
 Defining Authorizations

Use

Object-related authorizations (ACLs) let you assign authorizations for carrying out certain activities in folders and documents.

These authorizations are inherited top-down (see Inheritance) and can be overridden at lower levels.

Caution

You use the authorization object ACO_SUPER to give certain users, such as system administrators, authorization to override the ACLs.

Note

Linked documents do not inherit the authorizations of the folder to which they are linked. These documents only inherit ACLs that result from their original use, that is, from the folder in which the documents are actually located and not from a folder by means of a link.

Features

You can assign the following authorizations to users, user groups, and roles:

  • Administrator

  • Delete folder

  • Delete document

  • Change

  • Delete subfolder

  • Create document and subfolder

  • Read metadata

  • Read originals

  • No authorizations

| Authorization/Activity | Object | Description |
| --- | --- | --- |
| Admin | Document, folder | This authorization allows you to display, change, rename, copy, and delete documents, folders, and linked files. When objects are created, the object owner also defines whether other users are to receive authorizations for these objects. |
| DeleteFol | Folder | This authorization allows you to delete an entire folder and therefore an entire document structure. The folder must be completely emptied before deletion. |
| Delete | Document | This authorization allows you to delete a document. This authorization does not allow you to delete folders. |
| WriteFile | Document, folder | This authorization allows you to create, delete, and change originals, and to change metadata. The document itself cannot be deleted. |
| Write | Document, folder | This authorization allows you to change documents and folders. Changing a document means attaching an original to a DIR. The authorization does not allow you to edit an original or delete a file. |
| DelChild | Folder | This authorization allows you to delete documents from a document structure. This authorization refers to the superior folder below which you want to delete subfolders or documents. If a document is moved from one folder to another, the document is deleted from the source folder. |
| CreateDoc | Folder | This authorization allows you to control the creation of documents with originals and subfolders. The authorization is linked to the superior folder below which you want to create subfolders and documents. |
| ReadFile | Document, folder | This authorization allows you to display metadata and originals. The original can be exported but cannot be changed or deleted. |
| Read | Document, folder | This authorization allows you to display metadata and the document structure. Changes are not possible. |
| NoAuth | Document, folder | No authorizations are assigned. NoAuth cancels all other authorizations. The folders or documents are not visible to the user and the user has no authorization for the affected object. Inherited authorizations are overridden by NoAuth. |

Summarizing Activities

You can summarize the activities supplied with the standard system by means of a modification, as shown in the following table. Contact your SAP consultant if you want to do this.

| Authorization | Activities |
| --- | --- |
| ADMIN | Administrator, Delete folder, Delete document |
| CHANGE | Change, Delete subfolder, Create document and subfolder |
| DISPLAY | Read metadata, Read originals |
| NOAUTH | No authorization |

The activities are stored in the system and apply to all applications that use the ACL implementation. You can insert additional, customer-specific activities, which you implement yourself.

The relationships between objects and activities are also specified in the system. You can add more relationships according to your requirements.

  • The authorizations apply to documents only.

  • The authorizations that you create using SAP Easy Document Management are also valid in the SAP system.

The authorizations apply to the following functions:

  • Documents and folders

      • Create

      • Copy

      • Move

      • Change

      • Delete

  • Edit and manage private and public document structures and documents

  • Send documents

For more information, see Inheritance.

Activities

To be able to use object-related authorizations (ACLs) in SAP Easy Document Management, you have to carry out the following steps:

  1. Create a PFCG role or use an existing one

    The PFCG role ensures access to document management. The system first checks the PFCG roles of a user. If the user has authorization for document management, the system carries out the check for ACLs.

  2. Assign user to role

  3. Create document info records in document management

  4. In SAP Easy Document Management you define the administrator authorizations for a folder or document under SAP Properties on the Authorizations tab page with Create Admin Authorization. These authorizations allow the user to edit documents and folders and assign authorizations to other users, user groups, and roles.

    Note

    You use the registry entry AutoInheritedAuth to control whether a user automatically receives administrator authorization when he or she creates a DIR or whether this authorization must be explicitly assigned to the user in SAP Easy Document Management using Create Admin Authorization.

  5. You define authorizations for other users, user groups, roles, and HR objects in SAP Easy Document Management under SAP Properties on the Authorizations tab page for a folder or document, by choosing .

    You can also undo these authorizations by choosing .

    Recommendation

    Do not use the authorization holder type "HR Object".

  6. If you selected the authorization holder type user group, you can define new user groups or change or delete existing ones under Authorization Holder in the SAP Properties.

    Note

    ‘ACO_SUPER’ is the only PFCG object for working with ACLs in SAP Easy Document Management.

    PFCG roles (objects) and ACLs are independent of each other. If both PFCG objects and ACLs are maintained, the system takes both of them into account, but PFCG roles are given preference.
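
The check order and inheritance rules described on this page, modelled in Python as an added example (this is not SAP code; `Node`, `effective_activities`, `is_allowed`, the user dictionaries and the sample structure are hypothetical). It assumes that the closest ACL entry for a user replaces inherited ones and that an object with no matching entry on its path yields no activities.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """Folder or document; `parent` is the folder where it is actually located."""
    name: str
    parent: "Node | None" = None
    acl: dict = field(default_factory=dict)    # holder -> activities set on this object
    links: list = field(default_factory=list)  # linked documents; never used for inheritance

def effective_activities(node, holders):
    """Activities inherited top-down, with the closest ACL entry overriding."""
    while node is not None:
        hits = [acts for holder, acts in node.acl.items() if holder in holders]
        if hits:
            acts = set().union(*hits)
            # NoAuth cancels every other authorization, inherited ones included.
            return set() if "NoAuth" in acts else acts
        node = node.parent          # real location only, not folders that link here
    return set()                    # assumption: no entry on the path means no activity

def is_allowed(user, node, activity):
    if not user["pfcg_dms"]:        # the PFCG role check runs before any ACL check
        return False
    if user["aco_super"]:           # ACO_SUPER overrides the ACLs
        return True
    return activity in effective_activities(node, user["holders"])

# Constructed sample structure and users.
projects = Node("Projects", acl={"group:engineering": {"Read"}})
secret = Node("Secret", parent=projects, acl={"user:alice": {"NoAuth"}})
public = Node("Public", parent=projects,
              acl={"user:alice": {"Admin"}, "user:carol": {"Admin"}})
spec = Node("spec.pdf", parent=secret)
public.links.append(spec)           # spec.pdf is linked into Public but lives in Secret

alice = {"holders": {"user:alice", "group:engineering"}, "pfcg_dms": True, "aco_super": False}
bob = {"holders": {"user:bob"}, "pfcg_dms": True, "aco_super": True}
carol = {"holders": {"user:carol"}, "pfcg_dms": False, "aco_super": False}

if __name__ == "__main__":
    for n in (projects, public, spec):
        print(n.name, sorted(effective_activities(n, alice["holders"])))
```

Running it lists alice's effective activities per object: the link from Public gives her nothing on spec.pdf, because its real folder carries NoAuth for her.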