Skip to Content
Author's profile photo Jerry Wang

Attachment authorization control via authorization scope

The attachment authorization control could be implemented with the help of authorization scope.

When you create an attachment via the Attachment button provided in attachment assignment block, you could also assign a given authorization scope for it.

Once the scope is maintained and the attachment is saved, it could never be changed any more.


The possible values of authorization scope could be maintained via customizing SPRO->Customer Relationship Management->Transactions->Basic settings->Define Authorization scope for Attachments.

For authorization domain, you should use exactly the same spelling as “ATTACHMENT”, as is defined in constant CL_CRM_SFW_ITSM_SWITCH_CHECK=>gc_auth_domain. And just use SAP predefined class CL_CRM_AUTH_SCOPE_STATIC_CHK.


Then you can maintain the authorization scope values:


In the runtime, the authorization domain “ATTACHMENT” together with the authorization scope of current attachment will be evaluated by the view controller of attachment assignment block view: if authorization check fails for current user, the attachment being evaluated will not appear in the attachment assignment block.


The authorization check is done via check against authorization object CRM_AUTHSC:


if you need to view what authorization is granted to your user, you can execute report RSUSR070, specify Authorization Object as CRM_AUTHSC:


The report result shows that authorization is included in four roles, double click one of them:


click “Authorizations” tab and click display button:


Use search function:


The result indicates that my user in our dev system has authorization to create, display, change and delete on attachments belonging to any authorization domain & scope.


Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Zoe Zhou
      Zoe Zhou


      Hi Jerry,

      Many thanks for the sharing. We are trying to implement this and what you've described here worked pretty well! However when trying to add a new version of attachment(Going to Advanced view, check out the original version, then check in by uploading from local hard drive), there's no way to select the authorization scope again - the new version will be added with no authorization scope. Have you ever encountered that? Any suggestions would be greatly appreciated. Thank you!