Continuing with SAP alphabet. Hope we both understand that there are template roles and functional and they differ.
First ones are never assigned to end users and in fact are templates for functional roles. We use them to quickly edit function in one place and derive changes to functional. Functional roles are already typed with exact permissions for personnel areas, employee groups and subgroups, business units and other objects.
If you don’t want to die creating all combinatoric variety of functional roles per each personnel area and employee group, you can use derivation tool. When deriving we define master role (template) with a nice user menu, setup authorization objects with organizational levels. Then with easy we create derived role which references to master role. Derived role inherits menu and all authorization objects from the master role. When we do any change in master role it reflects in slave roles. Also we can do any changes in slave roles without any effect to master. You only can’t change user menu in slave role.
In pictures it looks like this.
Create master role
with one PA30 transaction and default authorizations.
Create slave (derived) role
Pay attention to the name of m the ster role.
We see menu editing is disabled in the slave role.
While authorizations are inherited from the master role.
Test roles derivation
Let’s add P_TCODE in master role and click derivation button.
System automatically adds the same object in the slave role.
Take into consideration there could be more than 1 slave (derived) role for 1 master.