Examples how to adjust authorizations when working with projects

Working with projects in SAP Solution Manager and developing project documentation such as Business Process Design documentation, Functional Specification or configuration documentation may require limiting access to different document types; especially if you deal with sensitive data (e.g. HR related data). For that, you can create different Knowledge Warehouse folders for different documentation to store the different document types in different folders. You can provision access to those folders to selected project members using authorization objects.

Authorizations for document management

The system saves Solution Manager project documents in Knowledge Warehouse folders. Access to Knowledge Warehouse folders is controlled by the authorization object S_IWB, which is in the authorizations roles SAP_SOL_KW_ALL and SAP_SOL_KW_DIS.

Therefore, to enable selected members of the project team to create documentation, you can configure the object S_IWB to give the project members authorizations for the folder group with the same technical name as the project ID.

To do it, you have to copy the roles SAP_SOL_KW_ALL and SAP_SOL_KW_DIS in the “Role Maintenance” (transaction PFCG) to a customer name space, and:

• Assign the ID of your project in the copied role in the field Folder Group.
• Choose the authorization for your project in the field Activity.
• Remove the authorization object S_IWB from the composite roles of the Solution Manager (if such a role is assigned to user profiles).
• Assign the changed individual roles to the project team members.

See Example 1 below.

Alternatively, you may assign authorizations to manage access to different tabs (authorization object AI_SA_TAB) for editing project documentation, configuration documentation, test case and development documentation (for project folder group). 

Authorizations for assignment to a project ID

When you carry out multiple projects in one SAP Solution Manager system, you can assign authorizations at a project level to protect the projects team’s work against unauthorized accesses and changes. You can do this by adapting authorization object S_PROJECT ("Project Management: Project authorization") and assigning the relevant project ID.

Authorizations for modification of process structure node information

Additionally, the indicator “Restrict changes to nodes in project to assigned team members” (in the “Project Administration” transaction (SOLAR_PROJECT_ADMIN) on the tab “Proj. Team Member”) enables you to specify that only users assigned to particular business scenarios or processes on the “Administration” tab (transaction SOLAR01 or in transaction SOLAR02) may edit those parts of the process structure. Further on, the tabs they can work on depend on their tab authorizations (authorization object AI_SA_TAB). Other team members can only open the tab in a display mode.

Note:

This restriction does not apply for users with authorization allowing to assign resources at nodes (authorization object S_PROJECT, ACTVT = 78). They can work on all nodes independent on whether they are assigned to or not. See SAP Note 874539 (Solution Manager Implementation) for details.

Restrict Access to KW Folders for documents

• You can use different KW folders within one project.
• One KW folder can be assigned to exactly one Folder Group against which the authorization for all included documents will be checked.
• You can create a folder group in transaction SI23 for the area “Solution Manager”: Settings -> Folder Groups.
• You can create a folder for this folder group in transaction SI80: Folder -> Attributes -> Change.

Note:

If the system does not allow you to create a folder in the transaction SI80; make sure that you set the correct area the correct context.

To select the area in transaction SI80 go to: Utilities -> Settings -> Select Areas and choose “Solution Manager.”

To set the context in transaction SI80 go to: Utilities -> Settings -> Select “Change Context” and press “Show Enhancement”. Set the following values for the enhancement: Enhancement = /KWCUST/ and Release = 620.

• The folder group can be assigned to the authorization object S_IWB. The parameter IWB_FLDGRP is usually equal to the project name of the folder created by the system during project creation. You can assign a folder group you have created.
• Afterwards, you should be able to move special "top secret" documents to the newly created folder using the “Attribute” popup of the document and the button “Replace Folder” (transaction SOLAR01/SOLAR02).
  

See Example 2 below.

Authorization roles for Implementation and Solution Documentation scenario

The table below lists the main authorization roles (SAP Solution Manager SP11) for the implementation and Solution Documentation scenarios. The roles can be adapted adequately to project needs by adjusting the authorization objects. Further details on authorizations can be found in www.service.sap.com/instquides -> SAP Solution Manager -> Planning, Installation, Upgrade Guides -> Security Guide SAP Solution Manager 7.1.

Example 1

You want to limit the project visibility for some consultants: consultants working with project A should not see the project B content.

The combination of the authorization objects S_PROJECT and AI_SA_TAB will allow managing the access to the projects. The users who are not authorized will only be able to see the list of projects in transaction SOLAR_PROJECT_ADMIN (if this is allowed with authorization role SAP_SOL_PROJ_ADMIN_ALL) but they will not be able to see the process structure nor documents.

In this example, there are two projects created in the system: E_BPCA and E_SOLDOC. User A is expected to work with project E_BPCA but will not be allowed to changed (or even view) the Blueprint information (SOLAR01) of the project E_SOLDOC.

Therefore, you can go to transaction PFCG and change the standard SAP role SAP_SOLAR01_ALL. To do it copy the SAP role to a customer name spaces and modified it in this way:

If the role has been assigned to the user A, the user A can execute all actions on project E_BPCA but cannot view the business process structure of project E_SOLDOC. The only activity that is allowed for the E_SOLDOC project is running transaction SOLAR_EVAL (the reporting transaction). However, no project information can be accesses from the SOLAR_EVAL results.

Example 2 

You want to limit access to specific project documentation. For that you can create a new folder group and assign a document folder to this folder group (you can also create a new folder).

In the example below, the project name is E_BPCA. The project folder has the same E_BPCA name. The project lead has created the folder group ZE_BPCA in transaction SI23 and assigned the project folder E_BPCA to the folder group ZE_BPCA in transaction SI80.

The security department has copied the SAP standard role SAP_SOL_KW_ALL to a customer name space (e.g. ZSAP_SOL_KW_ALL) and modified the authorization object S_IWB in the following way:

Now, you can assign the authorization role ZSAP_SOL_KW_ALL to project member who are allowed to create and maintain documentation for the specific project. Only users who got access to the folder group ZE_BPCA can create and maintain the project documentation.

Example 3

Additionally, you want to limit access to the “Delete” icon in a project as not all project team members should be able to delete the documentation in the project (only leads can do it).

There is no SAP Solution Manager standard functionality to restrict the use of the “Delete line” icon. Only deletion with the “Delete” icon (the trash can) can be restricted for project documentation.

The system saves the Solution Manager project documents in Knowledge Warehouse folders. Access to the Knowledge Warehouse folders is controlled by the authorization object S_IWB, which is in the authorizations roles SAP_SOL_KW_ALL and SAP_SOL_KW_DIS.

Therefore, you can create a folder group and assign the project folder to this folder group (see Example 2). Then, the authorization object S_IWB can be used to prevent the usage of the “Delete” icon in SOLAR01.

The authorization role shown above allows the following actions for this folder group:

The action “Delete” is not possible. If this type of modified authorization role has been assigned to the user, then this user working in transaction SOLAR01 cannot delete any document (from folder E_BPCA):

Note:

The “Delete line” icon only deletes the assignment of the document to the business process structure node – the document is not deleted from the KW folder. The “Delete” icon (the trash can) can delete the document form the KW folder permanently.