on 05-31-2010 7:56 AM
Hi gurus
I have a problem with authorization in DMS. I have a DIR that is authorized for one user; no one can change it except him. Then he needs to send the DIR by distribution, and he wants only the users who receive this DIR to be able to view/change it. The authorization should only be created when he uses distribution for this DIR; otherwise no one can change it but him. For example:
User A creates a DIR and only he can change it (I use Authorization Group for authorization).
He sends this DIR to users B and C. After that they (users B and C) can change this DIR.
I have a solution: I maintain a new Authorization Group, and when he sends this DIR he changes the Authorization Group to another one such as "ungrp". With "ungrp" I allow everyone to change this DIR. This solves part of the problem: he can change the authorization at the moment he sends the DIR. But everyone can change the DIR after that, not only the DIR receivers.
If you have a better idea or have experienced this problem, please give me your opinion.
Best regards
An NLP
Use ACL.
Update the authorization of the document when distribution starts. Set the required activity...
Hi there
Can you give me more detail about ACL?
I've restricted the users by Doc. Type (Auth. Object is "Doc. Activities") and I created the activity "admin" for a user.
But it didn't work; this user cannot access the DIR (restricted Doc. Type).
If I don't restrict the users by Doc. Type, everyone can access it, not only this user.
Please correct me if you have some other solutions.
Regards
An NLP
ACLs are document specific, unlike doc type authorization, which is applicable to all documents of the specified doc type ...
e.g for a particular document you want to restrict users from editing it, then you can assign read activity for that user...
for your problem:
check user profile..is ACO_SUPER assigned?..then acl will not have any effect...
priority is given to ACO_SUPER then doc type authorization & then to acls....
you can have 2 layers of access control..first by doc type and then by ACL
give doc type controls to relevant users, who will be receiving the document, and set acl
I hope you have checked all doc type authorizations correctly...
execute su53 and then check where the authorization fails......
Hi there
thanks for your answer.
I found info about ACO_SUPER but I don't know how to assign it.
To try it, I created a new user and made a role for it. It just has a menu for DMS and authorizations for the activities of DMS.
When I tried to change a DIR as this user I saw the error "You do not have the necessary authorization for document..."
I want to know which authorization object has to be assigned to get past this error.
And I think your ideas can help me solve my problem, but I need to understand them clearly.
Best Regards
An NLP
ACO_SUPER should be given only to administrators or super users
go through
http://help.sap.com/erp2005_ehp_04/helpdata/en/c1/1c24ac43c711d1893e0000e8323c4f/content.htm
http://help.sap.com/erp2005_ehp_04/helpdata/en/48/d848c9b61c31ebe10000000a42189b/content.htm
to understand authorization
Hi Surjitsingh Bawa
I understood ACL authorization, and I think that Doc. Type and ACL authorization are two different sides. If the user wants to access a DIR, he needs to be allowed by both of them. So if I restrict him by Doc. Type authorization, it's impossible to allow him to access the DIR by ACL authorization.
I'll think about another solution for my problem.
Thanks for your help.
Best Regards
An NLP
Hi Surjitsingh Bawa
In my current system, all users can use DMS. As I understand it, ACO_SUPER is given to all users. That means everyone can access DIRs (unless I restrict Doc Type authorization), and ACL has no effect.
If I don't give the authorization object ACO_SUPER to all users, they can't use DMS and have to wait for authorization from an administrator or superuser for each DIR.
I've only just learned about ACL, so please correct me if I'm wrong. If you have experienced this case, you can give me your solution.
Regards
An NLP
Hi,
As rightly identified, if you give the authorization object ACO_SUPER to all users, it will override the ACLs.
Coming back to your requirement specifically, use authorization object C_DRAW_TCS for user A and for B, C respectively, which will help you grant control over Document Type, Activity and Status (as per the scenario described by you). Provide ACO_SUPER authorization only to the administrators. If both PFCG objects and ACLs are maintained, the system takes both of them into account, but PFCG roles are given preference.
Regards,
Pradeepkumar Haragoldavar
Hi Pradeepkumar Haragoldavar
I thought about that. But ACLs are only used when the user uses distribution. Normally the user can access a DIR for changing, creating, etc. and is restricted by Document Type (or Doc. Type and Status). If I don't give ACO_SUPER to the users, they can't access the DIR. So confused.
Regards
An NLP
Hi all
I found a new solution. I use Folders and inheritance of ACLs. I create a folder for each user group and create ACL authorization for them. I don't give ACO_SUPER to the users. When they create a new DIR, they have to assign a superior document for this DIR. If a user doesn't belong to a Folder, he can't access the DIRs in there. With this solution I can use Document Type, Status and ACLs to restrict authorization.
Thanks all for your ideas.
Best Regards
An NLP
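The layering discussed in this thread, as an added sketch that is not part of any post and is not SAP code: a role check on document type, status and activity, the ACO_SUPER bypass of ACLs, and an ACL inherited from the superior folder. All names and sample values are constructed, and denying access when no ACL exists anywhere in the chain is an assumption of this sketch.

```python
# Simplified model of the layering described in this thread; not SAP code.
# Every name and value below is constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Dir:
    doc_type: str
    status: str
    acl: dict = field(default_factory=dict)   # user name -> set of activities
    superior: "Dir | None" = None             # folder the DIR is assigned to

@dataclass
class User:
    name: str
    aco_super: bool = False
    # C_DRAW_TCS-style grants from the role: (doc type, status, activity)
    tcs: set = field(default_factory=set)

def effective_acl(doc):
    """Walk up the superior documents until an ACL is found (inheritance)."""
    while doc is not None:
        if doc.acl:
            return doc.acl
        doc = doc.superior
    return None

def can(user, activity, doc):
    # Layer 1: document type / status / activity from the PFCG role.
    if (doc.doc_type, doc.status, activity) not in user.tcs:
        return False
    # Holders of ACO_SUPER are not restricted by ACLs at all.
    if user.aco_super:
        return True
    # Layer 2: the DIR's own ACL, else the one inherited from its folder.
    acl = effective_acl(doc)
    if acl is None:                            # assumption: fail closed
        return False
    return activity in acl.get(user.name, set())

# Constructed sample: one folder for users A, B and C; user D is outside it.
GRANT = {("DRW", "WR", "display"), ("DRW", "WR", "change")}
FOLDER = Dir("FOL", "WR", acl={n: {"display", "change"} for n in "ABC"})
DIR1 = Dir("DRW", "WR", superior=FOLDER)
B = User("B", tcs=GRANT)
D = User("D", tcs=GRANT)
D_SUPER = User("D", aco_super=True, tcs=GRANT)
B_NO_ROLE = User("B")

if __name__ == "__main__":
    for u in (B, D, D_SUPER, B_NO_ROLE):
        print(u.name, u.aco_super, can(u, "change", DIR1))
```

In this model, user D is blocked by the folder ACL until ACO_SUPER is added to the profile, which is the effect the thread describes when ACO_SUPER is handed to every user.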
Hi,
Whatever you have done is part of the authorization and not the complete one.
There is an object in roles. You may get help from the Basis person who is creating the roles.
The T-code is PFCG.
When you define a role, you need to define an object for activities like create, change, display, etc., irrespective of authorization group. That means you can maintain it for the same authorization group or for a different one.
This will control the activities of a particular user like approver, reviewer, etc.
I hope this will resolve the query.
Regards,
Ravindra