Parent Roles/Derived Roles :
The concept of parent and derived roles was introduced by SAP to simplify role administration tasks. Its specially helpful while mapping security for large enterprises spread across multiple geographies or divisions. A child role derived from a parent role will have all attributes (transactions/ authorization object values) same as it parent except the values of the Organizational Level fields (plant, company code, sales organization). Thus maintenance is simplified as only the org levels need be maintained at the derived role level. This also ensures that there is no opportunity to make mistakes during authorization maintenance for the multitude of derived roles and also reduces testing effort for roles.
The most critical success factor for a parent-derived role concept is how well, the different business processes mapped by SAP roles are mirrored across the different divisions in an enterprise. In other words, a parent-derived role concept will not be very beneficial in case an enterprise follows different business process in its different subsidiaries.
Single Roles : Single roles which gives the exact authorizations to the users. If none of the standard roles delivered by SAP meet your needs, and they cannot be adjusted to do so, then please create your Single Role in the T-code : PFCG.
Composite roles can simplify the user administration.
They consist of single roles. Users who are assigned a composite role are automatically assigned the associated single roles during the compare. Composite roles do not themselves contain authorization data. Setting up composite roles are useful for example if some of your staff need authorization for several roles. You can create a composite role and assign it to the users instead of putting each user in each required single role.
Thanks!