authorizations by activity and business process

The run time authorization mechanism works as follows:

Authorization via roles

Roles can be linked to the following model items:

You must first define the roles in the Roles (tgbrg8110m000) session for the current modeling version before you can link these roles to any business process or activity.

All the roles that are linked to a business process are inherited by all the activities within that business process.

A role that is linked to a business process or an activity in the repository, is inherited by that business process or activity in the business model.

Example

Activities B, C, and D are incorporated in business process A.

Business process A represents the highest level in the business process structure. The other activities, which can also be nested business processes, represent the lower levels in the business process structure.

Roles:

  • Manager
  • Secretary

The manager is responsible for all business process activities except activity D. The secretary is only responsible for activity D.

You can define the situation in the example as follows:

  1. Link the manager role to business process A in the Roles by Business Process (tgbrg5106m000) session or in the Roles by Business Process by Business Model (tgbrg3140s000) session. The role applies to business process A and includes all lower-level activities because roles are inherited by the lower levels.
  2. Select the Excluded check box in the Role by Business Process Activity Properties (tgbrg3150s000) session to exclude the manager role from activity D. This session can only be started from the enterprise modeler editor.
  3. Link the Secretary role to activity D through the Roles (tgbrg8110m000) session. Start this session from the enterprise modeler editor.
Linking of roles

After you have imported the roles, you can link additional roles to the business processes and activities. These roles are incorporated in the business model, and do not apply to the these same business processes in the repository.

In the Enterprise Model Browser and in the Enterprise Modeler Editor you can view which roles are linked to the business processes, and where they were linked (repository or business model).

Use the following sessions to link one or more roles in the repository:

Use the following sessions to link one or more roles in a business model:

Authorization via responsibility codes

You can define the responsibility codes in the Responsibility Codes (tgbrg8130m000) session in the master data.

If you link a role to a business process or activity you can specify a maximum of six responsibility codes (responsibilities) for that role.

The business process and/or activity to which the role is linked can be carried out by an employee if at least one of the responsibility codes linked to the role is set to YES. If the role has no responsibility codes, the role is always active.

The responsibility codes that are linked to a role are inherited by all the activities within the business process to which the role is linked.

Example

This example is the same as the one for the role authorization, except that in this example the responsibility codes are also involved.

Activities B, C, and D are incorporated in business process A.

Business process A represents the highest level in the business process structure. The other activities, which can also be nested business processes, represent the lower levels in the business process structure.

Roles:

  • Manager
  • Secretary

Responsibility codes:

  • Maintain Data
  • Informs Manager
  • Checks Data

The manager is responsible for all business process activities except activity D. The secretary is only responsible for activity D of which must be reported to the manager. The manager checks activity D as soon as the secretary has carried out this activity.

You can define the situation in the example as follows:

  1. Link the Maintain data responsibility to the Manager role. Link that combination to process A in the Roles by Business Process (tgbrg5106m000) session. The role applies to business process A and includes all lower-level activities because roles and responsibilities are inherited by the lower levels. Consequently, these roles and responsibilities do not have to be defined at the lower levels.
  2. Select the Excluded check box in the Role by Business Process Activity Properties (tgbrg3150s000) session to exclude the manager role from activity D. Remove the responsibility Maintain Data and add the responsibility Checks Data.
  3. Link the Secretary role to activity D in the Roles (tgbrg8110m000) session. Also, define the maintain data and informs manager responsibilities for that activity.
Authorization for Application type activity

If you link a role to a business process or an activity you can also define the authorization for that role for activities of type application.

Authorizations:

  • No Authorization: The application cannot be started by any user.
  • Display: Data is only displayed. No data can be maintained or printed.
  • Print/Display: Data can only be printed.
  • Modify/Print/Display: Data can be displayed, printed, and changed.
  • Insert/Modify/Print/Displ: Data can be displayed, printed, changed and new data (records) can also be inserted.
  • Full Authorization: Data can be displayed, printed, changed, and inserted. Data can also be deleted.
Linking employees to roles

If you have defined the roles, the next step is to link to each role the employee(s) that must fulfill it.

Carry out the following steps to link employees to roles:

  1. Start the Roles (tgbrg8110m000) session.
  2. Select the role to which you want to link one or more employees.
  3. On the Specific menu, click the Employees by Role... command.
  4. Click the New button and link the employees to the role.

Verwandte Themen