Authorization inheritance in cFolders

Hi !
Is there any way of over-riding the inheritence of authorization in cFolders? In cFolders a lower level element automatically inherits the authorization matrix of the higher level element and I want to prevent this from happening.
Lets say for example I have a folder A with 15 documents inside it. A user User 1 has got read authorization in folder A and so by default he has read authorization in all the documents in the folder. Now suppose I want to restrict his view to only 8 documents out of 15 I'll have to manually set the authorization to none in the rest of the documents. However if a new document gets created in thefolder then the default authorization for that document is read for user 1 as it inherits the authorization matrix of folder A. I want to prevent it from happening.
Any ideas?
Regards,
Debaranjan Hazarika.

Hi Lashan,
1- the definition of auth. object CXF_APPL is following:
This authorization object is for the cFolders application. If a user has authorization for this authorization object, he or she can make administrative settings.
You can use the following field values (for APPL_AREA):
- 'Network_Definition': Setting up the network, for example, absolute URL or FTP server settings
- 'Content_Definition': Setting up cFolders content, for example, adding generic objects; choosing scenarios to use
- 'Layout_Definition': Setting up the cFolders layout, for example, style sheets
The permitted activites are: 02 Change and 03 Display.
2- The definition of CFX_USER is as follows:
This authorization object is for the cFolders application. This authorization object must be assigned to the user who wants to use cFolders.
The user needs the following field value to use cFolders:
USER_TYPE = User (no other values exist)
I hope this answers your question.
Regards,
Silvia

Similar Messages

  • Authorization objects in cFolders

    Hi Folks,
    I would like more clarity on the following authorization object in cFolders.
    CFX_APPL - what's the purpose of this object and what are the allowed values for the field APPL_AREA? What is meant by the term "Application area in cFolders" which is the SAP description for this object?
    CFX_USER - this auth object has a single field USER_TYPE. Standard SAP roles have the values 'user', are there any other allowed values here and what is their behavior.
    Thanks for any help.
    Cheers,
    Lashan

    Hi Lashan,
    1- the definition of auth. object CXF_APPL is following:
    This authorization object is for the cFolders application. If a user has authorization for this authorization object, he or she can make administrative settings.
    You can use the following field values (for APPL_AREA):
    - 'Network_Definition': Setting up the network, for example, absolute URL or FTP server settings
    - 'Content_Definition': Setting up cFolders content, for example, adding generic objects; choosing scenarios to use
    - 'Layout_Definition': Setting up the cFolders layout, for example, style sheets
    The permitted activites are: 02 Change and 03 Display.
    2- The definition of CFX_USER is as follows:
    This authorization object is for the cFolders application. This authorization object must be assigned to the user who wants to use cFolders.
    The user needs the following field value to use cFolders:
    USER_TYPE = User (no other values exist)
    I hope this answers your question.
    Regards,
    Silvia

  • Page 0 Authorization Inheritance

    According to the text displayed on Page 0, it says "Page 0 components will be rendered on every page." I would think that this would include the authorization (so it could be inherited), but I created an authorization scheme called IsRegisteredMember, and set the Authorization on page 0 to use this scheme. Then on page 1, the authorization is set to "-No Page Authorization Required-". Then when I try to access Page 1, I would think that since page 0 is being executed also, that the authorization on page 0 would be executed too, but instead, the No Page Auth from page 1 is instead run and the user is allowed to access the page.
    Is this a bug?
    I was trying to use page 0 so that I didn't have to set the authorization on every page of my application. I was hoping that each page would inherit its authorization from page 0.
    Can someone explain?
    Thanks,
    Kris

    Hi ,
    You can always make your Authorization scheme query to run for certain page by adding APP_PAGE_ID as a condition to the query. Like
    IF  :APP_PAGE_ID != '101'  THEN
              --logic to check for security
         end if;
    Or you can put it in the existing where clause as
    WHERE :APP_PAGE_ID != '101'Thanks,
    Manish

