Authorizations

You can define authorizations for individual applications within the Recipe Development (PLM-WUI-RCP) component, by means of authorization roles (PFCG roles), authorization objects, and authorization groups.

Caution Caution

You are only allowed to use authorization roles as a demo role with demo users in the test system. If a demo role contains the wildcard "*" (asterisk) for parameters, you must not use the demo role in the productive system, because this grants too many authorizations to users there. After copying this role to a productive system, you must thoroughly check each authorization parameter containing an asterisk before you use it. For productive use, we strongly recommend that you build new roles using the authorization default values from the transaction Maintain the Assignments of Authorization Objects (SU22), rather than using the demo roles as a starting point.

End of the caution.

Integration

In Recipe Development, you can use access control management (ACM) on the PLM Web user interface for recipes and specifications (see Authorizations and Access Control Context (PLM-WUI-APP-AC)).

Using ACM, you can assign objects (such as recipes or specifications) to access control contexts. For every context, you use context roles and access control lists to define access rights for users or user groups.

For using ACM, the PLM Web User Interface (PLM Web UI) comes delivered with sample composite roles that contain a central context role definition, and the necessary additional single roles that were defined with the Role Maintenance (PFCG) transaction. The following sample composite roles for ACM have been defined for Recipe Development:

SAP_PLMWUI_DEMO_RCP_DEVEL3_RM (see Recipe Developer (for Pilot Implementation))
SAP_PLMWUI_DEMO_RCP_REVIEW3_RM (see Recipe Reviewer (for Pilot Implementation))

These roles contain all necessary authorization roles and authorization objects.

Caution Caution

You can only use these roles as copy template for your own roles; you cannot use them directly in the productive system, since the sample composite roles contain very general authorizations.

End of the caution.

Features

Authorization Roles and Authorization Objects

The following table lists the single authorization roles required for each of the applications in Recipe Development, which you can use as template for your own roles. If no authorization role is available, the required authorization object is specified.

Note Note

Sample roles are likewise available for further master data objects in Recipe Development, such as materials, material BOMs, or documents.

End of the note.

Application	Associated Authorization Roles or Authorization Object
Status Management	Authorization object `PLM_SAM`PLM Authorizations for Status Management
Specification Management on the Web UI	Authorization Roles: `SAP_PLMWUI_SPEC_ADD_AUTH` Auxiliary Role for Specification Management `SAP_PLMWUI_SPEC_DISPLAY` Display Specification `SAP_PLMWUI_SPEC_FES_SAMPLE` Access to Specification Fast Entry Screen Variant `SAP_PLMWUI_SPEC_MAINTAIN` Maintain Specification
Recipe Development (Display Authorization)	Authorization Roles: `SAP_PLMWUI_RECIPE_DISPLAY` Recipe Reviewer `SAP_PLMWUI_SPEC_ADD_AUTH` Auxiliary Role for Specification Management `SAP_PLMWUI_SPEC_DISPLAY` Display Specification
Recipe Development (Change Authorization)	Authorization Roles: `SAP_PLMWUI_RECIPE_MAINTAIN` Recipe Developer If you want to assign different authorizations for formula developers and process developers, you can copy this role and change it accordingly (see Different Authorizations for Formula Developers and Process Developers). `SAP_PLMWUI_SPEC_ADD_AUTH` Auxiliary Role for Specification Management `SAP_PLMWUI_SPEC_MAINTAIN` Maintain Specification
Synchronization Recipe to Manufacturing BOM	Authorization Role `SAP_PLMWUI_RECIPE_H2M` Recipe Synchronization Planner
Simulation	Authorization Object `PLM_RCPMDL` Authorization Object for Recipe Simulation
Migration of Recipes from Recipe Management (PLM-RM)	Authorization Roles: `SAP_PLMWUI_RECIPE_MIGR_DISPLAY` Display Migration of Recipe `SAP_PLMWUI_RECIPE_MIGRATION` Recipe Migration
Mass Change of Recipes	Authorization Role `SAP_PLMWUI_MASS_CHANGE` Role for Mass Change
Labeling	Authorization Roles: `SAP_PLMWUI_LABEL_DISPLAY` Label Reviewer `SAP_PLMWUI_LABEL_MAINTAIN` Label Developer
Compliance Check	Authorization Object `C_EHSB_REG` Authorization Check for Compliance Check

Authorization Groups

Using authorization groups, you can rdefine user groups that are authorized to work with these objects. To be able to use an authorization group for objects, a specification type must be assigned to the authorization group, even if the object itself is not a specification. In Recipe Development, you use the following specification types for this purpose:

For recipes, RECIPE_WUI
For labels, LABEL_WUI
For specifications, the associated specification type, for example SUBSTANCE

You define authorization groups in Customizing for Recipe Development under Recipe Specify Authorization Groups . You can also select the specification category there.

You can use authorization groups in combination with Access Control Management (ACM). For example, you can use authorization groups for statistical calculations that reflect the general organizational structure of your company, and you can use the access control management to assign authorizations dynamically.

You can use the same or different authorization groups for specifications and recipes. If you use the same authorization groups, you only have to create one authorization group in Customizing and then assign it to both specification categories.

Authorizations for Recipe-Dependent Master Data

Even if you have sufficient authorization for a recipe, it may be the case that you do not have the necessary authorization for its master data objects. You can display and work on such a recipe in a restricted manner, but you cannot delete it.

The system behaves as follows, depending on which object you do not have authorization for:

If you do not have authorization for the specification of primary output, you cannot call up the recipe.
If you do not have authorization for the change number assigned to the recipe, you can display the recipe but not process it.
If you do not have authorization for the objects used in the formula (specifications, materials, or recipes), the system does not display any data in the Formula, Process or Calculation Results views, and you cannot execute any of the associated functions.
If you do not have authorization for the property specification, the corresponding field in the General Data view is empty, and you cannot execute any of the associated functions (see Property Specification).
If you do not have authorization for a recipe determined during explosion, the system stops the explosion on this level and uses the data of the specification (see Explosion).