Master roles, child roles and inheritance

In corporate practice, a large number of roles often need to be identical in most respects, e.g. the roles differ only in their organizational units but are otherwise designed in the same way.

As the person responsible for authorizations, you can either create a possibly large number of roles individually by hand or fall back on the concept of master (or template) roles and child roles, which makes role construction faster and less time-consuming.

What do “master role” and “child role” mean?

The concept is similar to the relationship of a mother to her child: the selected master role passes its authorization objects/transactions on to its derived child roles, so that the authorizations defined in the master role only have to be created once.

An inheritance relationship is established between the two roles in PFCG. Subsequent role changes therefore only have to be entered once, in the master role, and can be transferred to the derived roles with a single click. This saves an enormous amount of time, especially with a large number of roles.

How does that work technically?

The inheritance procedure requires two steps:

 1. Create the master role

For the concept explained above to work, a master role is needed first. You can use an existing role or create a new one in the usual way. It is advisable to express the distinction between master and child roles in the naming convention as well.

All authorizations that are to be identical for all employees are now entered into the master role.

Important: no organizational levels are maintained in the master role! Leave the fields empty, even if the red triangle makes you uncomfortable. The maintenance of the organizational levels is only done in the derived roles.

 2. Define the child roles

Now create a role in PFCG, ideally with a name similar to that of the master role, so that you can keep track of the relationship later.

After you have created the role, you will find the field “Inheritance of transactions – Derive from role:” in the “Description” tab. Enter the name of the master role and confirm. The data from the master role has now been transferred to the child role.

Next, change the authorization data; this is where you enter the organizational levels. When you then generate the role, the buttons in the permissions will turn green and your role has been created successfully.

Tip: In the table AGR_DEFINE (field ‘PARENT’) you can search for master roles.

Likewise, in either a master or a child role, you can click the “Inheritance hierarchy” button at the top to see an overview of the relationships between the roles.
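The following added example (not part of the original article) audits the two rules above offline: it rebuilds the master/child hierarchy from a CSV export of AGR_DEFINE and flags master roles that carry organizational level values as well as derived roles that have none. It assumes the parent column is exported under the header PARENT_AGR and that organizational level values come from an export of table AGR_1252 (columns AGR_NAME, VARBL, LOW, HIGH); all role names and values are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports; column headers are assumptions about the export.
AGR_DEFINE_CSV = """AGR_NAME,PARENT_AGR
Z_M_FI_AP_CLERK,
Z_D_FI_AP_CLERK_1000,Z_M_FI_AP_CLERK
Z_D_FI_AP_CLERK_2000,Z_M_FI_AP_CLERK
Z_M_MM_BUYER,
Z_D_MM_BUYER_1000,Z_M_MM_BUYER
Z_S_BASIS_DISPLAY,
"""
AGR_1252_CSV = """AGR_NAME,VARBL,LOW,HIGH
Z_D_FI_AP_CLERK_1000,$BUKRS,1000,
Z_D_FI_AP_CLERK_2000,$BUKRS,,
Z_M_MM_BUYER,$WERKS,*,
Z_D_MM_BUYER_1000,$WERKS,1000,
"""

def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit_inheritance(define_csv, orglevel_csv):
    # Master role -> derived roles, taken from the parent column.
    children = defaultdict(list)
    for row in read_rows(define_csv):
        parent = row["PARENT_AGR"].strip()
        if parent:
            children[parent].append(row["AGR_NAME"].strip())
    # Role -> org level variables that actually hold a value.
    maintained = defaultdict(set)
    for row in read_rows(orglevel_csv):
        if row["LOW"].strip() or row["HIGH"].strip():
            maintained[row["AGR_NAME"].strip()].add(row["VARBL"].strip())
    derived = [c for kids in children.values() for c in kids]
    return {
        "hierarchy": {m: sorted(k) for m, k in children.items()},
        # Rule from step 1: master roles keep their org levels empty.
        "masters_with_org_levels": sorted(m for m in children if maintained.get(m)),
        # Rule from step 2: org levels are maintained in the derived roles.
        "derived_without_org_levels": sorted(c for c in derived if not maintained.get(c)),
    }

if __name__ == "__main__":
    for key, value in audit_inheritance(AGR_DEFINE_CSV, AGR_1252_CSV).items():
        print(key, value)
```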

Have fun!