Authorization for iObjects

Use Cases:

1. You want to restrict the creation of ITSM documents with specific CIs (Configuration Items = iobjects). E.g. creating an incident with a target CI is only allowed for a Key User who is assigned to a specific organizational unit.

You won’t find the CI via the F4 search if you don’t have the authorization object in your role AND one of the following rules matches your Business Partner settings.


2. It should not be possible for a user to display ITSM documents that contain a CI which has no relationship to the user. E.g. all incidents for a high security system are not shown to users without this authorization object.

Note: until SAP Solution Manager SP12, SAP Note 1981995 is necessary.

Configuration:

Use authorization object SM_SDK_IBA in transaction PFCG. It is included in the SAP standard template roles for ITSM.

Attention: The authorization field values are additive.

Field value: No authorization
Description: user sees only systems in BP identification
Technical details:
  identification type CRM001

Field value: USERS_OWN
Description: user sees only systems in BP identification
  AND systems to which the BP is directly assigned
Technical details:
  identification type CRM001
  BP is assigned to configuration item as party involved

Field value: USERS_ORG
Description: user sees only systems in BP identification
  AND systems to which the BP is directly assigned
  AND systems that are assigned to the BP-organizations the user belongs to
Technical details:
  identification type CRM001
  BP is assigned to configuration item as party involved
  Relationship to organization is determined via:
    1. Organizational Model (PPOMA_CRM)
    2. BP relationship “is the Employee Responsible for” (can be changed via AGS_WORK_CUSTOM parameter IM_RESPONSIBLE_REL_CATEGORY)
  BP-organization is assigned to configuration item as party involved

Field value: ALL
Description: user can see all Iobject entries
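
The rules in the table, written out as a small Python model for reviewing which CIs a role design exposes. This is an added example, not SAP code: the class and function names and the sample data are hypothetical, CIs are matched by name as a simplification, and it assumes "additive" means the widest field value found across a user's roles decides the result.

```python
from dataclasses import dataclass, field

@dataclass
class ConfigItem:
    name: str
    # BPs and BP-organizations assigned to the CI as party involved
    parties: set = field(default_factory=set)

@dataclass
class User:
    bp: str
    identified: set   # systems in the BP identification (type CRM001)
    orgs: set         # BP-organizations the user belongs to
    values: set       # SM_SDK_IBA field values collected from all roles

def can_see(user: User, ci: ConfigItem) -> bool:
    """Apply the rules of the table, widest field value first."""
    if "ALL" in user.values:
        return True
    # Baseline: applies even when the user has no authorization at all
    if ci.name in user.identified:
        return True
    # USERS_OWN, and USERS_ORG which includes it: BP is party involved
    if user.values & {"USERS_OWN", "USERS_ORG"} and user.bp in ci.parties:
        return True
    # USERS_ORG only: one of the user's BP-organizations is party involved
    return "USERS_ORG" in user.values and bool(user.orgs & ci.parties)

def visible(user: User, cis: list) -> list:
    return sorted(ci.name for ci in cis if can_see(user, ci))

# Constructed sample data (not taken from a real system)
CIS = [
    ConfigItem("SYS_A"),                 # listed in the user's BP identification
    ConfigItem("SYS_B", {"BP_100"}),     # user's BP is party involved
    ConfigItem("SYS_C", {"ORG_SALES"}),  # user's organization is party involved
    ConfigItem("SYS_HIGHSEC"),           # no relationship to the user
]

def sample_user(values):
    return User("BP_100", {"SYS_A"}, {"ORG_SALES"}, set(values))

if __name__ == "__main__":
    for vals in ([], ["USERS_OWN"], ["USERS_ORG"], ["USERS_OWN", "ALL"]):
        print(vals or "no authorization", "->", visible(sample_user(vals), CIS))
```

In this model a single role that carries ALL exposes SYS_HIGHSEC even when every other role of the user is restricted to USERS_OWN, which is the case to look for when checking composite roles against use case 2.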