Restricting Access to Subtrees of a Solution in SolMan 7.2: Definition of an Authorization Area
The concept of Authorization Areas
Authorization areas can protect subtrees of the solution structure. An administrator can assign an authorization area to a structure element. After that, only users whose authorization for the authorization object Solution Documentation (SM_SDOC) contains this authorization area name in the field Authorization Area (SMUDAREA) are allowed to perform activities on this structure element and its children.
Authorization role SAP_SM_SL_ADMIN: copy it to the customer namespace before making changes.
Authorization areas are defined per solution. An authorization area has a 30-character technical name and a description.
The default authorization area does not need to be defined. The solution documentation root element and all elements without assignment have the implicit authorization area assignment ‘Default’ by definition. When no authorization areas have been assigned to the elements of a solution yet, every element has authorization area ‘Default’.
The definition of Authorization Areas
You can define an authorization area in transaction SM34, view cluster SMUD_AUTHG:
Select the solution you want to create the authorization area for:
Create the authorization group you want to assign the authorization area to:
Select the entry with the new authorization group:
Choose the “New Entries” button to add a new entry in the detail screen of the view. Enter an authorization area ID or select it in the value help provided. Select the button “Select Structure Element”:
In the search help you can preselect by element type and by description:
The usage of Authorization Areas
The authorization group with its assigned authorization area can now be used in the authorization object SM_SDOC.
Now you can modify the authorization object SM_SDOC by assigning the authorization area MOD_CREATE_SALES to the authorization field SMUDAREA:
The user will only be able to access the subtree elements defined in the authorization area and authorization groups, in our case DEFAULT (a reduced visibility of the solution content):
Other folders and tree/subtree structures will not be visible to this user. The picture below shows full visibility of the solution content:
The assignment of a structure element to an authorization area is valid for all branches of a solution in which the assigned element exists.
The authorization area explicitly assigned to a structure element is valid for the whole subtree rooted at that element, excluding all nested subtrees rooted at elements with their own authorization area assignments.
Non-structure elements always inherit the authorization area from their structure parents. Authorization area determination is branch-specific because the inheritance hierarchy is branch-specific: if an element is moved, it may inherit a new authorization area from its new parent, so the authorization area of an element may differ between branches.
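The inheritance rules above, as an added Python model (not SAP code and not part of the original page): it resolves the effective authorization area of an element per branch and lists what a user with given SMUDAREA values may work on. The element names, branch names and MOD_PRICING are constructed, and SMUDAREA is assumed to hold a plain set of area names.

```python
# Added illustrative model; not SAP Solution Manager code.
DEFAULT = "Default"  # implicit area of the root and of every unassigned element

def effective_area(element, parent_of, assigned):
    """Return the area of the nearest ancestor-or-self with an explicit assignment."""
    seen, node = set(), element
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in hierarchy at {node!r}")
        seen.add(node)
        if node in assigned:          # a nested assignment overrides the outer one
            return assigned[node]
        node = parent_of.get(node)    # the root maps to None
    return DEFAULT

def allowed_elements(user_areas, parent_of, assigned):
    """Elements whose effective area is among the user's SMUDAREA values."""
    return {e for e in parent_of
            if effective_area(e, parent_of, assigned) in user_areas}

# Constructed sample data. Assignments exist only on structure elements and
# apply in every branch; the parent map is per branch.
ASSIGNED = {"create_sales_order": "MOD_CREATE_SALES",
            "pricing": "MOD_PRICING"}            # MOD_PRICING is hypothetical
PRODUCTION = {"root": None, "sales": "root",
              "create_sales_order": "sales", "billing": "sales",
              "pricing": "create_sales_order",
              "spec_doc": "create_sales_order",  # non-structure element
              "price_doc": "pricing"}            # non-structure element
# In the maintenance branch the document was moved under "billing".
MAINTENANCE = dict(PRODUCTION, spec_doc="billing")

if __name__ == "__main__":
    for branch, tree in (("production", PRODUCTION), ("maintenance", MAINTENANCE)):
        for element in sorted(tree):
            print(branch, element, effective_area(element, tree, ASSIGNED))
    print(sorted(allowed_elements({"MOD_CREATE_SALES"}, PRODUCTION, ASSIGNED)))
```

Running the same resolution over each branch before transporting role changes shows which elements fall back to 'Default' after a move and would therefore become accessible to users who hold only the default area.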