Authorisation in CRM

Similar Messages

• Position based authorisations in CRM

  Hi there,
  In SAP ECC the user account is assigned against the employee record.  When the employee is assigned against the position it automatically inherits the roles when transaction PFUD is run.
  We want to use the same functionality in the CRM environment but find this is not working.
  We distribute our org structure using the standard model via message HRMD_ABA and include IT0105 subtype 0001 (User)
  We note the distribution assigns the user against the BP employee role created in CRM.  However in PFCG it is the CP that is assigned to the position not the BP
  Can you please provide any information to get position based authorisations working in CRM.
  Many thanks
  Stephen.

  >
  Mike Ferguson wrote:
  > Hello,
  >
  > So we before we go down this path we would like to know how many others have.
  >
  > We are distributing our OM hierarchy with O, S, AG, and User to BI from ECC so that role assignments that are on the position get pushed to BI.
  >
  > We run RHPROFL0 in BI to create new users and push roles to the user master record.
  >
  > Everything is working a expected, however I haven't seen this done anywhere so I can't answer questions about sustainability or stability.
  >
  > Please provide feedback to this approach if you have experience with it or if you considered implementing and decided against it, please provide your rationale.
  >
  > We have also looked at using CUA which works for this scenario as well, however would have a larger impact to our implementation from a technical and process perspective.
  >
  > Thanks,
  >
  > Mike
  Mike,
  I don't see any problem with your design except for the double maintenance of new users and possibly of role assignment to positions.
  My vote is for the CUA, depending on how you look at it, it might be less work up front and can save a lot of maintenance overhead once implemented.
  BI is a child in our CUA, we assign ECC composite role on a position and these composite roles are pointed to BI child roles using variables.  When we run RHPROFLO in ECC new user will be created in BI if the position has ECC composite role pointed to BI child roles.  Everything is maintained in ECC.

• Security Assessment for CRM

  Hi,
  We have been asked to do a security assessment for a client for SAP CRM.
  Any pointers to this ?
  Can anyone share any basic information on the following :
  1. Basic Functionalities in SAP CRM
  2. Structure of roles / authorisations for CRM?

  crm does not give the rights through to sharepoint. u have the option to open sharepoint external with list component where you must take away the sharepoint rights and for us never a usefull option. We created custom application internal and did not published
  sharepoint, we programmed so that documents are visible in iframe via a IIS website and looks to the logged-in user´s and only the documents are visible which belongs to his security role. its a lot of work but we found that it is also faster then the list
  component.
  gruss Daniel Ovadia MBSS - Microsoft Dynamics CRM MCNPS

• CRM Web UI - Authorisation error for Dashboard report

  Hello
  I am accessing CRM specific BI reports on CRM Web UI for areas like Lead Analysis, Marketing and Campaign Analysis etc, and most of the reports are working fine. But when I try to access a dashboard report (I am not really sure if it is called daashboard report beside the report name- it gives me an Authorisation error saying that the 'User does not have proper authorisations'.
  I have tried by assigning the role SAP_CRM_OR_USER suggested by a colleague, but even then I get the same error. Our Basis team does not have an idea on the exact role to be used.
  Could anyone of you please tell me the exact role to be used in order to see those report on Web UI. Thanks.

  Hi Sven
  I have tried that option of the transaction ORDYWB to activate the reports (this was also suggested in a SAP note i.e. to create a Z report and the code for which was given in the SAP note and upon executing the report, it showed a number of activities which have to be performed and had to implement those activities one by one). But in that transaction all the reports and InfoTypes are active with status 'OK'
  If you could give me the exact role which you have used for those reports, I will give it a shot. Also, in the CRM Web UI, I am unable to see the technical name of the report of the interactive report (dash board report?). If the report was executing in the CRM Web UI, we could see the technical name of the report, but for the non-executing reports, could you please tell me how to see the technical name?
  I have raised this to SAP and looks like even they are having a hard time finding the solution. Thanks.

