on 01-21-2015 10:05 PM
Hi everyone,
We are implementing SAP Work Manager 6.2 on SMP 3.0 SP04. I have a question around SAP Work Manager authorizations - I have read the WM 6.2 installation guide found here https://websmp101.sap-ag.de/~form/handler?_APP=00200682500000002672&_EVENT=DISPLAY&_SCENARIO=0110003...
We will reference the below(very high level and simplified) diagram to better understand the question.
As I understand, the user logs into the WM client using the credentials for the SAP backend system and needs to have access in the backend system to be able to perform operations like work order processing etc.
The issue is that our client does not want all the individual users to get these authorizations to the backend SAP system as this will allow the users to do all kinds of activities in the SAP GUI(although the users will never log in to the SAP GUI and will only use the mobile app, but our client has raised this as a security risk and a show stopper).
I am new to SAP Work Manager and hence the question - Is there any way to get around this? Can we, for example, have a generic(CPIC) user in SMP and assign all back end authorizations to this user? When the request is initiated by the client, the Agentry component within SMP, knows which user it needs to fetch the data for and adds this "Actual user" as a parameter?
I guess my bottom line question is - can we somehow allow mobile users to perform all activities on the work manager mobile application, without giving them access to perform these and any additional activities in the SAP GUI? I would really appreciate any ideas/inputs that you might have.
Cheers,
Abhinav
Abhinav
In the SAP backend system you can create roles and assign authorization objects and assignit to the mobile users based on their business roles. By doing so your only giving required access to Mobile users to perform his/her work. E.G:- if you provide access to Mobile users to create / change work order doesn't mean that same user can logon to SAP GUI and create purchase order or sales orders.
Lets say if mobile user have access to create Notification from mobile device but not in SAP backend then that transaction will fail when changes are submitted to the backend.
May be i'm not completely clear with requirements and what your trying to address. But here are couple of options:-
1) Look at security settings in /syclo/configpanel system/product/syclo class handler security options to see if that meets your requirement.
2) Download SAP roles/authorization into complex table. Based on roles you can write rules to enable / disable certain functionalities in Work Manager apps.
3) if above 2 options doesn't meet your requirement - May be create Z table to maintain some dummy authorization for Mobile operations. like create work order , change WO etc. assign to Mobile users . Download z table content to mobile application and based on rule you can enable / disable certain features on Work manager.
Thanks,
Manju - Technology RIG, SAP
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Manju/Chandra,
Thank you for providing these pointers, I am currently brain storming on some of these with the team. Where can I find more information on "assigning user menu and restricting navigation"?
Cheers,
Abhinav
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I pinged my colleague to answer you.
He has better examples than I. I have full access under my profile.I can't remember what back-end I need to connect to that has the bare minimum profile and role - just to give an example.
Regards,
Mark Pe
SAP Senior Support Engineer
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
By default there is no separate User Administration for Work Manager in other words it uses roles/authorizations configured in SAP. You assign roles with assumption that Users will use SAP GUI . Additionally you should also assign S_RFC to Users role. There is nothing preventing users from login to SAP if the user accounts were created as Dialog Users (alternatively you can create then as System/Service User).
There is an option to use USER_AUTH_GLOBAL for authentication to use a generic ID but then you will be able to track changes or Assign Work (push as well).
Have you considered assigning User Menu and restricting navigation?
Thx
Chandra
User | Count |
---|---|
84 | |
10 | |
10 | |
10 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.