cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PLM 7 ACM for CAD files

Go to solution
Former Member

on ‎08-27-2014 8:47 PM

0 Kudos

Hello Experts,

I am testing PLM 7.0 ACM functions on the Document Info Record (DIR)  objects. Steps as below..

1) I am using the NWBC to access and create the ACC id (XYZ_Project1) which is tied to a root context id (XYZ).

2) I added myself as the ACC admin with all the required PLMWEBUI roles +

Super User Role (SAP_PLMWUI_ACC_SUPER_USER) + Trusted users role (SAP_PLMWUI_TRUSTED_USER_ALL)

3) Assigned the ACC Id (XYZ_Project1) to a DIR.

4) Created a Test User (User1) who have the standard ECC DMS roles(Create/Change/Display) for the DIR's.

5) In addition to the above ECC role, I have assigned user1 with the role SAP_PLMWUI_TRUSTED_USER_ALL.

6) In DC10, I have flagged the 'Use ACM" for that document type.

Use case:

Since the USER1 is not assigned to the owning context  id XYZ_Project1, he should not be able to Change/Display DIR.

Result; User1 can still view the DIR even though its controlled by the ACM

NB: I ran the program /PLMB/R_AUTH_UPDATE_RT_FROM_CP to update the roles and ACC id changes I have done (step1..5) to see if that updates the ACM check. But after the above program is expected the results are same. User1 can access the document.

Any thing I am missing here which will block the USER1 to that particular DIR?

Thanks,

Pradeep

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

ravi_ekambaram
Active Contributor
‎08-28-2014 9:24 AM
0 Kudos

Hi Pradeep,

Check whether the user is assigned with authorisation object 'PLM_SPUSR' with object type PLM_DIR in any other roles.

You can use Tcode-SUIM to check the same.

Regards,

Ravi

Show replies
Show replies
Former Member
‎08-29-2014 3:59 PM
0 Kudos

Hi Ravi,

Thanks for your response. The users is assigned to role  SAP_PLMWUI_TRUSTED_USER_ALL with the object type PLM_TRUSR. That's what is the minimum requirement I guess for the users to see the DIR, but prevent the access.

I am doubting that the program /PLMB/R_AUTH_UPDATE_RT_FROM_CP is not updating the ACM in the backend. when I run the job, the duration in SM37 its show is 0, which I assume its not doing its job as intended.

Another question for the ACM to work does the user need to be using NWBC/PLM WEBUI? Will it work as intended in classical SAP GUI transaction (CDESK) too?

Thanks,

Pradeep

ulf_petzel
Advisor
Advisor
‎08-29-2014 4:48 PM
0 Kudos

Hi,

with regards to your question:

Another question for the ACM to work does the user need to be using NWBC/PLM WEBUI? Will it work as intended in classical SAP GUI transaction (CDESK) too?

Yes, it will. This was introduced for CAD Desktop a while ago through Customer Connection. Not sure which EhP level you are working on? 5 or higher should be fine.

Ulf.

Former Member
‎08-29-2014 4:54 PM
0 Kudos

Hello Ulf,

Good to see your reply..

We are on EHP7 version. I activated the ACM field in CDESK, assigned the ACC id (not the root ACC id) to the DIR from there.

But when I log in as the test user having the above mentioned roles, I cannot see the ACC id for that DIR and the test user can process the DIR.

Thanks,

Pradeep

ulf_petzel
Advisor
Advisor
‎08-29-2014 5:05 PM
0 Kudos

Hi,

you are saying you assigned a context but you can not even see its assignment in the CAD Desktop, nor in the PLM Web UI?

Can you provide screen shots?

I am actually not sure if you should assign the role SAP_PLMWUI_TRUSTED_USER_ALL to this user. Isn't this granting all access rights? Why don't you use one of the other roles like SAP_PLMWUI_REVIEWER? Have you checked the authorizations granted there?

See also https://websmp110.sap-ag.de/~sapidb/011000358700000891522011E/PLMWUI_EHP6_ConfigGuide.pdf

Regards, Ulf.

Former Member
‎08-29-2014 5:30 PM
0 Kudos

Hi,

I assigned the context to the DIR and when I login as test user I cannot view the connect id in cdesk.

screen attached: ACM_CDESK_SCREEN.png

Regarding the role SAP_PLMWUI_TRUSTED_USER_ALL, whatever I know reading the manual is that it just gives the display access to PLM objects (see attach) (DIR, Material, BOM etc).

I tested removing the role SAP_PLMWUI_TRUSTED_USER_ALL and the test user when he tries to display the upper level assembly DIR (100146/SWA) it appears with a folder icon without the doc structure even if the upper level DIR is not assigned with the ACC context id.

This situation can limit him not able to display the files which are not ACC controlled just because one or two DIR have ACC assignment.

Thanks,

Pradeep

ulf_petzel
Advisor
Advisor
‎09-01-2014 9:46 AM
0 Kudos

Hi Pradeep,

I think you got it wrong.

You said the current behavior is:

Since the USER1 is not assigned to the owning context  id XYZ_Project1, he should not be able to Change/Display DIR.

Result; User1 can still view the DIR even though its controlled by the ACM

This is not true. You assigned the role SAP_PLMWUI_TRUSTED_USER_ALL, which allows the user to see everything in the system. Which is what you documented in the screenshot.