• Authorisation in SAP CRM 7.0

  Hello gurus
  How to work on Authorisation in SAP CRM 7.0
  1)If we want to deactive the Buttons like  Show configuable area,configure page ,Personlize which we see on the right top of the screen in WUI
  Your support is appreciated

  Hi,
  In CRM 2007, CRM7.0, SAP delivers standard roles which helps to run the business smoothly.
  However, if customer wants to change any standard business role, it is suggested to copy it to Zrole and change the authorizations for the corresponding PFGC roles. To change any standard authorizations of PFCG roles, one has to go to PFCG transaction in SAPGUI and should do the required changes.
  Please find more info in the following links:
  Customizing Business roles: http://help.sap.com/saphelp_crm70/helpdata/EN/6e/aab73e83764b4c897efce7020d562f/frameset.htm
  Maintaining Authorizations:
  http://help.sap.com/saphelp_crm70/helpdata/EN/52/671617439b11d1896f0000e8322d00/frameset.htm
  Hope this helps!
  Regards,
  Chethan

• Authorisations based on Sales Orgs in crm 2007 Web Client

  I have a requirement to restrict the visibility of data (both masterdata and transactional data) based on a specific sales org.  For a specific business role i need to restrict visibility for our account managers utilising the web client application to business partners from a specific sales org and also fortransactionsal data from the sames sales org.
  I have been using the following authorisation objects to effect this but with limited success:
  CRM_ORD_OP
  CRM_ORD_LP
  CRM_ORD_PR
  CRM_ORD_OE
  Whilst i can restrict users from viewing some of the specific data 9based on sales org), the transactional data and indeed customer master data  still appears on the web client searches.  What needs to happen to ensure that the data does not even appear in the relevant searches.  The same requirement for searches of customers should also be
  Has anyone met this type of requirement and if so what dod they do to implement it.

  Eddie,
  Are you familiar with Access Control Engine (ACE)?
  Go through this -> http://help.sap.com/saphelp_crm50/helpdata/en/04/0177f9bb67ac4cafb84bb4d4c1d8fc/content.htm.
  and https://websmp205.sap-ag.de/~sapdownload/011000358700002121742006E.
  Authorizations in CRM are controlled through ACE.
  Hope this helps.
  Amar.

• BP Replication from R/3 to CRM

  Hi Forum,
  I am facing an issue with BP Replication from R/3 to CRM.
  Although the same scenario and configuration works well on my dev and qual environment and the same has been trasported to Production, apart from that R3 dev and qual system are completely updated with Prod data as on date so there is no question of any mismatch at the data level and config level.
  The following are the error messages am receiving in SMW01 for BUPA_MAIN:
  1. Business partner with GUID 36F36B473D31C04985CC8AEB314C6BE3 does not exist
  2. Validation error occurred: Module CRM_BUPA_MAIN_VAL, BDoc type BUPA_MAIN
  Now none of my BP are flowing to CRM because of this issue.
  Appreciate any pointers for the resolution.
  Regards,
  Amit

  Hi Vikash,
  The RFCu2019s have been checked for authorisation test, remote logon n local logon. The RFC user is a dialog user and is working well for all logon. I have also checked both the systems they have the logical names as described by you (source & destination both).
  Another thing that validated my point regarding the connection setting is that the materials are flowing fine between the system and even the changes in these materials are replicating properly hence the delta for material is also fine.
  The Inbound and Outbound queues have been deleted from both r3 and crm and the only job running again at the moment is customer_main.
  Regarding you concern for the queue R3AI* it has not been generated even once whenever I have started the initial load. Right from the starting I am monitoring R3AD* in all the outbound and Inbound queues of both the systems.
  The sysfail message is coming for R3AD queue hence I think it is of no use to us. Still if I follow the error message it points towards SMW01 and there the error message is the same as described in the 1st message.
  I have just noticed 2 BP that have come in CRM as STP but its been hours after that no BP is flowing in.
  Now I am eagerly looking out for the final findings that we are going to get from the system when the issue is resolved.
  Thanks again and appreciate the efforts taken from your end.
  Regards,
  Amit

• Deleting Sales Order in CRM and connected R/3 - Help needed

  I have a sales order created from the E-commerce scenario in CRM and has reflected in the R/3 system also.
  Now I want to delete thi sales order from the systems.
  I had cancelled this sales order from the webshop and thus the status in shown as completed.
  Now when I delete the order in the CRM system it doesnt allow me to do so, though I have the option to delete the sales order (I am authorised to do it).
  The error it gives is: "An error has occured in the system LOGPROD100 while copying the document".
  If I delete it from the R/3 system it says you cant delete an order created in the CRM system.
  Please guide me for this ASAP.
  I will be ery thankful to any one who does it.
  Thanks
  Message was edited by:
          Naresh Deepchand

  Hey Vijay Duvvada,
  I hope you are already referred below sap note  and which explains scope & how to do   -
  1084315 - Consulting: Information about the multiple backend scenario
  1763516 - How-to: Basic Setup of MEP
  As explained by Rohit Sharma data should be start flowing to multiple sites.
  please let me know if it does help.
  Regards,
  Arjun

