Changes to authorizations for the R/3 spool system

Description

The authorizations for printing and for managing spool requests and devices in the R/3 spool system have been extended and reworked for Release 4.0. The changes provide for better and more detailed control over spool administrators. These are the users who work with R/3 spool device definitions, and users who manage spool requests in the output controller.

Here are the changes in overview:

The changes in more detail:

The authorization value feature: The system tests for authorization to S_SPO_ACT only if an authorization value is entered in the attributes of a spool request (Authorization field). If no key is entered, then no authority check is made.
This practice remains the same in Release 4.0. However, if the Authorization field is empty, the system now automatically assumes that the user ID of the owner of the spool request is entered as the authorization value.
In effect, the system now ensures that an authorization value is always present for every spool request. (Note that this automatic use of the user ID happens only internally in the system. The Authorization field in the attributes of a spool request remains empty if the user who generated it did not specify a key value.)
An R/3 user continues to have unrestricted access to his or her own spool requests as long as:
If the owner tries to access a spool request, the system sees that the user ID matches the authorization value, and it does not check the user's S_SPO_ACT authorization. The user may do anything that he or she wants with the spool request: print it, display its contents, delete it, and so on.
The S_SPO_ACT authorization is tested, however, when a user tries to access a spool request in his or her own client and either of the following is true:
In these cases, the system lets the user access the spool request only in the ways explicitly allowed by his or her S_SPO_ACT authorization.
The effect of this change is to broaden the protection offered by the Authorization field. Specifically, there is more protection against indiscriminate access by system administrators to spool requests that belong to other users. Normal users may display only their own spool requests in the output controller. But administrators with the S_ADMI_FCD (System administration functions) SP0R or SP01 authorization can display spool requests from other users.
Up until Release 4, these administrative users had unrestricted access to any spool request that did not contain an authorization value. Now, within their own clients, administrators have only the access allowed by S_SPO_ACT.
As already described, the owner's access to his or her spool requests is not affected by this authorization change.
The new authorization value: DISP
The new authorization value: AUTH
The new authorization value: PRNT
BASE is now used only to allow listing of spool requests in the output controller and to allow display of request attributes.
The effect of these changes is to let you control all actions that users take with respect to spool requests (printing, displaying, changing attributes, changing the authorization value, and so on). A user is always authorized for spool requests that carry his or her user ID as the authorization value. However, you can then limit which actions a user may take with his or her spool requests or forbid access to printing/spool request management entirely.
Spool device administration (Tools -> Administration -> CCMS -> Spool -> Spool administration). You can now authorize users for different administration functions:
Required: Existing authorization value SPAD and new value SPAA
Required: Existing value SPAD and new value SPAB
Required: Existing value SPAD and new value SPAC
Before Release 4.0, spool administration authorizations worked according to the on-or-off principle: You could either perform all spool administration functions or none at all.
The effect of this change is to let you define lower-level spool administrators if necessary. For example, you can now authorize a user only to define devices (printers) and not to work with device types or with the definitions of output management systems.
Spool request management (Tools -> Administration -> CCMS -> Spool -> Output controller). The authorizations needed for managing spool requests have been changed. The main effect: More control over access to spool requests other than the administrator's own.
For administrators with authorization to manage spool requests of all users from all clients, the existing S_ADMI_FCD SP01 authorization is still required. The output controller operations that the administrator can carry out are now subject to additional authorizations. There are two cases:
If there is no S_SPO_ACT authorization, then the system does not allow any access to spool requests. The S_SPO_ACT authorizations are described above.
If the administrator has the existing S_ADMI_FCD SPAD and the new S_ADMI_FCD SPAM authorizations, then he or she has full control over all spool requests in other clients.
Without these authorizations, the user can only list spool requests (for all users) and display their attributes. This access is equivalent to S_SPO_ACT BASE authorization for all users.
In both cases, access to requests in the user's own client remains restricted by the S_SPO_ACT authorization.
For administrators limited to spool requests that were generated in their own clients, the existing S_ADMI_FCD SP0R authorization is still required. The output controller operations that the administrator can carry out are now subject to the administrator's S_SPO_ACT (Spooler: actions) authorization.
If there is no S_SPO_ACT authorization, then the system does not allow any access to spool requests. The S_SPO_ACT authorizations are described above.
Before Release 4.0, there was no restriction on the spool management actions that a user could take if he or she had S_ADMI_FCD SP01 or SP0R authorization. You could only control whether the user had full control only in his or her current client or in all clients.
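
The access rules described above, and what an administrator with unchanged authorizations loses on upgrade, as a Python model added here for illustration (not SAP code). The class and function names are hypothetical, only the S_SPO_ACT values named on this page are modelled, and treating an owner-entered key that differs from the accessing user's ID as subject to the S_SPO_ACT check is an assumption.

```python
from dataclasses import dataclass, field

# Only the S_SPO_ACT action values named on this page are modelled.
ALL_ACTIONS = frozenset({"BASE", "DISP", "AUTH", "PRNT", "DELE"})

@dataclass
class User:
    user_id: str
    client: str
    admi_fcd: set = field(default_factory=set)  # S_ADMI_FCD values held
    spo_act: set = field(default_factory=set)   # S_SPO_ACT action values held

@dataclass
class SpoolRequest:
    owner: str
    client: str
    auth_field: str = ""  # Authorization attribute; empty if no key was given

def allowed_actions(user, req, release_40=True):
    """Actions `user` may take on `req` (simplified model, see lead-in)."""
    same_client = user.client == req.client
    own = same_client and user.user_id == req.owner
    # Visibility: normal users see only their own requests; SP0R covers the
    # administrator's own client, SP01 covers all clients.
    if not own:
        needed = {"SP0R", "SP01"} if same_client else {"SP01"}
        if not (user.admi_fcd & needed):
            return frozenset()
    if not release_40:
        # Before 4.0: no S_SPO_ACT check at all when the field is empty.
        return ALL_ACTIONS if not req.auth_field else ALL_ACTIONS & user.spo_act
    if not same_client:
        # 4.0, other clients: SPAD + SPAM gives full control, else BASE-equivalent.
        full = {"SPAD", "SPAM"} <= user.admi_fcd
        return ALL_ACTIONS if full else frozenset({"BASE"})
    # 4.0, own client: an empty field counts internally as the owner's user ID.
    effective = req.auth_field or req.owner
    if effective == user.user_id:
        return ALL_ACTIONS             # match: S_SPO_ACT is not checked
    return ALL_ACTIONS & user.spo_act  # restricted to the S_SPO_ACT actions held

def lost_on_upgrade(user, req):
    """Actions available before 4.0 that the same authorizations no longer grant."""
    return allowed_actions(user, req, release_40=False) - allowed_actions(user, req)

# Constructed sample data: a client-local administrator and another user's request.
admin = User("ADMIN1", "100", admi_fcd={"SP0R"}, spo_act={"BASE", "DELE"})
req = SpoolRequest(owner="JSMITH", client="100")
```

Calling `lost_on_upgrade(admin, req)` lists the actions that must be added to the administrator's S_SPO_ACT authorization to keep the pre-4.0 level of access to requests with an empty Authorization field.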

Possible Delta Maintenance for Existing Authorizations

If you are upgrading from Release 3.0, you will need to make the changes shown below to the authorizations of your system administrators if you wish to allow unchanged access to the system.

The authorization extensions have not been added to the standard SAP_NEW authorization profile. However, SAP is delivering predefined authorization profiles which you can give to your users. (See the mass change functions in the user maintenance system.)

Additional Authorizations Needed to Allow Existing Level of Access for System Administrators

Additional authorizations: SPAA, SPAB, and/or SPAC authorization for the single field in the System Administration Functions authorization object
Pre-defined authorization: listed below
The existing SPAD authorization is still required for spool maintenance, but must be supplemented by one or more of the values shown above.
For actions within the user's current client (SP0R, SP01 authorization for S_ADMI_FCD): Additional authorization for the desired actions with authorization object S_SPO_ACT (Spooler: actions), if not already defined.
For actions in other clients (SP01 authorization for S_ADMI_FCD): By default, the user has S_SPO_ACT BASE authorization (display spool requests in the output controller list, no other actions permitted).
For full control over spool requests from other clients, you need to give the user the S_ADMI_FCD SPAD and SPAM authorizations. Access to spool requests in the user's current client remains restricted by S_SPO_ACT.

Pre-Defined Authorization Profiles

The following profiles for spool functions have been pre-defined and are delivered with Release 4.0:

Pre-defined profiles for system administration

All S_ADMI_FCD (System administration functions) authorizations except for spool administration (authorization value SPAD).
Adding any of the following spool profiles gives the desired additional access to spool administration.
Management authorization for spool requests: Manage spool and output requests in the output controller in all clients and for all users.
In user's current client: User must have an additional authorization for S_SPO_ACT (Spooler: actions).
In other clients: Full control over spool requests.
Unrestricted spool system maintenance authorization.
Allows all operations in Spool -> Spool administration, including defining printers, modifying device types, and so on.
Spool maintenance restricted to defining and editing devices (printers).
Device definitions identify a printer in your system to the R/3 System.
Spool maintenance restricted to managing external output management systems (OMSs) in the spool system.
Allows a user to define or edit the R/3 spool's physical and logical OMS definitions. These definitions enable communication between the R/3 System and an external OMS.
Spool maintenance restricted to maintaining device types and associated components.
A user can define or edit a device type, work with R/3 formats, work with R/3 character sets, and so on.

Add one or more of the following end-user authorization profiles to an administrator profile to specify the access that an administrator has to spool requests in the spool output controller.

Example: The combination of profile S_ADMI_SPO_J (S_ADMI_FCD SP01, SPAD, SPAM) and S_SPOOL_LOC lets an administrator use the output controller to do everything except display the contents of spool requests. The administrator has this level of access for all spool requests that were generated in the client in which he or she is logged on.

Pre-Defined Profiles for Printing (End-User Functions).

All S_SPO_ACT (Spooler: actions) authorizations; all printing and other output controller operations are allowed, but only on spool requests that belong to the user.
Includes an unrestricted authorization for output devices (authorization object S_SPO_DEV value *).
Like S_SPOOL_ALL except without authorization to display the contents of any spool request.
Change spool request attributes in the spool output controller. Applies only to the user's own spool requests.
Change the authorization value in spool request attributes. Applies only to the user's own spool requests.
List spool requests and their attributes. Applies only to the user's own spool requests.
Delete spool requests. Applies only to the user's own spool requests.
Authorization to print to all R/3 spool output devices (S_SPO_DEV (Spooler: devices) authorization).
Display the contents of spool requests. Applies only to the user's own spool requests.
Print a copy of a spool request. Allows selection of Print immediately when generating a spool request and printing of a spool request from the output controller. Does not restrict permission to create a spool request (without printing).
Redirect spool requests. Applies only to the user's own spool requests.
Print multiple copies of a spool request. Applies when generating a spool request and when printing from the spool output controller. Applies only to the user's own spool requests.

Examples

Authorization object S_ADMI_FCD values SPAD and SPAA.
Authorization object S_ADMI_FCD value SP0R or SP01 and Authorization object S_SPO_ACT value DELE
With S_ADMI_FCD, the user could also list spool requests from other clients and display their attributes.
Authorization object S_SPO_ACT values BASE and PRNT and Authorization object S_SPO_DEV value LP01