations tab. Every authorization object should be closed with at least one value; otherwise the Authorizations tab remains incomplete and its traffic light stays a color other than green. Open objects are all the objects for which the SAP system has not defined a default value.
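The derivation described above, as an added example that is not code from the article or from SAP: a small model in which a template role's authorization objects are checked for open fields (the traffic-light condition), then copied into one derived role per country, with only organizational-level fields overridden. The object and field names (F_BKPF_BUK, M_BEST_EKG, BUKRS, EKGRP, ACTVT) and the transaction FB60 are assumed for illustration.

```python
# Added example (not SAP code): a model of PFCG-style role derivation.
# A derived role inherits the template's menu and authorizations and
# overrides only organizational-level fields (assumed here: BUKRS =
# company code, EKGRP = purchasing group).
from copy import deepcopy

ORG_LEVEL_FIELDS = {"BUKRS", "EKGRP"}  # assumption: org-level fields in scope

def open_fields(role):
    """Return (object, field) pairs that still lack a value ("open objects")."""
    return [(obj, f) for obj, fields in role["objects"].items()
            for f, values in fields.items() if not values]

def is_closed(role):
    """Mirror the PFCG traffic light: green only when no field is open."""
    return not open_fields(role)

def derive_roles(template, mapping, prefix):
    """Create one derived role per mapping entry (e.g. per country).
    mapping: {suffix: {org_field: [values]}}; derived name = prefix_suffix."""
    if not is_closed(template):
        raise ValueError(f"{template['name']} has open objects: {open_fields(template)}")
    derived = {}
    for suffix, org_values in mapping.items():
        unknown = set(org_values) - ORG_LEVEL_FIELDS
        if unknown:  # a derived role may not change non-org-level fields
            raise ValueError(f"{suffix}: cannot override non-org-level fields {unknown}")
        role = deepcopy(template)
        role["name"] = f"{prefix}_{suffix}"
        role["derived_from"] = template["name"]
        for fields in role["objects"].values():
            for field in fields:
                if field in org_values:
                    fields[field] = list(org_values[field])
        derived[role["name"]] = role
    return derived

# Constructed sample template: an accounts-payable posting role with one
# menu transaction and two authorization objects (names are illustrative).
TEMPLATE = {
    "name": "Z_AP_FI_TEMPLATE",
    "menu": ["FB60"],
    "objects": {
        "F_BKPF_BUK": {"ACTVT": ["01", "03"], "BUKRS": ["*"]},
        "M_BEST_EKG": {"ACTVT": ["03"], "EKGRP": ["*"]},
    },
}
# Constructed mapping following a naming convention: one role per country.
COUNTRY_MAP = {"IT": {"BUKRS": ["IT01"]}, "DE": {"BUKRS": ["DE01", "DE02"]}}
```

Calling `derive_roles(TEMPLATE, COUNTRY_MAP, "Z_AP_FI")` yields Z_AP_FI_IT and Z_AP_FI_DE, which differ from the template only in BUKRS; a template with an open field is rejected before any derivation happens.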

Massimo Manara

Massimo Manara is an SAP-certified security and compliance consultant at Aglea s.r.l., the only Italian company whose core business is SAP security and compliance. He has nearly 10 years of experience in IT security and on SAP projects, and holds a bachelor’s degree and a master’s degree in security computer science.
