Defining a Field Group for an Authorization Role
You use this procedure to define an authorization field group for an authorization role and then assign authorization rule(s) to the field group.

You define a field group for a higher-level business object to allow controlled access to the business data provided by:
- Some of its properties
- Properties of the corresponding lower-level business objects
You define a field group by including at least one business object property. For more information, see SAP Note 571454.

You create a field group for the CITY property of the BOCAPGEN business object to restrict a role (Role A) from accessing related business data. During runtime, a mobile client user assigned to Role A cannot view the city data for any business partner in the Business Partner tile. However, a user assigned to another role can view this data.
You have decided which access right (read-only or modify) to define for the field group.

The access right you define for a field group must not contradict the rights defined for the role (via authorization tokens). To ensure this, you must check the tokens assigned to the role. For more information, see Assigning an Authorization Token to an Authorization Role.

Role A contains a token that allows access rights such as read, create, and delete for the BOCAPGEN business object. The token does not allow modification rights on this business object. If you want to create a field group for any property of the BOCAPGEN business object, you must not assign modification rights. If you do so, during runtime, the access right defined for the field group cannot be applied for the role. This is because the rights assigned for a token have precedence over the field group.
1. In the navigation bar, choose Role Maintenance Assign → Field Groups.
The Available Roles tile appears.
2. On the Available Roles tile, select a role other than the predefined roles.

You must not select any predefined role.
3. On the Assigned Field Groups tile, right-click and choose New.
A row for the new field group appears.
4. Select a business object and specify the name, description, and field group type for the new field group.
A hyperlink is created for the name you have specified. You can click on this hyperlink to assign an authorization rule to the field group. For more information, see Assigning an Authorization Rule to a Field Group.
5. Choose Data → Save.
The Child Business Objects tile displays the business object you have selected for the field group, along with its lower-level business objects.
6. On the Child Business Objects tile, select a business object.
7. On the Business Object Fields tile, right-click and choose New.
The Business Object Attributes dialog box appears.
a. Select the specific properties.
b. Choose Select.
The Business Object Fields tile displays the properties you have selected.
8. On the Business Object Fields tile, enter a specific mode for each property you have selected. The following table shows the impact of each mode during runtime.
| Field Group Type | Property Mode | Impact During Runtime |
|---|---|---|
| Read only | Protected | User cannot recognize the data (for example, password display **********) |
| Read only | Read only | User cannot modify the data |
| Read only | Hidden | User cannot view the field that is associated with the property |
| Modify | Normal | User can modify the data |
| Modify | Protected | User cannot recognize the data (for example, password display **********) |
| Modify | Read only | User cannot modify the data |

In a field group, you must include at least one property with an appropriate property mode.
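
The following check is an added example, not part of the SAP documentation or product. It models the three rules stated above (token rights take precedence over the field group, each field group type allows only the property modes listed in the table, and a field group needs at least one property) as a review script for planned field groups. The dictionary layout, the field group names, and the right name "modify" are assumptions made for the illustration.

```python
# Property modes permitted per field group type, as listed in the table above.
ALLOWED_MODES = {
    "Read only": {"Protected", "Read only", "Hidden"},
    "Modify": {"Normal", "Protected", "Read only"},
}

def lint_field_group(group, token_rights):
    """Return findings for one planned field group (hypothetical data layout).

    group: dict with 'name', 'business_object', 'type', and 'properties'
           (property name -> property mode).
    token_rights: business object -> set of rights granted by the role's tokens.
    """
    name, fg_type = group["name"], group["type"]
    allowed = ALLOWED_MODES.get(fg_type)
    if allowed is None:
        return [f"{name}: unknown field group type {fg_type!r}"]
    findings = []
    if not group["properties"]:
        findings.append(f"{name}: no property included")
    for prop, mode in group["properties"].items():
        if mode not in allowed:
            findings.append(
                f"{name}: mode {mode!r} is not valid for type {fg_type!r} ({prop})")
    # Token rights take precedence: a Modify field group on a business object
    # whose tokens do not allow modification cannot be applied at runtime.
    rights = token_rights.get(group["business_object"], set())
    if fg_type == "Modify" and "modify" not in rights:
        findings.append(
            f"{name}: tokens for {group['business_object']} grant no modify right")
    return findings

def lint_role(groups, token_rights):
    """Lint every planned field group of one role."""
    return {g["name"]: lint_field_group(g, token_rights) for g in groups}

# Constructed sample: Role A's token as described in the example above.
ROLE_A_TOKENS = {"BOCAPGEN": {"read", "create", "delete"}}
GROUPS = [
    {"name": "FG_CITY_HIDE", "business_object": "BOCAPGEN",
     "type": "Read only", "properties": {"CITY": "Hidden"}},
    {"name": "FG_CITY_EDIT", "business_object": "BOCAPGEN",
     "type": "Modify", "properties": {"CITY": "Normal"}},
    {"name": "FG_BAD_MODE", "business_object": "BOCAPGEN",
     "type": "Read only", "properties": {"CITY": "Normal"}},
    {"name": "FG_EMPTY", "business_object": "BOCAPGEN",
     "type": "Read only", "properties": {}},
]

if __name__ == "__main__":
    for fg, findings in lint_role(GROUPS, ROLE_A_TOKENS).items():
        print(fg, "OK" if not findings else findings)
```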