  • Question about authorizations in SRM + cFolders

    Dear colleagues,
    We are working in a SAP SRM 7.0 prototype.
    Right now we are trying to configure cFolders (installed in the same server as SRM and with RFC working) but we've reached a point where we don't certainlly know what can be going wrong.
    After several tries with different user authorizations we've always had the same result, it's impossible to create or assign a collaboration to a bid when creating it due to an error which just says "Error creating collaboration; check user authorization"
    We have tried with different roles configurations (SAP_CFX_SUPER_USER_ADMIN, all CFX roles, just CFX_*_CREATOR roles...) just nearly everything you can think about, but always get the same error.
    The funny thing about it is that when accessing cFolders through BSP application CFX_RFC_UI this user can create folders and other short of objects, as all works fine.
    Thank you very much for your help.
    Miguel

    Hey Miguel,
    Did you ever find a solution for this issue?  I am having the exact same problem.
    My user has all the roles assigned and is able to create collaborations directly in CFolders, but when I try to create it from SRM RFx, I get the message:  "error creating collaboration; check user authorisation".
    If anybody else has come across the same problem, please help!!
    Thanks and happy new year!
    Monica

  • Not able to change authorization in c-folder for zrole

    Hi Experts,
                      we are implementing two envelope bidding for SRM 7.0,Here For technical Evaluator ,we have to create a saparate workarea in c-folder.The roles assiged to technical Evaluator is SAP_CFX_USER for c-folder.Now while i was creating the workarea for technical evaluator, i t was throwing me the error.Cfolder.NoAuthorization.Owner....To remove this Error i assiged
    a authorization object 'ACO_SUPER'..now i was able to create the folder but the problem is..Technical Evaluator is having administration authorization for Public area.
    And i am not able to change the authorization..I tries using CFX_ACO_API_ACTIVITIES_SET  and by passing 'Read' auth in badi parameter  ct_cfx_auth but it is not chaging..
    I am  totally out of clues what to do?????please suggest..

    Hi,
    Can I know how you were able to change authorizations for the cFolders?
    Ganapathi

  • Problem in cfloder creation

    HI ,
    i am getting error when i am am editing RFX . when i am creating cfolfders i am getiing error. not authrized. but having sap all authorixation.
    what may be the problem
    Regards,
    S.Srinivasulu Reddy.

    Hi please check this
    Setting Up Standard Roles for cFolders
    Use
    To ensure that users have the correct authorizations and access to the appropriate functions,
    every cFolders user must be assigned to a cFolders role.
    The following roles are shipped with cFolders:
    u2022 User
    - Role name: SAP_CFX_USER
    - Provides authorization to run cFolders in the Internet browser
    - Assigned automatically to all users created in the cFolders application
    u2022 Administrator
    - Role name: SAP_CFX_ADMINISTRATOR
    - Provides authorization to administer the cFolders application, plus the
    authorizations of SAP_CFX_USER
    - Must be assigned to the user who is to be the first to access cFolders (see
    Setting Up Administrators for cFolders [Page 15])
    u2022 E-Mail System User
    - Role name: SAP_CFX_EMAIL_SYSTEM_USER
    - Provides authorization to start the e-mail job
    - Assigned automatically in the background
    You must transport these roles into all SAP clients in which you want to use the cFolders
    application.
    Regards
    G.Ganesh Kumar

  • Fails installation (USI 1.5.1)

    During Labview installation, I recieve an error message (NI USI 1.5.1) failed. What is this error and how do I correct it?

    This is error is from the Windows (msi) installer, not from the NI product.  It happens although you have admin privileges and have access to the registers; however, the installer of our product does not have access.
    The workaround is to change access rights manually.
    Before modifying the register, make a backup copy.
    To do modify the register, go within the Start Menu and select > Run > regedit 
    Press Ctrl + F to open the search window and look for the key which is within your error message, in your case
    HKEY_Local_MACHINE/SOFTWARE/Classes\NIUSI.datasourcemanager.1\CLSID
    After you find the key, select the file in the left window and right click privileges >> Authorizations.  In the authorizations window, click on Advanced and select "include authorizations inherited from parents of the object" (or someting similar) and also select "replace all inherited authorizationsthat exist for all members by inherited authorizations issued for this object" (or some sort of wording to that effect).  Then click OK to proceed.
    Close the dialog box for the owning folder and open a window for authorization of the key itself.  Check that the group "SYSTEM" is there and select it to see if it has all authorizations selected (full control selected).
    If SYSTEM is present and full control is selected, then you should be able toproceed with the installation.  If that is not the case, then modify the rights/permissions to the SYSTEM group so that full control is set or create the group SYSTEM with full control.
    You may need to repeat the above steps several times for different keys.  In all cases, the installer should work once the above steps have been made.
     I hope the English translation was accurate enough to make sense.. 

