
Roles and Authorizations for The National Archives

You can enhance the authorizations in Records and Case Management with authorization functions specific to The National Archives (TNA) standard. The authorization functions for TNA comprise:

  • Additional TNA-specific user roles

  • Definition of access authorization for individual users or user groups in objects using the attribute Custodian

  • Control of access authorizations for documents and folders according to security categories (authorization levels)

  • Control of access authorizations for documents and folders according to structural categories (descriptors)

Integration

The functions described here supplement the standard authorizations of Records and Case Management (see Authorizations).

Prerequisites

To use the TNA authorization enhancement described here, you have to activate it for each RMS ID in Customizing under Records and Case Management > Basic Settings > Make Basic Settings for RMS ID. Without this activation the attribute-based checks below are not evaluated and only the standard authorizations apply.

Features

TNA-specific user roles

  Technical Name             Description
  SAP_PS_RM_PRO_ADMIN        TNA system administrator
  SAP_PS_RM_PRO_RECMANAGER   TNA document manager
  SAP_PS_RM_PRO_REVIEWER     TNA reviewer
  SAP_PS_RM_PRO_USER         TNA end user

The following authorization objects are available for The National Archives standard:

TNA authorization objects

  Technical Name   Description
  PS_RMPSPGE       RMPS TNA: Enhanced check of activities. Controls the authorizations for TNA-specific functions such as the authorization levels and descriptors of documents.
  PS_RMPSPSP       RMPS TNA: Status-dependent attribute check. Controls access to documents and incoming post items depending on whether their status is private or declared.

You define the general access and editing functions for a user or user profile with the roles and authorization objects listed above. In addition, attributes maintained in object editing provide further authorization control in the electronic desk at the level of class, folder, and document. An object is accessible only if both the profile-based checks and the attribute-based checks pass. The following functions are available:

Authorization levels

You can put an object into a security category using the attribute Authorization Level. The authorization levels 0 (open) to 4 (strictly confidential) are available in the standard system. You can adjust these levels to your requirements and define your own values in the IMG activity Create Values for Attribute Authorization Level. You define the user authorizations in the field Authorization Level (SCMG_LVL) of the authorization object PS_RMPSPGE. The levels are hierarchical: the level granted to a user is the highest level that user may access.

Example

If authorization level 3 (confidential) is assigned to a user, they have access to all objects of levels 0 to 3, but not to objects of level 4 (strictly confidential).

End of the example.

System change of authorization level

You can have the system change the authorization levels after a period has expired. This is suitable for documents that are only confidential for a limited period.

You define the change from an authorization level to a new attribute value in a rule (see IMG activity Create Rule for Changing Authorization). When you assign a rule to an object (attribute Rule for New Authorization Level), the system marks the attribute values to be changed together with an expiry date (attribute Expiry Date of Authorization Level). The program RMPS_SET_SECURE_LEVEL sets the authorization levels for a key date. We recommend scheduling the program run regularly, ideally every day: an object keeps its old level until the program processes it, so a missed or unscheduled run leaves an expired classification in force.
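The following is an added example, not code from the page or from SAP, that models what a key-date run of the level-change job has to do: pick up every object whose expiry date has been reached, apply the level its rule names, and leave everything else alone. The rule IDs, object IDs, level constant names and the data are constructed for the example; RMPS_SET_SECURE_LEVEL itself is not reproduced here.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Authorization levels as delivered in the standard system (0 = open up to
# 4 = strictly confidential). The constant names are assumed, not SAP's.
OPEN, RESTRICTED, PROTECTED, CONFIDENTIAL, STRICTLY_CONFIDENTIAL = range(5)

# Stand-in for the rules maintained in the IMG activity "Create Rule for
# Changing Authorization": rule ID -> new authorization level. Rule IDs are made up.
RULES: Dict[str, int] = {
    "DOWNGRADE_TO_OPEN": OPEN,
    "DOWNGRADE_TO_RESTRICTED": RESTRICTED,
}


@dataclass
class RmObject:
    obj_id: str
    level: int                                  # attribute Authorization Level
    rule: Optional[str] = None                  # attribute Rule for New Authorization Level
    expiry: Optional[date] = None               # attribute Expiry Date of Authorization Level
    history: List[Tuple[date, int, int]] = field(default_factory=list)


def apply_level_rules(objects: List[RmObject], key_date: date) -> List[str]:
    """One run of the key-date job (a model, not RMPS_SET_SECURE_LEVEL itself):
    each object that carries a rule and whose expiry date is on or before
    key_date receives the rule's new level. Rule and expiry are cleared so a
    second run on the same key date changes nothing. Returns changed IDs."""
    changed: List[str] = []
    for obj in objects:
        if obj.rule is None or obj.expiry is None:
            continue        # nothing scheduled for this object
        if obj.expiry > key_date:
            continue        # confidential period still running
        new_level = RULES.get(obj.rule)
        if new_level is None:
            continue        # rule missing from Customizing: keep the level, do not guess
        obj.history.append((key_date, obj.level, new_level))
        obj.level = new_level
        obj.rule = None
        obj.expiry = None
        changed.append(obj.obj_id)
    return changed


def sample_objects() -> List[RmObject]:
    """Constructed sample data, not taken from any real system."""
    return [
        RmObject("DOC-1", CONFIDENTIAL, "DOWNGRADE_TO_OPEN", date(2024, 3, 31)),
        RmObject("DOC-2", STRICTLY_CONFIDENTIAL, "DOWNGRADE_TO_RESTRICTED", date(2024, 6, 30)),
        RmObject("DOC-3", CONFIDENTIAL, None, date(2024, 3, 31)),           # expiry but no rule
        RmObject("DOC-4", CONFIDENTIAL, "NO_SUCH_RULE", date(2024, 1, 1)),  # rule not in Customizing
    ]


def simulate_schedule(objects: List[RmObject], run_dates: List[str]) -> List[Tuple[str, List[str]]]:
    """Runs the job once per ISO date, in order, and records what changed on each run."""
    return [(d, apply_level_rules(objects, date.fromisoformat(d))) for d in run_dates]


if __name__ == "__main__":
    objs = sample_objects()
    # Two runs on 2024-03-31 show idempotence; the gap until 2024-07-01 shows
    # that DOC-2 keeps its old level until the next run after its expiry date.
    for run_date, ids in simulate_schedule(objs, ["2024-03-30", "2024-03-31", "2024-03-31", "2024-07-01"]):
        print(run_date, ids or "no change")
    for obj in objs:
        print(obj.obj_id, obj.level, obj.history)
```

The run on 2024-03-30 changes nothing, the first run on 2024-03-31 downgrades DOC-1, the repeated run on that date is a no-op, and DOC-2 is only downgraded by the run on 2024-07-01 even though its expiry date was 2024-06-30, which is the gap a daily schedule keeps to at most one day. An object with an expiry date but no rule, or with a rule ID that does not exist in Customizing, is deliberately left untouched rather than given a guessed level.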

Descriptor

You can use the attribute Descriptor to assign the contents of an object to a category. You can use descriptors that are defined as functional descriptors in the IMG activity Create Descriptors for Authorization Control. You define the user authorizations in the field Descriptor (RMPSP_DESC) of the authorization object PS_RMPSPGE; a user can access an object that carries a descriptor only if that descriptor is granted in their profile.

Custodian

You can use the attribute Custodian to assign authorization for folders and documents quickly and directly. You can define users or user groups as custodians; only they have access to these objects. The custodian can also grant access to other users and groups in the fields Access: User and Access: Group.

You maintain the users belonging to a user group used in the access control list as a general distribution list. You can call distribution list editing from the electronic desk under Environment > Distribution Lists.

Note

With the authorization control described here, you can restrict access for the roles TNA end user and TNA reviewer by custodian or user group. The roles TNA document manager and TNA system administrator are not restricted by the custodian and have unrestricted access authorization.

End of the note.

You define the maintenance authorizations for the attribute Custodian for classes and folders in the field SDOK_PROPN of the authorization object PS_RMPSPSP. For cases (in TNA terminology: folders), you define the maintenance authorization in the field SCMG_FIELD of the authorization object S_SCMG_FLN.
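The following is an added example, not code from the page or from SAP, that puts the checks from the Authorization levels, Descriptor and Custodian sections together into one access decision: the level, descriptor and status checks come from the user's profile, and the custodian or access-list check is applied only to the restricted roles (TNA end user and TNA reviewer). Modelling the status-dependent check of PS_RMPSPSP as a set of statuses granted to the user, the distribution lists as a dictionary, and all user, group, descriptor and object names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Authorization levels as delivered (0 = open up to 4 = strictly confidential).
OPEN, RESTRICTED, PROTECTED, CONFIDENTIAL, STRICTLY_CONFIDENTIAL = range(5)

# Roles from the table above. Document manager and administrator are not
# restricted by custodian or access list; end user and reviewer are.
UNRESTRICTED_ROLES = frozenset({"SAP_PS_RM_PRO_ADMIN", "SAP_PS_RM_PRO_RECMANAGER"})
RESTRICTED_ROLES = frozenset({"SAP_PS_RM_PRO_REVIEWER", "SAP_PS_RM_PRO_USER"})

# Assumed stand-in for the general distribution lists: group name -> members.
DISTRIBUTION_LISTS: Dict[str, FrozenSet[str]] = {
    "FOI_TEAM": frozenset({"alice", "bob"}),
    "REGISTRY": frozenset({"carol"}),
}


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    role: str
    level: int                      # PS_RMPSPGE, field SCMG_LVL: highest level granted
    descriptors: FrozenSet[str]     # PS_RMPSPGE, field RMPSP_DESC
    statuses: FrozenSet[str]        # assumed model of PS_RMPSPSP: statuses the user may access


@dataclass(frozen=True)
class RmObject:
    obj_id: str
    level: int                                   # attribute Authorization Level
    status: str                                  # "private" or "declared"
    descriptor: Optional[str] = None             # attribute Descriptor
    custodian: Optional[str] = None              # attribute Custodian: user ID or group name
    access_users: FrozenSet[str] = frozenset()   # field Access: User
    access_groups: FrozenSet[str] = frozenset()  # field Access: Group


def is_member(user_id: str, principal: str) -> bool:
    """A principal matches if it is the user itself or a distribution list the user belongs to."""
    return principal == user_id or user_id in DISTRIBUTION_LISTS.get(principal, frozenset())


def can_access(user: UserProfile, obj: RmObject) -> Tuple[bool, str]:
    """Every check must pass; the first failing check is reported as the reason."""
    if user.role not in UNRESTRICTED_ROLES | RESTRICTED_ROLES:
        return False, "role not known to TNA authorization control"
    if obj.level > user.level:
        return False, f"object level {obj.level} exceeds granted level {user.level}"
    if obj.descriptor is not None and obj.descriptor not in user.descriptors:
        return False, f"descriptor {obj.descriptor} not granted"
    if obj.status not in user.statuses:
        return False, f"status {obj.status} not granted"
    if user.role in UNRESTRICTED_ROLES:
        return True, "profile checks passed; role is not restricted by custodian"
    if obj.custodian is None:
        return True, "profile checks passed; object has no custodian"
    # Custodian plus everyone the custodian admitted via Access: User / Access: Group.
    principals = {obj.custodian} | obj.access_users | obj.access_groups
    if not any(is_member(user.user_id, p) for p in principals):
        return False, "user is neither custodian nor in the access list"
    return True, "profile checks passed and custodian admits the user"


def sample_users() -> Dict[str, UserProfile]:
    """Constructed profiles; alice and bob are in FOI_TEAM, carol in REGISTRY."""
    everything = frozenset({"private", "declared"})
    return {
        "admin": UserProfile("admin", "SAP_PS_RM_PRO_ADMIN", STRICTLY_CONFIDENTIAL, frozenset({"FOI", "HR"}), everything),
        "bob": UserProfile("bob", "SAP_PS_RM_PRO_USER", CONFIDENTIAL, frozenset({"FOI"}), frozenset({"declared"})),
        "carol": UserProfile("carol", "SAP_PS_RM_PRO_REVIEWER", STRICTLY_CONFIDENTIAL, frozenset({"FOI", "HR"}), everything),
    }


def sample_objects() -> Dict[str, RmObject]:
    """Constructed objects, one per check that can fail."""
    return {
        "foi_case": RmObject("foi_case", CONFIDENTIAL, "declared", "FOI", custodian="FOI_TEAM"),
        "hr_file": RmObject("hr_file", CONFIDENTIAL, "declared", "HR", custodian="carol", access_groups=frozenset({"FOI_TEAM"})),
        "strict": RmObject("strict", STRICTLY_CONFIDENTIAL, "declared", "FOI", custodian="FOI_TEAM"),
        "draft": RmObject("draft", PROTECTED, "private", "FOI", custodian="alice", access_users=frozenset({"bob"})),
    }


if __name__ == "__main__":
    for uname, user in sample_users().items():
        for oname, obj in sample_objects().items():
            print(f"{uname:6} {oname:9}", can_access(user, obj))
```

Two points the decision makes visible: being named in Access: User or Access: Group does not lift a profile restriction (bob is admitted to hr_file through FOI_TEAM but is still refused because the HR descriptor is not granted to him), and a reviewer with level 4 in her profile is still refused foi_case because she is neither its custodian nor on its access list.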

Passing on the authorization control

The attribute values of Authorization Level, Rule for New Authorization Level, Expiry Date of Authorization Level, Descriptor, and Custodian are passed on to lower-level objects, that is, inherited from higher-level objects, provided that you defined this in the passing-on logic. You can override all inherited values manually on the lower-level object. For more information, see Passing on Metadata.
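The following is an added example, not code from the page or from SAP, that models the passing-on behaviour for these five attributes: a value maintained on the object itself wins, otherwise the nearest higher-level value applies if the passing-on logic allows that attribute to be passed on. Representing the passing-on logic as a per-attribute on/off map, and the class, folder and document names and values, are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Attributes the page says are passed on from higher-level to lower-level objects.
INHERITED = ("level", "rule", "expiry", "descriptor", "custodian")

# Assumed stand-in for the passing-on logic: per attribute, whether it is
# passed on to lower-level objects at all. Default: everything is passed on.
PASS_ON_ALL: Dict[str, bool] = {name: True for name in INHERITED}


@dataclass
class Node:
    obj_id: str
    kind: str                                   # "class", "folder" or "document"
    parent: Optional["Node"] = None
    own: Dict[str, object] = field(default_factory=dict)   # values maintained directly on this object


def effective(node: Node, name: str, pass_on: Optional[Dict[str, bool]] = None):
    """Resolves one attribute: the object's own value wins; otherwise, if the
    passing-on logic allows it, the nearest higher-level value applies; else None."""
    pass_on = PASS_ON_ALL if pass_on is None else pass_on
    if name in node.own:
        return node.own[name]
    if pass_on.get(name, False) and node.parent is not None:
        return effective(node.parent, name, pass_on)
    return None


def effective_attributes(node: Node, pass_on: Optional[Dict[str, bool]] = None) -> Dict[str, object]:
    """All five inheritable attributes as they apply to the object."""
    return {name: effective(node, name, pass_on) for name in INHERITED}


def sample_tree() -> Dict[str, Node]:
    """Constructed hierarchy: class -> folder -> two documents. DOC-B overrides
    the inherited level and custodian manually; DOC-A maintains nothing itself."""
    cls = Node("CLS-FOI", "class", own={"level": 3, "descriptor": "FOI", "custodian": "FOI_TEAM"})
    folder = Node("FLD-2024", "folder", parent=cls, own={"rule": "DOWNGRADE_TO_OPEN", "expiry": "2024-12-31"})
    doc_a = Node("DOC-A", "document", parent=folder)
    doc_b = Node("DOC-B", "document", parent=folder, own={"level": 1, "custodian": "alice"})
    return {n.obj_id: n for n in (cls, folder, doc_a, doc_b)}


if __name__ == "__main__":
    tree = sample_tree()
    for obj_id in ("CLS-FOI", "FLD-2024", "DOC-A", "DOC-B"):
        print(obj_id, effective_attributes(tree[obj_id]))
    # Same tree with the descriptor excluded from passing on.
    no_descriptor = dict(PASS_ON_ALL, descriptor=False)
    print("DOC-A without descriptor passing-on:", effective_attributes(tree["DOC-A"], no_descriptor))
```

With everything passed on, DOC-A picks up level 3, descriptor FOI and custodian FOI_TEAM from the class and the rule and expiry date from the folder, while DOC-B keeps its manually maintained level 1 and custodian alice but still inherits the folder's rule. Switching the descriptor off in the passing-on map leaves DOC-A without a descriptor while its other attributes are unchanged, which is the case to check before relying on a descriptor set only at class level.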