Entering content frame

Function documentation Authorization Concept for Article Hierarchy Maintenance Locate the document in its SAP Library structure

Use

Article hierarchy maintenance has an authorization concept that allows you to pass on authorizations to every node of an article hierarchy.

The authorization applies to all lower-level nodes. Authorization to display it is not limited to a certain number of users. You can, however, limit the number of authorized users, using standard authorizations.

In the authorization concept for the article hierarchy, a distinction is made between the maintenance of node assignments and the maintenance of the article assignment. The authorization concept is intended to issue the users with vertical and horizontal authorization. A vertical authorization means that the user has authorization for all subordinate nodes for a node. A horizontal authorization means that certain users only have authorization for one level of the article hierarchy. This produces an authorization matrix, which enables individual users or user groups to be given authorizations very flexibly.

There are two authorization objects available in the standard system:

        WRF_CDT_V (Article hierarchy: vertical structure, article and attribute maintenance):

The authorization object WRF_CDT_V has the following authorization fields

        ACTVT: Activity (01=Create, 02=Change, 03=Display, 06=Delete, 07=Activate)

        RTHIER_OBJ: Object (01=Node, 02=Article, 03=Attributes)

        RTHIER_ID: Hierarchy ID

        RTNODE: Hierarchy node

With this object, a user has authorization for node, article, and/or attribute maintenance, independently of the authorization field RTHIER_OBJ. If RTHIER_OBJ “01“ (Node) is set, the node authorization applies for the hierarchy node entered in the authorization field RTNODE and for all subordinate nodes. The hierarchy object “Node“ excludes an authorization for the article of the node. If RTHIER_OBJ “02“ (Article) is set, the article authorization applies to all articles for the hierarchy node entered in the authorization field RTNODE. If RTHIER_OBJ “03“ (Attribute) is set, the attribute authorization applies for the hierarchy node entered in the authorization field RTNODE and for all subordinate nodes. For the same hierarchy node entered in the authorization field RTNODE, a combination of hierarchy objects is possible. A combination over different hierarchy nodes is only possible by using different profiles.

        WRF_CDT_H (Article hierarchy: horizontal structure maintenance):

The authorization object WRF_CDT_H has the following authorization fields

        ACTVT: Activity (01=Create, 02=Change, 03=Display, 06=Delete, 07=Activate)

        RTHIER_ID: Hierarchy ID

        RTHIER_LEV: Hierarchy level

With this object, a user has authorization for all nodes in a hierarchy level independent of the transaction. The object excludes authorization for the nodes and articles above and below the node or the level.

In hierarchy maintenance, both authorization objects are called in the copy function and during activation. Authorization for a user is refused if the authorization check for both objects fails.

The combination of the two authorization objects enables combined authorizations to be mapped for a user, that is both horizontal/vertical authorizations and different activities for elements. When combining different activities for the same object, an element cannot be modified in the display of the structure. In structure maintenance, an object can be modified in creation mode. In structure maintenance, an object can be created in change mode. If activity 01 or 02 is assigned to a hierarchy node via the structure object, and only activity 03 is assigned via the other authorization object, the authorization check in the structure display leads to an error, however the check in structure maintenance does not.

This graphic is explained in the accompanying text

Using transaction PFCG, you can edit two authorization objects: one authorization object for horizontal authorization and one for vertical authorization.

 

 

Leaving content frame