- Created by Sebastian Kiesel, last modified by Frank Holzapfel on Jan 16, 2023
Purpose
In this How-to we explain how to control the SAP ECTR menus with SAP authorizations. This allows you, for instance, to make certain functions in SAP ECTR available to certain groups only.
Overview
Authorizations in the SAP backend are maintained by assigning PFCG roles to users. Use the transaction PFCG to configure roles. A role represents the tasks that a person performs within a company. Depending on the tasks, a user can be assigned to several PFCG roles.
Allow - Control of SAP ECTR menus via multiple PFCG roles (additive)
Use the "deny all" strategy for the additive control via multiple PFCG roles.
First, deactivate all possible OMF functions in the global suppress file (menu_suppress_GuiCmds.txt).
Example:
menu_suppress_GuiCmds.txt
fnc.doc.change.multi fnc.doc.delete fnc.mat.create
Now you can allow OMF functions defined per PFGC role again. For each PFCG role, create a role file menu_suppress_GuiCmds-<ROLE>.txt. In each of these role-specific configuration files, list all functions you want to allow and use an "!" (exclamation mark) as a prefix for each of the functions.
Example:
menu_suppress_GuiCmds-Z_CUST_CADKEYUSER.txt
!fnc.doc.change.multi !fnc.doc.delete
Example:
menu_suppress_GuiCmds-Z_CUST_MATERIAL_MANAGER.txt
!fnc.mat.create
In the previous example, you prohibited all users from using the functions fnc.doc.change.multi, fnc.doc.delete and fnc.mat.create by listing them in the global suppress file.
Afterwards, you listed the functions in the role files menu_suppress_GuiCmds-Z_CUST_CADKEYUSER.txt and menu_suppress_GuiCmds-Z_CUST_MATERIAL_MANAGER.txt and activated them for users with the roles Z_CUST_CADKEYUSER and CUST_MATERIAL_MANAGER.
In this example, you only allow users with the role Z_CUST_CADKEYUSER to use the function fnc.doc.change.multi and the function fnc.doc.delete.
You only allow users with the role CUST_MATERIAL_MANAGER to use the function fnc.mat.create.
First, you need to determine the set of functions to be controlled by roles. Then, list all functions in the global suppress file for suppressing them and afterwards activate the functions again in the respective specific role-dependent file.
Please note:
- Once a function is activated in one of the role files via an exclamation mark, then it cannot be deactivated again by another role file, which means that the logic is additive.
- The recognition of the functions in the configuration files works with "starts with". This means, for instance, that with the entry
fnc.matin the filemenu_suppress_GuiCmds.txtall functions which start withfnc.matare suppressed. - Wildcard characters like "*" or "?" are not allowed in the function names.
This functionality is available as of 5.2.0.0.
Functions in administrator menu and menu_suppress files
As of version 5.2.6.0, functions in the administrator menu (om.options.menu) are no longer affected by the functionality mentioned above.
Example:
The function fnc.doc.delete is built into the administrator menu (om.options.menu).
The function fnc.doc.delete is also built into the document menu.
In the file menu_suppress_GuiCmds.txt, the function fnc.doc.delete is suppressed.
Now, when an SAP ECTR administrator logs in, the function fnc.doc.delete is suppressed in the document menu, but is never suppressed in the administrator menu.
Unsuppress functions for administrators
The file menu_suppress_plm_admin.txt makes it easy to unsuppress functions for administrators in SAP ECTR .
Example:
The function fnc.doc.delete is built into the document menu.
In the file menu_suppress_GuiCmds.txt, the function fnc.doc.delete is suppressed. No one can see the function.
Now unsuppress the function for every SAP ECTR user with administrator rights by writing !fnc.doc.delete into the file menu_suppress_plm_admin.txt.
Now the function is displayed for SAP ECTR administrators.
Deny - Control of SAP ECTR menus via multiple PFCG roles (subtractive)
You can remove OMF functions for each PFCG role. For each PFCG role, create a role file menu_suppress_GuiCmds-<ROLE>.txt. List the functions you want to remove in each of these role-specific configuration files.
Example:
menu_suppress_GuiCmds-Z_CUST_CADUSER.txt
fnc.doc.change.multi fnc.doc.delete
In this example, you prohibit users of the role Z_CUST_CADUSER from changing the status of documents and from deleting documents.
Please note!
To suppress a function for a user, it needs to be listed in all the menu_suppress_GuiCmds-<ROLE>.txt files for each of their roles.
Example:
A user has the roles Z_CUST_CADUSER and Z_CUST_DOCUSER. To successfully suppress a function, the function needs to be listed in menu_suppress_GuiCmds-Z_CUST_CADUSER.txt and menu_suppress_GuiCmds-Z_CUST_DOCUSER.txt.
- No labels