Hi all,
this is a general question related to SAP's authorization concept (hope it goes into this forum). I basically understand how authorizations, authorization objects/-profiles and user master records work together. However, what I don't understand is how authorization is done when the 'thing' (trying to avoid the term 'object' here) a user may or may not do something with is
1) individually different and/or
2) changes during runtime.
Say a customer logs in and may only see the purchase orders he is creating or has already created, i.e. the 'thing' (here: purchase order) we want to restrict access to (so users have to be authorized) is dynamic data and various per user (so no groups of users or roles as such make sense).
So, is there a way to construct authorizations dynamically? Would one at all use authorization objects or create a custom authorization concept (with some table look-ups) here?
Regards,
Sebastian
3 Answers
-
Best Answer
Former MemberPosted on Jan 06, 2005 at 10:41 AMThat's not how the SAP authorization concept is designed to work.
In general, an application performs authorisation by asking:
- Am I allowed to perform a certain activity
- On this type of object (eg. "purchase order", "thing")
- Where the object has a certain classification
That last bit is the key. We don't authorise users to perform activities on specific instances of a "thing", rather we allow users to perform activities on those "things" that have common attributes, such as belonging to a particular company code, having a certain authorisation group, etc.
If the thing is individually different, then you probably need to specify a unique authorisation group. Though this supposes the thing supports authorisation groups and is also not very friendly as authorisation groups tend to be free entry fields.
Regards,
Scott
Message was edited by: Scott Barden
Add a comment
-
Posted on Jan 06, 2005 at 01:52 PM
Hi Sebastian,
that's the point: how to identify a future key value, which has to be protected? By key number is quite stupid... (but don't mention this to your customer!).
Maybe release strategy is an option: a document (PO) is created, but won't be processed until several steps of confirmation are executed (perhaps depending on total value...).
I would go on with clarifying, if some<i>things</i> have to be protected, how <i>some</i>thing is defined - this should help to get a better requirement.
Christian
Add a comment
-
Posted on Jan 06, 2005 at 12:11 PM
Hi Sebastian,
I guess, important question is classification of the things. Users aren't allowed to do something, there has to be a specific description (is allowed to create POs and change only 'own' ones).
As long this is clear, your problem is to define this classification in SAP (e.g. changes depend on field EKKO-ERNAM). Maybe sometimes additional tables have to be read (there might be no field ERNAM, but in change documents CDHDR-USERNAME can be found).
Surely that aren't standard checks (otherwise you would have finished your concept already).
One solution can be:
Creation of additional authorization objects (e.g. with ERNAM)
Insertion of additional authorization checks (hopefully in user-exits, otherwise modifications / own transactions)
Maintenance of many authorizations:
action ernam
01 *
02 KAMP <- for each user different - lot of work
03 TRAINEE01
03 TRAINEE02
03 BATCH
...
Hope you got the picture.
Concentrate first on defining the classification, then try to describe the maintenance work for the definition of 'what is allowes'. There will be users, which have more (but not necessarily * ) authority. If you can show, their ideas will lead to very complex (and huge) maintenance efforts - independent of any technical solution (adding some checks in PO is not so difficult), you might can get easier requirements.
Regards,
Christian
Add a comment
Add a comment