Authorization for iObjects

Use Cases:

1. You want to restrict the creation of ITSM documents with specific CIs (Configuration Items = iobjects). E.g. Creating an incident with target CI is only allowed to a Key User who is assigned to a specific organizational unit.

You won't find it via the F4 Search if you don't have the authorization object in your role AND one of the following rules match to your Business Partner settings.

2. It should not be possible for a user to display ITSM documents, that contain a CI which has no relationship to the user. E.g. all incidents for a high security system are not shown to users without this authorization object.

--> until SAP Solution Manager SP12 the following SAP Note is necessary: 1981995

Configuration:

Using authorization object SM_SDK_IBA in transaction PFCG.  It is included in the SAP standard template roles for ITSM.

Attention: The authorization field values are additive.

Field value	Description	Technical Details
No authorization	user sees only systems in BP identification	identification type CRM001
USERS_OWN	user sees only systems in BP identification AND systems to which the BP is directly assigned	identification type CRM001 BP is assigned to configuration item as party involved
USERS_ORG	user sees only systems in BP identification AND systems to which the BP is directly assigned AND systems that are assigned to the BP-organizations the user belongs to	identification type CRM001 BP is assigned to configuration item as party involved. Relationship to organization is determined via: via Organizational Modell (PPOMA_CRM) BP relationship "is the Employee Responsible for" (can be changed via AGS_WORK_CUSTOM parameter IM_RESPONSIBLE_REL_CATEGORY) BP-organization is assigned to configuration item as party involved
ALL	user can see all Iobject entries