Authorisation Plugin
Since SP28 a custom plugin point is available to enable some segregation of duties for workflow responsibility maintenance.
Note that the plugin is delivered OFF by default and must be activated to be effective.
Summary
The segregation of duties plugin enables you to specify subsets of workflow responsibility groupings which can be managed by specific teams. The segregation relies on the customer having a naming convention in place for their responsibility groups, because patterns in the group name are used to define the segregation.
Example
All journal approval groups in a company have a pattern like JOURNAL_<company code>_<level>. Example: JOURNAL_US01_1
All vendor approval groups in a company have a pattern like VENDOR_<company_code>. Example: VENDOR_US01
To separate the management of these approval groups, you define two patterns:
Journal administrators : JOURNAL_*
Vendor administrators : VENDOR_*
You can then assign appropriate security authorisation to the administrators to ensure they only manage their groups.
Important Note : The Approval Group (APP_GROUP) is the value that is checked.
Configuration
Decision tree /PROMENTA/WF_RESP_MAINT should be copied and overridden to make changes.
Activation
Node STEP=CONFIG –> KEY1=AUTHS_ACTIVE
Result=ON to activate, OFF to deactivate
Group ID List
Node STEP=GROUP_LIST
This node contains the list of administrator “groups”. In the previous example this would be as shown below

Group detail
Each group must then be assigned one (or more) patterns so the system can check if the user is allowed to manage a responsibility.
In the example below the group “JOURNAL” is assigned pattern JOURNAL_*

Authorisations
The authorisation objects below are used to assign groups and permission levels to administrator users via SAP roles.
Object YZYWS00001
YZYMFORMID=94500140
YZYWSKEY1=GROUP
YZYWSKEY2=<Group ID> (the Group ID is taken from the group ID in the decision tree above)
ACTVT = 02 (for maintenance access)
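
A naming convention can be checked offline before the decision tree is configured. The Python sketch below is an added illustration, not the plugin's own code: it models the pattern check on APP_GROUP and audits a list of approval group names for ones that no pattern covers or that more than one administrator group covers. The function names, the sample data, the reading of `*` as "any run of characters" and the denial of unmatched groups are assumptions.

```python
import re

# Constructed sample mirroring the page's example: GROUP_LIST entries with their patterns.
CONFIG = {
    "auths_active": "ON",  # Result of node STEP=CONFIG, KEY1=AUTHS_ACTIVE
    "groups": {"JOURNAL": ["JOURNAL_*"], "VENDOR": ["VENDOR_*"]},
}

def matches(pattern, app_group):
    """Assumption: '*' matches any run of characters; all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, app_group) is not None

def owning_groups(app_group, config):
    """Administrator group IDs with at least one pattern matching APP_GROUP."""
    return sorted(gid for gid, patterns in config["groups"].items()
                  if any(matches(p, app_group) for p in patterns))

def may_maintain(user_group_ids, app_group, config):
    """user_group_ids: group IDs the user's roles grant with ACTVT 02."""
    if config["auths_active"] != "ON":
        return True  # plugin inactive: no segregation is enforced
    # Assumption: an approval group matching no pattern is denied.
    return any(gid in user_group_ids for gid in owning_groups(app_group, config))

def audit(app_groups, config):
    """Return (approval groups no pattern covers, {approval group: owners} if shared)."""
    unmatched, shared = [], {}
    for app_group in app_groups:
        owners = owning_groups(app_group, config)
        if not owners:
            unmatched.append(app_group)
        elif len(owners) > 1:
            shared[app_group] = owners
    return unmatched, shared

if __name__ == "__main__":
    names = ["JOURNAL_US01_1", "VENDOR_US01", "PAYMENT_US01"]  # constructed
    print(may_maintain({"JOURNAL"}, "VENDOR_US01", CONFIG))
    print(audit(names, CONFIG))
```

A non-empty second result from `audit` means two administrator groups can maintain the same approval group, which defeats the segregation the patterns are meant to enforce.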