  • CFolders authorizations

    Hi all,
    I've got problems regarding authorizations in competitive scenario (Cfolders rel. 3.10)
    After creating public area I force 'Read' authorizations for bidders to permit the buyer to send them e-mails.
    When the bidders make his collaborative area, he gets all the authorizations in this private area.
    Private area inherits authorizations from public area, so all the bidders can show all private areas. I've tried in several mode to reset authorization, but I've failed.
    Can anyone help me
    Thank you very much
    Leonardo

    Hello,
    The answer is the same as in the previous thread you posted.
    Matthias

  • BW authorizations based on assigned PPM users/roles + inherited roles

    Dear experts,
    We using PPM 5.0 SP7, and we are having trouble defining authorizations for BW reports.
    We would like to use the same authorizations as in PPM business client, so that BI would use/check the authorization from business client.
    This check would include:
    - users or roles gain access from direct assignment to an item
    - users or roles gain access that is inherited in the bucket structure, both structure and classification buckets.
    Users would have access to BW reports, but they could see data only from the same structures/classifications or direct assignments that are given to them in PPM business client.
    Can we utilize the same authorization methods, or do we need to create and maintain this in another place (BW)?
    If needed, how to create similar authorization model to BW?
    Kind regards,
    Antti Forsell

    Hello,
    Please see these docs,
    [Field Based Authorizations in BW BEx Queries|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/4753ed83-0e01-0010-e186-f98413f868cb]
    [An Expert Guide to new SAP BI Security Features|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/659fa0a2-0a01-0010-b39c-8f92b19fbfea]
    [Advanced Features of SAP BW Reporting Authorizations|https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1b439590-0201-0010-ea8e-cba686f21f06]
    Thanks
    Chandran

  • Authorization in WebDAV for cFolders

    Hi
    I have autorization rules set for the collaboration folder structure from none to write to read etc.
    In cFolders application for that user it all applies. But when I get the WebDAV URL in that user login, these authorizations is not applied. i.e. even folders which are set 'none' (not visible in cFolders application) are visible.
    Is this the way WebDAV behaviour is or am I missing something?
    Regadrs
    Senthil

    Hello Senthil,
    you can use WebDAV for two purposes:
    a) maintenance of cFolders settings with special URL
    b) to maintain documents in cFolders via the MS Windows Explorer using the SAP NetWeaver Portal Drive.
    You do not need the Enterprise Portal to be installed to use the WebDAV functionality together with SAP NetWeaver Portal Drive.
    The name SAP NetWeaver Portal drive is a little bit misleading.
    It is called Portal drive, since it is the WebDAV client for the Knowledge Management (KM) of the portal also.
    When using the SAP NetWeaver Portal drive with cFolders no portal is required as the SAP NetWeaver Portal drive acts also as WebDAV client for cFolders. The SAP NetWeaver Portal drive is a 3rd party WebDAV client from a company called XYTHOS (http://www.xythos.com/home/xythos/company/company.html), which can be used by SAP customers for free.
    You can download the Installer for the SAP NetWeaver Portal drive from SAP Service Marketplace under http://service.sap.com/swdc
    -> Download -> SAPSupport Packages and Patches -> Entry by Application Group
    -> SAP NetWeaver -> SAP NetWeaver -> SAP NetWeaver2004s -> Entry by Component -> Frontend -> Portal Drive 4.4
    Documentation:
    Integration of cFolders with a WebDAV Client
    http://help.sap.com/saphelp_ppm400/helpdata/en/1b/8688428b42c553e10000000a1550b0/frameset.htm
    Configuration of SAP NetWeaver Portal Drive for KM (most of the stuff is valid also for cFolders)
    http://help.sap.com/saphelp_nw04s/helpdata/en/42/e6753939033ee5e10000000a1553f7/frameset.htm
    Working with Folders in Windows (Portal Drive) for KM (most of the stuff is valid also for cFolders)
    http://help.sap.com/saphelp_nw04s/helpdata/en/42/c99b91341a6bade10000000a1553f6/frameset.htm
    Important: you must not use the Microsoft WebDAV interface for maintaining documents in cFolders collaborations. It does not fit to cFolders as there are security issues with using Microsoft WebDAV (my network places) together with cFolders
    Regards
    Peter

