IMG Activity
ID | WF_OOSP | Create Authorization Profile |
Transaction Code | S_BIE_59000307 | (empty) |
Created on | 20000411 | |
Customizing Attributes | WF_OOSP | Create Authorization Profile |
Customizing Activity | WF_OOSP | Create Authorization Profile |
Document
Document Class | SIMG | Hypertext: Object Class - Class to which a document belongs. |
Document Name | WFOOSP |
Use
In this IMG activity you define structural authorizations, which are checked in addition to the basic authorization. The overall authorization is derived from the basic authorization together with the restriction imposed by the structural authorization. You can also protect (sub)structures if you make the appropriate entries.
You can define structural authorizations for the following areas:
- Plan versions
- Object types
- Object IDs
The following parameters and functions are also available for defining authorization profiles:
- Evaluation paths
  You can enter a particular evaluation path to specify that the user can only access objects along this evaluation path.
  If an evaluation path is used, an entry must be made in the field Object ID.
- Status vector
  You can use the status vector to specify that the user can only access objects whose relationship infotypes only have a particular status, for example planned or active.
- Display level
  You can use the display level to specify the hierarchy level up to which the user can access a structure.
- Period
  You can use this parameter to specify the profile according to the validity period of the structure. If you choose the entry D (current day), for example, the structural authorization only applies to structures that are valid on the respective current day.
  If you do not make an entry (default value <blank>), there is no restriction as to the validity periods of the structures. (See example 4.)
- Function module
  You can enter a function module in this field, which determines the root object dynamically at runtime. In this case, no entry can be made in the field Object ID, but plan version and object type must be specified.
  The advantage of using function modules is that user-specific profiles are created using dynamic determination of the root object at runtime with a single authorization profile definition. (See example 5.)
  SAP supplies two function modules:
  - RH_GET_MANAGER_ASSIGNMENT (determine organizational units for manager)
    - If this function module is used, the organizational unit to which the user is assigned as manager via the position and the relationship A012 (is manager of) is determined as root object.
    - This function module works on a date basis, meaning that only the organizational units to which a user is assigned as manager on a selected date or during a selected period are determined as root object.
  - RH_GET_ORG_ASSIGNMENT (organizational assignment)
    - If this function module is used, the organizational unit to which the user is assigned organizationally is determined as root object.
In addition, you can define profiles that contain a maintenance authorization. You do this by selecting the processing type maintenance. This means that function codes marked with Maintenance in table T77FC can also be executed.
Requirements
Standard settings
Activities
Create the required authorization profile.
Example
In the following examples only the fields that contain entries are mentioned.
Example 1:
The authorization profile authorizes the user to access plan version "01".
Field | Entry |
Plan version | 01 |
Example 2:
The authorization profile authorizes the user to access organizational units in plan version "01".
Field | Entry |
Plan version | 01 |
Object type | O (organizational unit) |
Example 3:
The authorization profile authorizes the user to access organizational units along the evaluation path "organizational structure" starting from a root object (entry in Object ID) in plan version "01".
Field | Entry |
Plan version | 01 |
Object type | O |
Object ID | ID of organizational unit |
Evaluation path | ORGEH (organizational structure) |
Example 4:
The authorization profile authorizes the user to access organizational units in the structure valid on the current day in plan version "01".
Field | Entry |
Plan version | 01 |
Object type | O |
Period | D (current day) |
Example 5:
The authorization profile authorizes the user to access objects along the evaluation path "positions along organizational structure" starting from a root object in plan version "01". In this case, the root object is determined using the function module, meaning that no entry can be made in the field Object ID.
The user hence has authorization to access the organizational unit that they manage, and all subordinate objects from the evaluation path SBESX.
Field | Entry |
Plan version | 01 |
Object type | O |
Object ID | 0 (no restriction) |
Evaluation path | SBESX (staffing assignment along organizational structure) |
Function module | RH_GET_MANAGER_ASSIGNMENT |
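The field rules stated under Use (an evaluation path needs an Object ID unless a function module supplies the root object; a function module excludes an Object ID and requires plan version and object type) can be checked mechanically when profile definitions are reviewed. The following Python sketch is an added example, not SAP code; the dictionary keys, the finding codes and the Object ID 50001234 are assumptions made for illustration.

```python
# Added example, not SAP code. Dictionary keys mirror the field labels on
# this page; they are assumptions of this sketch, not SAP column names.

def _root_id(row):
    """Object ID as entered; blank, 0 and '00000000' all count as no entry."""
    return str(row.get("object_id") or "").strip().lstrip("0")

def lint_profile_row(row):
    """Return finding codes for one structural authorization profile row."""
    findings = []
    plvar = row.get("plan_version", "")
    otype = row.get("object_type", "")
    fmod = row.get("function_module", "")
    objid = _root_id(row)

    if fmod:
        # Root object is determined at runtime: Object ID stays empty,
        # plan version and object type are mandatory.
        if objid:
            findings.append("E_FM_WITH_OBJECT_ID")
        if not (plvar and otype):
            findings.append("E_FM_NEEDS_PLVAR_AND_OTYPE")
    elif row.get("evaluation_path") and not objid:
        # A statically defined evaluation path needs a root object.
        findings.append("E_EVPATH_NEEDS_OBJECT_ID")

    if not objid and not fmod:
        # No root at all: scope is the plan version or a whole object type.
        findings.append("W_ALL_OBJECTS_OF_TYPE" if otype else "W_WHOLE_PLAN_VERSION")
    if row.get("maintenance"):
        findings.append("I_MAINTENANCE_ALLOWED")  # T77FC maintenance function codes
    return findings

# Constructed rows: the first five follow Examples 1 to 5 above; the Object ID
# 50001234 and the last two rows are made up for illustration.
ROWS = [
    {"plan_version": "01"},
    {"plan_version": "01", "object_type": "O"},
    {"plan_version": "01", "object_type": "O", "object_id": "50001234",
     "evaluation_path": "ORGEH"},
    {"plan_version": "01", "object_type": "O", "period": "D"},
    {"plan_version": "01", "object_type": "O", "object_id": 0,
     "evaluation_path": "SBESX", "function_module": "RH_GET_MANAGER_ASSIGNMENT"},
    {"plan_version": "01", "object_type": "O", "evaluation_path": "ORGEH"},
    {"plan_version": "01", "object_type": "O", "object_id": "50001234",
     "function_module": "RH_GET_ORG_ASSIGNMENT", "maintenance": True},
]

if __name__ == "__main__":
    for number, row in enumerate(ROWS, start=1):
        print(number, lint_profile_row(row) or "ok")
```

The W_ codes mark profiles without any root object, such as Examples 1, 2 and 4, so that a reviewer can confirm the wide scope is intended.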
Business Attributes
ASAP Roadmap ID | 209 | Establish Authorization Management |
Mandatory / Optional | 2 | Optional activity |
Critical / Non-Critical | 2 | Non-critical |
Country-Dependency | A | Valid for all countries |
Maintenance Objects
Maintenance object type | C | Customizing Object |
Assigned objects
Customizing Object | Object Type | Transaction Code | Sub-object | Do not Summarize | Skip Subset Dialog Box | Description for multiple selections |
---|---|---|---|---|---|---|
T77PQ | C - View cluster | SM30 | | | | Create Authorization Profile |
History
Last changed by/on | SAP | 20010305 |
SAP Release Created in | 46D |