Determination of Object Access

 

Before giving access to a business object, the authorization checks of the system take the following factors into account:

  • Type of user interface (UI), either the PLM Web UI, or another UI, such as SAP graphical user interface (SAP GUI), Business Application Programming Interface (BAPI), SAP Internet Transaction Server (ITS) HTML GUI

  • Source of authorization, such as SAP ERP Central Component (SAP ECC), or access control management (ACM)

  • Object type, such as material

  • Object instance, such as material 4177

  • Activity, such as Display or Create

  • Status of the object, such as Released

    Note

    Authorizations set by object status (for example, you cannot change a document with status Released) are part of the SAP ECC authorizations and have precedence over authorizations defined by ACM.

Features

Object Access Using the PLM Web UI

When a user tries to access an object using the PLM Web UI, the system checks whether the object is controlled by ACM.

ACM only controls objects that an active context owns.

  • Access to objects not controlled by ACM

    When a user tries to access an object using the PLM Web UI and an active owning context does not own the object, the system checks whether the user is a trusted user. A trusted user is assigned to a role with the Role Maintenance (PFCG) transaction that contains the authorization object Trusted User per Object Type (PLM_TRUSR). This authorization object allows you to grant a user the trusted user privilege per object type. The sample single role Trusted user for all PLM WUI object types (SAP_PLMWUI_TRUSTED_USER_ALL) identifies the user assigned to it as a trusted user for all object types. For more information, see Definition of Sample Context Roles.

    • Access by untrusted users

      If the user is not trusted, the system denies access to the object even if the user has the required authorizations granted by SAP ECC.

      This mechanism ensures that new users, who can only access objects using the PLM Web UI, have no access at all as long as you do not assign them to any context roles.

    • Access by trusted user

      If the user is trusted, the system grants access to the object based on the SAP ECC authorizations. This ensures that users who already had access to objects before the PLM Web UI was implemented can still access these objects using the PLM Web UI, provided they obtain an additional role that classifies them as trusted users.

  • Access to objects controlled by ACM

    When a user tries to access an object using the PLM Web UI and an active owning context owns the object, the system checks if you have defined an access control list (ACL) for the object instance.

    • Objects controlled by ACL

      If you have defined an ACL for the object, the system grants access to the objects based on the ACL. For more information, see Access Control List.

    • Objects not controlled by ACL

      If you have not defined an ACL for the object, the system grants access to the objects based on access control contexts (ACCs).

      When a user accesses an object controlled by ACCs, the system determines the authorization by taking into account the user’s context roles in the contexts related to the object, including the owning context and the assigned (lent-to) contexts. The system uses the maximum authorization granted by these contexts for the user. For more information, see Access Control Context.

    For more information, see Display of Authorizations for Objects and Display and Analysis of Access Authorizations for Other Users.

Object Access by Means of a Different UI than the PLM Web UI

When a user tries to access an object by means of a different UI than the PLM Web UI (for example, SAP GUI, BAPI, ITS HTML GUI), the system checks the object type.

  • Access to materials, material BOMs, change numbers, and iPPE objects

    When a user tries to access a material, material BOM, change number, or iPPE object by means of a different UI than the PLM Web UI (for example, SAP GUI, or BAPI), the system checks the authorizations granted by SAP ECC. In this case, it does not check access authorizations granted by ACM even if ACM controls the object.

    You can prevent a user from accessing materials, material BOMs, and change numbers by means of SAPGUI or a BAPI by removing the transaction codes for these object types from the authorization object S_TCODE in the roles assigned to the user with the Role Maintenance (PFCG) transaction. For more information, see Definition of Sample Context Roles.

  • Access to documents

    When a user tries to access a document through SAPGUI, BAPI, WebDocuments, or SAP Easy Document Management 7.0, the system checks whether ACM controls the document. ACM controls the document if you have selected the Use of ACM checkbox for the document type of the document in Customizing. For more information, see Customizing under Cross-Application Components → Document Management → Control Data → Define Document Types.

    • Accessing documents that ACM controls

      When ACM controls a document, the system checks access authorizations granted by ACM in addition to the authorizations that SAP ECC has granted.

      For documents that ACM controls, the system does not allow the maintenance of ACLs from the software package ACO (available for documents within SAP ECC), which are different from the ACLs used in ACM.

    • Accessing documents that ACM does not control

      When ACM does not control a document, the system takes into account the authorizations that SAP ECC has granted and the ACLs from the software package ACO (available for documents within SAP ECC), which are different from the ACLs that ACM uses.

      You cannot prevent access to documents by removing authorization object S_TCODE from the roles that you assign to the user with the Role Maintenance (PFCG) transaction.

  • Access to recipes

    Recipes used within Recipe Development cannot be accessed through SAPGUI, like some other PLM objects. Therefore, all information concerning ACM and SAPGUI in this document is not applicable to recipes used within Recipe Development.

  • Access to specifications

    When a user wants to access a specification through SAPGUI or BAPI, the system checks whether ACM controls specifications (see Customizing under Logistics - General → Product Lifecycle Management (PLM) → PLM Web User Interface → PLM Web Applications → PLM Authorizations and Access Control Context → Specify Object Types for Access Authorization Check).

    • Accessing specifications that ACM controls

      When ACM controls a specification, the system checks access authorizations granted by ACM in addition to the authorizations that SAP ECC has granted.

    • Accessing specifications that ACM does not control

      When ACM does not control a specification, the system takes into account the authorizations that SAP ECC has granted.

      You cannot prevent access to specifications by removing authorization object S_TCODE from the roles that you assign to the user with the Role Maintenance (PFCG) transaction.
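The decision flow described in both sections above, written as a small Python model for reviewing role designs. This is an added example, not SAP code: the `Request` fields, the string labels, and the treatment of "maximum authorization" as a union of activity sets are assumptions, and recipes are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

ECC_ONLY_TYPES = {"material", "material_bom", "change_number", "ippe"}
ACM_OPTIONAL_TYPES = {"document", "specification"}

@dataclass
class Request:
    ui: str                       # "PLM_WEB_UI" or another UI such as "SAP_GUI", "BAPI"
    obj_type: str
    activity: str                 # e.g. "Display", "Change"
    ecc_allows: bool              # outcome of SAP ECC checks (assumed to include ACO ACLs for documents)
    status_blocks: bool = False   # an ECC status rule forbids the activity (e.g. Released)
    acm_controlled: bool = False  # active owning context, or Customizing switch for the type
    trusted: bool = False         # user holds PLM_TRUSR for this object type
    acl: Optional[set] = None     # activities the ACL grants the user; None = no ACL defined
    acc_grants: list = field(default_factory=list)  # one activity set per related context

def acm_allows(r: Request) -> bool:
    if r.acl is not None:                       # an ACL on the instance decides alone
        return r.activity in r.acl
    # No ACL: maximum over owning and lent-to contexts, modelled as a set union.
    return r.activity in set().union(*r.acc_grants)

def decide(r: Request) -> tuple:
    if r.status_blocks:                         # status rules take precedence over ACM
        return False, "denied by object status (SAP ECC)"
    if r.ui == "PLM_WEB_UI":
        if not r.acm_controlled:
            if not r.trusted:
                return False, "not ACM-controlled and user is not trusted"
            return r.ecc_allows, "trusted user: SAP ECC decides"
        return acm_allows(r), "ACM decides (ACL if defined, else ACCs)"
    if r.obj_type in ECC_ONLY_TYPES:            # ACM is ignored outside the PLM Web UI
        return r.ecc_allows, "SAP ECC only; ACM not checked"
    if r.obj_type in ACM_OPTIONAL_TYPES:
        if r.acm_controlled:
            return r.ecc_allows and acm_allows(r), "SAP ECC and ACM must both allow"
        return r.ecc_allows, "SAP ECC decides"
    raise ValueError(f"object type not modelled: {r.obj_type}")
```

Running the same user and object through `decide` once with `ui="PLM_WEB_UI"` and once with `ui="SAP_GUI"` shows where a material that ACM restricts in the Web UI is still reachable through SAP ECC authorizations, which is the case the S_TCODE removal addresses.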