You can define authorizations for individual applications within the Recipe Development (PLM-WUI-RCP) component, by means of authorization roles (PFCG roles), authorization objects, and authorization groups.
Caution
You are only allowed to use authorization roles as a demo role with demo users in the test system. If a demo role contains the wildcard "*" (asterisk) for parameters, you must not use the demo role in the productive system, because this grants too many authorizations to users there. After copying this role to a productive system, you must thoroughly check each authorization parameter containing an asterisk before you use it. For productive use, we strongly recommend that you build new roles using the authorization default values from the transaction Maintain the Assignments of Authorization Objects (SU22), rather than using the demo roles as a starting point.
In Recipe Development, you can use access control management (ACM) on the PLM Web user interface for recipes and specifications (see Authorizations and Access Control Context (PLM-WUI-APP-AC)).
Using ACM, you can assign objects (such as recipes or specifications) to access control contexts. For every context, you use context roles and access control lists to define access rights for users or user groups.
For using ACM, the PLM Web User Interface (PLM Web UI) comes delivered with sample composite roles that contain a central context role definition, and the necessary additional single roles that were defined with the Role Maintenance (PFCG) transaction. The following sample composite roles for ACM have been defined for Recipe Development:
SAP_PLMWUI_DEMO_RCP_DEVEL3_RM (see Recipe Developer (for Pilot Implementation))
SAP_PLMWUI_DEMO_RCP_REVIEW3_RM (see Recipe Reviewer (for Pilot Implementation))
These roles contain all necessary authorization roles and authorization objects.
Caution
You can only use these roles as copy template for your own roles; you cannot use them directly in the productive system, since the sample composite roles contain very general authorizations.
The following table lists the single authorization roles required for each of the applications in Recipe Development, which you can use as template for your own roles. If no authorization role is available, the required authorization object is specified.
Note
Sample roles are likewise available for further master data objects in Recipe Development, such as materials, material BOMs, or documents.
Application |
Associated Authorization Roles or Authorization Object |
---|---|
Status Management |
Authorization object PLM_SAMPLM Authorizations for Status Management |
Specification Management on the Web UI |
Authorization Roles:
|
Recipe Development (Display Authorization) |
Authorization Roles:
|
Recipe Development (Change Authorization) |
Authorization Roles:
|
Synchronization Recipe to Manufacturing BOM |
Authorization Role SAP_PLMWUI_RECIPE_H2M Recipe Synchronization Planner |
Simulation |
Authorization Object PLM_RCPMDL Authorization Object for Recipe Simulation |
Migration of Recipes from Recipe Management (PLM-RM) |
Authorization Roles:
|
Mass Change of Recipes |
Authorization Role SAP_PLMWUI_MASS_CHANGE Role for Mass Change |
Labeling |
Authorization Roles:
|
Compliance Check |
Authorization Object C_EHSB_REG Authorization Check for Compliance Check |
Using authorization groups, you can rdefine user groups that are authorized to work with these objects. To be able to use an authorization group for objects, a specification type must be assigned to the authorization group, even if the object itself is not a specification. In Recipe Development, you use the following specification types for this purpose:
For recipes, RECIPE_WUI
For labels, LABEL_WUI
For specifications, the associated specification type, for example SUBSTANCE
You define authorization groups in Customizing for Recipe Development under
. You can also select the specification category there.You can use authorization groups in combination with Access Control Management (ACM). For example, you can use authorization groups for statistical calculations that reflect the general organizational structure of your company, and you can use the access control management to assign authorizations dynamically.
You can use the same or different authorization groups for specifications and recipes. If you use the same authorization groups, you only have to create one authorization group in Customizing and then assign it to both specification categories.
Even if you have sufficient authorization for a recipe, it may be the case that you do not have the necessary authorization for its master data objects. You can display and work on such a recipe in a restricted manner, but you cannot delete it.
The system behaves as follows, depending on which object you do not have authorization for:
If you do not have authorization for the specification of primary output, you cannot call up the recipe.
If you do not have authorization for the change number assigned to the recipe, you can display the recipe but not process it.
If you do not have authorization for the objects used in the formula (specifications, materials, or recipes), the system does not display any data in the Formula, Process or Calculation Results views, and you cannot execute any of the associated functions.
If you do not have authorization for the property specification, the corresponding field in the General Data view is empty, and you cannot execute any of the associated functions (see Property Specification).
If you do not have authorization for a recipe determined during explosion, the system stops the explosion on this level and uses the data of the specification (see Explosion).