DIR Authorization
Hi gurus
I have a problem with authorization in DMS. I have a DIR that is authorized for one user; no one can change it except him. He then needs to send the DIR by distribution, and he wants only the users who receive this DIR to be able to view/change it. The authorization is only created when he uses distribution for this DIR; otherwise no one but him can change it. For example:
User A creates a DIR and only he can change it (I use an Authorization Group for authorization).
He sends this DIR to users B and C. After that, they (users B and C) can change this DIR.
I have a solution: I maintain a new Authorization Group, and when he sends this DIR he changes the Authorization Group to another one such as "ungrp". With "ungrp" I allow everyone to change this DIR. This solves part of the problem: he can change the authorization at the moment he sends the DIR. But everyone can change the DIR after that, not only the DIR receivers.
If you have a better idea or have experienced this problem, please give me your opinion.
Best regards
An NLP
ACLs are document specific, unlike doc type authorization, which is applicable to all documents of the specified doc type ...
E.g. for a particular document you want to restrict users from editing, you can assign the read activity to that user...
For your problem:
Check the user profile: is ACO_SUPER assigned? Then the ACL will not have any effect...
Priority is given to ACO_SUPER, then doc type authorization, and then to ACLs....
You can have 2 layers of access control: first by doc type and then by ACL.
Give doc type controls to the relevant users, who will be receiving the document, and set the ACL.
I hope you have checked all doc type authorizations correctly...
Execute su53 and then check where the authorization fails......
Similar Messages
-
"Inherit" DIR authorizations from linked material
Hello All,
we would like to control DIR authorizations dependent on material master authorizations.
Example: User has "read"-authorization for material master (via authorization group of material master) means he has automatically "read"-authorizations for all linked documents.
Background: we want to control access to product (material) information and product documentation (linked documents such as data sheet, drawing...) at one place, e.g. the material master authorization group.
Any suggestions how to achieve this?
Thanks for all answers!
Best regards
Wolfgang Henkel
Only way to do this is through ABAP. It's not available as standard functionality. The only area of SAP that offers this is HR ArchiveLink, which inherits the authorisations via infotype.
-
DIR Authorization by Organizational Level
Hi fellows!
I would like to know if it is possible to restrict access to DIRs by organizational level.
Example: if User A from plant 1234 creates a DIR of type AAA, number 0001, User B from plant 4567 should not be able to access this DIR (type AAA, number 0001). I want users to be able to access only the DIRs created by the plants to which they have access.
In the master roles of DMS I didn't find any object to help me in this scenario. I don't want to use ACLs to restrict access to the documents. I want this restriction to be done by authorization rules, as in other areas.
Can someone help me with some idea or case about this?
Best Regards!
Daniel
Edited by: D Quintal on Nov 25, 2010 5:43 PM
Hi Daniel,
It's quite possible to achieve your requirement.
There is a field called 'Authorization group' in a DIR, if you have observed. This enables you to restrict authorization at document level in addition to authorizations at Document Type and Status level. I suggest you create Authorization Groups like Plant1234, Plant4567 and so on with the help of your ABAPer. Now assign the required users to these Authorization groups.
Once implemented, whenever a DIR is created and a specific Authorization group is assigned, only those users who are part of this Authorization group will be able to process/access this DIR. Hope this addresses your requirement.
For details on implementing the Authorization group in DMS, refer to the link:
http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
Regards,
Pradeepkumar Haragoldavar
-
Have OAM authenticate/authorize users against diff dir servers
Hi folks,
Is there a way to have OAM authenticate/authorize users against diff dir server under single OAM instance?
We have standalone OAM 10_1_4_3_0 w OHS11g installed on linux and connected to a particular directory server (sun ldap). We also have an OAM-protected app which authenticate/authorizes users against the same dir server. Can we somehow configure rules/policies/etc, so that users accessing app B will be authenticated/authorized against dir server B; users accessing app C will be authenticated/authorized against dir server c; etc, without having multiple OAM instances?
Any help is greatly appreciated
Thank you, Roman
OVD will not be able to figure out what directory servers it's getting authenticated to. OVD is a virtual directory server which can talk to different data sources and fetch a match according to the request.
For instance, if OVD is configured to AD, SunOne LDAP, OID and Oracle DB: when you call OVD for authentication, it will make a call to all the data sources (AD/OID/LDAP/DB), get a match and provide it to OAM. If you have 2 auth modules, one with Sun LDAP and the other with Oracle DB, OVD will not remember which data source it should call. All it does is dynamically make calls to all the configured data sources and get matching results.
To tell you in more detail: consider App A is configured to authenticate against SunOne LDAP and App B is configured to authenticate against Oracle DB. When a user tries to log in to App A, OAM makes a call to OVD, and OVD [OVD doesn't have the capability of maintaining the info of users and where they reside] will make a call to both SunOne LDAP and Oracle DB, and when SunOne returns a matching record, OVD sends the authentication info to OAM.
For better results, try to maintain the same set of schema across all your data sources.
-
How to provide user authorization and restrictions for DIR's?
Hi,
Please refer link below
http://wiki.sdn.sap.com/wiki/display/PLM/AuthorizationObjectsin+DMS
It has list of authorization objects for DMS using which you can control access to DIR.
Hope this is useful.
Regards,
Deepak Kori
-
Client certificate authentication with custom authorization for J2EE roles?
We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>certificate</realm-name>
</login-config>
that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>MyRealm</realm-name>
</login-config>
or:
<login-config>
  <auth-method>MyRealm</auth-method>
</login-config>
Anybody done anything like this before?
--Thanks
We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suit our needs:
$cat JDBCRealm.java
/**
 * JDBCRealm for supporting RDBMS authentication.
 * <P>This login module provides a sample implementation of a custom realm.
 * You may use this sample as a template for creating alternate custom
 * authentication realm implementations to suit your applications needs.
 * <P>In order to plug in a realm into the server you need to
 * implement both a login module (see JDBCLoginModule for an example)
 * which performs the authentication and a realm (as shown by this
 * class) which is used to manage other realm operations.
 * <P>A custom realm should implement the following methods:
 * <ul>
 * <li>init(props)
 * <li>getAuthType()
 * <li>getGroupNames(username)
 * </ul>
 * <P>IASRealm and other classes and fields referenced in the sample
 * code should be treated as opaque undocumented interfaces.
 */
final public class JDBCRealm extends IASRealm
{
    protected void init(Properties props)
        throws BadRealmException, NoSuchRealmException
    public java.util.Enumeration getGroupNames (String username)
        throws InvalidOperationException, NoSuchUserException
    public void setGroupNames(String username, String[] groups)
}
and
$cat JDBCLoginModule.java
/**
 * JDBCRealm login module.
 * <P>This login module provides a sample implementation of a custom realm.
 * You may use this sample as a template for creating alternate custom
 * authentication realm implementations to suit your applications needs.
 * <P>In order to plug in a realm into the server you need to implement
 * both a login module (as shown by this class) which performs the
 * authentication and a realm (see JDBCRealm for an example) which is used
 * to manage other realm operations.
 * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
 * extended by this class. PasswordLoginModule provides internal
 * implementations for all the LoginModule methods (such as login(),
 * commit()). This class should not override these methods.
 * <P>This class is only required to implement the authenticate() method as
 * shown below. The following rules need to be followed in the implementation
 * of this method:
 * <ul>
 * <li>Your code should obtain the user and password to authenticate from
 * _username and _password fields, respectively.
 * <li>The authenticate method must finish with this call:
 * return commitAuthentication(_username, _password, _currentRealm,
 * grpList);
 * <li>The grpList parameter is a String[] which can optionally be
 * populated to contain the list of groups this user belongs to
 * </ul>
 * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
 * fields referenced in the sample code should be treated as opaque
 * undocumented interfaces.
 * <P>Sample setting in server.xml for JDBCLoginModule
 * <pre>
 * <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
 * <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
 * <property name="jaas-context" value="jdbcRealm"/>
 * </auth-realm>
 * </pre>
 */
public class JDBCLoginModule extends PasswordLoginModule
{
    protected AuthenticationStatus authenticate()
        throws LoginException
    private String[] authenticate(String username,String passwd)
    private Connection getConnection() throws SQLException
}
One more article: [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
/**
 * Realm wrapper for supporting certificate authentication.
 * <P>The certificate realm provides the security-service functionality
 * needed to process a client-cert authentication. Since the SSL processing,
 * and client certificate verification is done by NSS, no authentication
 * is actually done by this realm. It only serves the purpose of being
 * registered as the certificate handler realm and to service group
 * membership requests during web container role checks.
 * <P>There is no JAAS LoginModule corresponding to the certificate
 * realm. The purpose of a JAAS LoginModule is to implement the actual
 * authentication processing, which for the case of this certificate
 * realm is already done by the time execution gets to Java.
 * <P>The certificate realm needs the following properties in its
 * configuration: None.
 * <P>The following optional attributes can also be specified:
 * <ul>
 * <li>assign-groups - A comma-separated list of group names which
 * will be assigned to all users who present a cryptographically
 * valid certificate. Since groups are otherwise not supported
 * by the cert realm, this allows grouping cert users
 * for convenience.
 * </ul>
 */
public class CertificateRealm extends IASRealm
{
    protected void init(Properties props)
    /**
     * Returns the name of all the groups that this user belongs to.
     * @param username Name of the user in this realm whose group listing
     * is needed.
     * @return Enumeration of group names (strings).
     * @exception InvalidOperationException thrown if the realm does not
     * support this operation - e.g. Certificate realm does not support
     * this operation.
     */
    public Enumeration getGroupNames(String username)
        throws NoSuchUserException, InvalidOperationException
    /**
     * Complete authentication of certificate user.
     * <P>As noted, the certificate realm does not do the actual
     * authentication (signature and cert chain validation) for
     * the user certificate, this is done earlier in NSS. This default
     * implementation does nothing. The call has been preserved from S1AS
     * as a placeholder for potential subclasses which may take some
     * action.
     * @param certs The array of certificates provided in the request.
     */
    public void authenticate(X509Certificate certs[])
        throws LoginException
    // Set up SecurityContext, but that is not applicable to S1WS..
}
Edited by: mv on Apr 24, 2009 7:04 AM
-
Authorization Error while exporting a target group to local file
Dear All,
When we tried to export a created target group to local file, system gave an error message: "Authorization required. See SAP Note: 697572".
In this note, it tells that we should add certain authorization entries into the Java policy file under: \lib\security. It mentioned:
Authorization        Target name      Action
RuntimePermission    modifyThread
PropertyPermission   user.dir         read
FilePermission       <<ALL FILES>>    read
FilePermission       <<ALL FILES>>    write
RuntimePermission    shutdownHooks
And what we put into the policy file is as below:
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.FilePermission "ALL FILES", "read";
permission java.util.FilePermission "ALL FILES", "write";
permission java.util.RuntimePermission "modifyThread";
permission java.util.RuntimePermission "shutdownHooks";
We are not sure whether we should put <<ALL FILES>> or ALL FILES, but we tried both ways and it still didn't work.
Could you please share your experience on this?
Thanks!
Tried again and it worked.
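
A small linter for the policy entries quoted in this thread, as an added example that is not part of the original posts or of the SAP note: it checks each `permission` line against the JDK packages that contain the three permission classes (java.io, java.lang, java.util) and against the literal `<<ALL FILES>>` token, and returns the corrected lines. The names `lint_policy`, `JDK_CLASSES` and `SAMPLE_POLICY` are illustrative.

```python
import re

# The five entries as posted in the thread (copied from the page).
SAMPLE_POLICY = '''\
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.FilePermission "ALL FILES", "read";
permission java.util.FilePermission "ALL FILES", "write";
permission java.util.RuntimePermission "modifyThread";
permission java.util.RuntimePermission "shutdownHooks";
'''

# JDK packages that contain the permission classes named in the note's table.
JDK_CLASSES = {
    "FilePermission": "java.io.FilePermission",
    "RuntimePermission": "java.lang.RuntimePermission",
    "PropertyPermission": "java.util.PropertyPermission",
}

# permission <class> "<target>"[, "<actions>"];
ENTRY = re.compile(
    r'^(?P<indent>\s*)permission\s+(?P<cls>[\w.]+)\s+"(?P<target>[^"]*)"'
    r'(?:\s*,\s*"(?P<actions>[^"]*)")?\s*;\s*$'
)


def lint_policy(text):
    """Check 'permission' entries; return (findings, corrected_lines)."""
    findings, corrected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:  # grant headers, braces, comments: passed through unchanged
            corrected.append(line)
            continue
        cls, target, actions = m["cls"], m["target"], m["actions"]
        expected = JDK_CLASSES.get(cls.rsplit(".", 1)[-1])
        if expected and cls != expected:
            findings.append((lineno, f"{cls} is not a JDK class, use {expected}"))
            cls = expected
        # Without the double angle brackets the target is an ordinary path name.
        if (cls == "java.io.FilePermission" and target != "<<ALL FILES>>"
                and target.strip("<> ").upper() == "ALL FILES"):
            findings.append(
                (lineno, f'"{target}" is read as a path; the token is "<<ALL FILES>>"'))
            target = "<<ALL FILES>>"
        entry = f'{m["indent"]}permission {cls} "{target}"'
        if actions is not None:
            entry += f', "{actions}"'
        corrected.append(entry + ";")
    return findings, corrected


if __name__ == "__main__":
    problems, fixed = lint_policy(SAMPLE_POLICY)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    print("\n".join(fixed))
```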
-
ISE Authorization Policy Issues
Hello Team,
I'm having trouble with my implementation: the user PC never gets an IP address from the access VLAN after the AuthZ policy succeeds.
I have two vlans in my implementation:
Vlan ID 802 for Authentication (Subnet 10.2.39.0)
Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)
When I start my user PC, I get an IP for VLAN 802 (10.2.39.3), and after the posture process, ISE informs the switch to put the user PC port in VLAN 50.
Here I have my Switch Port Configuration:
interface GigabitEthernet0/38
switchport access vlan 802
switchport mode access
switchport nonegotiate
switchport voice vlan 120
ip access-group ACL-DEFAULT in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
And Here, I have outputs AuthZ Policy in Action:
Oct 7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct 7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
Oct 7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
Oct 7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
Oct 7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
SWISNGAC8FL02#
Oct 7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
SWISNGAC8FL02#
Oct 7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
Oct 7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS
After that, I have:
SWISNGAC8FL02#sh auth sess int g0/38
Interface: GigabitEthernet0/38
MAC Address: 0022.1910.4130
IP Address: 10.2.39.3
User-Name: SNL\enzo.belo
Status: Authz Success
Domain: VOICE
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 50
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A022047000000F6126E9B17
Acct Session ID: 0x000001A7
Handle: 0x710000F7
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
Apparently, everything is OK, but NOT. The User PC never gets IP Address from Access VLAN 50.
If I do SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
50 0022.1910.4130 STATIC Gi0/38
802 0022.1910.4130 STATIC Gi0/38
And
SWISNGAC8FL02#sh epm session summary
EPM Session Information
Total sessions seen so far : 17
Total active sessions : 1
Interface IP Address MAC Address VLAN Audit Session Id:
GigabitEthernet0/38 10.2.39.3 0022.1910.4130 802 0A022047000000F6126E9B17
My Switch is a Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
I am using ISE Version 1.2.1.198 Patch Info 2
Could you help me with this case?
Best Regards,
Daniel Stefani
It seems like the PC is operating in the VOICE domain according to the cmd auth sess int you showed. Do you think that has something to do with your problem? I've experienced some PCs having problems with that.
If you could, try getting the PC to operate in the DATA domain by not sending the voice attribute from ISE after the authorization.
-
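
A consistency check over the outputs posted in this thread, as an added example that is not part of the original posts: it parses the `sh auth sess`, interface configuration and `sh epm session summary` text and flags a session whose domain is VOICE while its VLAN policy is not the port's voice VLAN, and an EPM entry that sits in a different VLAN than the one assigned. The function names are illustrative; the sample text is copied from the thread and trimmed to the fields the check reads.

```python
import re

# Outputs copied from the thread (trimmed to the fields the check reads).
SESSION_OUTPUT = r"""
Interface: GigabitEthernet0/38
MAC Address: 0022.1910.4130
IP Address: 10.2.39.3
User-Name: SNL\enzo.belo
Status: Authz Success
Domain: VOICE
Vlan Policy: 50
"""

PORT_CONFIG = """
interface GigabitEthernet0/38
 switchport access vlan 802
 switchport voice vlan 120
"""

EPM_SUMMARY = """
Interface IP Address MAC Address VLAN Audit Session Id:
GigabitEthernet0/38 10.2.39.3 0022.1910.4130 802 0A022047000000F6126E9B17
"""

# interface, IPv4 address, dotted MAC, VLAN, audit session id
EPM_ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\s+(?P<vlan>\d+)\s+\S+$"
)


def parse_session(text):
    """Turn the 'Key: value' lines of the session output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def parse_port_vlans(config):
    """Return {'access': n, 'voice': n} from 'switchport ... vlan' lines."""
    return {kind: int(vlan) for kind, vlan in
            re.findall(r"switchport (access|voice) vlan (\d+)", config)}


def parse_epm(text):
    """Return the data rows of the EPM session summary (header is skipped)."""
    rows = []
    for line in text.splitlines():
        m = EPM_ROW.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "vlan": int(m["vlan"])})
    return rows


def check_session(session, port_vlans, epm_rows):
    """List inconsistencies between assigned VLAN, domain and EPM state."""
    findings = []
    policy = session.get("Vlan Policy", "")
    assigned = int(policy) if policy.isdigit() else None
    if (session.get("Domain") == "VOICE" and assigned is not None
            and assigned != port_vlans.get("voice")):
        findings.append(
            f"{session['Interface']}: {session['MAC Address']} is in the VOICE "
            f"domain but VLAN policy {assigned} is not the port's voice VLAN "
            f"{port_vlans.get('voice')}")
    for row in epm_rows:
        if (row["mac"].lower() == session.get("MAC Address", "").lower()
                and assigned is not None and row["vlan"] != assigned):
            findings.append(
                f"{row['intf']}: EPM tracks {row['mac']} in VLAN {row['vlan']} "
                f"although VLAN {assigned} was assigned")
    return findings


if __name__ == "__main__":
    for finding in check_session(parse_session(SESSION_OUTPUT),
                                 parse_port_vlans(PORT_CONFIG),
                                 parse_epm(EPM_SUMMARY)):
        print(finding)
```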
I have used SAP doc mgmt for years. We copied a client and now when I configure a Class to my DMS DIR and go to CV01n Additional Data NONE of the characteristic entry boxes show up. Additional Data is blank.
It appears there must be some high level setting missing in the client. I have checked all authorizations and cannot find a difference between this client and all of the other clients we have. Only this one client does not show the class characteristics in the Additional Data tab.
Any ideas of why this standard function is not working? It does not matter which DIR I config the 017 class to, nothing shows on Additional Data.
Hi,
The issue is resolved. We are working in a sandbox with Class configuration on a DMS issue related to standard class 017. There are no standard settings in SPRO - Cross-Application Components | Maintain Object Types and Class Types | for the object type DRAW that will allow "auto-populating" characteristic values as we do with VC class 300.
For whatever reason DRAW and class 017 are not configured by SAP in the same manner as class 300 for example.
We made a config entry for DRAW Class 017 VBAP. Let's just say the system did not like that.
We are exploring other options.
-
Document distribution with restriction on Status of the DIR
Hi all
In my business scenario, I need to restrict document distribution based on the status of the DIR, i.e. a user should be able to distribute a DIR of a particular status (RL - Release), but he cannot distribute the DIR in status (IP - In process).
I have maintained the following values in the auth. object:
C_DRAW_TCD
ACTVT : Create or generate, Change, Display, Distribute
DOKAR : DRW
C_DRAW_TCS
ACTVT : Display, Distribute
DOKAR : DRW
DOKST : RL
But still I am able to distribute the document in IP status(which I have not specified in the auth. object C_DRAW_TCS)
Is there any change needed in what I have done, or any new object to be added?
Help me in finding out the solution.
Regards
S.Sivakumar
Hi Christoph
I have generated the profile and assigned it to the correct user. In ST01, when I tested the authorization checks, all auth. object checks are fine except C_DRAW_TCS.
For C_DRAW_TCS the auth. check is happening for only the "03 Display" activity. It is not happening for the activity "59 Distribute". I have maintained the auth. object for both Display and Distribute, as follows:
C_DRAW_TCS
ACTVT : Display, Distribute
DOKAR : DRW
DOKST : RL
But the auth. check is carried out for only display.
C_DRAW_TCS RC=0 DOKAR=DRW;DOKST=RL;ACTVT=03; and it displays Authorization check successful. For distribute the auth. check itself is not carried out.
Help me in sorting out the problem.
Regards
S.Sivakumar
-
Dear Friends,
I know I can restrict two users "A" & "B" who create DIRs "1001" & "1002" respectively under the same document type, say "DRW". That means they cannot display the DIR created by each other, by Authorization Object "C_SIGN_BGR".
I have tried this and it works perfectly.
But my question is: can I maintain these Authorization Groups so that when a user enters a wrong Authorization group, it does not allow him to enter it in the Authorization Group field?
If I maintain the setting in SPRO in DMS>Approvals>Define Authorization groups, will my maintained values be validated against the values I enter in the Authorization Group field?
Also, I know the development mentioned under this link:
[https://wiki.sdn.sap.com/wiki/display/PLM/F4forAuthorization+group]
But I want to avoid this development.
Waiting for your reply.
With warm Regards
Mangesh
Hi Mangesh,
To achieve this I suggest you update domain BEGRU as mentioned in the link
http://wiki.sdn.sap.com/wiki/display/PLM/UsingAuthorizationGroupfieldin+DMS
Values can be maintained in a ztable.
You can also have a search help for BEGRU, by adding a search help in the DRAW table for BEGRU.
Also go through the post - Re: Authorization Group in CV01n Document Data tab
Auth object C_DRAW_BGR has a field value reference to data element BEGRU.
Regards
Surjit
-
Hi Experts,
If I have values NPD, R&D etc. for authorization groups, how do I maintain these values in SAP DMS? Is there any t-code or SPRO configuration for maintaining these values? I know it's a basis activity.
I hope you understood the question properly: how to set the authorization groups and where to maintain the values for them?
Regards,
Ravindra
Hi,
In DMS the auth grp is a free field and we can maintain any value for it.
But to control access we must assign these values to auth obj C_DRAW_BGR.
This auth obj will be assigned to a role and the role to a user.
So a user who has auth value R&D in his role can enter this auth obj value while creating a DIR, and at the same time he can access a DIR with this auth obj value created by another user having the same auth obj in his role.
Please note that this auth obj C_DRAW_BGR works with other auth objs in DMS.
Regards
Abhijit
-
EDMS: 'Missing authorization for this functionality' when searching user
Hi,
I've activated ALC authorization for DMS. In EDMS, when trying to add a user to a DIR with the search function, an error occurs as below.
'Missing authorization for this functionality'
BTW, the user has the SAP_ALL profile. It can't be for any authorization reasons.
Regards,
Yemi
Hi,
Authorization checks will not happen if the search help is from SAP GUI. I think the problem is related to a missing implementation of a "check function module" from your side. If the search help is linked to a "master data table" (type A), a check function must be implemented to check the permission of the user.
This function module is read from table BAPIF4T. Please check the following links:
http://help.sap.com/saphelp_nw04/helpdata/en/a5/3eca044ac011d1894e0000e829fbbd/content.htm
http://wiki.sdn.sap.com/wiki/display/PLM/Object+Link+search+in+EasyDMS
Regards,
Hari
-
Need to restrict view of DIRs assigned to material, vendor, and customer
Hello,
SAP standard, version ECC 6.0. Different plants in use with a requirement for different authorizations.
I know that DIRs can be assigned to material master. However, the problem is that it's client level data. Now there is a need to implement DMS with materials, vendors, and customers.
Problem is that company operates in different countries and with different plants. One material/customer/vendor is created and then extended to cover different plants.
Material 1111 has a specification assigned to it, e.g. document type ZSP with DIR 1000001111, this document is at client level.
Person A from plant 1000 can display and maintain it (1000001111) but person B from 2000 must not see this, she has DIR 10000011113 instead (and person A should see this).
If person A has authorizations which are limited by the plant type because of the usage of MM already, do these restrictions apply also to DMS? I haven't found a definite answer for this.
I cannot set an authorization object based on document type, and maintaining different authorization groups is the last option because of the vast number of users.
The same question is for customer. if there is e.g. a contract assigned to customer, can the view be restricted by distribution channel or another field provided by SD (standard solution).
Vendor master is the 3rd major issue. How to limit access to documents?
Help is highly appreciated.
Thanks in advance,
Pia
Hi,
Can you please elaborate what is the object you mean. I have serious problems with system and cannot check it.
Thanks,
Pia
-
HR authorization for Display the documents in SAP DMS
Hi experts,
We want to control display authorization depending on the entry made in the object link tab in DMS (Document Management System). We developed a screen for the HR master object link. When a user executes cv03n and enters a document no., the system should check the HR master number entered in the object link. If the user has authorization for that HR master number in PA (personnel administration), then he should be allowed to display the document. Otherwise it should restrict him from displaying the DIR.
Now my query is how to achieve it. Can anybody provide me some solutions?
I have one solution: whenever a user enters a document number in the cv03n screen, the system will first check the HR master number entered in the object link and check the Personnel Area, Employee Group and Employee Subgroup against this HR master number. Say, for example: PA:1000, EG:1 and ESG:01 for HR number xyz.
Now the system should check the roles assigned to the user ID for these PA, EG and ESG values. If the user has authorization for PA:1000, EG:1 and ESG:01 in HR roles, then he should be allowed to display the document.
Now my query is: how feasible is this approach? Is this a tough task for an ABAPer? Or is there an easier approach than this?
Regards
sham
Hi,
Try to use the User Exit: CNEX0002.
Check with your ABAPer for the enhancement.
Hope it helps..
Thanks!!!