on 12-12-2013 9:00 AM
Hi All,
I have a requirement that only some users should be able to delete the originals attached to a DIR. Can you guide me on which role/activity we need to deactivate to make this functionality work?
One way that comes to mind is not to give change authorization to those users, but that will not work as they are responsible for changing the status.
Thus I only want a role/authorization/Object/activity which will help me to stop deleting the originals.
Regards
Amulya
Hi,
Object - C_DRAD_OBJ
This authorization object makes it possible to restrict the maintenance of an object link. This object controls which document info record the user is allowed to edit. The setting is made up of a combination of activity, object, and status.
The following table contains the fields and values of the authorization object.
Field | Possible value | Meaning |
---|---|---|
ACTVT (Activity) | 01 | Create |
ACTVT (Activity) | 02 | Change |
ACTVT (Activity) | 03 | Display |
ACTVT (Activity) | 06 | Delete |
DOKOB (Object) | | Enter the database table here for the objects (for example: MARA, DRAW). |
STATUS | | Enter the appropriate status here. |
Regards,
Arun kaul
Hi Amulya,
You have the option to control deleting documents by role; if you remove the object from the role, this is possible.
regards
Arun Kaul
Hi Tilak,
Thanks for sharing the links. My query is that I want to restrict some X users from deleting originals attached to a file.
Now using ACL for each DIR is difficult, so do we have any way, i.e. can we restrict all the drawings based on Document Types etc.?
Thanks for your co-operation.
Amulya
Hi Amulya,
You don't have to create an ACL authorization for each DIR. Just create the authorization at folder level and it will be inherited by the DIRs created inside that folder. Any changes at folder level will immediately affect all DIRs for which the authorization is created. For more details check:
ACL authorizations in DMS - Product Lifecycle Management - SCN Wiki
Yes, there is an option, we can restrict users based on Doc types, Doc Status etc..
Below is the link where you will find all the Authorization Objects available in DMS.
Authorization Objects in DMS - Product Lifecycle Management - SCN Wiki
/Tilak Raj
Hi Tilak,
I tried restricting it at Folder Level, but the DIRs under it remain unaffected. One reason may be that those DIRs are actually not under the Folder, i.e. Folder created via SAP GUI. Correct me if I am wrong.
Also, regarding the other link which you shared, we tried each and everything via roles, but for Deletion of Originals no activity is triggered.
Please suggest.
Regards
Amulya
Hi Amulya,
If you are using EasyDMS, the Document Structure is created automatically (Folder>SubFolder>Documents...). If you are creating DIRs in SAP GUI, you have to assign them to the Document Structure by using t-code CV12.
For Deletion of Originals, provide users only Display access, because in the standard the users can always delete originals if they have change authorization for the document info record, and there is no specific object just for handling the original files. At the moment I can only recommend you to create your own authorization check with the help of BADI DOCUMENT_AUTH01.
/Tilak
Hi Tilak,
Agree with you, but here we are not using the Document Structure concept.
Also agree that with change we get delete authorization, i.e. that is the only issue, because if we remove change authorization the user will not even be allowed to change the status of the DIR.
We have already implemented the mentioned BAdI, but with that as well we were successful in restricting deletion in SAP GUI only, not in Easy DMS.
Also, authorizations are getting inherited, but only when I assign Admin authorization manually to each folder or DIR.
Any other way to restrict the same in EASY DMS.
Regards
Amulya
Hi Amulya,
I suggest you to have 2 different document statuses.
Ex.
1. Doc Status: Draft, Give authorization only to users who can do changes in DIR.
2. Doc Status: Released, Give authorization to all.
Now if user want to make any changes, they can reassign the status to Draft and make the changes to DIR, set Release Status and save it again.
Hope this will meet your requirements.
/Tilak
Hi Tilak,
Your solution is very impressive. But in lock status user will not be even allowed to edit/add new original.
Any other way please.
Also I don't know why my Write permission in ACL is not getting inherited in EASY DMS; on the other side, READ permission is working fine even if I have used the same in the main folder.
Please suggest if we have any other way for the same.
Regards
Amulya
Hi Tilak,
I checked the ReadFile entry as well. When I give READFILE permission to a particular user for a particular DIR it works fine, i.e. it does not allow deleting the original, but when I assign the same to a particular folder it does not work.
What is strange is that it stops the user from deleting a document but does not stop the user from deleting an original when we assign the same to a Folder; in case of assignment on a particular DIR it works fine.
Please suggest.
Regards
Amulya
Hi Tilak,
Finally I was able to delete the Admin Auth by deleting the entries from SAP table.
Now when I try to assign a particular activity to any folder, for example:
User ID - X
Activity Assigned - Write
I have assigned the above to a Folder, but user X is still able to delete originals attached to a DIR in that particular Folder. But when I assign the same to a particular DIR, the user is not able to delete the original.
My Aim is to restrict some users from deleting originals from all the DIR's.
Please guide.
Regards
Amulya
Hi Amulya,
Request you to first search for your queries before posting it. There are many similar threads available. Please check below links:
Authorizations in SAP Easy Document Management - SAP Easy Document Management - SAP Library
If you still find difficulty, please revert.
/Tilak
Hi Tilak,
I agree with you, but I myself have assigned my ID as ADMIN for a particular DIR. Now I want to remove myself as admin for that DIR. So how can I do that?
Regards
Amulya
Hi Tilak,
Thanks for your reply.
I have the SAP ALL role assigned to me, but I am still not able to delete Admin in SAP Easy DMS; it says this change is not permitted. If it is an authorization issue it should give an authorization error, but it says "This Change is Not Permitted".
Also, what is happening is: suppose I am the admin of a particular document/folder in Easy DMS, and if I don't add any user/role and give them access, they are not even able to see that particular document.
Can you please suggest.
Regards
Amulya
Hi Amulya,
To use ACLs, the document must have initial administrator authorization. When a document is created or versioned, the user who creates the document does not receive administrator authorization by default. The registry value AutoInheritedAuth must be set to 1 to receive administrator authorization by default. The user cannot delete his or her own administrator authorizations.
/Tilak
Hi Tilak,
I tried that; it says it is not permitted. Though I am the only admin, it is still not allowing me.
Regards
Amulya
Hi Amulya - Check with your BASIS team, might be you don't have authorization to ACL. Also check in SPRO> Cross-Application Components -> Document Management -> Document Browser: Make sure ACL FLAG and EDIT ACL checkboxes are marked.
As for authorization object S_RFC, check below online documentation
http://help.sap.com/saphelp_erp2005/helpdata/de/60/305140c770cd01e10000000a155106/frameset.htm
Hi Tilak,
Thanks for the detailed description. Can you tell me how we can delete admin authorization in SAP EASY DMS, i.e. one which is created via ACL?
Regards
Amulya
Hi Pravin,
Your solution worked perfectly fine in SAP GUI, but the issue is that it does not work in Easy DMS. Can you suggest?
Rgds
Amulya
Hi Amulya,
Unfortunately I have not worked on SAP EASY DMS, but as per my knowledge EASY DMS is installed on every user's PC or laptop, so all users have delete/change/add (copy & paste & drag & drop) authorization. Hence it may not be possible to control the delete authorization in SAP EASY DMS. However, there must be some other option to handle this issue, but I don't have any idea about the same.
Thanks
Pravin
Hi Amulya,
Go to SPRO>Cross Application Components> Document Mgmt> Control Data> Activate Doc Browser and ACLs.
Check flag for ACL FLAG and Edit ACL.
Now logon to EasyDMS, Authorization tab will appear in all doc "SAP PROPERTIES".
Enter the users or create user groups, select the authorization to be given to a particular object.
Object-related authorizations (access control lists (ACLs)) allow assignment of authorizations to carry out certain activities in folders and documents.
These authorizations are inherited top-down (see Inheritance) and can be overridden at lower levels.
Caution
You use the authorization object ACO_SUPER to give certain users, such as system administrators, authorization to override the ACLs.
Note
Linked documents do not inherit the authorizations of the folder to which they are linked. These documents only inherit ACLs that result from their original use, that is, from the folder in which the documents are actually located and not from a folder by means of a link.
You can assign the following authorizations to users, user groups, and roles:
These authorizations are described in detail in the following table:
Authorization/Activity | Object | Description |
---|---|---|
Admin | Document, folder | Allows you to display, change, rename, copy, and delete documents, folders, and linked files. When objects are created, the object owner also defines whether other users are to receive authorizations for these objects. |
DeleteFol | Folder | Allows you to delete an entire folder and therefore an entire document structure. The folder must be completely emptied before deletion. |
Delete | Document | Allows you to delete a document. This authorization does not allow you to delete folders. |
WriteFile | Document, folder | Allows you to create, delete, and change originals, and to change the metadata. The document itself cannot be deleted. |
Write | Document, folder | Allows you to change metadata of documents and folders. The authorization does not allow you to check in, edit, or delete an original. |
DelChild | Folder | Allows you to delete documents from a document structure. This authorization refers to the superior folder below which you want to delete subfolders or documents. You must create a separate authorization for deleting the subfolders and documents. |
CreateDoc | Folder | Allows you to control the creation of documents with originals and subfolders. The authorization is linked to the superior folder below which you want to create subfolders and documents. |
ReadFile | Document, folder | Allows you to display metadata and originals. The original can be exported, but cannot be changed or deleted. |
Read | Document, folder | Allows you to display metadata and the document structure. Changes are not possible. |
NoAuth | Document, folder | No authorizations are assigned. NoAuth cancels all other authorizations. The folders or documents are not visible to the user and the user has no authorization for the affected object. Inherited authorizations are overridden by NoAuth. |
The authorizations apply to the following actions:
When processing documents and folders in SAP Easy Document Management, the system checks the authorizations related to these objects as follows:
User —> User Group —> Role —> HR Object
To use object-related authorizations (ACLs) in SAP Easy Document Management, you do the following steps:
The PFCG role ensures access to document management in the back-end system. The system first checks the PFCG roles of a user. If the user has authorization for document management, the system carries out the check for ACLs as outlined above.
Note
You use the registry entry AutoInheritedAuth to control whether a user automatically receives administrator authorization when he or she creates a DIR or whether this authorization must be explicitly assigned to the user in SAP Easy Document Management using Create Admin Authorization.
You can also undo these authorizations by choosing (Delete).
Note
‘ACO_SUPER’ is the only PFCG object for working with ACLs in SAP Easy Document Management.
PFCG roles (objects) and ACLs are independent of each other. If both PFCG objects and ACLs are maintained, the system takes both of them into account, but PFCG roles are given preference.
Good Luck.
/TRB
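The inheritance and override rules quoted in the post above can be modelled to audit which restricted users can still delete originals. This is an added example, not part of the original post and not SAP code; it assumes the entry nearest the document wins and that a user with no entry has no access, it ignores user groups, roles and HR objects, and all object and user names are constructed.

```python
# Added illustration: simplified model of the ACL rules quoted above.
# Assumptions (not from SAP): the entry nearest the document wins, and a
# user with no entry anywhere on the path has no access.

# From the authorization table: which entries allow which action.
CAN_DELETE_ORIGINAL = {"Admin", "WriteFile"}
CAN_CHANGE_METADATA = {"Admin", "WriteFile", "Write"}

def effective_auth(user, path, acls, super_users=frozenset()):
    """Resolve the user's authorization for the last object in `path`.

    path: chain from top folder to the document, using the folder the
    document is actually located in (links do not pass ACLs on).
    acls: {object_id: {user: authorization}}
    """
    if user in super_users:            # ACO_SUPER overrides the ACLs
        return "Admin"
    result = "NoAuth"
    for obj in path:                   # top-down; lower levels override
        result = acls.get(obj, {}).get(user, result)
    return result

def audit_original_deletion(restricted_users, documents, acls):
    """Return (user, document) pairs where a restricted user can still
    delete originals, so the offending ACL entry can be corrected."""
    findings = []
    for doc, path in documents.items():
        for user in restricted_users:
            if effective_auth(user, path, acls) in CAN_DELETE_ORIGINAL:
                findings.append((user, doc))
    return sorted(findings)

# Constructed sample data (hypothetical object and user names).
ACLS = {
    "F_PROJECT": {"X": "Write", "Y": "ReadFile"},
    "DIR_B": {"X": "Admin"},           # document-level entry overrides folder
    "DIR_C": {"Y": "NoAuth"},
}
DOCUMENTS = {
    "DIR_A": ["F_PROJECT", "DIR_A"],
    "DIR_B": ["F_PROJECT", "DIR_B"],
    "DIR_C": ["F_PROJECT", "DIR_C"],
}

if __name__ == "__main__":
    for finding in audit_original_deletion(["X", "Y"], DOCUMENTS, ACLS):
        print("can still delete originals:", finding)
```

In the sample data, user X holds Write on the folder (metadata changes allowed, originals protected), but the document-level Admin entry on DIR_B overrides it, which is the kind of entry the audit reports.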
Hi Amulya,
Users who have change mode authorization in DMS have delete authorization for original files by default. This is the SAP DMS standard process. You cannot control the delete object through authorization roles.
I have developed one logic in a User Exit to achieve the requirement as mentioned above. Use the include "IF_EX_DOCUMENT_MAIN02". Pass the fields DOKAR-Z*. If F_Delete, then give the error message "Deletion not allowed".
Users who should have "Delete" authorization can be maintained in a Z-table like "ZDMS_FILE_DEL".
Maintain the required SAP User IDs in this table along with dates as "From Date & To Date" so that there will be more control on deletion. You can enter one day so that specific users will have Deletion authorization on that day only. If the user tries to delete the file on the next day, the exit will get activated again and the system will give an error message.
I have implemented in my project & it is working successfully. Let me know if you have any questions.
Thanks
Pravin.