
Function documentation: Authorization Group

The concept of Authorization Groups in DDIC Tables and Views as Basis

The concept of authorization groups in Solution Documentation is known from data dictionary tables and views. In transaction SE54, you can create authorization groups and assign them to tables and views so that these objects can be protected in generic table and view maintenance tools. Grouping multiple objects makes it easier for an administrator to maintain authorization profiles. With a single entry, the administrator can allow or forbid the maintenance of, for example, all service desk configuration tables and views by using the authorization group SDCO.

The concept of the Authorization Groups in Solution Documentation

In Solution Documentation, a similar concept is used to allow authorization checks at the object or attribute type level without having to list hundreds of object or attribute types in a special authorization role. Authorization groups are defined per solution. Each has a technical name that is checked in authorization object SM_SDOC in field SMUDAUTHGR.

The Default authorization group always exists. It contains all Solution Documentation object and attribute types that are not assigned to any named authorization group. As soon as you assign an object or attribute type to a user-created authorization group (not Default), it no longer belongs to the Default authorization group, because an object or attribute type can be assigned to only one authorization group. This lets you define authorizations for “all other objects” or “all other attributes” that you do not want to name explicitly: they are virtually assigned to Default.

Example: You want to create a role for users who are allowed to see all objects but may maintain only test cases. You create an authorization group for test cases, then grant Display Authorization for the Authorization Group ‘*’ and Maintenance Authorization for the Authorization Group Test Cases only.

For another role, you want to allow users to see and maintain everything except technical objects. You give them Display and Maintenance Authorization for the Authorization Groups Default and Test Cases, and define a new authorization group Technical Objects that you do not include in the role. For these users, technical objects are invisible.

It is not possible to add the same object or attribute to different authorization groups: authorization groups must always be disjoint. However, the technical name of an authorization group is 30 characters long, so you can give groups hierarchical names, for example:

  • OBJ_LIB_TECH_DEV_CLAS for a group containing the classes in the library

  • OBJ_LIB_TECH_DEV_PROG for a group containing the programs in the library

  • OBJ_E2E_TECH_DEV_CLAS for a group containing classes in the E2E area

This would allow you to use OBJ_LIB_TECH_* in authorizations for all technical objects in the library without listing all single groups explicitly.

Activities

Maintenance of Authorization Groups

You maintain authorization groups in view cluster maintenance (transaction SM34) for view cluster SMUD_AUTHG. Select the solution for which you want to create authorization groups.

Define Authorization Groups

Select Define Authorization Groups to create a new authorization group, giving it a well-considered technical name and a description.

Authorization Groups for Attributes

Select Authorization Groups for Attributes to assign attribute types to an authorization group. Use the value help or transaction SMUD_MODEL_BROWSER to find the attribute type IDs.

  • To assign a single attribute type at a certain object type only, fill both key fields

  • To assign an attribute type at any object type, fill only the field Attribute Type

  • To assign any attribute type of an object type, fill only the field Object Type

The value SPACE in a key field stands for all types. If an attribute-object combination matches more than one entry, the sequence above determines which entry applies.

Authorization Groups for Objects

Select Authorization Groups for Objects to assign object types to an authorization group. Use the value help or transaction SMUD_MODEL_BROWSER to find the object type IDs.

  • To assign a single object type at a certain group type only, fill both key fields

  • To assign an object type at any group type, fill only the field Object Type

  • To assign any object type at a group type, fill only the field Group Type

The value SPACE in a key field stands for all types. If an object-group combination matches more than one entry, the sequence above determines which entry applies.
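The following Python model is an added illustration, not SAP code. It resolves an object type to its single authorization group using the sequence above, with a fallback to Default, and then evaluates the example roles described earlier. All type IDs, group names other than the OBJ_* examples, and the activity labels are constructed assumptions.

```python
# Added model of the resolution rules on this page; not SAP code.
DEFAULT = "DEFAULT"  # assumed stand-in for the Default authorization group
SPACE = ""           # empty key field: stands for all types

# Constructed assignment rows: (object_type, group_type) -> authorization group
ASSIGNMENTS = {
    ("CLAS", "LIB"): "OBJ_LIB_TECH_DEV_CLAS",
    ("PROG", "LIB"): "OBJ_LIB_TECH_DEV_PROG",
    ("CLAS", "E2E"): "OBJ_E2E_TECH_DEV_CLAS",
    ("TESTCASE", SPACE): "TEST_CASES",   # object type at any group type
    (SPACE, "LIB"): "OBJ_LIB_OTHER",     # any object type at group type LIB
}

def names_fit(table=ASSIGNMENTS, limit=30):
    """Technical names of authorization groups are limited to 30 characters."""
    return all(len(name) <= limit for name in table.values())

def resolve_group(object_type, group_type, table=ASSIGNMENTS):
    """Return the one group a type belongs to: both keys filled first,
    then object type only, then group type only, otherwise Default."""
    for key in ((object_type, group_type), (object_type, SPACE), (SPACE, group_type)):
        if key in table:
            return table[key]
    return DEFAULT

def value_matches(pattern, group):
    """Authorization value check: exact name, or prefix when ending in '*'."""
    if pattern.endswith("*"):
        return group.startswith(pattern[:-1])
    return pattern == group

def is_allowed(role, activity, object_type, group_type):
    group = resolve_group(object_type, group_type)
    return any(value_matches(p, group) for p in role.get(activity, []))

# Roles from the page's examples (activity labels are constructed)
ROLE_TESTER = {"display": ["*"], "maintain": ["TEST_CASES"]}
ROLE_NO_TECH = {"display": [DEFAULT, "TEST_CASES"],
                "maintain": [DEFAULT, "TEST_CASES"]}
ROLE_LIB_DEV = {"display": ["OBJ_LIB_TECH_*"], "maintain": ["OBJ_LIB_TECH_*"]}

if __name__ == "__main__":
    for obj, grp in [("CLAS", "LIB"), ("TESTCASE", "LIB"), ("DOC", "LIB"), ("DOC", "E2E")]:
        print(obj, grp, "->", resolve_group(obj, grp),
              "| no-tech role may display:", is_allowed(ROLE_NO_TECH, "display", obj, grp))
```

The model makes one consequence visible: moving a type out of Default into a named group silently removes it from every role that grants only Default, while roles granting ‘*’ keep access.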

More Information

For more information about the authorization objects SM_SDOC (Solution Documentation) and SM_SDOCADM (Solution Documentation Solution Administration), check the corresponding authorization documentation in the system.