Hi,

We have ERPLN FP2 environment and we use DEM process browsers for ERP users.

Now we have got requirement from auditors where they want to check which users are having what rights on specific sessions.

We have created a report that shows the DEM roles and business processes assigned to employees. But we are unable to get session level authorizations.

Can anybody guide how we can get employee's session level authorizations.

Vishal

Hi Vishal,

you can try with Session "Print DEM Session Authorization".

Call that report from Session "Project Models" -> Choose Session Employees by Project Model".

Regards,
Juergen

We couldn't find a suitable session for DEM reporting in the standard system, so wrote our own. It's pretty complicated if you include all potential situations: roles that include roles, business process that include other business process, and optionally subapplications (specific options). It starts with the roles that a user has, then walks the structure from roles to business processes to sessions. Optionally, you can go another level from sessions to subapplications since many important sessions are called from others (like maintain business partners or addresses from sales orders). Uses these tables:

tgbrg820, Roles by Employee
ttaad200, User Data - identifies superusers and those with run/program.
tgbrg840, Employees by Project Model
ttaad100, Companies - determine for current package VRC.
tgbrg000, Central Enterprise Modeler Data Company - get DEM defaults for some table lookups.
tgbrg005, Runtime Project Model per Company - get DEM defaults for some table lookups.
tgbrg035, DEM Parameters - get DEM defaults for some table lookups.
tgbrg100, Versions - get DEM defaults for some table lookups.
ttadv040, Current Package Version by User - get DEM defaults for some table lookups.
tgbrg836, User DEM Settings - identifies menu browser vs process browser users.
tgbrg110, Current Versions by User - get DEM defaults for some table lookups.
tgbrg300, Business Models - if used, for business process/role links with less than full access.
tgbrg340, Roles by Business Process Business Model
tgbrg500, Business Processes
tgbrg520, Business Process Activities - sessions
tgbrg523, Subapplications by Business Process Activity - specific options/zoom sessions.
ttadv200, Sessions - determine if a session is print/display or full/update access.
tgbrg555, Applications by Component
tgbrg557, Components
tgbrg810, Roles
tgbrg815, Subroles by Role
ttams330, Session Authorizations by Package - include AMS permissions.
ttams331, Session Authorizations by Module - include AMS permissions.
ttams332, Session Authorizations by Session - include AMS permissions.
ttams333, Session Authorizations by Company - include AMS permissions.
ttadv112, Package VRCs in Package Combination (Runtime)

Moving to a more recent tools level and enabling the Enhanced AMS feature greatly simplifies the process since new AMS tables are generated that already has sessions by roles and security level. Another consolidation table in DEM (tgbrg998) provides the business process for each role/session.


I found it easier to create a holding table to store the data as it was discovered in order to support nested roles and business processes.

Determine roles by user (as linked in roles and nested roles)
Determine business processes by role and user (as linked and nested business processes)
Determine sessions by business process, role, and user.
Optionally, determine subapplication sessions by sessions, business process, role, and user.
Check AMS for any overrides by company.
Keep updating temporary table until all sessions and permissions are filled.
Report from temporary table.