
Delete Original Authorization

Former Member
0 Kudos

Hi All,

I have a requirement that only some users should be able to delete the originals attached to a DIR. Can you guide which role/activity we need to deactivate to make this functionality work?

One way which comes to my mind is not to give change authorization to those users, but that will not work as they are responsible for changing status.

Thus I only want a role/authorization/Object/activity which will help me to stop deleting the originals.

Regards

Amulya

Accepted Solutions (0)

Answers (10)

Former Member
0 Kudos

Hi,

Object -  C_DRAD_OBJ

Definition

This authorization object makes it possible to restrict the maintenance of an object link. This object controls which document info record the user is allowed to edit. The settings is made up of a combination of activity, object, and status.

The following table contains the fields and values of the authorization object.

Fields | Possible Value | Meaning
ACTVT (Activity) | 01 | Create
ACTVT (Activity) | 02 | Change
ACTVT (Activity) | 03 | Display
ACTVT (Activity) | 06 | Delete
DOKOB (Object) | Enter the database table here for the objects (for example: MARA, DRAW).
STATUS | Enter the appropriate status here.

Regards,

Arun kaul

Former Member
0 Kudos

Hi Arun,

Thanks, but here I am looking for a way to restrict deletion of original. I agree we can restrict deletion of Object Link. But deletion of original is a bit complex for me.

Thanks again.

Regards

Amulya

Former Member
0 Kudos

Hi Amulya,


You have an option to control deleting documents by role; if you remove the object from the role, this is possible.


regards


Arun Kaul

Former Member
0 Kudos

Hi Tilak,

Thanks for sharing the links. My query is I want to restrict some X users from deleting originals attached to a file.

Now using ACL for each DIR is difficult, so do we have any way, i.e. can we restrict all the drawings based on Document Types etc.?

Thanks for your co-operation.

Amulya

Former Member
0 Kudos

Hi Amulya,

You don't have to create an ACL authorization for each DIR. Just create the authorization at folder level and it will be inherited by the DIRs created inside that folder. Any changes at folder level will take effect immediately for all DIRs for which the authorization is created. For more details check:

ACL authorizations in DMS - Product Lifecycle Management - SCN Wiki

Yes, there is an option, we can restrict users based on Doc types, Doc Status etc.

Below is the link where you will find all the Authorization Objects available in DMS.

Authorization Objects in DMS - Product Lifecycle Management - SCN Wiki

/Tilak Raj

Former Member
0 Kudos

Hi Tilak,

I tried restricting it at folder level, but the DIRs under it remain unaffected. One reason may be that those DIRs are actually not under the folder, i.e. the folder created via SAP GUI. Correct me if I am wrong.

Also, regarding the other link which you shared, we tried each and everything via roles, but for deletion of originals no activity is triggered.

Please suggest.

Regards

Amulya

Former Member
0 Kudos

Hi Amulya,

If you are using EasyDMS, the Document Structure is created automatically (Folder>SubFolder>Documents...). If you are creating DIRs in SAP GUI, you have to assign them to a Document Structure by using t-code CV12.

For deletion of originals, provide users only Display access. Because in the standard the users can always delete originals if they have change authorization for the document info record, and there is no specific object just for handling the original files. At the moment I can only recommend you to create your own authorization check with the help of BADI DOCUMENT_AUTH01.

/Tilak

Former Member
0 Kudos


Hi Tilak,

Agree with you, but here we are not using the Document Structure concept.

Also agree that with change we get delete authorization, i.e. that is the only issue, because if we remove change status user will not be even allowed to change the status of DIR.

We have already implemented the mentioned BAdI, but with that as well we were successful in restricting deletion in SAP GUI only, not in Easy DMS.

Also authorizations are getting inherited but only when I assign Admin authorization manually to each folder or DIR.

Any other way to restrict the same in EASY DMS.

Regards

Amulya

Former Member
0 Kudos

Hi Amulya,

Go to SPRO, change the status type of the particular status to S: Locked Status. The user will not be able to delete the original but can change the status of the DIR.

/Tilak Raj

Former Member
0 Kudos

Hi Tilak,

Thanks for your quick reply. But if we do that, all users will be restricted from performing the deletion activity; our requirement is to restrict only some users.


Regards

Amulya

Former Member
0 Kudos

Hi Amulya,

I suggest you to have 2 different document statuses.

Ex.

1. Doc Status: Draft, Give authorization only to users who can do changes in DIR.

2. Doc Status: Released, Give authorization to all.

Now if users want to make any changes, they can reassign the status to Draft and make the changes to the DIR, set Release Status and save it again.

Hope this will meet your requirements.

/Tilak

Former Member
0 Kudos

Hi Tilak,

Your solution is very impressive. But in lock status user will not be even allowed to edit/add new original.

Any other way please.

Also I don't know why my Write permission in ACL is not getting inherited in EASY DMS; on the other side, READ permission is working fine even if I have used the same in the main folder.

Please suggest if we have any other way for the same.


Regards

Amulya

Former Member
0 Kudos

This message was moderated.

Former Member
0 Kudos

Hi Tilak,

1. As per the current Business Process Draft status will not work.

2. We are using 7.1.2.4 Version of Easy DMS.

My query is the same from the start. Correct me if I have misunderstood something.

Thanks

Amulya

Former Member
0 Kudos

Hi Amulya,

1. You can define other status as well (Draft is just an example). So that only authorized users can change the status and make changes.

Did you check with "display original" authorization in ACL?

2. Upgrade it to 7.1.4.8 and check.

/Tilak Raj

Former Member
0 Kudos


Hi Tilak,

Didn't get your point, i.e. "Display Original" authorization in ACL???

On your other suggestion I will upgrade to latest version and will update you.

Thanks & Regards

Amulya

Former Member
0 Kudos

Hi Amulya,


Check with "ReadFile" authorization in ACL. This entry might be missing in your ACL list. This entry is found above READ authorization.

For more details on missing ACL authorization

/Tilak

Former Member
0 Kudos

Hi Tilak,

I checked the ReadFile entry as well. When I am giving READFILE permission to a particular user for a particular DIR it works fine, i.e. not allowing deletion of the original, but when I am assigning the same to a particular folder it is not working.

What is strange is that it is stopping the user from deleting a document but it is not stopping the user from deleting an original when we assign the same to a folder; in case of assignment on a particular DIR it works fine.

Please suggest.

Regards

Amulya

Former Member
0 Kudos

Hi Amulya,

Check the registry key "AutoInheritedAuth" if the value is 1 or 0?


/Tilak Raj



Former Member
0 Kudos

Hi Tilak,

Finally I was able to delete the Admin Auth by deleting the entries from SAP table.

Now when I am trying to assign particular activity to any folder for suppose

User ID - X

Activity Assigned - Write

I have assigned the above to a folder, but still X user is able to delete originals attached to a DIR in that particular folder. But when I assign the same to a particular DIR, the user is not able to delete the original.

My Aim is to restrict some users from deleting originals from all the DIR's.

Please guide.

Regards

Amulya

Former Member
0 Kudos

Hi Amulya,

Request you to first search for your queries before posting it. There are many similar threads available. Please check below links:

Authorizations in SAP Easy Document Management - SAP Easy Document Management - SAP Library

If you still find difficulty, please revert.

/Tilak

Former Member
0 Kudos

Hi Tilak,

I agree with you, but I myself have assigned my ID as ADMIN for a particular DIR. Now I want to remove myself as admin for that DIR. So how can I do that?

Regards

Amulya

Former Member
0 Kudos

Hi Tilak,

Thanks for your reply.

I have the SAP ALL role assigned to me but still I am not able to delete Admin in SAP Easy DMS; it says this change is not permitted. If it is an authorization issue it should give an authorization error, but it says "This Change is Not Permitted".

Also what is happening is, suppose I am the admin of a particular document/folder in Easy DMS, and if I don't add any user/role and give them access, they are not even able to see that particular document.

Can you please suggest.

Regards

Amulya

Former Member
0 Kudos

Hi,

Check if any authorization key is working behind. Also try debugging the process with the help of your ABAPer, I think you will find the missing object.

Regards

Shishir

Former Member
0 Kudos

Hi Amulya,

To use ACLs, the document must have initial administrator authorization. When a document is created or versioned, the user who creates the document does not receive administrator authorization by default. The registry value AutoInheritedAuth must be set to 1 to receive administrator authorization by default. The user cannot delete his or her own administrator authorizations.

/Tilak

Former Member
0 Kudos

Hi Tilak,

I tried that; it says it is not permitted. Though I am the only admin, still it is not allowing me.

Regards

Amulya

Former Member
0 Kudos

Hi Amulya - Check with your BASIS team, might be you don't have authorization to ACL. Also check in SPRO> Cross-Application Components -> Document Management -> Document Browser: Make sure ACL FLAG and EDIT ACL checkboxes are marked.

As for authorization object S_RFC, check below online documentation

http://help.sap.com/saphelp_erp2005/helpdata/de/60/305140c770cd01e10000000a155106/frameset.htm

Former Member
0 Kudos

Hi Tilak,

Thanks for the detailed description. Can you tell me how we can delete admin authorization in SAP EASY DMS, i.e. the one which is created via ACL?

Regards

Amulya

Former Member
0 Kudos

Hi Amulya - In EasyDMS, when you open the SAP Properties of any DIR for which ACL is active, go to the "Authorization" tab. Below you will find the ADD and DELETE buttons.

/Tilak

Former Member
0 Kudos

Hi Pravin,

Your solution worked perfectly fine in SAP GUI, but the issue is it does not work in Easy DMS. Can you suggest?

Rgds

Amulya

Former Member
0 Kudos

Hi Amulya,

Unfortunately I have not worked on SAP EASY DMS, but as per my knowledge EASY DMS is installed on every user's PC or laptop, so all users have delete/change/add (copy & paste & drag & drop) authorization. Hence it may not be possible to control the delete authorization in SAP EASY DMS. However there must be some other option to handle this issue but I don't have any idea about the same.

Thanks

Pravin

Former Member
0 Kudos

Hi Amulya,

For easyDMS specifically, did you try managing your requirement using ACLs? IMO, should hold good. Do test and share the results.

Warm regards,

Pradeepkumar Haragoldavar

Former Member
0 Kudos

Hi Pradeep,

I have not worked on ACLs; can you guide how I can proceed with that?

Thanks

Amulya

Former Member
0 Kudos

Hi Amulya,

Go to SPRO>Cross Application Components> Document Mgmt> Control Data> Activate Doc Browser and ACLs.

Check flag for ACL FLAG and Edit ACL.

Now logon to EasyDMS, Authorization tab will appear in all doc "SAP PROPERTIES".

Enter the users or create user groups, select the authorization to be given to a particular object.

Object-related authorizations (access control lists (ACLs)) allow assignment of authorizations to carry out certain activities in folders and documents.

These authorizations are inherited top-down (see Inheritance) and can be overridden at lower levels.

Caution

You use the authorization object ACO_SUPER to give certain users, such as system administrators, authorization to override the ACLs.


Note

Linked documents do not inherit the authorizations of the folder to which they are linked. These documents only inherit ACLs that result from their original use, that is, from the folder in which the documents are actually located and not from a folder by means of a link.

Features

You can assign the following authorizations to users, user groups, and roles:

  • Administrator
  • Delete folder
  • Delete document
  • Change
  • Delete subfolder
  • Create document and subfolder
  • Read metadata
  • Read originals
  • No authorizations

These authorizations are described in detail in the following table:

Authorization/Activity | Object | Description
Admin | Document, folder | Allows you to display, change, rename, copy, and delete documents, folders, and linked files. When objects are created, the object owner also defines whether other users are to receive authorizations for these objects.
DeleteFol | Folder | Allows you to delete an entire folder and therefore an entire document structure. The folder must be completely emptied before deletion.
Delete | Document | Allows you to delete a document. This authorization does not allow you to delete folders.
WriteFile | Document, folder | Allows you to create, delete, and change originals, and to change the metadata. The document itself cannot be deleted.
Write | Document, folder | Allows you to change metadata of documents and folders. The authorization does not allow you to check in, edit, or delete an original.
DelChild | Folder | Allows you to delete documents from a document structure. This authorization refers to the superior folder below which you want to delete subfolders or documents. You must create a separate authorization for deleting the subfolders and documents.
CreateDoc | Folder | Allows you to control the creation of documents with originals and subfolders. The authorization is linked to the superior folder below which you want to create subfolders and documents.
ReadFile | Document, folder | Allows you to display metadata and originals. The original can be exported, but cannot be changed or deleted.
Read | Document, folder | Allows you to display metadata and the document structure. Changes are not possible.
NoAuth | Document, folder | No authorizations are assigned. NoAuth cancels all other authorizations. The folders or documents are not visible to the user and the user has no authorization for the affected object. Inherited authorizations are overridden by NoAuth.

The authorizations apply to the following actions:

  • Create
  • Copy
  • Move
  • Change
  • Delete
  • Send documents

Check for Access Control Lists (ACLs)

When processing documents and folders in SAP Easy Document Management, the system checks the authorizations related to these objects as follows:

  • The system checks whether an ACL exists in the document.
  • If no ACL has been defined in the document, the system checks the superior folder.
  • If no ACL has been defined there, the system checks the folder above that folder.
  • The system continues checking until it finds an ACL.
  • If no ACL is found, the user does not have authorization.
  • The more comprehensive authorization for a single layer applies as follows:

    User —> User Group —> Role —> HR Object

  • Authorizations assigned to a superior folder are inherited by all subfolders at all levels.

Activities

To use object-related authorizations (ACLs) in SAP Easy Document Management, you do the following steps:

  • Create a PFCG role or use an existing role

    The PFCG role ensures access to document management in the back-end system. The system first checks the PFCG roles of a user. If the user has authorization for document management, the system carries out the check for ACLs as outlined above.

  • Assign a user to the role
  • Create document info records (DIRs) in the backend
  • In SAP Easy Document Management you define the administrator authorizations for a folder or document under (SAP Properties) on the Authorizations tab page using Create Admin Authorization pushbutton. These authorizations allow the user to edit documents and folders and assign authorizations to other users, user groups, and roles.

    Note

    You use the registry entry AutoInheritedAuth to control whether a user automatically receives administrator authorization when he or she creates a DIR or whether this authorization must be explicitly assigned to the user in SAP Easy Document Management using Create Admin Authorization.

  • You define authorizations for other users, user groups, roles, and HR objects in SAP Easy Document Management under (SAP Properties) on the Authorizations tab page for a folder or document, by choosing (Add).

    You can also undo these authorizations by choosing (Delete).

  • If you selected the authorization holder type User Group, you can define new user groups or change or delete existing ones under Authorization Holder in the (SAP Properties).

    Note

    ‘ACO_SUPER’ is the only PFCG object for working with ACLs in SAP Easy Document Management.

    PFCG roles (objects) and ACLs are independent of each other. If both PFCG objects and ACLs are maintained, the system takes both of them into account, but PFCG roles are given preference.

Good Luck.


/TRB
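
The check order and the rights table quoted in the post above, as a small Python model for auditing who could delete originals where. This is an added example, not SAP code or code from the thread; the `Node` class, user IDs and DIR names are constructed, only user-level entries are modelled (no user groups, roles or HR objects), and treating the nearest object that carries an ACL as decisive is an assumption taken from the documented order.

```python
from dataclasses import dataclass, field
from typing import Optional

# Rights that, per the table above, include deleting an original file.
DELETES_ORIGINAL = {"Admin", "WriteFile"}

@dataclass
class Node:
    """A folder or DIR. `parent` is the folder it is actually located in, not a link."""
    name: str
    parent: Optional["Node"] = None
    acl: dict = field(default_factory=dict)  # user ID -> set of rights; empty = no ACL

def effective_rights(node, user):
    """Walk upwards until an object carrying an ACL is found; that ACL decides (assumption)."""
    while node is not None:
        if node.acl:
            rights = set(node.acl.get(user, ()))
            # NoAuth cancels all other authorizations.
            return set() if "NoAuth" in rights else rights
        node = node.parent
    return set()  # no ACL found anywhere: the user has no authorization

def can_delete_original(node, user, has_dms_role=True, aco_super=False):
    if not has_dms_role:   # the PFCG role is checked before any ACL
        return False
    if aco_super:          # ACO_SUPER overrides the ACLs
        return True
    return bool(effective_rights(node, user) & DELETES_ORIGINAL)

def deletable_by(documents, user):
    """Audit helper: names of the DIRs whose originals `user` could delete."""
    return sorted(d.name for d in documents if can_delete_original(d, user))

# Constructed sample structure (user IDs and DIR names are made up).
folder = Node("FOLDER", acl={"OWNER": {"Admin"}, "X": {"Write"}})
DOCS = [
    Node("DIR-INHERITS", parent=folder),                              # no ACL of its own
    Node("DIR-OWN-ACL", parent=folder,
         acl={"OWNER": {"Admin"}, "X": {"WriteFile"}}),               # own ACL decides
    Node("DIR-OWNER-ONLY", parent=folder, acl={"OWNER": {"Admin"}}),  # X not listed
    Node("DIR-BLOCKED", parent=folder, acl={"X": {"WriteFile", "NoAuth"}}),
]

if __name__ == "__main__":
    for user in ("X", "OWNER"):
        print(user, "can delete originals of:", deletable_by(DOCS, user))
```

In this model an ACL on the DIR itself replaces whatever the folder grants, so a folder-level entry only reaches DIRs that carry no ACL of their own.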

Former Member
0 Kudos


Hi Amulya,

Users who have change mode authorization in DMS have delete authorization for original files by default. This is the SAP DMS standard process. You cannot control the delete object through authorization roles.

I have developed one logic in a User Exit to achieve the requirement as mentioned above. Use the include "IF_EX_DOCUMENT_MAIN02". Pass the fields DOKAR-Z*; if F_Delete, then give the error message "Deletion not allowed".

Users who should have "Delete" authorization can be maintained in a Z-table like "ZDMS_FILE_DEL".

Maintain the required SAP User IDs in this table along with dates as "From Date & To Date" so that there will be more control on deletion. You can enter one day so that specific users will have deletion authorization on that day only. If he tries to delete the file on the next day, the exit will again get activated & the system will give an error message.

I have implemented in my project & it is working successfully. Let me know if you have any questions.

Thanks

Pravin.

Former Member
0 Kudos

Hi Pravin,

Your solution worked perfectly fine in SAP GUI, but the issue is it does not work in Easy DMS. Can you suggest?

Rgds

Amulya