Technology Blogs by SAP
Former Member

Authorization for iObjects

Use Cases:

1. You want to restrict the creation of ITSM documents with specific CIs (Configuration Items = iObjects). E.g. creating an incident with a target CI is only allowed for a key user who is assigned to a specific organizational unit.

You won't find the CI via the F4 search unless you have the authorization object in your role AND one of the following rules matches your Business Partner settings.

2. It should not be possible for a user to display ITSM documents that contain a CI which has no relationship to the user. E.g. all incidents for a high-security system are not shown to users without this authorization object.

Note: until SAP Solution Manager SP12, SAP Note 1981995 is necessary.


Configuration:

Use authorization object SM_SDK_IBA in transaction PFCG. It is included in the SAP standard template roles for ITSM.

Attention: The authorization field values are additive.

| Field value | Description | Technical Details |
|---|---|---|
| No authorization | User sees only systems in BP identification | Identification type CRM001 |
| USERS_OWN | User sees only systems in BP identification AND systems to which the BP is directly assigned | Identification type CRM001; BP is assigned to configuration item as party involved |
| USERS_ORG | User sees only systems in BP identification AND systems to which the BP is directly assigned AND systems that are assigned to the BP-organizations the user belongs to | Identification type CRM001; BP is assigned to configuration item as party involved. Relationship to organization is determined via: (1) Organizational Model (PPOMA_CRM); (2) BP relationship "is the Employee Responsible for" (can be changed via AGS_WORK_CUSTOM parameter IM_RESPONSIBLE_REL_CATEGORY). BP-organization is assigned to configuration item as party involved |
| ALL | User can see all iObject entries | |
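
The visibility rules from the table, modelled as a small Python function that can be used to reason about a role design before assigning it. This is an added example, not SAP code: the class names, function names and sample data are assumptions, and only the field values USERS_OWN, USERS_ORG and ALL come from the table.

```python
from dataclasses import dataclass

KNOWN_VALUES = {"USERS_OWN", "USERS_ORG", "ALL"}  # field values from the table

@dataclass(frozen=True)
class BusinessPartner:             # hypothetical model of the user's BP
    bp_id: str
    identified_systems: frozenset  # systems in BP identification (type CRM001)
    org_ids: frozenset             # BP-organizations the user belongs to

@dataclass(frozen=True)
class ConfigItem:                  # hypothetical model of a CI (iObject)
    system: str
    parties_involved: frozenset    # BP ids and BP-organization ids on the CI

def ci_visible(field_values, bp, ci):
    """Return True if the table's rules make `ci` visible to `bp`."""
    values = set(field_values)
    unknown = values - KNOWN_VALUES
    if unknown:
        raise ValueError(f"unknown field value(s): {sorted(unknown)}")
    if "ALL" in values:
        return True
    # Baseline that applies even without the authorization object.
    if ci.system in bp.identified_systems:
        return True
    # USERS_OWN, and USERS_ORG which includes it: the BP is a party involved.
    if values and bp.bp_id in ci.parties_involved:
        return True
    # USERS_ORG only: one of the user's BP-organizations is a party involved.
    return "USERS_ORG" in values and bool(bp.org_ids & ci.parties_involved)

def visible_systems(field_values, bp, cis):
    """List the systems whose CIs the user can see, sorted by name."""
    return sorted(ci.system for ci in cis if ci_visible(field_values, bp, ci))

# Constructed sample data (not from a real landscape).
USER = BusinessPartner("BP100", frozenset({"DEV"}), frozenset({"ORG_FIN"}))
CIS = [
    ConfigItem("DEV", frozenset()),                    # only in BP identification
    ConfigItem("QAS", frozenset({"BP100"})),           # BP directly assigned
    ConfigItem("PRD", frozenset({"ORG_FIN"})),         # user's organization assigned
    ConfigItem("SEC", frozenset({"BP999", "ORG_HR"})), # no relationship to the user
]

if __name__ == "__main__":
    for role in ([], ["USERS_OWN"], ["USERS_ORG"], ["USERS_OWN", "ALL"]):
        print(role or "no authorization", "->", visible_systems(role, USER, CIS))
```

Because the values are additive, a role that carries ALL alongside a narrower value exposes every CI, including the unrelated SEC system in the sample data.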