What is the SAP report SUPRN_REGENERATE_DEPENDENT used for?

The report SUPRN_REGENERATE_DEPENDENT is used to synchronize derived roles with their master (imparting) roles in SAP. It propagates authorization changes from the master role to its derived roles and can also regenerate authorization profiles.

How is SUPRN_REGENERATE_DEPENDENT different from adjusting derived roles in PFCG?

Running SUPRN_REGENERATE_DEPENDENT is functionally equivalent to executing the following options in transaction PFCG: Authorizations → Adjust derived → Save derived roles Authorizations → Adjust derived → Generate derived roles The report simply automates this process and allows administrators to perform the adjustment more efficiently.

Does the report change organizational field values in derived roles?

No. The report updates the authorization structure inherited from the master role, while preserving the organizational field values defined in each derived role. This ensures that the business-specific access assigned to derived roles remains intact.

Can SUPRN_REGENERATE_DEPENDENT be used for mass processing?

According to SAP Note 2538834 , corrections were introduced that allow the report to support mass processing of multiple imparting roles. The report automatically identifies derived roles for the selected master roles and processes them accordingly.

What happens if a derived role is already synchronized with the master role?

If the derived role already contains the same authorization data as the master role, the report does not make unnecessary updates. Only roles with differences are adjusted.

Does the report generate authorization profiles?

Yes. The report can regenerate authorization profiles for derived roles. In fact, SAP Note 2538834 changes the default parameter setting to enable profile generation, since administrators typically want both authorization adjustments and profile regeneration performed together.

SAP Report SUPRN_REGENERATE_DEPENDENT - Automatically Adjust Derived Roles in PFCG

SAP authorization design often relies on master and derived roles to maintain consistency while allowing flexibility through organizational values such as company code, plant, or sales organization. This design helps standardize access while enabling the same authorization structure to be reused across different organizational contexts.

However, maintaining synchronization between master roles and their derived roles can become an operational challenge whenever changes are introduced.

One SAP utility that helps address this challenge is the report SUPRN_REGENERATE_DEPENDENT, a lesser-known but highly practical tool for SAP role administrators.

What is the challenge?

When changes are made to a master role, those changes must also be reflected in all its derived roles. In many environments, administrators handle this manually using transaction PFCG, typically by performing the following steps:

Adjust derived roles
Save the role changes
Regenerate authorization profiles

While this approach works when dealing with a small number of roles, it becomes inefficient in larger SAP landscapes where a single master role may have dozens or even hundreds of derived roles.

Manual adjustments increase the risk of:

Missing derived roles that require updates
Inconsistent authorization profiles
Increased administrative effort

At the same time, administrators must ensure that organizational field values in derived roles remain unchanged, since those values are what differentiate each derived role.

The Solution

SAP provides the report SUPRN_REGENERATE_DEPENDENT to automate the synchronization between master roles and their derived roles.

Functionally, executing this report is equivalent to performing the following actions in transaction PFCG for an imparting role:

Authorizations ? Adjust derived ? Generate derived roles (Ctrl + Shift + F4) (when profile generation is active)
Authorizations ? Adjust derived ? Save derived roles (Ctrl + Shift + F5) (when profile generation is inactive)

By executing this report, administrators can:

Automatically propagate authorization changes from master roles to derived roles
Regenerate authorization profiles
Preserve organizational field values in derived roles
Ensure derived roles remain aligned with their imparting role

This allows administrators to maintain consistency across role hierarchies without manually adjusting each derived role in PFCG.

What SAP Note 2538834 Says

SAP Note 2538834 explains the intended behavior and enhancements related to this report.

Originally, the report could only be executed for a single imparting role, meaning mass processing across multiple master roles was not supported.

The correction described in the note enhances the report to support mass processing, allowing administrators to select multiple imparting roles whose derived roles need adjustment.

During execution:

Roles without derived roles are automatically excluded from processing
Derived roles that are already aligned with their master role do not require updates
Authorization data in derived roles is updated only when differences exist

The note also changes the default parameter setting so that profile generation is active by default, reflecting the common operational requirement where administrators typically want both authorization adjustments and profile generation to occur together.

If the processing completes successfully for all selected roles, the system returns a simple status message. If issues occur, the report produces a detailed log identifying which roles were processed successfully and highlighting any failures along with their reasons.

The report also respects system-level controls such as client settings in transaction SCC4. For example, the program cannot run if the client is configured with the “No Changes Allowed” option.

In systems where automatic change recording is enabled, the report allows administrators to specify a transport request. If no request is entered, the system uses the request defined in the executing user's personal settings and creates one automatically if necessary.

These transport rules ensure that derived role adjustments remain consistent with SAP’s customizing transport framework.

Conclusion

Managing master and derived roles efficiently is critical for maintaining a scalable and well-governed SAP authorization model. While transaction PFCG provides the functionality to adjust derived roles manually, this process can become time-consuming in larger environments.

The report SUPRN_REGENERATE_DEPENDENT offers a practical way to automate the synchronization of derived roles with their master roles while preserving organizational values and maintaining authorization consistency.

For SAP Security and GRC teams managing complex role landscapes, this report can significantly reduce administrative effort and improve operational efficiency, demonstrating once again that some of the most useful SAP utilities are often the ones that receive the least attention.

Disclaimer

The views expressed in this article are solely those of the author and are based on practical experience with SAP systems. They do not necessarily represent the official position of SAP, and SAP does not guarantee the accuracy or applicability of the observations described. Readers should refer to official SAP documentation and SAP Notes when evaluating or implementing functionality within their SAP environment.