• APD - CRM Data target - Don't run in background

  Hi ,
  I have create an APD to load the Marketing attributes for the BP on CRM.
  The process is ok and it works fine.
  When i launch this process in backgroung, the job failed with the following messages :
  CRM ERROR :
  CX_RSAN_MDL_CHECK_NODE_MSG=>T100_MSGID
  No authorisation for the function CHOOSE
  And nothing in SU53, very strange
  Thanks for your help
  Christiophe

  I have find the solution :
  This is an authorisation problem.
  The user used for background jobs (ALEREMOTE) must have some specific authorisation objects :
  C_CRMBWTGT
  C_CABN
  Christophe

• Business content data source for  BP Product (De)Authorisations & Terminate

  Hi Experts......
  Good evening!!!..
  I do have one requirement for which im not getting any business content ds. Could you pl help me out in that ?
  My requirement is like below.
  Report is extracting SAP CRM contracts data:
  u2022     This report lists the number (as a numerical count) and the Type of BP Contractual Relationships and the Product Groups (PPRs) they are able to sell under those BP Contractual Relationship Agreements (BPAs).
  u2022     This report should also include (at the usersu2019 discretion) all Terminated BPAs and any de-authorised (Terminated) Product Groups. 
  u2022     The user should be able to decide whether the report includes Terminated BPAs and de-authorised Products ONLY.
  Pre-Requisite     BPA Contract has been accepted (Registered)
  Pre-Requisite     Include only changes to BPA contract (including Terminations and Product Group de-authorisations) which have been accepted (Registered) in CLM/Upside.
  Pre-Requisite     Do Not include changes (including Terminations and Product Group de-authorisations) to BPA which are u2018pendingu2019
  ADDITIONAL DESCRIPTION
  u2022     Channel Partners are called  Business Partners by contract.
  u2022     Some T2 Business Partners have contractual relationships with the company, while some may not; referred to as non-contracted T2u2019s.
  u2022     These Contractual Relationships are regulated in Business Partner Agreements
  u2022     BP Agreements outline the BPu2019s Relationship Type with IBM (e.g. Distributor/Reseller/Solution Provider) as well as the Product Groups (PPRs) that the BP has been authorised to sell under the BP Agreement Terms & Conditions with IBM.
  u2022     The subject of this report is to report on the number (as a numerical count) and the Type of BP Contractual Relationships and the Product Groups (PPRs) the BP is authorised to sell under those BP Contractual Relationship Agreements (BPAs).
  u2022     This report should also include (at the usersu2019 discretion) all Terminated BPAs and any de-authorised (Terminated) Product Groups (PPRs) previously associated with the BPA. 
  u2022     The user should be able to decide whether the report includes Terminated BPAs and de-authorised Products ONLY.
  u2022     A BP can have multiple relationships with Company (e.g. Distributor and Solution Provider).
  u2022     For each of these relationships the BP may have a separate BP Agreement (BPA) with company.
  u2022     Both T1 and T2 BP Agreements are also stored as a system contract in CRM outlining:
  o     The Discounts a BP will get under the corresponding agreement
  u2022     The BP Relationships are also reflected as a SAP Distribution Channel in SAP.
  Waiting for your quick response....
     Thanks in advance.

  Hi,
  I think you need to recheck RFC created for QA system , i guess it contains IP Address of the Dev system . Which is why it leads to Dev system whenever you try to goto source system.
  In case if dev, quality server are in the same server with different client then
  Goto  Transaction SM59,
  Select RFC (Dialog ) and tabpage "Logon security" tick on logon screen
  Hope that helps.
  Regards
  Mr Kapadia
  Assigning points is the way to say thanks in SDN.

• Payment  Card Processing - CRM 4.0

  Hi,
  I have done all the config and customisation required for the Payment Card Processing in CRM 4.0.
  I was wondering if I have to make some changes on the R/3 4.6 c side?
  Right now the authorisation is happening in CRM. Once the document goes to R/3, it returns an error saying that the Credit card payment failed in R/3.
  Do I need to switch off the authorisation determination in R/3 (its not required, since its already been done in CRM), if yes, what needs to be done?
  Anything else on the R/3 side which I have missed?
  thanks
  Yash

  Hi Ash,
  You also have to do a bunch of configuration activities in R/3, apart from CRM. Basic authorization takes place in CRM order, and when this order flows into R/3, the approved authorization has to be validated for follow-up processes like invoicing, payment posting etc. Sometimes the order need to be re-authorized in R/3, if the quantities and or line items changes.
  List of all the required R/3 payment card configurations must have been provided by the payment card interface vendors like verisign, paymetric etc.
  By the way who is the payment card vendor for your project? Request them a copy of R/3 configurations docuement.
  If you don't get the copy, then let me know. I should be able to give you the list of configuration activities.
  Reward if helps.
  Regards,
  Paul Kondaveeti

