on 02-09-2009 12:47 PM
Hi
Could anybody explain me the best approach to restrict document change based on user status?
I know that B_USERSTAT is the authorization object to control secutrity.
But I am facing the following situation.
Status Auth key
-
E0001 SDCR_001
E0002 SDCR_002
E0003 SDCR_003
E0004 SDCR_004
I want a user who has SDCR_001 only to allow E0001 actions, but for changing status (SET_STATUS) to E0002, authrization is checked and rejected because the user does not have SDCR_002. (This is technically understandable.....)
For resolving this situation, what settings are most recommended?
BR
Usually "actions" are executing methods/programs which can be restricted. But there is no general way to restrict action like it is done for changing a status.
Would be nice to have authorization keys for action definitions but this is not available without additional coding.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I found SAP note 1097632 which seems related to my problem.
-
You use authorization checks in Change Request Management.
You want only certain users to have authorization to set the status for a Change Request Management transaction.
Solution
Implement the attached correction instructions.
-
My SolMan has corresponding support package. but what does it mean? Anybody knows?
The auth. key you mentioned is only checked for setting the status. So you need auth. key SDCR_001 to set status to E0001.
The availability of actions is based on a status. In document status E0001 there might be an action which will set status to E0002 if executed. When executing the action system will not check if the user got the appropriate right to perfom the action itself but will check if the user got the auth. to do what the action would do (i.e. setting status to E0002).
So lets say you got different actions like:
a) setting status to E0002
b) logon to a system
c) performing a check for critical objects
d) .....
These actions will be available to anyone who opens the document in change mode.
When one of these actions is executed the user needs the authorization to do what the action will do. Which means the user needs auth. to a) set status to E0002 (which will be checked via key SDCR_001), b) logon to a system (which will be restricted via the availability of the corresponding user in the target system), c) performing a check for critical objects (auth. to perform the report which will check for critical objects will be checked).
There is nothing like:
Action // Auth. Key
"Action 1" // XYZ_001
"Action 2" // XYZ_002
"Action 3" // XYZ_003
Hope this helps a bit.
Regards
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
HI,
USER Authorization
Administrator
SAP_CM_SMAN_ADMINISTRATOR
Change Manager
SAP_CM_SMAN_CHANGE_MANAGER
IT Operator
SAP_CM_SMAN_OPERATOR
Developer
SAP_SOCM_DEVELOPER
Developer Tester Prod. Manager Operator Administrator
Display X X X X X
Create X --- --- --- X
Change --- --- --- --- X
Delete --- --- --- --- X
Run X X X X X
Change status X X X X X
Regards
Sreedhar Reddy
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
90 | |
10 | |
10 | |
9 | |
7 | |
6 | |
6 | |
5 | |
4 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.