Setting up Authorization for Account Segmentation

Similar Messages

• Set default role for Account in SAP CRM 7.0

  We are using SAP CRM 7.0
  When an end user creates a new account there is a section called
  "Role" sub assignment block with entries like "Competitor", "Account", Contact Person, etc.
  I want by default when you create an account that the role Account is specified in there.
  I want it done automatically and do not want to rely on the end user to seelct this.
  I was able to do this with contacts by using an SAP note to set this for cotnact person.
  But does anyone know how to do it for an Account ?
  All I want to do is that when an account is created the system automatically sets the role as "Account".
  Thanks,
  Jon

  Hi Jon,
  For any code changes in bsp components we need it's z-instance and that we get after enhancing the respective entity for eg views, context nodes etc..
  In case you are not familiar with the enhancement, please refer to some thread which explain about the component enhancement concept.
  Coming to this requirement..
  You need to enhance bp_roles component, then enhance rolelist view and roles context node.. redefine the GET_V_PARTNERROLE method.. copy the parent class code and do the necessary changes to manipulate the entries in gt_ddlb_add
  Check the statement at line no 107..
  gr_ddlb_roles->set_selection_table( it_selection_table = gt_ddlb_add ).
  Just before above statment call, manipulate gt_ddlb_add to keep the required role value at index 1..
  Another thing in my test system i can't see any role as "Account" under SPRO customizing "Business Partner Roles" instead "Business Partner (Gen.)" is available, don't know if you are able to see Account Role in the Roles DDLB..
  i would suggest debug the get_v_partnerrole method once at line no 107 see the entries in gt table you will get an idea what you need to change.
  Hope this helps..
  Cheers,
  Sumit Mittal

• Document for Account Segmentation

  Hi,
  Can any send Document Account Segmentation through DTW in SAP 8.8 to c.premanand at gmail

  Hi,
  you can use dtw template that I have asked the sbo_knowledge_village yahoogroup mailist moderator to publish such dtw template. it is for segmentation account.
  Join the group and you could dowload the template and other sbo document.
  JimM

• GL roll ups for Account Segments

  Hi All,
  How is it to extract the data from tables to show the roll ups of the account segments. We dont have roll up groups for account flexfields defined but have parent /child defined.
  for example: certain accounts fall under this category and certain team/department falls under this business unit.
  Please let me know how we can get that relational data from backend tables.
  Thanks,
  Prathima
  Edited by: Prathima on Jun 5, 2009 4:43 PM

  use autoaccounting

• GL Determination - General Tab for Accounts segmentation

  Hi All,
  I am using Accounts Segmentation - as Location and Advance G/L Determination. In Advance GL Determination i can able to map ledgers segment wise for purchase,sales and Inventory. But for General tab am not able to map ledgers segment wise.
  For Example : I want to map Rounding Off in General Tab segment wise.
  Regards,
  Chidambaram R

  Hi Jitin
  I din get any error message. I want to map General Tab in G/L Determination segment wise.
  For Example - I want to map Rounding off ledger segment wise.
  Regards,
  Chidambaram R

• How can I use ken burns end transition frame to set cropping size for next segment?

  I am trying to figure out how to trivially take a large frame view, in a clip, and use a Ken Burns transition to "zoom" into a new view, and then grab the ending "frame" location and size and set that as the clipping rectangle in the next segment.  It seems like I should be able to just select the end fram view, type CMD-C to copy, and then select the next segment, choose "Clip", and type CMD-V to paste that "rectangle" as the clip.  This doesn't work, so I am looking for another way.  There's nothing in the popup menus or the main menus that I can find.
  Is this possible?

  I am afraid there is no easy way to this with Ken Burns. A better way may be to animate the Crop tool instead, using keyframes.

