You can find detail information on the authorization concept with SAP Solution Manager 7.2 in the
Authorization Concept Security Guide
.

This blog describes the most important roles and authorization objects for Process Management / Solution Documentation in SAP Solution Manager 7.2. The Solution Documentation authorization objects and roles used in SAP Solution Manager 7.1 were changed and replaced with new authorization roles and new authorization objects.
Most important authorization objects for Process Management/Solution Documentation in SolMan 7.2

The most important authorization objects (responsible for an access to solution documentation elements, objects and assignments) of the Process Management/Solution Documentation scenarios are:

  • SM_SDOC(Solution Documentation) – authorizations for the solution documentation activities (creation of solution/branch/structure/content etc.)
  • SM_SDOCADM (Solution Administration) – authorizations for the solution administration activities (creation of the solution landscape, logical component groups, documentation types etc.)
  • SM_GAL_GO (Authorization Object for Graphical Component Global Objects)

All objects are contained in the authorization roles SAP_SM_SL_*.

Authorization objects related to Solution Manager documents:

  • S_SMDDOC(Solution Manager Document Authorization) – this object restricts the activities that can be done on a document level.
  • S_SMDATT(Solution Manager Document Attribute Authorization Object) – this object restricts the usage of attributes for documents.

Both objects are contained in the authorization roles SAP_SM_KW_*.

Most important single roles for Process Management/Solution Documentation in SolMan 7.2

The SAP_SM_SL_* roles contain all relevant authorizations for process documentation.

The most important single roles to work with the Process Management/Solution Documentation applications are:

  • SAP_SM_SL_ADMIN (Process Management Administration) – This role provides full authorizations for Solution Administration (transaction SOLADM/SLAN).
  • SAP_SM_SL_EDIT (Solution Documentation Edit) – This role allows to edit the solution process documentation (auth. object SM_SDOC) with BPMN (display) and display the solution administration information.
  • AP_SM_SL_DISPLAY (Solution Documentation Display) – This role provides you only display authorizations for the Solution Landscape and process documentation in SAP Solution Manager 7.2.
  • SAP_SM_KW_* – Those roles contain authorization objects relevant for Solution Manager documents:
  • SAP_SM_FIORI_LP_EMBEDDED (Embedded Use of the Fiori Launchpad in SAP Solution Manager) – This role allows you to access the Process Management/Solution Documentation functionalities via the Fiori Launchpad tiles.
  • SAP_SMWORK_IMPL – This role is relevant for work center UI navigation. It will make possible to see the tiles in the Fiori Launchpad based on the assigned authorization groups.
  • SAP_SUPPDESK_CREATE – This role is used for the key users in the Service Desk scenario in the SAP Solution Manager system. You may need this role if you allow for creations of messages form the Solution Documentation application.
  • SAP_SM_TREX_ADMIN – Configuration User Role for TREX ADMIN (SOLMAN_SETUP Transaction).

Composite roles for Process Management/Solution Documentation

SAP delivers the following composite roles for Process Management/Solution Documentation for the different end user functions:

  • SAP_SOL_CONFIG_COMP for execution of Process Management in SOLMAN_SETUP (the configuration user)
  • SAP_SOL_PM_COMP for Project Management functions
  • SAP_SOL_AC_COMP for execution of Application Consultant functions: Application Consultants plan the functional requirements for a project with the Project Manager and then carry out the required configuration tasks in the system.
  • SAP_SOL_TC_COMP for execution of Technical Consultant functions – Technical Consultants plan the technical requirements for a project with the Project Manager and the manager of the technical team and then carry out the required technical tasks in the system.
  • SAP_SOL_BC_COMP for execution of Basis / Development Consultant functions – Development Consultants work with the project manager and the application consultant on the planning and organization of the authorization concept. They also perform developmental tasks and customer-specific developments.
  • SAP_SOL_RO_COMP for a display user – This type of user can only display information.
  • SAP_SOL_RE_COMP for read only user – This type of user can read documents (according to the document status).
To report this post you need to login first.

5 Comments

You must be Logged on to comment or reply to a post.

  1. Ashishkumar Banker

    Hello Ewa Goslawska-Goedecke,

    Thanks for this information.
    We are also looking for Folder Base Authorization to restrict user for accessing certain node and Documents. If you can help to generate folder and assign document and authorization. Or any alternative solution. Also do we have “Site” specific authorization and view?

    Thanks,
    Ashish

    (0) 
  2. Pikakala Sebastian

    Hi,

     

    I have a question.

     

    I only want to restrict one attribute of the  document i manually uploaded, can you suggest which is the field activity??

    The attribute is the “Document Status”, by default it has the values “In Progress, Copy Editing, Review and Released”, i have to restrict the user to not Release the Document.

    Regards,

    Sebastian

     

    (0) 
  3. Pikakala Sebastian

    Hi Ashish,

    Thanks and I am fully aware of this Authorization object.

    Here is my requirement.

    UserA, has the authorizations object S_SMDDOC and Document Status 0RELEASED, 0REVIEW.

    Now my requirement is he should not have the access to change the document status from REVIEW to Released

    Regards, Sebastian

    (0) 
  4. Pikakala Sebastian

    I was able to get what i wanted,

    Case1: UserA, should have the authorizations object S_SMDDOC and Document Status 0RELEASED, 0REVIEW.

    Added the object S_SMDDOC twice

    Case 2. User should not have the access to change the document status from REVIEW to Released

    This can be achieved by the object S_SMDATT

    Hope this will be useful for someone else.

    Regards, Sebastian

    (0) 

Leave a Reply