In this How-to we explain how to control the SAP ECTR menus with SAP authorizations. This allows you, for instance, to make certain functions in SAP ECTR available to certain groups only.
Authorizations in the SAP backend are maintained by assigning PFCG roles to users. Use the transaction PFCG to configure roles. A role represents the tasks that a person performs within a company. Depending on the tasks, a user can be assigned to several PFCG roles.
Allow - Control of SAP ECTR menus via multiple PFCG roles (additive)
Use the "deny all" strategy for the additive control via multiple PFCG roles.
First, deactivate all possible OMF functions in the global suppress file (menu_suppress_GuiCmds.txt).
Now you can allow OMF functions again per PFCG role. For each PFCG role, create a role file
menu_suppress_GuiCmds-<ROLE>.txt. In each of these role-specific configuration files, list all functions you want to allow and use an "!" (exclamation mark) as a prefix for each of the functions.
In the previous example, you prohibited all users from using the functions
fnc.doc.change.multi, fnc.doc.delete and
fnc.mat.create by listing them in the global suppress file.
Afterwards, you listed the functions in the role files
menu_suppress_GuiCmds-Z_CUST_MATERIAL_MANAGER.txt and activated them for users with the roles
In this example, you only allow users with the role
Z_CUST_CADKEYUSER to use the function
fnc.doc.change.multi and the function
You only allow users with the role
CUST_MATERIAL_MANAGER to use the function
First, you need to determine the set of functions to be controlled by roles. Then, list all functions in the global suppress file for suppressing them and afterwards activate the functions again in the respective specific role-dependent file.
- Once a function is activated in one of the role files via an exclamation mark, then it cannot be deactivated again by another role file, which means that the logic is additive.
- The recognition of the functions in the configuration files works with "starts with". This means, for instance, that with the entry
fnc.mat in the file
menu_suppress_GuiCmds.txt all functions which start with
- Wildcard characters like "*" or "?" are not allowed in the function names.
This functionality is available as of 18.104.22.168.
Functions in administrator menu and menu_suppress files
As of version 22.214.171.124, functions in the administrator menu (
om.options.menu) are no longer affected by the functionality mentioned above.
fnc.doc.delete is built into the administrator menu (
fnc.doc.delete is also built into the document menu.
In the file menu_suppress_GuiCmds.txt, the function fnc.doc.delete is suppressed.
Now, when an SAP ECTR administrator logs in, the function
fnc.doc.delete is suppressed in the document menu, but is never suppressed in the administrator menu.
Unsuppress functions for administrators
menu_suppress_plm_admin.txt makes it easy to unsuppress functions for administrators in SAP ECTR.
fnc.doc.delete is built into the document menu.
In the file
menu_suppress_GuiCmds.txt, the function
fnc.doc.delete is suppressed. No one can see the function.
Now unsuppress the function for every SAP ECTR user with administrator rights by writing
!fnc.doc.delete into the file
Now the function is displayed for SAP ECTR administrators.
Deny - Control of SAP ECTR menus via multiple PFCG roles (subtractive)
You can remove OMF functions for each PFCG role. For each PFCG role, create a role file
menu_suppress_GuiCmds-<ROLE>.txt. List the functions you want to remove in each of these role-specific configuration files.
In this example, you prohibit users of the role
Z_CUST_CADUSER from changing the status of documents and from deleting documents.
To suppress a function for a user, it needs to be listed in all the
menu_suppress_GuiCmds-<ROLE>.txt files for each of their roles.
A user has the roles
Z_CUST_DOCUSER. To successfully suppress a function, the function needs to be listed in
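The additive ("!") and subtractive rules described above can be checked offline before role files are rolled out. The following is an added example, not SAP ECTR code or part of the original how-to: a simplified Python model that assumes "starts with" matching also applies to "!" entries, that a "!" entry overrides a role-file suppression, and that a role without a role file suppresses nothing. The file contents are constructed samples, and the fnc.sample.* function names are hypothetical.

```python
# Simplified model of the rules on this page; not SAP ECTR code.
# All file contents are constructed samples. fnc.sample.* names are hypothetical.
GLOBAL = "fnc.doc.change.multi\nfnc.doc.delete\nfnc.mat.create\n"
ROLE_FILES = {
    "Z_CUST_CADKEYUSER": "!fnc.doc.change.multi\n",
    "Z_CUST_MATERIAL_MANAGER": "!fnc.mat.create\n",
    "Z_CUST_CADUSER": "fnc.sample.export\n",
    "Z_CUST_DOCUSER": "fnc.sample.print\n",
}

def parse(text):
    """Split a suppress file into (suppressed prefixes, '!'-allowed prefixes)."""
    deny, allow = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry.lstrip("!"):      # skip blank lines and a lone "!"
            continue
        if "*" in entry or "?" in entry:
            raise ValueError(f"wildcards are not allowed: {entry!r}")
        if entry.startswith("!"):
            allow.append(entry[1:])
        else:
            deny.append(entry)
    return deny, allow

def hit(function, prefixes):
    """Entries match with 'starts with': 'fnc.mat' covers 'fnc.mat.create'."""
    return any(function.startswith(p) for p in prefixes)

def is_visible(function, global_file, role_files, user_roles):
    """True if the function stays in the menu for a user holding user_roles."""
    parsed = [parse(role_files[r]) for r in user_roles if r in role_files]
    # Additive rule: a '!' entry in any one role file re-activates the function.
    if any(hit(function, allow) for _, allow in parsed):
        return True
    if hit(function, parse(global_file)[0]):
        return False
    # Subtractive rule: suppressed only if every role of the user lists it.
    # Assumption: a role without a role file suppresses nothing.
    every_role_has_file = bool(user_roles) and len(parsed) == len(user_roles)
    return not (every_role_has_file and all(hit(function, d) for d, _ in parsed))

if __name__ == "__main__":
    for roles in (["Z_CUST_CADKEYUSER"], ["Z_CUST_CADUSER"],
                  ["Z_CUST_CADUSER", "Z_CUST_DOCUSER"]):
        for fn in ("fnc.doc.change.multi", "fnc.doc.delete", "fnc.sample.export"):
            print(roles, fn, is_visible(fn, GLOBAL, ROLE_FILES, roles))
```

In both strategies an additional role can only widen the menu, so a review of effective permissions has to evaluate the complete set of roles a user holds, not each role file on its own.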
Related SAP Notes/KBAs