cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

DIR Authorization

Go to solution
Former Member

on ‎05-31-2010 7:56 AM

0 Kudos

Hi gurus

I have a problem about authorization in DMS. I have a DIR and it's authorized for a user, no one can change it except him. Then he need to send DIR by distribution and he want that only the users who receive this DIR can view/change it. The authorization is just created when he use distribution for this DIR, otherwise everyone can't change it but him. For example:

User A create a DIR and only him can change it (I user Authorization Group for authorization)

And he send this DIR to User B,C. After that they (user B,C) can change this DIR.

I have a solution, I maintain a new Authorization Group and when he send this DIR, he will change Authorization Group to another such as "ungrp". With "ungrp" I allow everyone can change this DIR. By this solution I can solve a part of problem: He can change the authorization at the moment when he sends DIR. But everyone can change DIR after that - not only the DIR receivers.

If you have a better idea or experience this problem, give me your opinion please.

Best regards

An NLP

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎05-31-2010 10:55 AM
0 Kudos

use ACL..

update authorization of the document, when distribution starts. set required activity...

Show replies
Show replies
Former Member
‎06-02-2010 4:44 AM
0 Kudos

Hi there

Can you give me more detail about ACL ?

I've restricted the users by Doc. Type (Auth. Object is "Doc. Activites") and I created activity "admin" for an user.

But it didn't work, this user cannot access DIR (restricted Doc.Type).

If I don't restrict the users by Doc. Type, everyone can access not only this user.

Please correct me if you have some other solutions.

Regards

An NLP

Former Member
‎06-02-2010 5:33 AM
0 Kudos

ACL are document specific, unlike doc type authorization which s applicable to all documents of the specified doc type ...

e.g for a particular document you want to restrict users from editing it, then you can assign read activity for that user...

for your problem:

check user profile..is ACO_SUPER assigned?..then acl will not have any effect...

priority is given to ACO_SUPER then doc type authorization & then to acls....

you can have 2 layers of access control..first by doc type and then by ACL

give doc type controls to relevant users, who will be reciving the document and set acl

I hope you have checked all doc type authorizations correctly...

execute su53 and then check where the authorization fails......

Former Member
‎06-02-2010 11:31 AM
0 Kudos

Hi there

thanks for your answer.

I found info about ACO_SUPER but I don't know how to assign it.

To try it, I created a new User and made role for it. It just has a menu for DMS and authorizes for activities of DMS.

When I've tried to change DIR by this user I saw the error "You do not have the necessary authorization for document..."

I wanna know what authorization object assigned to pass this error.

And I think your ideas can help me for solving my problem but I need to know it clearly

Best Regards

An NLP

Former Member
‎06-02-2010 11:37 AM
0 Kudos

Hi,

Kindly manage in the C_DRAW_TCD object which is for controlling the activities create,change,display etc.

I hope this will resolve the query.

Regards,

Ravindra

Former Member
‎06-02-2010 1:12 PM
0 Kudos

ACO_SUPER should be given only to administrators or super users

go through

http://help.sap.com/erp2005_ehp_04/helpdata/en/c1/1c24ac43c711d1893e0000e8323c4f/content.htm

http://help.sap.com/erp2005_ehp_04/helpdata/en/48/d848c9b61c31ebe10000000a42189b/content.htm

to understand authorization

Former Member
‎06-04-2010 2:58 AM
0 Kudos

Hi Surjitsingh Bawa

I understood ACL Authorization and I think that the Doc. Type and ACL authorization are 2 different side. If the user want to access a DIR, he need to be allowed for both of them. So if I restrict him by Doc. Type Authorization, it's impossible to allow him access DIR by ACL Authorization.

I'll think about another solution for my problem.

Thanks for your help.

Best Regards

An NLP

Former Member
‎06-04-2010 5:22 AM
0 Kudos

Hi NLP...

yes you are right...

thats y i suggested, you allow doc type authorizations..and then restrict using ACLs.....

as it is possible for you to update document acl when the distribution starts...

Regards

Surjit

Former Member
‎06-04-2010 10:55 AM
0 Kudos

Hi Surjitsingh Bawa

In my current system, all users can use DMS. With my understanding, ACO_SUPER is given to all users. That means everyone can access DIRs (unless I restrict Doc Type Authorization). And ACL has no effect.

If I don't give authorization object ACO_SUPER to all users, they can't use DMS and have to wait for authorization from administrator or superuser in each DIR.

I've just know about ACL, so please correct me if I'm wrong. If you experienced this case, you can give me your solution.

Regards

An NLP

Former Member
‎06-04-2010 11:18 AM
0 Kudos

Hi,

As rightly identified,if you use the authorization object ACO_SUPER to give to all users, it will override the ACLs.

Coming back to your requirement specifically, use authorization object C_DRAW_TCS for user A & B,C respectively which will aid you to grant control over Document Type,Activity and Status(as per the scenario described by you). Provide ACO_SUPER authorization only to the administrators.If both PFCG objects and ACLs are maintained, the system takes both of them into account, but PFCG roles are given preference.

Regards,

Pradeepkumar Haragoldavar

Former Member
‎06-06-2010 3:28 PM
0 Kudos

Hi Pradeepkumar Haragoldavar

I thought about that. But ACLs is just used when the user use the distribution. Normally the user can access DIR for changing, creating...ect and be restricted by Document Type (or Doc. Type and Status). If I don't give ACO_SUPER to the users, they can't access DIR. So confused

Regards

An NLP

Former Member
‎06-07-2010 9:05 AM
0 Kudos

Hi all

I found a new solution. I use Folder and Inheritance of ACL. I create the folder for each user group and create ACL authorization for them. I don't give ACO_SUPER for the users. When they create a new DIR, they have to assign superior document for this DIR. If an user doesn't belong to a Folder, he can't access DIR in there. With this solution I can use Document Type, Status and ACLs to restrict authorization.

Thanks all for your ideas.

Best Regards

An NLP

Answers (1)

Answers (1)

Former Member
‎05-31-2010 8:03 AM
0 Kudos

Hi,

Whatever you have done is part of authorization and not complete one.

There is object in roles. You may take help from basis person who is creating the roles.

T-code is PFCG.

when you define a role that time you need to define a object for activites like create,change,display etc. irrespetive of authorization group. Means you can maintain for same authorization group or different also.

This will control the activities of pretocular user like approver, reviewer etc.

I hope this will resolve the query.

Regards,

Ravindra

Show replies
Show replies
Ask a Question