Authotization Object UIU_COMP
Hi,
does anyone of you have experiences in configuring roles in CRM 2007? It seems that authorization object UIU_COMP is very infuencial to system behaviour.
I am looking for a guide or something like this to understand the structure and the possibilities of the different components and their characteristic.
Up to now we use the authorization trace to find out the affected component within UIU_COMP. Doing it this way it is a long distance to get a complete role.
Does anyone know a more comfortable way of configuration?
Hope to read of you.
Bye
Thomas
Hi Thomas,
Let me explain in detail with example.
To your the Business roles you may configured the component for WorkCenter A&C Management(Accounts, Contacts etc), Marketing (Activities,Campaigns etc) and Sales(Opportunities, Quotation etc) via Naviagetion Bar profile. You can create the Authorization objects directly from your Business roles using report program. Following steps will help you:
1. Execute Report CRMD_UI_ROLE_PREPARE. Report will generate the .txt file and stores in SAP Work directory with business role name.
2. Go to PFCG and select your role.
3. Under Menu in change mode, import the generated .txt file by using Import file option.
4. Imported file will generate the folders under Menu and Authorization Objects under Authorization.
5. Deactivate the unwanted Objects.
Also you can assign Roles using report CRMD_UI_ROLE_ASSIGN.
Allot point if it helps!
Bob
Edited by: Bobby on Aug 20, 2008 12:00 AM
Similar Messages
-
Can we control Work center group links using auth object UIU_COMP
Hello All,
We are running into an issue while doing our PFCG role configuration.
I need to know if we can control Work center group links in a business role through auth object UIU_COMP.
We can control Workcenter's but not 'Work Center Group Links'.
Here is what we did:
- We have a business role Z_RA_DEFAULT.
- The Nav Bar Profile SRV-PRO for this business role has some work center group links that are checked in menu and visible.
- I'm trying to find the values in the auth object UIU_COMP to restrict Work center group links.
- Even though the values Work center group links are in menu and visible,
I want to remove these Work center group links from the screen using the auth object.
- If we remove the check from in menu and visible in the business role the Work center group links disapper from the screen.
Right now this is only way we are able to controle Work center group links.
Question:
- Can I use UIU_COMP to restrict Work center group links?
- any another auth object that controle Work center group links?
- any document/ website / info available which tells us what can we restrict with auth object UIU_COMP?
- or any other way of doing this... like code change, user exit, ....?
Really appreciate your help.
Thanks,
NasirI am not sure if I have understood the issue correctly, but still what stops you from actually creating a clone business role to your existing business role and deactivating the in menu visible work center group links. Use this new business role for users who need to be prevented from viewing the work center groups links in question.
If you are going to use authorization objects to control the visibility wont it impact all users (still defeating your original purpose?)
Again apologies in case I have got the question wrong. -
Missing authorizations for authorization object UIU_COMP
I have generated the pfcg role for a business role using report CRMD_UI_ROLE_PREPARE and assigned the pfcg role to a user.
The user is apparently able to perform navigation as required. However, when a ST01 trace is run for the user, there are few missing authorizations for UIU_COMP. Could anyone please explain the reason for this? No changes have been made to object UIU_COMP i.e. only values generated by the report is present there. Should the missing authorizations be added manually to the role?I would recomend that you define for component UIU_COMP in your pfcg role full access (all set to *), because this authorization object is used for access to web ui components. Even thou if you define this object to full access users will still see just components defined in business role.
Regards. -
I am looking for any direction on the use of UIU_COMP within PFCG roles for the new UI. The default roles which I have copied do not seem to cover all aspects of required security. What about any custom development? Is there any direction or rule of thumb as to determining what entries are required?
There are a number of methods available to determine the settings needed for this authorization object that you can try. Two initial suggestions I would have are:
1) Assign a test user SAP_ALL and run an ST01 trace while the test user is accessing the Web UI. Any calls to the UIU_COMP object will be listed along with the field values needed. Add these authorization values to the production user role.
2) Use program CRMD_UI_ROLE_PREPARE to generate the necessary UIU_COMP settings, based on the CRM business role that is being assigned to the user.
Hope this helps. -
Hi SAP CRM guru,
I am defining roles and authorization via PFCG for CRM 7.0.
We have created some Z WORKCENTERS in the navigation bar.
