cancel
Showing results for 
Search instead for 
Did you mean: 

PS Network characteristic authorisation

former_member640579
Participant
0 Kudos

Hi all,

First of all, you can use the following link to see the screenshots from our system for a better understanding of the question:

http://sapqueries.blogspot.gr/2013/11/hi-all-our-requirement-is-to-restrict.html

Our requirement is to restrict some users from entering values for a specific characteristic in a network (not maintaining the characteristic). In the example that I have created I have used authorisation object C_TCLS_MNT according to the document below. I also have configured 2 organisational areas (E, N)

http://wiki.scn.sap.com/wiki/display/PLM/Authorization+Objects

The example I have created in our test system is the following:

class ZPS_CHAR_TEST

Characteristics ZPS_CHAR_TEST and ZPS_CHAR_TEST2.

For the first characteristic the organizational area in the class is seto to E whereas for the second it is N.

In PFCG, in the user role I have added authorisation object C_TCLS_MNT and allowed access ONLY to organisational area E. However when I go to CN22, the system allows the user to enter values for both characteristics?

Am I using the correct authorisation object or should it be something else? What am I doing wrong?

Accepted Solutions (0)

Answers (2)

Answers (2)

ravi_ekambaram
Active Contributor
0 Kudos

Hi Michail,

You also need to assign authorisation object 'C_TCLS_BER' to the user apart from 'C_TCLS_MNT'.

And also ensure that the other characteristics which are not authorised to that person should not be ticked with 'Entry required'.

Regards,

Ravi

former_member640579
Participant
0 Kudos

Hi Ravi,

I have assigned authorization object 'C_TCLS_BER' as well and no characteristics are ticked with "Entry required". And yet the user is still able to maintain values against that characteristic in the network. What am I doing wrong?

Also, how is this supposed to work? User A has authorization whereas User B does not. Does User B see the characteristic as display or does he not see the characteristic at all?

ravi_ekambaram
Active Contributor
0 Kudos

Hi Michail,

If you assign this authorisation object 'C_TCLS_BER' with org. area, then the user will be able to see only those characteristics which are assigned with org. areas.

May be in your case, he would have got * authorisation in the org. area of the above authorisation object through some other roles. You can check these using tcode-SUIM-->Roles-->By Complex selection criteria. Input user name & authorisation object and then input class type and '#' in org. area to get the list of roles which the user is assigned with these above authorisations.

The other question of your's in post - http://scn.sap.com/message/14545817 is for the characteristics in which no users should be able to input the data. But in the above case, one user will be able to update only few characteristics and other few users will be able to update other chars.

Regards,

Ravi

Message was edited by: Ravi E

former_member640579
Participant
0 Kudos

Thanks for your response (and your time). The user has only one role, as it is a user I created to test the scenario. I have also confirmed that via SUIM. These are the authorisation objects of the user profile

ravi_ekambaram
Active Contributor
0 Kudos

Hi Michail,

In the screenshot attached by you, the authorisation object 'C_TCLS_MNT' is not assigned. You have only assigned 'C_TCLS_BER'.

Can you assign and check the same.

Regards,

Ravi

former_member640579
Participant
0 Kudos

That was only because I played around with different combinations of authorization objects. This is the status now and the test user is still able to perform value assignment for both characteristics

former_member640579
Participant
0 Kudos

This is the class:

And this is what the user sees in the network

Shouldn't the user only see One characteristic?

Ritz
Active Contributor
0 Kudos

Michail Papadopoulos,

Try to assign value to chnaracterstic which you are not expecting to appear here , may be you will get some error message in return and it can  give some clue.

Also check /NSU53 to see authorization check , what systems return you as result.

Last but cant help asking , have you check , if the user already have SAP ALL kinda profile attahced?  and which allowing him to do any thing and every thing?

Thanks

Ritesh

Former Member
0 Kudos

Hi Michail,

you can use the authorization trace ST01 to find out which authorization objects are checked when you execute the CN22. This wiki article

http://wiki.scn.sap.com/wiki/x/PQKFAQ

explains it for DMS but the general principle applies to PS as well.

Best regards,

Eric

former_member640579
Participant
0 Kudos

The problem is that I do not have an error message. I want to create an error message when the user is trying to enter values for a characteristic that they have no authorization for. Everyone keeps telling me to use the following path:

"Procedure for restricting the access to maintaining particular characteristic in classification of

assigned object


Create organizational Areas in Customizing. 

Navigation: SPRO -> Cross-Application Components -> Classification system -> Classes ->Maintain Object


Types and class types

Select Table CABN, double click on Organizational Areas; click on New Entries. Add organizational areas A, B for class type 021.


Use Transaction CL02, Go to Basic Data tab.

Specify, for example E, N in Organizational Areas field in Basic Data tab.

Specify Organizational Area E for set of characteristics and N for other set of Characteristics in Char data tab.


Specify Organizational Area E in the authorization object C_TCLS_MNT in Role of required user in Transaction PFCG.


User who is having Organizational Area E in authorization object C_TCLS_MNT can maintain only those 

Characteristics which are having organizational area A in the respective class. "


I am following everything to the letter. What am I doing wrong?