• Authorization for Accounts(Sales district) and Sold-to parties

  Hi Experts,
  I have a requirement where I wanted to restrict Sales districts(Accounts) & Sold-to's depending on the employee responsible for.
  The requirement goes like this.
  There are Sales districts. Each Sales district has around 4 to 5 Sold-to parties.
  For each Sales district a sales manager is responsible, and for each sold-to party a sales group is responsible.
  Now when a manager logs in using his logon credentials then he should be able to see only the sales districts(Accounts), he is responsible for and the sold-to parties for that particular Sales district(Account).
  But when a sales group logs in , he should be able to view only his sold-to parties, which he is responsible for.
  Any clue on how to achieve this requirement.
  I have used CRM_ORD_LP, CRM_ORD_OP & CRM_ORD_OE but they are related to actvities, leads & opportunities authorization objects.
  How about Sales districts (Accounts)? How can I restrict it to Sales districts(Accounts) for managers and sales representatives?
  Thanks in advance.
  Rohan

  If you don't need to restrict access to all customers but only to propose customers assigned to certain salesman you could probably do it via partner determination rule where you would say when the employee responsible is entered in sales document that customers belonging to this salesman are proposed on selection screen.
  If you need to restrict it then I think you have 2 choices:
  - use ace to restrict by sales district
  - create Authorization Groups, assigned them to customers and then create pfcg roles for salesman providing in pfcg access to certain Authorization Group. in pfcg you use B_BUPA_GRP object. But the problem using pfcg is that you will have to create as many pfcg roles as many salesman you have and this can be a huge thing.
  So ace will probably be more appropriate.

• FS - RI module in SAP - authorizations for Account Release into FS-CD

  Dear experts,
  I have the following problem.  I have provided certain authorizations by creating roles which are being used for a) to display reinsurance treaty b) to create Account for the treaty and c) to release the created account into FS CD module.
  Now, these specific roles ( for example z_role_account release) works fine when a user has used it.  This user is able to create an account for a particular treaty and also release the account.
  Then, when the same role is given to another user (actually twenty of them who need to do the same tasks on daily basis), it does not work.  I ran the TC /nsu53 and the message appeared is "all authorizations checked are so far successful".
  My question is,
  The same account is released with first user id. 
  It is not released when working in the login of the second user.
  Both the users have similar authorizations.
  /nsu53 tells me there is no problem with authorizations, when checking second user.
  There are no data errors since the same account could be released by the first user.
  SQL trace mechanism does not display any records when tried.
  How to solve this problem.
  I tried to give same roles to a new user but, no difference.
  RK

  DFKKLOCKS

• Accounts Segmentation wise Authorizations possible or not?

  Hi Experts
  My clent needs authorisations for account segmentation wise
  One branch accounts will not see other branch employees
  Will it possible or not?
  If it is possible, Tell me how to do this?
  Prasad

  Hi Prasad,
  Check the thread
  Re: ACCOUNT SEGMENTATION
  Regards
  Jambulingam.P

• ECC6: Authorizations for GOS

  In ECC6, I should give two different levels authorization into generic object services Toolbox.
  I have two type of users:
  1. Administrator
  2. Accountant
  The Administrator should be able to create, edit, display and delete notes.
  The Accountant should be able just to create and display notes.
  Administrator users were given the S_OC_ROLE athorization object .
  Accountant users were given the S_GOS_ATT authorization object, though this doesnu2019t work since the accountant users are still able to edit and delete notes.
  My question is: how can I remove the edit and delete authorizations for accountant users?
  Thanks,
  Kind Regards

  A concrete scenario I have to deal with:
  The scope for all business partners and transactions should be limited to central Europe.
  The relevant field for this authorization is the id (number range) respectively the business partner grouping.
  - I would use ACE rules to filter the relevant business partners by their ID or grouping and relevant transactions by their account-assignment
  - I would set up ACE rights to limit access for the actions read, write and delete
  - to handle the create authorization, I have to define a PFCG role and limit access to certain CRM components
  The user should be allowed to read Corporate Accounts,
  to read, edit, create Contacts,
  is not allowed to deal with Opportunities,
  is allowed to create, read all activities and to read, edit, delete own activities (if he is the creator),
  is not allowed to deal with any report or pipeline performance.
  - ACE role/right to read Corporate Accounts
  - PFCG role to restrict create access for the BP_HEAD component
  - (ACE role/right to limit search results for opportunities)
  - PFCG role to restrict create, search, overview access for the BT111M component
  - Business role without Work Centers or Logical Links to opportunities
  - ACE role to limit access to read activities
  - ACE role to limit access to read, edit, delete activities which the user has created
  - PFCG role to restrict access to all pipeline performance components
  - remove PFCG roles for report access (e.g. SAP_CRM_OR_USER)

