Authorizations for Business Objects

There are five ways to define authorizations for Business Objects. You can define them by:

  • Object Type

Controls access to all instances of a specific BO Type.

Example: User can access all Systems and Components but not the Contracts or Payments.

For more information see Authorization by Type.

  • Attribute Value

Controls access to specific instances of a given BO Type. Attributes of the Instance itself are used to determine whether access is granted or not.

Example: User may access Contracts with the supplier ‘HP’. (The name of the supplier is an attribute in the contract).

For more information see Authorization by Attribute Value.

  • Instance of BO

Controls access to specific instances of a given BO Type. It is a comprehensive filter mechanism to identify the instance to which access should be denied or granted.

Example: User may filter all Components which are allocated to systems which are assigned to Cost Centers managed by Mr. Smith and then decide to restrict the access to all or some of them.

For more information see Authorization by Instance.

  • Relation

Controls access to BOs that have a specific relation to one or more other objects. The permission is evaluated at runtime from the right the current user has to the target object the relation points to.

If the relation points to a collection, the access is allowed if at least one of the objects held by the collection permits it. If such a collection is empty, the permission is ignored.

Example: Users are authorized to access the systems that belong to the cost center to which they are granted access.

Note: This right can only be used to permit access; it cannot be used to restrict access.

For more information see Authorization by Relation.

  • Individual Attributes

Controls access to specific Attributes within a BO Type. This differs from the other mechanisms above in that it controls which attributes may be accessed.

Implicitly, a role is granted access to all attributes of the business object, including the relational ones. Thus, the catalogs display all fields given by the catalog definition. The administrator can either ensure that catalogs display only the attributes the role is allowed to see, by creating separate catalogs customized for administrators, managers and other users, or use authorizations for individual attributes to deny certain users access to given attributes.

Example: User may access Name and Telephone number but not Date of Birth and Salary Grade.

For more information see Authorization for Attribute.
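
The evaluation rule for the Relation right described above, modelled in Python as an added example (not Valuemation code): a single target or a collection is checked against the cost centers the user may access, an empty collection leaves the right without effect, and the right can only add access. The names `relation_outcome`, `effective_access` and `visible_systems`, the sample systems, and the way the outcome is combined with other authorizations are assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    PERMIT = "permit"      # the relation right grants access
    NO_EFFECT = "ignored"  # the right contributes nothing; it never denies

def relation_outcome(accessible_targets, bo, relation):
    """Evaluate one relation right for a business object (hypothetical model).

    accessible_targets: ids of target objects the current user may access.
    bo: dict modelling a BO; bo[relation] is one id, a collection of ids, or None.
    """
    value = bo.get(relation)
    if value is None:
        targets = []
    elif isinstance(value, (list, tuple, set, frozenset)):
        targets = list(value)
    else:
        targets = [value]
    if not targets:
        return Outcome.NO_EFFECT   # empty collection: the permission is ignored
    if any(t in accessible_targets for t in targets):
        return Outcome.PERMIT      # at least one target permits access
    return Outcome.NO_EFFECT       # permit-only: no match is not a denial

def effective_access(granted_elsewhere, outcome):
    """Assumed combination: a relation right can add access, never remove it."""
    return granted_elsewhere or outcome is Outcome.PERMIT

# Constructed sample data: systems related to cost centers.
SYSTEMS = [
    {"name": "SYS-A", "cost_centers": "CC-100"},              # single target
    {"name": "SYS-B", "cost_centers": ["CC-200", "CC-100"]},  # one of two matches
    {"name": "SYS-C", "cost_centers": ["CC-200"]},            # no match
    {"name": "SYS-D", "cost_centers": []},                    # empty collection
]

def visible_systems(accessible_cost_centers, granted_elsewhere=()):
    """Names of systems the user can access under this model."""
    return [
        s["name"] for s in SYSTEMS
        if effective_access(
            s["name"] in granted_elsewhere,
            relation_outcome(accessible_cost_centers, s, "cost_centers"),
        )
    ]

if __name__ == "__main__":
    print(visible_systems({"CC-100"}))
    print(visible_systems({"CC-100"}, granted_elsewhere={"SYS-D"}))
```

When reviewing a role, the point to check is that access reachable through a relation cannot be taken away by the same right, so any restriction has to come from one of the other four mechanisms.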

See Also

Basic Concepts

Introduction to Valuemation Authorization Management

Roles, Users and Groups

Default Authorization

Authorizations for Technical Objects

Authorization Rights