
Remove bucket modify from users but still allow item create/change


Hi Experts:  we recently upgraded our RPM system to 500_702 and we have found that users are able to edit buckets.  We set our authorization controls at the portfolio level so it is inherited downward.  The access levels are defined to roles not directly to users.  They do not have the ACO_SUPER object assigned.  All checking on the back during a trace fails so it is nothing on the PFCG object level.

What I am looking for is how to turn off bucket level access but still retain the item level access required by the user.  We still want to set the controls at the portfolio level and inherit accordingly. 

These are inherited to all buckets related to that portfolio.  When a user clicks on Portfolio Structure from the options it pulls up a list of buckets.  The user is able to select these and modify.  We want them only to be able to display.  My understanding is if we change the authorizations at the bucket level to read only then that is what is inherited at the item level.  We need them to be able to edit at the item level but not the bucket without performing item level authorizations.

I tried to attach screenshots .jpeg or .png but kept getting content type not allowed.

Appreciate any suggestions.

Thanks

Kathy Brethouwer

Molex Incorporated

Sr. Systems Analyst - Security

Accepted Solutions (0)

Answers (3)


mariano_sabiche
Contributor
0 Likes

Apply the SAP Notes:

  • 2019060 - The authorizations inherited via role are not considered.
  • 1927972 - Portfolio dependent-field configuration not considered based on highest ACL.

Best regards.

Mariano

Former Member
0 Likes

Hi Mariano, will applying note 2019060 resolve the issue I am facing?

mariano_sabiche
Contributor
0 Likes

Hello Anantharan;

I could fix the issue applying two notes from PPM 5.0 SP11, I'm in SP10.

Best regards,

Mariano

Former Member
0 Likes

Hi Mariano, thanks for this. I will get these applied and check and keep you posted. Thanks much for your response.

Regards,

Ananth

Former Member
0 Likes

Hi Mariano, I still continue to experience the problem even after applying the notes. This is my requirement.

I have a user with write access in the portfolio item. The user should not be able to edit any fields within fin_info view. Could you guide how to achieve this? I know we can use the settings under 'Portfolio Dependent settings' and based on the portfolio type control the fields based on the authorizations. But would like to understand how to leverage this setting under 'Define Authorisations for Detail Screen Views/Subviews' to achieve this.

regards

mariano_sabiche
Contributor
0 Likes

Hello Anantharam;

The notes applied are for the Buckets and Portfolio Items, but I don't know if it's for the Financial view.

The user that you mention has the authority ACO_SUPER object?

I saw configuration in SAP PPM --> https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1411953

I have never configured this Detail Screen Views/Subviews.

Please let me know if you can solve this issue.

Regards,

Mariano

Former Member
0 Likes

Hello Kathy

I am not sure if you still have this requirement, but I have come across a possible standard solution to your issue

You can keep using the specified roles at Portfolio level. But in order to avoid users from changing Bucket values, you will need to do the following with this proposed option:


1. Under SPRO - Portfolio Management - Global Customising - Process and Service Settings - Navigation Settings - Define Authorisations for Detail Screen Views/Subviews

Here you need to create an entry with the following detail:

- WD Application Name : RPM_BUCKET_DETAILS

- WD Configuration ID : RPM_BUCKET_DETAILS_CFG

- Variant ID : RBH_EDIT (SEE Comment on this below)

- Main View ID : OVERVIEW

- Subview ID: VI_GEN_INFO

- ACL Activity : NO AUTH

Once you have made this setting you will see that the user will no longer be able to Edit a Bucket IF navigating there from the normal menu path. However the access at Initiative and Item level which was assigned at Portfolio/Bucket level for create and change will still be defaulted as per your expectation. You will have to do a similar setting at Portfolio level as well to limit access to update if need be

2. Your problem now is going to be that the user can still access the Bucket through the Initiative/Item (From within the Initiative and Item user can still click on these links). To solve this you can :

- Firstly hide the links by updating the webdynpro's using the &SAP-Config-Mode=X method

- Secondly you should then include the Bucket Name/External ID for both Initiative and Item using config step 'Define Custom Field Configuration'. First check step 'Check SAP Field Configuration ' and you will see that for object type IPO and RIH the field BUCKET ID is not visible. Make them visible through the custom field configuration step. The aim of this is to still provide the user with the external ID of the related bucket, but not to have it as a link

Step 2 may be solved in a different way as well but I am still investigating

Lastly - comment on Variant ID : In order to have the ability where some users may change/create Buckets and others not, you will have to create new variant ID's for each of the applicable webdynpro components and then assign these in step 'Define Authorisations for Detail Screen Views/Subviews' - all other related navigation settings must also be completed.

Regards

C

Former Member
0 Likes

Hi Chatsworth,

We have a similar issue. We want to add users to a portfolio item with write access. The user can edit the overview view general information subview, but the user cannot edit the overview view financial information subview. We did the following settings.

Under SPRO - Portfolio Management - Global Customising - Process and Service Settings - Navigation Settings - Define Authorisations for Detail Screen Views/Subviews

- WD Application Name : RPM_ITEM_DETAILS

- WD Configuration ID : RPM_ITEM_DETAILS_CFG

- Variant ID : RBH_EDIT

- Main View ID : OVERVIEW

- Subview ID: VI_FIN_OVER

- ACL Activity : Admin

After this configuration, we still see that the users with write access can still edit the financial information subview.

Could you let us know what is missing?

thanks,

Ananth

former_member209919
Active Contributor
0 Likes

Hello Kathy,

I had a similar requirement as you, in my case related to the decision points and I had to develop it because the standard functionality didn't cover it.

It is true that SAP has released new functionalities. You can review the OSS note, it is possible it helps you

In my case my requirement was user with read authorization in the item can change a decision point... I substitute read authorization by write when the user opens the dp.

Regards,

0 Likes

Sara, thanks but there are several notes relating to security so could you please be a bit more specific to which note you are referring to?

former_member209919
Active Contributor
0 Likes

Hello,

Sorry, I meant that one year ago when I had your similar requirement I didn't find a standard solution.

But it is true that SAP is delivering new functionalities or solving missing functionalities under OSS.

If you haven't found anything I suppose it is because your requirement hasn't been covered

Sorry!!!