Not sure why he does not see the owning contexts but I guess this is due to the fact he is not assigned to them in ACM.


Addition: Please use SAP_PLMWUI_TRUSTED_USER_ALL2 in your environment, since it covers all other objects under ACM as well.

Ulf.

Message was edited by: Ulf Petzel

Former Member
‎09-02-2014 4:40 PM
0 Kudos

Hi Ulf,

As per your suggestion I removed the role SAP_PLMWUI_TRUSTED_USER_ALL from the test user authorization. The behavior remains the same i.e: he can download the owing context DIR's as well.

(attach: WO_SAP_PLMWUI_TRUSTED_USER_ALL.png)

Further I went a head and removed the PLM_TRUSR from his authorization. This blocks the complete display of the doc structure in CDESK which does not help either.

attach: WO_PLM_TRUSR.png

The expected behavior is to download all the non ACM DIR's(1000146,100147,1000148) from SAP to CAD and give some sort of message about the ACM DIR's(1000149,1000150) so that the user if he needs those files can request the access to the ACM admin.

Will the above expected behavior can be a standard function or an enhancement?

Thanks,

Pradeep

Former Member
‎09-16-2015 7:08 AM
0 Kudos

Hi Ravi

I'm facing the same situation.

If my testing user is not a PLM_DIR trust user he can not create/change/display a document even when he is assigned in ACC which is tied to the document.

If my testing user is a PLM_DIR trust user, the documents are controlled under ACC on WebUI. But it's not controlled in SAP GUI.

This is the details:

Looking forward for your reply.

Regards

Jimmy

Answers (2)

Answers (2)

Former Member
‎08-27-2015 12:58 PM
0 Kudos

Hi Pradeep

Have you solved you problem yet? I have come with the same problem.

My test user was assigned to an ACC which include auth object PLM DIR with '*'.

I can only create a document when the user is 'PLM DIR'  trust user. And another test user who is not assigned to the ACC can't open document on PLMWUI but he can succefully open the same document on SAP GUI.

Regards

Jimmy

Show replies
Show replies
abhishek_gupta2
Participant
‎09-05-2014 3:53 PM
0 Kudos

Hello Pradeep ,

I agree with Ulf . It seems you have not understood the use of the concept " Trusted user " .

Let me explain you the concept of trusted user here .

Trusted user role was developed to allow those user to access the PLM object irrespective whether it is controlled by ACM or not controlled ACM .

You can create an object with owning context and without owning context in plm web UI .

Solution for your problem would be to remove the user1 assignment to the role SAP_PLMWUI_TRUSTED_USER_ALL. Instead some role say ( SAP_PLMWUI_REVIWER OR SAP_PLMWUI_DISPLAY_ALL )

Hope this solves your problem .

Thanks ,

Abhishek Gupta

Show replies
Show replies
Former Member
‎09-05-2014 4:04 PM
0 Kudos

Thanks Abhishek!

I will test my use case further with your suggestion..

BR-

Pradeep

abhishek_gupta2
Participant
‎09-05-2014 4:12 PM
0 Kudos

Pradeep ,

One important point which I found by going through the chain of discussions .

Please remember that Access Control context is meant only for PLM Web UI . I don't think that it offers similar behaviour in classical GUI transactions .

Thanks ,

Abhishek.

Former Member
‎09-05-2014 4:24 PM
0 Kudos

Oh!

I was under the assumption that the ACM field was provided in CDESK (through the customer connection note) to control the DIR's for CAD in CDESK itself. If it requires the EDESK which is part of the PLMWEBUI to utilize the ACM function then it does not serve my use case for ACM.

We are live on all sites on CDESK and moving them to EDESK just to utilize the ACM will have to be justified..

ULF and other experts can chime in if I am correct.

BR-

Pradeep

abhishek_gupta2
Participant
‎09-05-2014 4:32 PM
0 Kudos

Sounds very intresting !!

I will wait for feedback from Ulf on this .

Former Member
‎09-05-2014 5:07 PM
0 Kudos

Found this SAP note which supports my assumption that PLM 7/ACM function should be supported in classical CDESK too. I may have to look at this note in detail.

1762318  - Roles and authorizations for CAD-PLM 7 integration

Symptom

To use the PLM 7 functions in the CAD desktop, you activated the CDESK Customizing parameter CDESK_ACCESS_CONTROL, CDESK_ENGINEER_REC, CDESK_ENTERPR_SEARCH, or CDESK_PLM_WEB_UI (refer also to SAP Note 1745208).
To use PLM 7 integration in the CAD desktop, you require a combination of SAPGUI authorizations and PLM Web UI authorizations.


Further there is old note :1745208  - PLM CDesk: PLM7 integration in EHP4 to EHP6

Symptom

Various functions from the PLM Web UI (Embedded Search, access control context, engineering records) can be used in the Web UI only, and are not integrated in the CAD desktop.
You use ERP 6.00 with Enhancement Package 4, 5 or 6, and you want to use these functions in the CAD desktop.

Reason and Prerequisites

This integration is delivered only in Enhancement Package 7.

We are currently on EHP7.So that confirms that ACM should work in CDESK with EHP7.

ulf_petzel
Advisor
Advisor
‎09-05-2014 7:06 PM
0 Kudos

Hi,

yes CDESK is the tool of choice here. EDESK should not be used, that is why ACM was enabled on CDESK.

Regards, Ulf.

Ask a Question