• Transfer HR data from ECC 5.0 to CRM 5.0 via HRMD_ABA

  Hi there.
  We are implementing CRM for the first time using version 5.0.
  We wish to use ALE distribution via message type HRMD_ABA.
  We have researched all main notes (312090, 550055 and 934372 to name a few) and have set up configuration accordingly.
  We copied the HR to SRM/CRM 4.0 (with Qualifiations) distribution model template with data filter, distributed the model to CRM and succcesfully generated both partner profiles.
  The outbound parameter generated a HRMD_ABA04 idoc type. 
  We note when using the RHALEINI program that IDOC segment E1P0006 is not included against our employees.  Also IT0006 is not available as a selection in update mode.
  We confirm the template filter includes settings for object P, IT0006, subtype 1 and such addresses are maintained for our employees.
  Can you please advise suggestions why E1P0006 segments are not being included against the outgoing IDOC's.
  Thank you and kind regards.
  Stephen.

  Hi Pratik,
  Yes the IDOCs are passing successfully through to CRM with status of 03 (IDoc sent to R/3 System or external program).  However segment E1P0006 is not included within the IDOC.
  I performed an authorisation trace via ST01 whilst performing the distribution via RHALEINI and found no authorisation issues.  The trace did note authorisations were passed for IT0000, IT0001 and IT0002.  IT0006 was not checked.
  It appears the data filter as copied from the template for object P, IT 0006, subtype 1 is being ignored?
  Kind regards
  Stephen.

• FPL9 and authorisation objects

  Hi
  We use ISU 4.72 and users access FPL9.  We need to restrict certian users from accessing the budget billing and installment plan icons.  There appears to be no associated authorisation checks performed and the t-code remains the same also
  Thanks
  Alan

  Hi CRM Team,
  I have ECC6 but you can try SU24 and enter tran code FPL9.  You can set authorization object E_B_BIL_PL (Authorization object for budget billing plan) and F_KKINSTPL (FI-CA Auth. for Installment Plans in a Contract Account).

• More information on SAP CRM

  hello all,
  i just want to know how to certified SAP functional consultant ,courses,fees,place,training institution .please advise
  thanks
  prajith

  Hi. You can learn SAP CRM course at Siemens which is an authorised centre. IT is abt 2.5-3 lacs. you can take up the certificate later. To get a job, most companies will look out  for domain experience in sales or marketing..
  I  would suggest you to attend an onlline course or study in centres at Bangalore/Hyd, practice on IDES version for some time and then take up your certification though I cannot assure you the quality of such places. you can take up a CRM course for about 10-15k.
  Ask for real time trainers. Practice well and when u r ready go for certification.
  I have heard of many people leaving their jobs to do the SAP course. Pls dont do this.Try to study side by side.

• Protect customer from changes both in SAP and CRM XD02

  Hi
  I would like to protect some customer be changeable for some users. (Both in CRM and R3)
  The customer group on the customer is 0001, and itu2019s just a few customer in this group that the users not should be able to change.
  In CRM I solved it by using the field BUT000-AUGRP.
  I create an Authorization Group Z001, and on authorization object B_BUPA_GR, I set activity 03 and BEGRU on Z001
  Then assign this to the user. And the user could not change this customer
  In R3 I donu2019t got this to work.
  It seems that R3 more protecting fields then the hole customer.
  Anyone who can help me with this?
  How shall I solve the problem that I want to block some customer in account group 0001 to NOT be maintained in XD02, only from the user that have right authorisation.
  I have tried to use this IMG activity (and also maintained the customer with this)
  Group Fields for Customer Master Records
  Define Field Groups for Customer Master Recor
  Define Field Groups Relevant to Authorization
  Define ctivity  Maintain Authorization Types
  And then add this in the authorization profile.
  But the can still change this customer
  I also tried to set on a Trace in ST01  and marked authorization check, But I don get anything back on this
  Hope someone can help me out with this
  THANKS!

  Hi,
  Following Authorization Objects can be used for your purpose:
  F_KNA1_GRP     FI     Customer: Account Group Authorization
  F_KNA1_APP     FI     Customer: Application Authorization
  F_KNA1_AEN   FI          Customer: Change Authorization for Certain Fields
  Try with these. You will get the documentation for these objects in SU21.
  Regards,
  Dipanjan