• What happends when you give 2 groups with some of the same members different authorizations for a document

  Hello,
  I'm doing my internship at a litte Telekom company. I'm investigating how they can use MS SharePoint as their central place to put projectinformation. Now i've been thinking what happends when i do the following:
  Make one document library
  Add 2 groups to the Active Directory, group "A" with all the employees and group "B" with only four people working on a project. When i add a document to the document library and set the authorizations for the document as
  follows:
  Group B: Read/Write
  Group A: Read
  Does the people from group B still be able to edit the document, because they are also in group A?
  I don't have a test environment to test this myself.
  Why i want to know this? The company want's one place to place all their documents with projectinformation. This information is about different projects. You only wan't that people can change the specific document when they are working on the specific project
  where the document belongs to.  

  You get the union of permissions, so if one group allows access and the other not, you will get the union of both and therefore access. Of course, you can break security settings per library/folder or document, and specify new settings,
  if you need too.
  Kind regards,
  Margriet Bruggeman
  Lois & Clark IT Services
  web site: http://www.loisandclark.eu
  blog: http://www.sharepointdragons.com

• What's the best way to do authorization for my app?

  The authorization situation is somewhat complicated for my app.
  Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM.
  From what I've seen so far, there are two different options of setting the authorization for the component:
  1. Set its Condition
  2. Set its Security Authorization Scheme
  Here is my understanding for each (from my limited experience with APEX):
  1. Set its Condition
  + Can pass in parameters such as :APP_USER, page numebr, P0_ITEM. So I can just create one function that does all the authorization
  - Have to combine the SQL query with the component's non-authorization display conditions, if any.
  2. Set its Security Authorization Scheme
  + By name, it seems like it should be used for authorization
  - Cannot take in parameters relating to the page, such as the page number --> therefore I will need to create many different schemes, for all the different pages.
  #2 will end up with a long list of schemes (each with its own SQL queries) for different pages, which doesn't seem as efficient as #1 with far fewer SQL queries and just take in parameters.
  Which one should I pick?
  Thanks!

  953006 wrote:
  Thanks fac586 for the detailed response, and also everyone else who replied. You guys are very helpful and respond promptly. And we'd appreciate it if you changed "953006" into a real handle promptly.
  Andre mentioned using conditions:
  The way I work around this is to have two functions, one which is used at the page level as a normal authorization scheme and one which can be passed variables which is called as a Condition and the name of the item is one of the variables, in effect giving it "self awareness".But fac586 said:
  You can't pass "parameters" to authorization schemes. Use application items, APEX collections or application contexts to set current context before the authorization scheme is evaluated, and access these values in the functions.Does this mean, fac586, that we can avoid conditions altogether? No, it means that I prefer to use Authorization Schemes to control access to resources based on user privileges and security, and Conditions to control rendering and processing for functional reasons. Using the approach described above I have found it possible to maintain this separation.
  Say if a page has two buttons, Button_A and Button_B. Button_A has a set of requirements for displaying and Button_B has its own set of requirements (some of which are shared with Button_A). So far, the only way that I can see of using pure authorization is to write 2 different authorization schemes, and set the authorization schemes for the two buttons respectively.What's the problem with that? Consider a more concrete example using a standard APEX report/form pattern for customer maintenance. Page 6 contains the report, and page 7 is the maintenance form with P7_CREATE and P7_SAVE buttons. Only users entitled to create new customers should have access to P7_CREATE, and only users able to edit customers access to P7_SAVE. This would be controlled by the CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes respectively. Functionally, conditions are used to show P7_CREATE if the P7_CUSTOMER_ID is null, and P7_SAVE if it's not null. We don't mix non-functional security considerations with functional requirements.
  The CREATE_CUSTOMER and EDIT_CUSTOMER authorization schemes are of type PL/SQL Function Returning Boolean. These are implemented using package functions. Exactly how a user has create/edit customer privilege is determined in the package. Determinants that are shared by multiple schemes can be combined at this level. These implementations can be changed as necessary without requiring changes to the application.
  The authorization schemes are reusable across pages and components. On page 6, CREATE_CUSTOMER can be used on the "Create New Customer..." button; EDIT_CUSTOMER on the report column containing the "Edit" links.
  Each component of the app is authorized based on not only the user, but also the page number, the value of at least one P0_ITEM. So I guess this goes back to my original concern with Authorizations:
  [Using purely authorizations] will end up with a long list of schemes (each with its own SQL queries) for different pages [and page items] ....
  Re: VPD policies. Note that in the example above there's no need for the authorization schemes to "know" which pages/items are being evaluated. The P7_SAVE button and the page 6 link column are involved with the EDIT_CUSTOMER operation, so that authorization scheme is applied to them.