  • Authorizations in cProjects 4.0 and cFolders

    Hi all,
    We implemented cProjects 4.0 using EP 7.0. I have used the standard SAP deleivered roles for cprojects in backend system for cprojects and cfolders (Ex: SAP_CPR* and SAP_CFX*). I would like to control on 'project type' as there are two regions that I need to control the projects. One region is not supposed to view the projects of other region and vice-versa. I entered the respective project type for each region in the auth object 'CPRO_PTYPE', and assigned the role to that region. But doing this is not limiting each region to see only their project type. They are able to see projects of other region also..
    Any help on this would be greatly appreciated. Also web links or documents to understand the authorizations in cprojects will be very helpful.
    thanks,
    Sashank Kondru

    Hi,
    maybe the online documentation on cProject can help here. Please go to
    http://help.sap.com and select:
    mySAP ERP
      --- SAP cProject Suite
    There you can find the online documentation on cProject Suite 4.0
    In the documentation you'll find all the necessary information on the auhtorisation objects listed under:
    SAP Project and Portfolio Management Security Guide
      - Authorizations
    I hope this could be helpful for your.
    Best regards,
    Christoph Hopf

  • Inheritance in ACLs Authorization

    Hi Gurus
    I use inheritance in ACLs Authorization . I created a Folder (Doc. Type FOL) and gave ACLs authorization in there  Next I created a new DIR and assigned to this Folder. I mean this Folder is a superior document of new DIR. Have no ACL authorization in new DIR.
    After that, the user is given ACL Authorization can access Folder but he can't access a new DIR.
    For example:
    Folder FOA - get User A activity "Admin"
    Create DIR TEST_DIR with superior document is FOA
    User A can't access DIR with error "you don't have necessary authorization..."
    With my understanding, the ACLs authorization is able to be inherited.
    So why doesn't it work ?
    Give me your idea if you experienced this case.
    Best Regards
    Thanks for advance
    An NLP

    Hi Iring Maeurer 
    When I assign ACLs for the user in DIR "admin". The user can access DIR, that is reason I think the problem is in ACLs authorization.
    I'll check with Tcode su53
    Regards
    An NLP

  • Personnel substitution - temporary inheritance of authorization

    Hello all,
    I'm in need of finding a solution for HR substitution, meaning that the person substituting for a colleague will temporarily inherit his/her authorization.
    The required functionality should be an automated process/program where managers can organize their own substitutions.
    For now I have tested this functionality and it only seems to work when adding relation A008 for the substitute to the respective role. But this may have undesired implications regarding payroll because of the changed IT0001...
    I would like to know if there's a tried and 'standard' procedure/solution for this.
    The client is using CUA with structural authorization and context solution.
    If you need any additional info, let me know!
    points are rewarded!
    Thanks!

    thanks for your reply, David.
    In fact, the situation as desired by the client is as follows : all line managers and HR managers should be able to organize their own substitutes through the portal.
    The easiest way to go about doing so would be to add a (time-delimited) relationship between the substitute and the position to be substituted.  As far as the 'inheritance' of authorization is concerned, this is working. I'm stil not completely sure what the impact is regarding payroll or anything else.
    the structural authorizations are inherited through the top org. unit a user belongs to.
    Ideally, after the substitution the substitute should be authorized to access both org. units : his own and the one he's substituting.
    I hope to have clarified my situation a litlle...

  • Personnel substitution - temporary inheritance of authorization  (D.O.A.)

