<p>about your learning experience to help us improve.</p>

You've completed

cleanFiles/S41200_Document_Management_en-US_learning-sap-com_lsc-prod.zip (MMCP-DROPZONE) - 2024-10-23T13:18:59.000Z

Introducing Authorization Control

<div id="content"><p tabindex="0">The authorization objects are defined in a role and assigned to the end-users. With this role, an end-user can execute specific transactions with defined authorizations.</p><img style="max-width:900px;max-height:none" class="image 1_1_landscape" title="SAP Display Roles interface for the role SAP_BR_BOM_ENGINEER with the description BOM Engineer. The interface includes various tabs such as Description, Menu, Workflow, Authorizations, User, MiniApps, and Personalization, with a hierarchy of menu items displayed on the left and node details on the right." alt="SAP Display Roles interface for the role SAP_BR_BOM_ENGINEER with the description BOM Engineer. The interface includes various tabs such as Description, Menu, Workflow, Authorizations, User, MiniApps, and Personalization, with a hierarchy of menu items displayed on the left and node details on the right." src="/service/media/S41200_26_en-US_media/S41200_26_en-US_images/ZMigrated_mmcpLearningContent_09_Image_01.png" tabindex="0"><div class="imageCaption"></div><p tabindex="0">If you use transaction PFCG to create a new role or change an existing role, first, you define the transactions that are to be used. These transactions will then be visible in the user menu. In the SAP standard menu, if you attempt to call different transactions to those which are assigned to you, the system issues an error message.</p><p tabindex="0">You create an authorization profile within the authorization control. This is now based on the selected transactions. Therefore, if you select transactions of the document management, you are now provided with the necessary authorization objects.</p><div class="kalturaVideoLessonWrapper"><div aria-label="null" class="kalturaVideoLessonContainer" data-testid="video" id="1_lv3duc74"></div></div></div>

Authorization Control

<div id="content"><div class="parentsection"><div class="section"><div tabindex="0"><h3>Introduction</h3></div><p tabindex="0">Up to now, you and your team have worked in the SAP system with the authorizations assigned to you. However, you have now been approached by colleagues from other areas of the company who also want to have access to the documents they have created.</p><p tabindex="0">Therefore, you are now considering defining a new role with restricted authorizations.</p></div></div><div class="parentsection"><div class="section"><div tabindex="0"><h3>Task 1: Define a role and authorization</h3></div><p tabindex="0"><i>Watch the following video, which first shows you a role definition and the definition of authorizations.</i></p><div class="kalturaVideoLessonWrapper"><div aria-label="This video shows you a role definition and the definition of authorizations." class="kalturaVideoLessonContainer" data-testid="video" id="1_b3wbb3f6"></div></div></div></div><div class="parentsection"><div class="section"><div tabindex="0"><h3>Task 2: Test authorization</h3></div><p tabindex="0"><i>Watch the following video, which shows the use of the defined role and authorizations.</i></p><div class="kalturaVideoLessonWrapper"><div aria-label="This video shows you the use of the defined role and authorizations for a different user." class="kalturaVideoLessonContainer" data-testid="video" id="1_5kyzekfa"></div></div></div></div></div>

Work with Authorization Control

Implementing Document Management in SAP S/4HANA Cloud Private Edition

Learn how to protect document info records using authorization objects in SAP document management. Set values based on document type or status for secure access control.<br><br># This description was auto-generated #

ZMigrated_mmcpLearningContent_09_Image_02_Ani.mp4

The authorization objects allow you to protect access to document info records. In the authorization concept, for document management, values can be set dependent on the document type or document status. Most common is the use of the authorization object C__DRAW__TCS, which combines the document type with the document status. Another interesting one is C underscore draw underscore APPL, which gives you the opportunity to define the access depending on the application. As an example, only engineering department members can work with the CAD files. All other SAP users get only the authorization to display the JPG files, which were converted out of the CAD files.

<div><div><div>Learn how to define new roles, assign transactions, and set authorizations for employees in this comprehensive video tutorial. Follow step-by-step instructions to manage roles efficiently.<br><br># This description was auto-generated #</div></div></div>

S41200_Role_definition_and_authorization

In most cases, to get a new role and related authorizations for your employees, you have to contact your company's admin team. However, to give you an impression of the options you have, you define a new role, assign transactions and determine the possible authorizations. At the end, the role is made available to a test user.  First, you start the role definition transaction directly. On the initial screen, you enter a role name and choose a single role for the creation. You then enter a description and save your role. In the next step, you decide which transactions you want to make available to the role. However, you decide to assign standard transactions. You enter the appropriate transactions for changing, displaying, and searching for documents. This is also saved again. You do not assign a workflow. Next, you take care of the authorizations. Since an authorization profile does not yet exist, the system generates a profile. You then edit this. First, you see groups of authorizations. The first group has the authorization object for transaction. Without this authorization, the other authorization objects do not help. The correct transactions have already been defined. Next, you look at the authorizations that are not important for your scenario. The authorizations for ACO only play a role in PLM WebUI. The authorizations for classification have already been set up accordingly, in exactly the same way as for logistics. Therefore, you next open the Authorization for Document Management. The first authorization object controls the definition of  object links. Depending on the status and the document type, you can decide which object links can be defined and how. In the next authorization object, you can set which file types can be used by the user. The authorization for the authorization group is set to default here. Otherwise, you could use this setting to control access to the individual document. The next authorization objects are all set to green. They always represent combinations of authorizations. The last authorization object represents the best combination, as you can combine the activity with the status and the document type here. This is now carried out by you. At the end, you activate the Authorization Profile and save it. As a next step you return to the overview and assign a user with whom you want to test the behavior. Finally, you perform a user comparison and write the role to the user record. At the end you open the user maintenance of the test user and delete the unused roles from the list. You also adjust the list of authorization profiles. You save the data and leave the screen.

<div>Explore a detailed test of user authorizations within the SAP system, including executing transactions, displaying documents, and encountering error messages based on document types and statuses.<br><br># This description was auto-generated #</div>

S41200_Authorization_tests_with_different_user

Once the authorizations have been defined in the system and assigned to a test user, this should now be tested in the system. The test user logs on to the SAP system and first determines that the user menu corresponds to what has been defined in the role. The user tries to execute another transaction in the form of a Create Document transaction. An error message is returned. The test user then starts the display of a released document. This works without any problems because the correct document type was used with the correct status. Next, the test user decides to create an overview of the existing versions. He would like to see the most recently created document version. Then he decides to open the latest document version. The test user receives an error message because the combination of status and document type is not intended for him. The test user then exits the application.