• No Authorization for BSP

  Hi friends,
  I transported this request(which had ICF Settings, Mime Object and BSP). Now when I go in Test System and then in SE80, I display my BSP and when I execute from SE80, it tries to open following url in IE:
  http://brcbdbd1.amoco.com:8010/sap/bc/bsp/sap/zbsp_filenet/default.htm?sap-client=110&sap-sessioncmd=open
  it does not display and gives me a message -
  "You are not authorized to view this page" It does not even ask for WAS userid and password screen
  Do we need to set up authorization for this BSP ?
  Any ideas on authorization and how do we maintain for BSP's.
  regards
  Deepak

  if you go to transaction <b>SICF</b>, try browsing and find your node <b>ZBSP_FILENET</b>. If you either doubleclick or right click, it gives a dialog box, and asks for username/password. You can set , username and password there.
  For more information, look here:
  http://help.sap.com/saphelp_470/helpdata/en/36/020d3a0154b909e10000000a114084/frameset.htm
  Internet Connection Framework -->
  HTTP Communication Using the SAP System as a Server -->
  Using the ICF -->
  Linking a HTTP Request to an ICF Service -->
  Creating an ICF Service
  All your doubts regarding Logons will be cleared.
  Regards,
  Subramanian V.
  Regards,
  Subramanian V.

• Authorization for Delivering Plant in Sales Order

  Dear All:
  We need to set up authorization for a user based on 'delivering plant' in Sales Order registration (VA01).  It appears there is no standard available for this.
  Can you kindly help by giving hints to achieve this?
  Regards,
  K. Dwarakanath

  Hi,
  1. You can create a custom authorization object (via SU21 or equivalent); add field 'ACTVT' with permissible values '01', '02', '03'.
  2. In form USEREXIT_CHECK_VBAP of include MV45AFZB, you can call the function module AUTHORITY_CHECK, to check the authorization and throw an error.
  This user exit is triggered everytime a user makes any change to item level, i.e. applicable for change of plant too. The call for authority check can be based on whether plant is changed or not. I guess *VBAP and VBAP can be compared to check whether plant is changed. If *VBAP-WERKS is not equal to VBAP-WERKS, then call authority check FM by passing username, custom object name, FIELD1 = 'ACTVT', VALUE1 = 01 or 02. If exception returned by FM is USER_NOT_AUTHORIZED, you can throw an error message.
  Cheers,
  KC

• Release authorization for Posting FI document nor Parked document

  hii guru
  I am facing a problem as below. i have created a release authorization for parking document using workflow variant, created event - Created, object type - FIPP, receiver type - WS10000051, and when i am parking the document its working fine, wants release authorization to post parked document. but my client requirement is to set release authorization for posting FI document in fb50.  not parked document.
  please give me a solution how do i cofigure the release authorization to post directly FI Document in fb50.
  thanks & regards
  Rajesh

  i have solved by myself