    Hello all,
    I'm in need of finding a solution for HR substitution, meaning that the person substituting for a colleague will temporarily inherit his/her authorization.
    The required functionality should be an automated process/program where managers can organize their own substitutions.
    For now I have tested this functionality and it only seems to work when adding relation A008 for the substitute to the respective role. But this may have undesired implications regarding payroll because of the changed IT0001...
    I would like to know if there's a tried and 'standard' procedure/solution for this.
    The client is using CUA with structural authorization and context solution.
    If you need any additional info, let me know!
    points are rewarded!
    Thanks!
    In addition to the above, I would like to ask whether the relation between the role and the position is the best way to go or perhaps I should consider using the job object (C) to avoid the before-mentioned implications with IT0001.
    Any help would be greatly appreciated....
    <b>reply by David Coleman</b>:
    I assume you are concerned with Structural authorisations here. The "evaluation" is controlled by an evaluation path. I think that you can use another releationship (B205 springs to mind for some reason) for the work flow substitution and also add it into the eval path. Hence all workflows and auths would be "inherited" by the subsitute.
    sorry for vague details
    thanks for your reply, David.
    In fact, the situation as desired by the client is as follows : all line managers and HR managers should be able to organize their own substitutes through the portal.
    The easiest way to go about doing so would be to add a (time-delimited) relationship between the substitute and the position to be substituted. As far as the 'inheritance' of authorization is concerned, this is working. I'm stil not completely sure what the impact is regarding payroll or anything else.
    the structural authorizations are inherited through the top org. unit a user belongs to.
    Ideally, after the substitution the substitute should be authorized to access both org. units : his own and the one he's substituting.
    I hope to have clarified my situation a litlle...
    p.s.: I initially posted this in the HCM forum only realizing that this place is more suited for these type of questions. That's also the reasopn why I pasted all posts into this one.  If this is not according to the COC, kindly let me know.

    thanks for your reply, David.
    In fact, the situation as desired by the client is as follows : all line managers and HR managers should be able to organize their own substitutes through the portal.
    The easiest way to go about doing so would be to add a (time-delimited) relationship between the substitute and the position to be substituted.  As far as the 'inheritance' of authorization is concerned, this is working. I'm stil not completely sure what the impact is regarding payroll or anything else.
    the structural authorizations are inherited through the top org. unit a user belongs to.
    Ideally, after the substitution the substitute should be authorized to access both org. units : his own and the one he's substituting.
    I hope to have clarified my situation a litlle...

  • CFolders banner authorization

    Hi All,
    In cFolders for the role 'SAP_CFX_USER', the banner is not getting displayed. Can you tell me what is the authorization object to be added for this banner display.
    thanks,
    rajesh.

    Hi Rajesh,
    Go to Settings>Layout. There are options for Banner Left/Middle/Right. Also check the check-box for the "Activate Banner".
    Hope it will solve your query.
    Regards,
    Nishit Jani
    Award points if it solves your query.

Maybe you are looking for

  • Problem with CFCHART on CF10

    CFCHART is not rendering on our server for some reason. We  cache to disk and are generating a .SWF file. The. SWF is in the chart cache folder ok, and can be viewed separately, however it will not render within a web page. When we view source we see

  • Creating a transformation for delivered datasource 0TCTPRCSVAR_TEXT

    Hi, I am trying to set up my delivered technical content for the BI Administrator cockpit  (all the 0TCT... objects).  Everything is working well except for 4 datasources: 0TCTBWOBJCT_ATTR 0TCTBWOBJCT_TEXT 0TCTPRCSVAR_ATTR 0TCTPRCSVAR_TEXT While all

  • Properites Pane with single group of properties (PROP_SET_SINGLE_GROUP)

    Hi ,   Does anyone know how to find the property group technical name of certain web item for setting the parameter PROP_SET_SINGLE_GROUP of properties pane? Thank you, Jeff

  • How to rename database with secondary indexes.

    Hi, could somebody advise how to run correct next operation: I have database with secondary indexes in a single file and I need to rename that db file. As I understand I have to 1) close and delete all database handles 2) remove from db file all seco

  • "Missing information in order to join" error for Shared Calendars

    I have shared Calendars before with various people and they all work flawlessly. Unforunately, one person who I am trying to share a calendar with got a "Missing information in order to join" error message when she tries to join. I have no idea why t