cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PPM 5.0 Security Guide - Access Control Lists

Go to solution
Former Member

on ‎08-26-2015 10:52 AM

0 Kudos

Hi All,

We are implementing PPM5.0 currently and we are having trouble with the initial security configuration. Needless to say, the official security guide is vague at best.

The guide mentions the use of Access Control Lists (ACL) to control who has authorization to change a particular project definition or collaboration. Is there a WIKI anywhere on how to do this?

I've also read elsewhere that we should completely restrict the use of the authorisation object ACO_SUPER in the AS and mainly grant access using the ACL's. Is this a good approach to take?

All help greatly appreciated.

Regards,

Colin

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎08-26-2015 4:43 PM
0 Kudos

Hi Colin,

You might find the discussion below useful. I have explained my opinion why ACO_SUPER should not be used, but feel free to get back if any questions.

http://scn.sap.com/thread/3452522

Regards,

Lashan

Show replies
Show replies
Former Member
‎08-28-2015 11:15 AM
0 Kudos

Thanks Lashan,

I have read that and it's very useful. I can't seem to locate the Access Control Lists within the admin console. Can you point me in the right direction please?

Regards,

Colin

Former Member
‎08-28-2015 3:40 PM
0 Kudos

The ACL's are located in authorization tab of the object (i.e. portfolio, item, project, etc). In the portfolio management area it is under the miscellaneous tab of the object (assuming you using the standard UI). In the project you will find the authorization tab at the project definition level as well as for all project elements such as phases and tasks.

So there is no "admin console" per se, the administrator (user with "admin" ACL authorization) of each object will manage the authorization. Generally, using a combination of inheritance (from Portfolio to Bucket to Item AND Project to project elements) and DFM (Portfolio Item to/from Project), you would set things up such that manually editing of ACL's are done by exception only when you want to override inherited or synchronized authorization.

Former Member
‎08-28-2015 4:51 PM
0 Kudos

Thanks again Lashan,

That's spot on. One last questions for you: in order to restrict access to the main tabs in the NWBC screens (Portfolio Management, My Portfolio Objects etc.), do we just need to copy the SAP std role SAP_BPR_PPM and remove the WebDynpros we are trying to restrict by?

Regards,

Colin

Former Member
‎08-28-2015 5:22 PM
0 Kudos

Happy it helped. Yes, you are correct... you'd want create your own custom "NWBC navigation roles" based on SAP_BPR_PPM. The standard role is really only meant to be an all inclusive example.

Answers (0)

Ask a Question