on 11-20-2013 12:45 PM
Hi all,
First of all, you can use the following link to see the screenshots from our system for a better understanding of the question:
http://sapqueries.blogspot.gr/2013/11/hi-all-our-requirement-is-to-restrict.html
Our requirement is to restrict some users from entering values for a specific characteristic in a network (not maintaining the characteristic). In the example that I have created I have used authorisation object C_TCLS_MNT according to the document below. I also have configured 2 organisational areas (E, N)
http://wiki.scn.sap.com/wiki/display/PLM/Authorization+Objects
The example I have created in our test system is the following:
class ZPS_CHAR_TEST
Characteristics ZPS_CHAR_TEST and ZPS_CHAR_TEST2.
For the first characteristic the organizational area in the class is set to E whereas for the second it is N.
In PFCG, in the user role I have added authorisation object C_TCLS_MNT and allowed access ONLY to organisational area E. However when I go to CN22, the system allows the user to enter values for both characteristics?
Am I using the correct authorisation object or should it be something else? What am I doing wrong?
Hi Michail,
You also need to assign authorisation object 'C_TCLS_BER' to the user apart from 'C_TCLS_MNT'.
And also ensure that the other characteristics which are not authorised to that person should not be ticked with 'Entry required'.
Regards,
Ravi
Hi Ravi,
I have assigned authorization object 'C_TCLS_BER' as well and no characteristics are ticked with "Entry required". And yet the user is still able to maintain values against that characteristic in the network. What am I doing wrong?
Also, how is this supposed to work? User A has authorization whereas User B does not. Does User B see the characteristic as display or does he not see the characteristic at all?
Hi Michail,
If you assign this authorisation object 'C_TCLS_BER' with org. area, then the user will be able to see only those characteristics which are assigned with org. areas.
Maybe in your case, he would have got * authorisation in the org. area of the above authorisation object through some other roles. You can check these using tcode-SUIM-->Roles-->By Complex selection criteria. Input user name & authorisation object and then input class type and '#' in org. area to get the list of roles which the user is assigned with these above authorisations.
The other question of yours in post - http://scn.sap.com/message/14545817 is for the characteristics in which no users should be able to input the data. But in the above case, one user will be able to update only a few characteristics and a few other users will be able to update other chars.
Regards,
Ravi
Message was edited by: Ravi E
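The effect described in the reply above, a '*' org. area reaching the user through another role, as an added example that is not part of the original thread. It models the general rule that one authorization must cover every checked field while any assigned role may supply it; the role names and the field keys CLASS_TYPE / ORG_AREA are placeholders, not SAP's technical field names, and all data is constructed.

```python
# Added example: how authorizations from several roles combine.
# Role names and field keys are placeholders; the data is constructed.

def value_matches(granted, wanted):
    """True if a granted value (exact, 'E*' prefix pattern, or '*') covers wanted."""
    if granted.endswith("*"):
        return wanted.startswith(granted[:-1])
    return granted == wanted

def auth_covers(auth, required):
    """One authorization passes only if every required field is covered (AND)."""
    return all(
        any(value_matches(g, wanted) for g in auth.get(field, []))
        for field, wanted in required.items()
    )

def granting_roles(roles, assigned, obj, required):
    """Names of the user's roles that hold a passing authorization (OR)."""
    return sorted(
        name for name in assigned
        if any(o == obj and auth_covers(a, required)
               for o, a in roles.get(name, []))
    )

ROLES = {
    # Intended restriction: maintain only characteristics of org. area E.
    "Z_PS_CHAR_AREA_E": [
        ("C_TCLS_MNT", {"CLASS_TYPE": ["021"], "ORG_AREA": ["E"]}),
    ],
    # Unrelated older role that happens to carry full authorization.
    "Z_PS_OLD_GENERAL": [
        ("C_TCLS_MNT", {"CLASS_TYPE": ["*"], "ORG_AREA": ["*"]}),
    ],
}

if __name__ == "__main__":
    want_n = {"CLASS_TYPE": "021", "ORG_AREA": "N"}
    for assigned in (["Z_PS_CHAR_AREA_E"],
                     ["Z_PS_CHAR_AREA_E", "Z_PS_OLD_GENERAL"]):
        hits = granting_roles(ROLES, assigned, "C_TCLS_MNT", want_n)
        print(assigned, "-> org. area N granted by:", hits or "no role")
```

The second user passes the check for org. area N even though the restricted role is correct, which is why the role list for the user has to be reviewed as a whole.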
Try to assign a value to a characteristic which you are not expecting to appear here; maybe you will get some error message in return, and it can give some clue.
Also check /NSU53 to see the authorization check and what the system returns as the result.
Last, but can't help asking: have you checked whether the user already has a SAP ALL kind of profile attached, which allows him to do anything and everything?
Thanks
Ritesh
Hi Michail,
you can use the authorization trace ST01 to find out which authorization objects are checked when you execute the CN22. This wiki article
http://wiki.scn.sap.com/wiki/x/PQKFAQ
explains it for DMS but the general principle applies to PS as well.
Best regards,
Eric
The problem is that I do not have an error message. I want to create an error message when the user is trying to enter values for a characteristic that they have no authorization for. Everyone keeps telling me to use the following path:
"Procedure for restricting the access to maintaining particular characteristic in classification of assigned object
Create organizational Areas in Customizing.
Navigation: SPRO -> Cross-Application Components -> Classification system -> Classes -> Maintain Object Types and class types
Select Table CABN, double click on Organizational Areas; click on New Entries. Add organizational areas A, B for class type 021.
Use Transaction CL02, Go to Basic Data tab.
Specify, for example E, N in Organizational Areas field in Basic Data tab.
Specify Organizational Area E for set of characteristics and N for other set of Characteristics in Char data tab.
Specify Organizational Area E in the authorization object C_TCLS_MNT in Role of required user in Transaction PFCG.
User who is having Organizational Area E in authorization object C_TCLS_MNT can maintain only those Characteristics which are having organizational area A in the respective class."
I am following everything to the letter. What am I doing wrong?