PLM Web UI Security Concerns & ACM
Any manufacturing company (discrete or process) with a heterogeneous setup has a strong need to give its resources channelized access to its data, i.e., to make it accessible to the right people at the right time. For instance, documents that belong to one division may have to be protected from editing by others for various reasons. Marketing and Sales departments need read-only access to the data. Suppliers and vendors need access only to specific data.
Different geographical regions could be another reason to restrict some country (division) specific data. One example is ITAR, under which many companies involved in defense-related manufacturing need to restrict access to the data for non-US citizens.
Projects with highly sensitive data should be accessible to that project team only. Object-instance-specific authorization is another such requirement. There are many similar scenarios in which a company needs tight security around PLM objects.
To address all of the security scenarios mentioned above, SAP introduced Access Control Management (ACM) along with SAP PLM 7. ACM is built on standard PFCG roles and also supports ACLs. In ACM, authorizations are controlled using an object called an Access Control Context (ACC). PFCG roles, users and user groups are maintained at the ACCs, and the ACCs are linked with the PLM objects. Hence users with similar roles get the right access to those PLM applications.
A lot of companies are hesitant to implement ACM, assuming that it is too complex and involves a lot of time and maintenance. This might be true, but the trick to ease it is to start out with a simple design and later enhance (extend) it with what you need. This helps in gaining the initial understanding needed before going for a big bang.
ACM can handle transferring ownership of an object from one ACC to another using the Transfer technique. This is mainly used when access to an object needs to be shared with a group until it gets moved to another. An object can also be assigned to another ACC without the source ACC losing ownership; this is called the Loaning technique. It is used for temporarily granting access to another set of people.
Scenarios like ITAR and sensitive projects can be addressed with a separate ACC or set of ACCs that provide access to the right people. Since an ACC is assigned at the object instance level, authorizations can be handled at the object instance level too.
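The Transfer and Loaning techniques and the per-instance authorization described above can be pictured with a small model. This is an added conceptual sketch, not SAP code or an SAP API: the class names, the role-to-activity table, the ACC and user names and the end_loan step are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the authorizations a PFCG role carries.
ROLE_ACTIVITIES = {"designer": {"display", "change"}, "viewer": {"display"}}

@dataclass
class ACC:
    """Simplified access control context: role name -> users holding it."""
    name: str
    roles: dict = field(default_factory=dict)

@dataclass
class PLMObject:
    """Object instance with exactly one owning ACC and optional loans."""
    name: str
    owner: ACC
    loans: list = field(default_factory=list)

    def transfer(self, target):
        # Transfer: ownership moves, so the source ACC stops granting access.
        self.owner = target

    def loan(self, target):
        # Loan: target ACC gains access while the source ACC keeps ownership.
        if target is not self.owner and target not in self.loans:
            self.loans.append(target)

    def end_loan(self, target):
        # Assumed revocation step; the article only says loans are temporary.
        self.loans = [a for a in self.loans if a is not target]

def allowed(user, activity, obj):
    """Decide per object instance: any linked ACC with a role permitting it."""
    for acc in [obj.owner, *obj.loans]:
        for role, members in acc.roles.items():
            if user in members and activity in ROLE_ACTIVITIES.get(role, ()):
                return True
    return False

def demo():
    """Constructed scenario: loan DOC-001 to a supplier, then transfer it."""
    design = ACC("DESIGN_EU", {"designer": {"anna"}})
    supplier = ACC("SUPPLIER_X", {"viewer": {"sam"}})
    doc = PLMObject("DOC-001", design)
    doc.loan(supplier)
    loaned = allowed("sam", "display", doc) and allowed("anna", "change", doc)
    doc.end_loan(supplier)
    doc.transfer(ACC("ITAR_US", {"designer": {"dave"}}))
    return (loaned, allowed("sam", "display", doc),
            allowed("anna", "change", doc), allowed("dave", "change", doc))
```

In this model a loan widens access without touching the owner, while a transfer replaces the owner and therefore removes the previous group's access.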
SAP Consulting has added new features to ACM, such as ‘Mass Maintenance’ with Excel upload capabilities and authorization ‘Reporting’, which add real value and help in faster implementation. There are a couple of other features, like down-porting ACM to SAP GUI (currently DIR) and, more importantly, implementing ACM for PPM 5.0. However, these have a price tag associated, as they are from the SAP Consulting team.
If SAP adds more features like those above, which could help in implementing ACM easily, and makes them generally available, that would address some of the security scenarios in Product Lifecycle Management.