Former Member

Remove bucket modify from users but still allow item create/change

Hi Experts: we recently upgraded our RPM system to 500_702 and we have found that users are able to edit buckets. We set our authorization controls at the portfolio level so it is inherited downward. The access levels are defined to roles not directly to users. They do not have the ACO_SUPER object assigned. All checking on the back during a trace fails so it is nothing on the PFCG object level.

What I am looking for is how to turn off bucket level access but still retain the item level access required by the user. We still want to set the controls at the portfolio level and inherit accordingly.

These are inherited to all buckets related to that portfolio. When a user clicks on Portfolio Structure from the options it pulls up a list of buckets. The user is able to select these and modify. We want them only to be able to display. My understanding is if we change the authorizations at the bucket level to read only then that is what is inherited at the item level. We need them to be able to edit at the item level but not the bucket without performing item level authorizations.

I tried to attach screenshots .jpeg or .png but kept getting content type not allowed.

Appreciate any suggestions.

Thanks

Kathy Brethouwer

Molex Incorporated

Sr. Systems Analyst - Security


3 Answers

  • Former Member
    Feb 09, 2013 at 12:14 PM

    Hello Kathy,

    I had a similar requirement as you, in my case related to the decision points, and I had to develop it because the standard functionality didn't cover it.

    It is true that SAP has released new functionalities. You can review the OSS note, it is possible it helps you.

    In my case my requirement was that a user with read authorization in the item can change a decision point... I substitute read authorization by write when the user opens the dp.

    Regards,


    • Former Member

      Hello,

      Sorry, I meant that one year ago, when I had a requirement similar to yours, I didn't find a standard solution.

      But it is true that SAP is delivering new functionalities or solving missing functionalities under OSS.

      If you haven't found anything, I suppose it is because your requirement hasn't been covered.

      Sorry!!!

  • Former Member
    Apr 05, 2013 at 01:10 PM

    Hello Kathy

    I am not sure if you still have this requirement, but I have come across a possible standard solution to your issue

    You can keep using the specified roles at Portfolio level. But in order to avoid users from changing Bucket values, you will need to do the following with this proposed option:


    1. Under SPRO - Portfolio Management - Global Customising - Process and Service Settings - Navigation Settings - Define Authorisations for Detail Screen Views/Subviews

    Here you need to create an entry with the following detail:

    - WD Application Name : RPM_BUCKET_DETAILS

    - WD Configuration ID : RPM_BUCKET_DETAILS_CFG

    - Variant ID : RBH_EDIT (SEE Comment on this below)

    - Main View ID : OVERVIEW

    - Subview ID: VI_GEN_INFO

    - ACL Activity : NO AUTH

    Once you have made this setting you will see that the user will no longer be able to Edit a Bucket IF navigating there from the normal menu path. However the access at Initiative and Item level which was assigned at Portfolio/Bucket level for create and change will still be defaulted as per your expectation. You will have to do a similar setting at Portfolio level as well to limit access to update if need be

    2. Your problem now is going to be that the user can still access the Bucket through the Initiative/Item (From within the Initiative and Item user can still click on these links). To solve this you can :

    - Firstly hide the links by updating the webdynpro's using the &SAP-Config-Mode=X method

    - Secondly you should then include the Bucket Name/External ID for both Initiative and Item using config step 'Define Custom Field Configuration'. First check step 'Check SAP Field Configuration ' and you will see that for object type IPO and RIH the field BUCKET ID is not visible. Make them visible through the custom field configuration step. The aim of this is to still provide the user with the external ID of the related bucket, but not to have it as a link

    Step 2 may be solved in a different way as well but I am still investigating

    Lastly - comment on Variant ID : In order to have the ability where some users may change/create Buckets and others not, you will have to create new variant IDs for each of the applicable webdynpro components and then assign these in step 'Define Authorisations for Detail Screen Views/Subviews' - all other related navigation settings must also be completed.

    Regards

    C


    • Former Member

      Hi Chatsworth,

      We have a similar issue. We want to add users to a portfolio item with write access. The user can edit the overview view general information subview, but the user cannot edit the overview view financial information subview. We did the following settings.

      Under SPRO - Portfolio Management - Global Customising - Process and Service Settings - Navigation Settings - Define Authorisations for Detail Screen Views/Subviews

      - WD Application Name : RPM_ITEM_DETAILS

      - WD Configuration ID : RPM_ITEM_DETAILS_CFG

      - Variant ID : RBH_EDIT

      - Main View ID : OVERVIEW

      - Subview ID: VI_FIN_OVER

      - ACL Activity : Admin

      After this configuration, we still see that the users with write access can still edit the financial information subview.

      Could you let us know what is missing?

      thanks,

      Ananth

  • Former Member
    Sep 24, 2014 at 08:06 PM

    Hello Kathy;

    Apply the SAP Notes:

    • 2019060 - The authorizations inherited via role are not considered.
    • 1927972 - Portfolio dependent-field configuration not considered based on highest ACL.

    Best regards.

    Mariano