Once I generate my Z PFCG role I have the standard Workcenters and the Z ones.
Now I 'd like to assign them authorization object UIU_COMP.
I checked Z workcenters and only for standard logical link it appears the authorization object UIU_COMP, meanwhile for the Z logical link authorization objecis not.
Here I have just a guid as external object and a series of question marks like:
???????????? as service type
0D027F94B6471351A19A33BC29ECD5 and service.
I think I am missing some entries in certain standard tables, supposedly customizing ones.
Can you suggest in which ones?
Any help is welcomed.
Regards,
AndreAHi all,
basically in order to map the object, you should add an entry in UIU_COMP authorization object.
Then the problem is solved.
Regards,
AndreA -
Authorization objects and screen elements
i would like to enable/disable a button on screen using authorization object.
haw this can be done.
please help....In the PBO of that screen just do an authority-check on the authotization object (if there is no standard object you can use, you have to create a custom one). In case the authorization fails set the button to inactive.
authority-check object 'authorization object'
ID 'object id name'
field 'field value'.
lv_subrc = sy-subrc.
loop at screen.
if screen-name eq 'field name of button'.
if lv_subrc eq 0.
screen-active = 1.
else.
screen-active = 0.
endif.
modify screen.
endif.
endloop.
That should do it,
Michael -
CRM 7.0 security model & accessebility of data at table level
Hi CRM Experts,
Firstly i am new to this topic 'CRM 7.0 security model' and i want following information from you, my simple requirement of my on going project.
1. what are different types of roles in CRM 7.0 system and how to define those roles & which table all the role information is stored in CRM 7.0 ABAP & Java stack installled system.
2. How are the ABAP & JAVA roles are different from each other in CRM 7.0 system.
3. How to define portal roles in CRM 7.0 & which table or storage location these portal roles data are stored & is there any way we can extract them from CRM system, if any webservice or any mean this can be achieved?
Basically i am interested in users/roles/authorization data in CRM 7.0 for both ABAP & JAVA stack system. please help me achieving this requirement.
Thanks,
Digamber.Digamber,
For an overview of the changes in CRM 7.0, visit the following link:
http://www.sap.com/germany/solutions/business-suite/crm/SAP_CRM7_Highlights.pdf
In respect to Security model, CRM 7.0 is a bit different, where a lot of functionality is executed via BSPs that are run on a browser. However, the authorizations should be still need to assign in the the backend.
For CRM specific security guides, I recommend you visit the SAP link - http://service.sap.com/security
In the left pane hierarchy, go to 'Security Guides'. Scroll down to find the CRM section and download the required guides.
Also, further there are new concepts like WEBCLIENT UI (an extra authorization layer, which is UI COMPONENT LEVEL and logical links. (Controlled by object UIU_COMP)). Standard authorization setup in the new WEBUI client is now controlled by both backend authorizations and the UIU_COMP. That means even if the user has SAP_ALL access, he will not able to perform any actions.
Hope this provides some light!!
Rgds,
Raghu -
Difference between SAP CRM Security and SAP ECC 6.0 security
Hi
I have extensively worked on SAP ECC security but haven't have chance to work on CRM Security.
Can anyone please let me know the difference between CRM security compared to ECC security.
Thanks...I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
really sad.....
The big difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
2) If you are familiar with R/3 or ECC authorizations; then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level , whereas in SAP CRM , in most cases the 'allowed activity is not controlled by the Transaction code, but on authorization object level....
E.g. transaction code BP allows you to create/change/display any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
another example is business transaction processing...which can be launched by:
a very generic transaction code: CRMD_ORDER
transaction category related transaction codes :e.g.
> CRMD_BUS2000126 for activity management
> CRMD_BUS200115 for Sales processes
Again...allowed activity is not controlled by the tcode, but on authorization object level...
3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links.... controlled by object UIU_COMP.
However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
4) Additionally SAP also provides a concept called ACE (which stand for ACCES CONTROL ENGINE)....
This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
You should now that ACE is actually implemented on top of your 'normal' sap crm security setup....
cheers
Davy Pelssers -
Remove authorization to delete Opportunities and Activities
Hi ,
The requirements are that the user can create and change Opportunities and Activities , but not Delete Opportunities and Activities .
