Authorization/Permissions in CRM

Hi all,
I am 100% sure that one of you can help me ;).
I am using CRM in the portal and now I have to create different permission roles.
In my CRM we have all different cities from a country but the user should only see the cities which belong to his profitcenter (KAM1, KAM2, KAM3).
E.g. User A from KAM1 should see city 1 and User B from KAM2 should see city 2.
On the city which is a BP we set the authorization type (e.g. KAM1)
Therefore I used the functionality "type of Authorization" or in German Berechtigungsart.
I created 3 roles and restricted each of them so that each specific role should only see cities for its authorization type.
Unfortunately tests show that my approach is not working. Users that are restricted to KAM 1 still see all the cities.
Is there anyone who can tell me the missing link? ;)
I can try to explain my challenge also in German...
Thanks
Nicole

Hi Nicole
What must the user see? Give an example of what the user is trying to do, like view a report or view a transaction. I understand the basic idea of the authorization you are trying to build, but it would be helpful if it is more specific about the transactions or reports you are trying to put the authorization effect into. I can suggest something then.
Thanks

Similar Messages

  • Authorization restriction for CRM 2007

    Dear Experts,
    We are in process of defining the authorization matrix for CRM 2007 for end users who will be using Web UI.
    Here my requirement is the service orders created by USER1 should not be displayed by USER2 and vice-versa when they do a search in both Web UI and GUI in Tx CRMD_ORDER for service orders.
    Please let me know how I can achieve this and what the auth. object for the same is.
    Thanks & Regards,
    Sharath

    Dear babu,
    If I understood your request, you want that, only one user will be able to access the document. If you want to do that, this is the answer:
    At tcode PFCG you should set:
    First you must set what type of document will be available to the user, in this case Z020.
    CRM_ORD_PR: PR_TYPE 'Z020',ACTVT '*'
    Next you must set which activities they will be able to do (notice, you must set the same field in the previous object)
    CRM_ACT: ACTVT '*'
    And then you set which partner function or partner category are able to access the document, here is the main point !
    In this example I set that only users who have Partner Category (not partner function) Employee Responsible (std partner category 0008) are able to access the document
    CRM_ORD_OP: ACTVT '', PARTN_FCT '', PARTN_FCTT '0008'
    Here you can notice again field ACTVT, here you will set what users are able to do, "*" means everything, "1" = create, "2" = modify, etc. (I can see the list at PFCG, adding the auth. object to the PFCG profile).
    I notice only std partner function or partner category works with this object. I sent a message to SAP support, and they confirm that, so if your user has Z partner function or category it is not possible to do that.
    Summary, your user must be present in the partner list of the document, and they must have a partner function or partner category std. It is possible to set together both values PARTN_FCT  and PARTN_FCTT, but I think it is not necessary.
    The easy way to do that is, user who will be able to access the document, must be the employee responsible.
    This help is very useful
    http://help.sap.com/saphelp_crm60/helpdata/en/4a/b9f63a8ab2c745e10000000a114084/frameset.htm
    Regards,
    Lalas
    ps.: As you should know, only one partner function must have partner category Employee Responsible, in the partner det. procedure, otherwise, you will get error message in your application.

  • S_DEVELOP authorization needed for CRM Web Client in SAP CRM 7.0?

    We implemented an own WebUI component in SAP CRM 2007 and use it in others components (with USAGE).
    After we transported the component to SAP CRM 7.0 we always got an error CX_BSP_DLC_CONFIG_GENERAL_ERR when loading the component. But if we set the permission to SAP_ALL everything works fine.
    In SAP Note Nr. 1367944 we read:
    "It is not possible to run the CRM Web Client without the S_DEVELOP, activity=03
    authorization because it is needed by the Web Client Framework.
    The S_DEVELOP authorization is part of the SAP_CRM_UIU_FRAMEWORK PFCG role, which must
    be assigned to every user."
    "This dependency has been removed in CRM 7.0."
    Do we need to install some other SAP Notes at SAP CRM 7.0?
    Many thanks for any advice!
    Handri Gunawan

    Hi Handri,
    I asked my colleague here, who created the note.
    The note is correct, in CRM 7.0 you do not need S_DEVELOP anymore.
    The error that you have might occur because of another reason.
    Could you track the call stack of this exception?
    And send me back the call stack?
    Regards,
    Steve

  • Question regarding Authorizations in SAP CRM 7.0

    Hello,
    The problem is this:
    We have a client who will use two ways of accessing SAP CRM 7.0 data -
    1. CRM Web UI
    2. Mobile devices via standard SAP CRM BAPIs
    Now the situation is that the client wishes to control display authorizations based on the Business Role. Certain Business Roles can allow its User to see Accounts where the User is also Employee Responsible and certain other Business Roles can allow its User to see all those Accounts that are associated with that Role. In summary Business Roles control what an User can see.
    This has already been implemented for the CRM Web UI using the Access Control Engine (ACE).
    Now the questions are:
    1. How do we implement this for BAPI Access?
    2. Should we recreate what has been achieved by ACE, via PFCG Authorization Profiles?
    3. Can we not reuse what has been done by ACE?
    4. What are the runtime APIs that allow somebody to use the authorization checks of ACE?
    5. Does the standard Function Module CRM_ORDER_CHECK_AUTHORITY_ACE help in this regard?
    Any help here will be greatly appreciated. Please let me know if you need any clarifications.
    Thanks in advance.
    Best regards,
    Sudhi

    Hello,
    Normally, some notes are recommended in addition to the current support package implementation because they were developed to solve any known issues. These known issues occurred as side effect of any note which belongs to the implemented support package.
    If you take a look at older release notes, you will see the same.
    This is a part of implementation stack.
    1345085  SAP SRM 7.0 SP Stack 04 (09/2009):Release & Information Note 
    1365574  SAP SRM 7.0 SP Stack 05 (12/2009):Release & Information Note   
    1436687  SAP SRM 7.0 SP Stack 06 (03/2010):Release & Information Note 
    Kind regards,
    Ricardo

  • ICSS: authorization in SAP CRM 7.0

    Hello Experts,
    Is it possible to restrict via authorization access to different types of transaction in ICSS in SAP CRM 7.0? For example some clients can have access to complaints, some to service requests and some to both.
    Regards
    Piotr

    Of course, you can. If you are creating the Z: roles for SAP_CRM_ECO_ISE_WU_B2B, then in this role, in the CRM Component, there is an authorization object called CRM_ORD_PR and a field name PR_TYPE. You can go and change the individual users with access to different transaction types or create a Z: object or Z: role for each group as you wish. Use the field name ACTVT to control the access to the transaction type.
    Please note, there may still be some discrepancies in the search selection in the ICSS. Though you may want to restrict the user to not to access "Complaints", the restriction may work at the transaction level, but not at the search level. You may still see "Complaint" object in the Search dropdown list.  I am not sure if SAP has covered all the features of ICSS to abide by this role.

  • Itunes authorization/permissions problems?

    i've been trying to play/connect to itunes on my new macbook...the song has downloaded and is in my folder, but will not let me play it
    it states the following error message:
    "there was an error storing your authorization information on this computer
    the required directory was not found or has a permission error. correct this permissions problem and try again, or deauthorize this computer if the permissions cannot be changed."
    i have tried repairing permissions, and it did not work
    i am obviously connected to the internet
    so i don't know what to do,
    but i would like to listen to the tunes i have downloaded and paid for
    let me know if anyone has fixed or at least encountered this problem
    Message was edited by: ceddydesi

    hey man so did you figure this out, i'm having the same problem and no one can help me, whats going on?

  • Authorization check in CRM ISA

    Dear All,
    I need some small help.
    We have SAP CRM ISA MSA 5.0 SP8. We need to create some roles for the end users who access the system via the CRM Webshop. But we are not able to trace what authorization a user requires or lacks. For example, when I give a role which does not contain the required object, a few functions in the CRM webshop do not work. But we are unable to trace it. Do we have something similar to su53 or a trace (st01/st05)? I tried activating the trace, but it does not work.
    How do I know which object is checked/missing when user clicks something in a webshop?
    Please help me in this.
    Will surely reward points if I find anything which helps me.
    Thanks.
    Rajeet

    Hi Rajeet,
    The following links would help you to some extent.
    http://help.sap.com/saphelp_nw70/helpdata/en/03/37dc4c25e4344db2935f0d502af295/frameset.htm
    http://help.sap.com/saphelp_nw70/helpdata/en/43/3ab19fa272376de10000000a422035/frameset.htm
    Cheers
    Soma

  • Private/etc/authorization permissions changed?

    I thought the unix board may be a good place to get an answer to this question:
    If I run "repair permissions", I always seem to get a message like the following (forgive me if it's not quite right in the file name, I'm doing this from memory)
    permissions corrected on private/etc/authorization group is 80, should be 0
    The reason I ask is that disk utility will repair it, but if I run it a day or so later, the error returns and must get corrected again. Just curious why this keeps getting reset and also curious as to what exactly it is referring to, i.e., authorization of what?
    Any info would be greatly appreciated.

    Hi fishin,
       That's not really a problem. It's doubtless a "spurious error", as discussed by Michael Conniff in Spurious Permissions errors in Mac OS X 10.2. I think you got the group membership backwards. The file is installed with group "admin", which is doubtless a mistake on Apple's part. The group should certainly be "wheel" and some process setting that correctly. Let it do so and don't worry about it.
    Gary
    ~~~~
       All I ask is a chance to prove that money can't make
       me happy.

  • Standard authorization role for CRM implementation team member

    Hello,
    We are starting an SAP CRM implementation project (7.0) and I would like to avoid giving sap_all authorizations to functional consultants in the development environment. Unfortunately I can't find standard customizer profiles like the ones that exist in the ERP system.
    So the objective is to have quite a broad role or profile with no restrictions in customization and functional area. However it's important not to have Basis authorizations in this role/profile. Hope that someone can give me a hint in this direction.
    Thank you,
    Jahoo

    Hi,
    as soon as the implementation team member should also do developments my experience is that without SAP_ALL you will have much trouble. Therefore in our dev-system each consultant will have SAP_ALL authorization. Of course only in the DEV-System.
    Kind regards
    Manfred

  • Acs4.1 & aaa authorization & permit show

    Selam,
    I want to deny all commands except "show run" for a group and for all network devices.
    So I created a group on acs4.1 and attached it with a "Shell Command Authorization Set" ("permit show runnig-config" - "deny unmatched commands")
    then I used the commands which you can see below:
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    NOW: rules are running for my new group but other groups which have full access for all devices are failing (% Authorization failed)
    What can be the problem?
    Thanks
    Ozlem

    create another shell command authorization set for full access group and configure it for "unmatched commands - permit"
    and do not enter any command for it.
    That will work for you.
    ~Rohit
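
A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original posts and is not Cisco's code: once `aaa authorization commands` points at tacacs+, every command from every group is checked against that group's command set. The group names, `CommandSet` and `authorize` are hypothetical, and the model assumes that a group with no set assigned is denied, which matches the failure reported in the question.

```python
from dataclasses import dataclass, field

PERMIT, DENY = "permit", "deny"


@dataclass
class CommandSet:
    """Hypothetical stand-in for a 'Shell Command Authorization Set'."""
    unmatched: str = DENY                      # action for commands that are not listed
    rules: dict = field(default_factory=dict)  # command -> permitted argument prefixes

    def decide(self, command_line: str) -> str:
        cmd, _, args = command_line.strip().partition(" ")
        if cmd in self.rules:
            # Listed command: only the listed arguments are permitted (model assumption).
            allowed = any(args.startswith(p) for p in self.rules[cmd])
            return PERMIT if allowed else DENY
        return self.unmatched


def authorize(group_sets: dict, group: str, command_line: str) -> str:
    """Decision the server returns for one command typed by a member of `group`."""
    cset = group_sets.get(group)
    if cset is None:
        # Assumption: no set assigned means nothing can match, so the command is denied.
        return DENY
    return cset.decide(command_line)


# Set from the question: permit "show running-config", deny unmatched commands.
READ_ONLY = CommandSet(unmatched=DENY, rules={"show": ["running-config"]})
# Set from the reply: no commands entered, unmatched commands permitted.
FULL_ACCESS = CommandSet(unmatched=PERMIT)

# Constructed group-to-set mappings before and after applying the reply.
BEFORE = {"readonly": READ_ONLY}
AFTER = {"readonly": READ_ONLY, "admins": FULL_ACCESS}

if __name__ == "__main__":
    for label, mapping in (("before", BEFORE), ("after", AFTER)):
        for group in ("readonly", "admins"):
            for line in ("show running-config", "show version", "configure terminal"):
                print(label, group, repr(line), authorize(mapping, group, line))
```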

  • Authorization check in CRM

    Hello All,
    Can some one tell me what are these fields in the IMG supposed to mean.
    1)Screen fieild1 2)Screen Field2
    Path:IMG>CA->SAP BP->BP>Basic Settings->Authorization Management
    >Maintain Authorization types.
    regards,
    Muralidhar Prasad.C

    Hi
    Murali, these are user or BP authorization field settings, depending upon the
    role he is playing. You are giving authorizations to users, for example the sales manager has different authorizations, the marketing manager, etc., whether he is key or core,
    so you are setting the set of fields for them. Sets of fields are called segments; 2 or more segments will become one screen for the BP or user. I think you are clear now. Reward points
    Cheers
    Venkat mallela

  • Authorization accounts in CRM

    Hi,
    I have a question...
    Is there an easy way for showing only the accounts, where the user is assigned to (user = salesperson)? E.g. change the functionality of account searching / picking, adjust the screen settings or can this be achieved by authorization?
    Kind regards,
    Wim Kleinsman

    Dear Bryce,
    My Focus page is 'http://www.netpointfocus.com/dashboard/today.aspx'?
    Here I have the same problem. Using the link Accounts I get around 20 results. When I use the account search (in menu for example) I get more results (all accounts).
    Wim.

  • Authorization display in CRM

    Hi,
    Is it possible to give display access for "everything" in CRM?
    Does a role or a profile like SAP_ALL but only for display exist? Which one?
    Thanks for your help.
    Yves

    Hi, Yves
    No, there is no role with display access.
    You need to create such a role.
    Denis

  • Permissions errors? ./private/etc/authorization, should be 80, group is 0

    in the past 3 days i've been finding an error showing up, on several machines, where programs would quit before they would even start up.
    the only way i've found to fix it, has been to run "Disk Utility" and repair the permissions for the drive management.
    Repairing permissions for “Macintosh HD”
    Determining correct file permissions.
    Group differs on ./private/etc/authorization, should be 80, group is 0
    Owner and group corrected on ./private/etc/authorization
    Permissions corrected on ./private/etc/authorization
    has anyone else found this error? where is this coming from?

    Thanks!
    Until I fixed this error using Disk Utility, I couldn't install a 3rd party software app. I didn't log in as root to do it either, just repaired permissions and the install "took" the second time. I'm a member of the admin group... at least I thought I was! My user account says I'm an administrator and I'm the only user on this mac... any way to see what my user account rights are? I know netinfo, but I don't know how to interpret it.

  • Authorization Check in Business Transactions in CRM 2007

    Hi everybody, I have a problem with the authorization check in CRM 2007.
    This link helped me to follow the steps
    http://help.sap.com/saphelp_crm60/helpdata/en/e9/b29a39e7aee372e10000000a11
    I followed these steps:
    1.- Created a new single role on the PFCG
    2.- On the Menu tab add the transaction BSP_CRMD_BUS2000108 (Trax for LEADS)
    3.- On the authorization tab create a new profile and in the authorization data set the values for CRM_ORD_OP: PARTN_FCT ‘00000012’, PARTN_FCTT ‘*’, ACTVT ‘02,03’
    4.- Generate the authorization.
    5.- Set my user "TESTUSER" on the user tab
    6.- Save the profile
    Then, I log in to CRM with TESTUSER and I see all the leads. I am missing something, what could be the problem?
    Thanks for your help

    Hi Shaji, Pankaj and Jushan, thanks for your answers.
    I still have the same problem. I want to see only my leads for which I am the responsible. After I generated the authorization and assigned the role to my user from tcode PFCG and SU01, I logged out and logged in again and there were no changes, I still see all the leads.
    Another test I made: I changed the authorization data and set the values for CRM_ORD_OP: PARTN_FCT ‘’, PARTN_FCTT ‘0008’, ACTVT ‘’ (person responsible) and the result was the same, I see all the leads.
    How does the User Comparison work and how can I check for errors in my PFCG role?
    Thanks for your help.
