DIR Authorization by Organizational Level

Hi fellows!
I would like to know if it is possible to restrict access to DIRs by organizational level?
Example: I need that if User A from plant 1234 creates a DIR type AAA number 0001, User B from plant 4567 shouldn't be able to access this DIR type AAA number 0001. I want users to be able to access only the DIRs created by the plant to which they have access.
In the master roles of DMS I didn't find any object to help me in this scenario. I don't want to use ACLs to restrict access to the documents. I want this restriction to be done by authorization rules, as in other areas.
Can someone help me with some idea or case about this?
Best Regards!
Daniel
Edited by: D Quintal on Nov 25, 2010 5:43 PM

Hi Daniel,
It's quite possible to achieve your requirement.
There is a field called 'Authorization group' in a DIR, if you have observed. This enables you to restrict authorization at Document level in addition to authorizations at Document Type and Status level. I suggest you create Authorization Groups like Plant1234, Plant4567 and so on with the help of your ABAPer. Now assign the required users to these Authorization groups.
Once implemented, whenever a DIR is created and a specific Authorization group is assigned, only those users who are part of this Authorization group will be able to process/access this DIR. Hope this addresses your requirement.
For details on implementing Authorization groups in DMS, refer to the link:
http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
Regards,
Pradeepkumar Haragoldavar
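
The layered check this answer describes (document type first, then the authorization group on the DIR), modelled in Python as an added example; it is not SAP code and not from either poster. The object and field labels are hypothetical, and skipping the group layer for a DIR that carries no group is an assumption of the model. The `USER_SPLIT` case shows that an authorization check passes only when a single authorization covers every checked field, which is why values spread over separate authorizations do not add up.

```python
# Added illustration: simplified model of the layered DIR check described above.
# Object/field labels (DOC_ACTIVITY, DOC_AUTH_GROUP, ...) are hypothetical, not SAP names.
from dataclasses import dataclass


@dataclass(frozen=True)
class DIR:
    doc_type: str
    number: str
    auth_group: str  # "" when no authorization group was assigned at creation


def _covers(granted, value):
    """One field matches on '*', on a trailing-* prefix, or on an exact value."""
    return any(
        g == "*" or g == value or (g.endswith("*") and value.startswith(g[:-1]))
        for g in granted
    )


def authority_check(auths, obj, **wanted):
    """Pass only if ONE authorization of `obj` covers every requested field."""
    return any(
        a_obj == obj and all(_covers(f.get(k, ()), v) for k, v in wanted.items())
        for a_obj, f in auths
    )


def can_access(auths, dir_, activity):
    """Document-type layer first, then the authorization-group layer."""
    if not authority_check(auths, "DOC_ACTIVITY",
                           activity=activity, doc_type=dir_.doc_type):
        return False
    if dir_.auth_group:  # assumption: the group layer only applies when a group is set
        return authority_check(auths, "DOC_AUTH_GROUP", group=dir_.auth_group)
    return True


def without_group(dirs):
    """Audit helper: DIRs that the plant separation does not cover."""
    return [d for d in dirs if not d.auth_group]


def _plant_user(group):
    return [("DOC_ACTIVITY", {"activity": {"01", "02", "03"}, "doc_type": {"AAA"}}),
            ("DOC_AUTH_GROUP", {"group": {group}})]


# Constructed sample data, using the plants and group names from the thread.
USER_A = _plant_user("Plant1234")
USER_B = _plant_user("Plant4567")
# Activity and document type granted in two separate authorizations: neither
# one covers both fields, so the check fails even though the values "add up".
USER_SPLIT = [("DOC_ACTIVITY", {"activity": {"03"}}),
              ("DOC_ACTIVITY", {"doc_type": {"AAA"}}),
              ("DOC_AUTH_GROUP", {"group": {"*"}})]

DIRS = [DIR("AAA", "0001", "Plant1234"),
        DIR("AAA", "0002", "Plant4567"),
        DIR("AAA", "0003", "")]

if __name__ == "__main__":
    for name, user in (("A", USER_A), ("B", USER_B), ("split", USER_SPLIT)):
        visible = [d.number for d in DIRS if can_access(user, d, "03")]
        print(f"user {name}: can display {visible}")
    print("no group assigned:", [d.number for d in without_group(DIRS)])
```

Running the audit helper over real DIR data is the practical check here: any DIR created without a group falls outside the plant separation.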

Similar Messages

  • Authorizations....Sales organization level

    Hi all
    I want to create the authorizations for the sales organization level. I have made the Sales Organization object authorization-relevant. After that I created an authorization object based on the Sales org object. I created a role and created a profile based on the authorization object which I created. I assigned the role to the user.
    Now when I execute my query in the web it says
    'No Authorization (Or Everything is Filtered Out)'
    At the top of the query execution it gives me the message
    'You do not have authorizations for component 0CRM_OPMO_Q001'
    Now I would like to know, when we create a profile in the role, do we need to add any other authorization objects apart from the one which we created? If so, what options do I need to give?
    And second, when we create a test user for the authorizations testing, what roles do we need to give him? One would be the one which we generated. And what other roles will the user have?
    Please help
    Answers would be rewarded
    regards
    vijaykumar

    It sounds like you have another authorization object
    "checked" on the infocube/ODS.
    To check this, you have two options.
    (1) RSSMQ, with the user id. Execute the query, then back up (using the green arrow). One page on the back up operation will give you what authorization objects are checked.
    (2) Go to transaction RSSM and enter the infoprovider. Uncheck the authorizations you don't want to have verified.
    Also, on the variable for the authorization object (query) you must enter a value here if you do not have an "*" object.
    Cheers!
    /smw

  • PM Organization Units Authorization on User Level

    Hello experts,
    Is there a way to add authorization for an organization unit (i.e. Planning Plant) on a user (SU01) level and not on an authorization object (PFCG) level?
    For example,
    I would like to create the following Role (profile):
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY
    This role should be able to display equipment from the Plant Maintenance module.
    However our problem is, we would like to create authorization levels with organizational units for each user:
    For example:
    User jsmith has ZPM_AUT_EQM_EQUIPMENT_DISPLAY assigned but can only display equipment from Planning Plant SL01.
    We know we can create this authorization creating several roles, like:
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SL01
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_SJ01
    ZPM_AUT_EQM_EQUIPMENT_DISPLAY_AG01
    but our idea is not to create several roles, but to assign the Planning Plant authorization on a user level and leave just one role, so we would only need ZPM_AUT_EQM_EQUIPMENT_DISPLAY.
    Is there a way to do this?
    Thank you in advance for your replies.
    Best regards,
    Fernando Montenegro

    Hi ,
    Could you share your solution? I think I face the same problem as you.

  • Organization Units Authorization on user level

    Hello experts,
    Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on an authorization object (PFCG) level?
    For example,
    I would like to create the following Role (profile):
    ZFI_AP_REPORT_DISPLAY
    This role should be able to display AP report from the Financial module.
    However our problem is, we would like to create authorization levels with organizational units for each user:
    For example:
    User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
    We know we can create this authorization creating several roles, like:
    ZFI_AP_REPORT_DISPLAY_3201
    ZFI_AP_REPORT_DISPLAY_3202
    ZFI_AP_REPORT_DISPLAY_3203
    but our idea is not to create several roles, but to assign the Company Code authorization on a user level and leave just one role, so we would only need ZFI_AP_REPORT_DISPLAY.
    Is there a way to do this?
    Thank you in advance for your replies.
    Christine Tseng

    I agree with Jurjen.  There is no point creating a "new" authorisation concept for a few transactions.  If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
    Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend).  By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.

  • TEMPLATE FOR ORGANIZATION LEVEL ROLE

    HI.
    I HAVE MYSAP ERP VER 5.1, BUT I DON'T HAVE HR OR IDM IN MY SYSTEM.
    I CREATED A ROLE FOR TRANSACTIONS FK01 AND FK02. IN THE AUTHORIZATION OBJECTS I PUT VALUES 01 AND 02 FOR THE ACTIVITY FIELDS, AND THE ORGANIZATION LEVELS WERE LEFT BLANK.
    I CREATED ANOTHER ROLE WITH THE SAME AUTHORIZATION OBJECTS CREATED MANUALLY, WITH ORG LEVEL VALUES IN THE AUTHORIZATION OBJECT AND NO VALUES IN THE ACTIVITY FIELD.
    THE OBJECTIVE IS TO MERGE BOTH ROLES WITH ADDITIVE EFFECT IN A USER ACCOUNT TO REDUCE THE NUMBER OF DERIVED ROLES.
    BUT THIS DESIGN IS NOT WORKING PROPERLY. I NEED TO KNOW WHY?

    Hi,
    As per your query you create a new role and assign to these objects value in the new one.
    Anil

  • Need organization level object

    HI,
    I want to insert an organization level in this S_ALR_87012294 report,
    but PFCG -> Authorization -> authorization change shows no organization level.
    Is there any authorization object for giving the organization level?
    Best Regards
    Dilip Pasila

    The note says that you can apply it as a "download" via SNOTE ahead of the Support Pack (level), or apply the whole Support Packs up to that level (which will include the "corrections"), or you can install a brand new ERP system on the highest current release and SP stack.... but in all cases the checks are not performed against these objects until you modify the code in a SAP standard include program to activate the check.
    I can understand backward compatibility with existing role concepts, however a "normal" procedure to not perform such new checks is an approach something like the default values of PRGN_CUST are used for, where you can activate the checks via customizing views (for each of the three objects independently) when you need them or discover the gap. Then in some higher release you can switch the defaults to "ON" if the requirement / opportunity is there.
    It also makes it easier to implement, transport and perform cross system comparisons of settings.
    Forcing customers to make a modification to the standard system at each installation to close a security hole is about as elegant a software logistics solution as a frontal lobotomy is to peace of mind...
    I will add this to the [Security Functionality Wishlist in the Wiki|https://wiki.sdn.sap.com/wiki/display/Security/SecurityFunctionalityWishlist-Topics] and suggest you check your systems to see whether your F_BKPF_BE* object security has a hole in the bottom of the bucket.
    For me it is self-explanatory that this should be changed, but the inventors of it wanted to know whether it is just me or possibly a whole mob out there wanting it (and possibly not knowing about it either).
    Cheers,
    Julius

  • Adding the organization level to one Role

    Hi Experts,
    I have one role in PFCG; this role contains some authorizations.
    This role maintains the organization level values also.
    Now I want to include one more organization level in this role.
    For example:
        company code      ------> *
        purchasing group  ------> *
        division          ------> *
    Now I want to add "Work center".
    How can I include it? Is there any option?
    Thanks in advance
    sundar.c

    Thanks for the Doc. This will be my Plan B.
    I am still researching how to directly publish to the Portal. I was able to do that from Query Designer using Publish to Portal, and the report shows up as an iview in a PCD folder in the Portal. The end users have only the Business Explorer role and all they can see is the Business Explorer tab of the Portal. So, I need to figure out a way to assign the iview to the end user role.
    In one of the threads,
    Prakash Darji suggested
    "The "publish into Role" from WAD saves to BI Roles which doesn't help you in web deployment, so I typically don't use this. I usually "Publish to Portal" and then will add my iView on the portal to a portal role that users are assigned to. This would make these iViews available to users on the portal. "
    I am going to assign points for your suggestion though.

  • Basic Information about Organizational Level & Org. level value.

    Hello Experts,
      I am new to the field of SAP and security. I have the following questions:
    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
    2. What is a derived role and what is its usage?
    I appreciate your help regarding this. If you could point me to some documentation regarding this that will be very helpful.
    Regards, Ben

    Ben,
    I am new to the field of SAP and security. I have the following questions:
    1. What is an organizational level & org. level value? What do they represent? How do they matter in PFCG?
    If you want to restrict region-wise, it is best to use org levels & values (plant, company code, sales org).
    In the role you will notice them in red color.
    2. What is a derived role and what is its usage?
    A derived role inherits the menu structure and the functions from the parent role. Derived roles do not differ in their functionality (identical menu & transactions) but have different characteristics with regard to org levels.
    Eg1: Master role
    PFCG -> role name -> create -> menu -> enter tcodes -> Auth tab -> expert mode -> read old status and merge with new data -> pop-up for org levels (give full access) -> see to it that everything is green -> generate it.
    http://e-mory.blogspot.com/2007/12/sap-pfcg-create-role.html
    Eg2: Derived role
    PFCG -> role name -> create -> in the description tab towards the right enter the master role name -> Auth tab -> expert mode -> read old status and merge with new data -> you will get a pop-up for org levels (here you can restrict on plant level, purchasing group, company code....)
    -> let's say for plant: 1000 -> generate / user comparison
    Once the role is added to the user, the user will be able to see only those plant-related details (1000) (i.e. he will have access to only plant 1000).
    Suppose the user enters 2000: he will get an error message saying no access to 2000.
    NOTE: Any changes to the role should be done in the master role (like adding tcodes).
    http://www.rssfeeddirectory.org/directory/items/346239.aspx
    https://cw.sdn.sap.com/cw/docs/DOC-12021
    http://help.sap.com/saphelp_wp/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm
    Re: Authorization error after transport
    Thanks,
    Sri

  • Organization level

    Hi gurus
    How can I get that an authorization object appear like an organization level?
    Christian.

    Hi Pole Li
    Thanks for your help. I managed to create a program to fetch from Organization level. Is it possible to see the description for Authorization-low and Authorization-high from any tables?
    As you wrote, we can get the description of the Org Level from USVART. We need the same for Authorization-low and -high respectively.
    Regards
    Piroz

  • How can I disable POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level.

    How can I disable the POST GOODS RECEIPT button in transactions VL31N/VL32N via Authorization or Role Level? There is a requirement from my client and I propose two methods:
    1- Creation of Ztcode ZVL32N and doing the changes at ABAP program level
    2- Disablement via Authorization/Role level - but how can I find the auth object/authorization that corresponds to the POST GOODS RECEIPT button in VL32N?

    I think you can make use of SHD0 - Transaction variant to achieve this. You can make it as grayed out while recording steps in SHD0.

  • "Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run se

    Team,
    I am trying to install Exchange in my lab and am getting the error message below.
    The Schema Role is installed on the root domain and I am trying to install Exchange on the child domain.
    1 root domain - 1 child domain. Both are located on a single site.
    “Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter and wait for replication to complete.”
    Followed the articles below:
    http://support.risualblogs.com/blog/2012/02/21/exchange-2010-sp2-upgrade-issue-exchange-organization-level-objects-have-not-been-created-and-setup-cannot-create-them-because-the-local-computer-is-not-in-the-same-domain-and-site-as-the-sche/
    http://www.petenetlive.com/KB/Article/0000793.htm
    Transferred the schema roles to a different server on the root domain, still no luck.
    Can someone please help me?
    Regards,
    Srinivasa K

    Hi Srinivasa,
    I guess you didn't complete the initial setup (schemaprep and adprep) before starting the installation. You can do it as follows:
    1. Open a command prompt as administrator, browse to the root of the installation CD and run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
    After finishing this,
    2. Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms
    3. To prepare all domains within the forest run Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms. If you want to prepare a specific domain run Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms
    4. Once you complete all of the 3 steps, install the prerequisites for Exchange 2013
    5. Finally, run the setup program
    Hope this will help you
    Regards

  • Restrict Authorization at Material level during production confirmation

    Hi SAP Gurus,
    I would like to ask if it's possible to restrict authorization at Material Level during production confirmation.
    Our scenario is that we have SFG and FG which are handled by different groups of people but have the same Order Type. Now we want to restrict authorization such that one department can only confirm SFG and the other department can confirm FG only.
    Is it possible to set authorization at material type or production scheduler level? If not possible, is there another way except creation of a new Order Type?
    Thanks,
    Raymond

    Hi Raymond,
    Do you mean I should create a customized table for this?
    Yes
    Is there no standard way?
    As per my knowledge, you can control this through the production order type, so you need to create a separate order type for this
    Thanks,
    Sankaran

  • Storage location on basis of Plant in organization level in MM01

    Hello,
    Here is the scenario. I select a material in MM01 and click on the 'Organization Level' tab. In this tab (on the basis of view selection, I get Plant and Storage Location), I enter a Plant, let's say 1000. Now if I press F4 on the Storage location, instead of displaying all the locations, can it display the storage locations of the specific plant, i.e. 1000? Is this possible, and if yes, then how to do it?
    Help needed big time.
    Thanks,
    Shehryar Dahar

    HI,
    yes it is possible.
    use "F4IF_INT_TABLE_VALUE_REQUEST"..
    example
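    FORM f_get_str_value USING p_werks TYPE werks_d.
      " Row type for the value list; RETFIELD must name a field of this structure.
      TYPES: BEGIN OF ty_lgort,
               lgort TYPE mard-lgort,
             END OF ty_lgort.
      " Replace the placeholder with the name of your own screen field.
      CONSTANTS: l_c_fieldname TYPE dfies-fieldname     VALUE 'LGORT',
                 l_c_dynprofld TYPE help_info-dynprofld VALUE '<your screen field>'.
      DATA lt_lgort TYPE STANDARD TABLE OF ty_lgort.

      " Read only the storage locations of the plant that was entered.
      SELECT DISTINCT lgort FROM mard
        INTO TABLE lt_lgort
        WHERE werks = p_werks.

      " Show the restricted list as the F4 value help.
      CALL FUNCTION 'F4IF_INT_TABLE_VALUE_REQUEST'
        EXPORTING
          retfield         = l_c_fieldname
          dynpprog         = sy-cprog
          dynpnr           = sy-dynnr
          dynprofield      = l_c_dynprofld
          window_title     = text-078
          value_org        = 'S'
          callback_program = sy-cprog
        TABLES
          value_tab        = lt_lgort
        EXCEPTIONS
          parameter_error  = 1
          no_values_found  = 2
          OTHERS           = 3.
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
      ENDIF.
    ENDFORM.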
    regards,
    nazeer
    reward if useful

  • "Inherit" DIR authorizations from linked material

    Hello All,
    we would like to control DIR authorizations dependent on material master authorizations.
    Example: User has "read"-authorization for material master (via authorization group of material master) means he has automatically "read"-authorizations for all linked documents.
    Background: we want to control access to product (material) information and product documentation (linked documents such as data sheet, drawing...) at one place, e.g. the material master authorization group.
    Any suggestions how to achieve this?
    Thanks for all answers!
    Best regards
    Wolfgang Henkel

    The only way to do this is through ABAP. It's not available as standard functionality. The only area of SAP that offers this is HR ArchiveLink, which inherits the authorisations via infotype.

  • In Material Master creation (MM01) organizational levels tab.

    Hi,
    In transaction MM01, after selecting the views, I choose the organizational levels for selecting the plant and the storage location. But here I am not able to see the plant field; only the storage location field is there for me to key in the data. How do I recover the plant option in the organizational level tab?
    I checked this in OMS9 and OMSR but I was not able to identify the modification for the field that I did earlier.
    I request your help on how to make it visible again in transactions MM01 and MM02.
    Regards,
    Deepak GS

    1. I have entered transaction OMS9
    2. Entered the Field selection group as 2
    3. Below the fields option 3 RM03M-WERK280 (Plant), I double-clicked and checked that there is a hide option.
    4. I came back and selected T001W - Name1 (Name). I double-clicked that; in 34, 35, 54 it was enabled with hide. I changed it to opt entry but it still seems to be the same.
    5. I came back again and below in the field selection tab checked MM01 and MM02 transactions as well as fert, halb, roh as opt entry.
    It did not work. Kindly guide me if there is some other option available to restore the plant option.
    Any help would be really appreciated.
    Regards,
    Deepak GS