I did generate a PFCG role from the Business role , but cannot find the correct object to deactivate/remove from the PFCG role
Thank you.Hi ,
Thank you , but the "Trash Can" in the WebUI is still accessible , the user gets an error log , but is asking from the "Trash Can" to be grayed out . Can we do that ? I was looking at Authorization Object UIU_COMP , but could not find a related activity .
Regard's
Edited by: Christophe Schutz on Oct 5, 2010 10:05 PM -
Role does not allow visibility on activities
Using CRM 2007 sp4 I have recently created a new business role and have assigned this business role a pfcg authorisations role (based on the original sales manager role). I was having problems having users assigned to this role being able to create activities. When they try and create an activity in the calendar area, or through quick create links set up as direct links in the direct link groups or through the activity component no activities types were selectable from. The setup of the authorisations appears fine as if i give the users sap_all access they can create any of the activity types they want. In my pfcg role I had been using the authorisation object to control access to spsecific transaction types (object : CRM_ORD_PR) and eveything seemed to be ok.
The system gives me the following info:
Details No transaction type is available for creating a transaction
Diagnosis: No transaction type is available when creating a transaction. This can be due to the following reasons:
No transaction type is available according to Customizing
The user has no authorization for the transaction type
System Response
It is not possible to create the transaction.
Procedure
Make sure that:
The transaction type is set up in Customizing
The user has authorization for the transaction type
From what i can see this appears to be an authorisation issue but i'm unsure what authorisation objects are required to create activities.
Any help would be appreciated
Regards
EddieHi Eddie,
based on the fact that you are setting restrictions on transaction type CRM_ORD_PR , it means you are actually modeling your access according to the third level check during the authorization check process flow for business transaction processing.
As such you should have access for following authorization objects:
CRM_ACT (value 45 = allow)
CRM_ORD_PR (where you restrict the allowed activity AND the allowed transaction types)
CRM_ORD_OE (where you restrict access based on the allowed sales/service organization).
you must at least have all 3 authorization objects avaialble in your PFCG role, and some concrete values should be maintained as explained above.
The problem however 'might' also be due to missing authorization on "UI component level"; based on object UIU_COMP.
As such it 's a good idea to perform tracing.....
cheers
Davy Pelssers -
Blank screen after login in SAP CRM 2007
hi,
we are experienceing blank screen after we login to crm2007 web client.
what we have done
- implemented sap note 168941, 612670, 1045941, 1144511
- assign PFCG role to business role
is there any other step we missed?
Thanks.Hi friend,
Please, check if in your pfcg profile you have the objects:
uiu_comp
CRMCONFMOD
with value *
Regards,
Lalas -
Authorization by Funds Center - Report Painter Review
I am providing authorization for report painter review. There is the requirement to limit Funds Center for each user to review.
I input Authorization Group in the Funds Center Master Data (FMSA). The Authorization Group coding is same as Funds Center Coding. Then I create authroization role for report painter reivew.
The authorization object "F_FMBU_ACC" has "FM: Funds CenterAuthorization (FM_AUTHGRC)" to scope. I tried input the mentioned coding in this authotization object but the report painter still show the other funds center when execute.
FYI: I created the authorization role and input the role to the new user id to test this authorization setup.
How could I scope Funds Center for the authorization role?
Regards
TonHi Ton,
First of all you have to check if you have not activated "Check Old Activities" in the customizing. Please check the following menu path in your IMG:
PSM -> Funds Management Government -> Basic Setting -> Authorization
check -> Activate Old authorization check.
If you activate the old authorization objects, the following objects are used for the authorization check:
F_FICB_FPS Cash budget management/Funds Management commitment item
F_FICA_FTR Funds Management FM account assignment
F_FICA_CTR Funds Management funds center
F_FICA_WCT Funds Management funds center internal
F_FICA_CCT Funds Management cross-funds center
F_FICA_FCD Funds Management fund
These objects were referred to for the authorization check in Funds Management (FI-FM) up until release 46C.
Regarding the way that you have used authorization group field, I believe you should consider the following:
1) Use of Authorization Groups for Funds Center and/or Commitment Item.
==========================================================
In case of Funds Center, within transaction code FMSC (fund center master data) is available the field 'Authorization Group', the same used in the authorization rules.
It is not the 'fund center' field itself, is the group that you are grouping the fund centers only for authorization purpose.
