Permission roles derivation (inheritance)
Continuing with SAP alphabet. Hope we both understand that there are template roles and functional and they differ.
First ones are never assigned to end users and in fact are templates for functional roles. We use them to quickly edit function in one place and derive changes to functional. Functional roles are already typed with exact permissions for personnel areas, employee groups and subgroups, business units and other objects.
If you don’t want to die creating all combinatoric variety of functional roles per each personnel area and employee group, you can use derivation tool. When deriving we define master role (template) with a nice user menu, setup authorization objects with organizational levels. Then with easy we create derived role which references to master role. Derived role inherits menu and all authorization objects from the master role. When we do any change in master role it reflects in slave roles. Also we can do any changes in slave roles without any effect to master. You only can’t change user menu in slave role.
In pictures it looks like this.