If in the table FMFCTR for your FM Area you have the same content for all records to this field, this means that all your funds center will be part of the SAME authorization group.
So, you should consider within your company to divide the authorization groups according your needs and adjust your roles in transaction PFCG accordingly.
You should either specify a list of authorized funds center in the role, or assign a specific authority group to the funds center for which you do not want to allow posting.
2) Authorization objects
====================
The authorization object related to the funds center master data is the following:
- F_FICA_FSG Funds Management: authorization group for the funds center
In fact, in BCS you have to use also the authorization object 'F_FMBU_ACC'.
There is a short documentation in SU03 for this authorization object.
Assigning only the authorization object F_FICA_FSG could be not enough sometimes.
Use transaction SU53, SU56, SU01 and SU24 to trace authorizations.
I hope this helps.
Best Regards,
Vanessa. -
Authorization for Work center, logical links and components
Hi Gurus,
Can authorization be given to Work centers, logical links and components.
Thanks,
Sarat.It can be done using Authorization object UIU_COMP. it has 3 fields :
Component Name
Component Window Name
Inbound Plug
Note : You can maintain authorizations based on components, WC pages, Direct links groups and direct links but not on views.
Authorization object for direct links : C_LL_TGT which has 2 field : Logical Link Type and Link Parameter
Hope this helps,
Cenk Sezgin -
Hello Experts,
I faced a issue recently where I am not able to include any more UIU_comp authorizations. The error that pop up is "All authorizations beyond the maximum number are ignored" . Is there a way where we can increase the limit of authorization objects in a given PFCG?
Thanks!
NehaHi Neha,
This problem usually happens due to bad role design. The error message
description is most likely the following:
Message no. 5@026
Diagnosis
The maximum number of 100 authorizations per object was exceeded.
System Response
All authorizations beyond the maximum number are ignored.
Procedure
Additional authorizations can only be included if you first delete a
corresponding number of existing authorizations. Note that deleting
authorizations with the status "Standard" or "Maintained" can lead to
the inclusion of new default authorizations at the next merging of the
authorization data. Avoid the maintenance associated with this by
removing only changed or manual authorizations.
Probably you have a role that has among other authorization objects,
more than 100 occurrances for authorization object UIU_COMP. This is
more than the recommended, as the system limit of 100. You can confirm
that by selecting the role in question and reviewing this object in
table AGR_1251.
So, in order to overcome the problem, all you have to do is to
approach your Security expert and ask for a redesign on this role. It
will be most likely needed to split your authorization data in more
than one role, to avoid trespassing the expected limit.
==================================================
Hoping that above is helpful.
Best regards - Christophe -
Old rebate documents not appearing anymore......
Hi all,
the problem we have is that We cannot see the old payments in ''VBO3''.
There are only the documents from last 2 mounts.
but when I enter by VF03 to the missing document,I can see it.
How the old documents could be displayed in VBO3??
Any Idee?
Points if helpful.
Thanks and regards
GuilhermoHi,
the reason is missing authorization for the UI component.
You have to add the authorization Object UIU_COMP with the relevant values to your PFCG-role.
Best regards
Manfred
Maybe you are looking for
-
Need info on DVI to video adapter
Hi i have a pre-intel mac G5 with one DVI and one ADC port for my monitors. My plan is to buy a DVI splitter and then buy the DVI to video adapter to send one of the split signals to a TV. The apple site says it will work for MacPro, MacBook Pro or M
-
I recently subscribed to Acrobat XI after the trial expired but when I went to activate it I was asked for the serial number. I only have the order number on the invoice. How do I get the serial number for the trial software that is on my computer?
-
Trying to submit a wiki article but getting an error
I have tried two times today to submit a wiki article but each time I see the following message: Sorry, there was a problem with your last request! Is the site currently down for maintenance? As well, how will I know if my article is being saved or n
-
Can someone help me in creating an Array for the following?
Hi this is a flash banner done using AS3 but it is giving me bugs when published, can someone please look at the the following link http://webtemp2.idm.net.lb/alamflash/home.html and below is the script, can i create an array? stop(); import fl.tran
-
Performance issue at Webi/Universe
Hi BO Experts, I am new to Business objects. I have developed a new universe and webi reports, but I am facing some performance issues at webi side. Below I am furnishing my development details; please let me know how I can overcome with the performa