BP Role maintenance

Thought this would be useful:
Frequently Asked Questions about Business Partner Roles in CRM.
Solution
Business Partner Roles functionality in CRM can be confusing. For further information, it's worth knowing some basic facts:
General Information
Any Business Partner in CRM can be seen in any Role, but this doesn't affect its data.
In CRM the term "Role" is used for a different object, which is, in fact, just a screen template for the transaction BP. Role is not a characteristic of a Business Partner in CRM; instead, Partner Functions (Sales Area-dependent) are used.
Business Partner Role means nothing in CRM. It's not involved in the Partner Determination process or Business Transactions. Again, only Partner Functions and Relationships are used instead.
Is there a Relation between CRM BP Role and R/3 Partner Role?
No.
R/3 Partner Role is mapped to Partner Function in CRM.
CRM BP Role is not transferred to any other system, and is used exclusively for the transaction BP in CRM.
Why does a BP created in R/3 have other Roles in CRM?
CRM BP Role has NO relation to R/3 Partner Role.
In CRM any BP can have any Role, which can be switched anytime. This value is CRM-specific, and doesn't relate to R/3 role. Mapping between CRM and R/3 is based ONLY on Classifications, Roles are not used.
You can think of BP Roles as Screen Templates for comfortable maintenance of Role-dependent data.
Are Validity Periods for BP Roles supported in CRM?
Currently it's not planned to add a validity to the role and we don't recommend implementing this, because no processes support this validity check.
Are Validity Periods for BP Roles supported in CRM 5.0?
Yes, in CRM 5.0 a validity of a role is technically realized. As in CRM 4.0, still no process in CRM supports this validity. Therefore the possibility to maintain BP Roles in a time-dependent way is deactivated in the CRM 5.0 shipment. Under certain conditions, though, this function can be activated. For further details see note 810634.
Is it possible to delete a Role from the BP?
Generally speaking, No.
Even if it's technically possible, it should never be done.
Explanations and reasons follow:
First of all, as explained above, this is not a characteristic of a BP, so it's not just some field value which technically can be stored and then changed anytime.
Technically, a Role is a dynamic link to the group of BP subscreens in the table BUT100; this is the only place where this Role is physically present. This value is not shown anywhere, and is used only by the transaction BP for internal purposes.
But even after using some solution for doing it, nothing can prevent automatic detection. That means, if you maintain some BP data which is enough for some particular role, this role will be marked as "maintained" anyway.
This is not the only side effect that cannot be resolved. Please remember that actual BP Data is not changed by changing a Role. That means that after deleting a Role which provides access to some Role-specific data, this data won't be deleted, just hidden from the user in transaction BP.
In this case, when some program requests this data, it will receive it without a problem, and potentially this program can determine this BP incorrectly.
Also, when somebody switches a Role for this BP to the "deleted" one, already maintained data will "suddenly" appear. The same can happen if this data is shared between several BP Roles (like Sales Area data for Ship-to Party and Sold-to Party): after switching to another Role, data for the "deleted" Role will appear again.
Is it possible to delete a Role from the BP in CRM5.0?
Yes.
In the BP maintenance in transaction BP there is a function to delete Roles from the BP. Removing a Role from a BP means deletion of the corresponding record from table BUT100, whereas using the time dependency of the BP Role and limiting the validity of a Role to a past date just changes the attribute value in table BUT100 without physical deletion of the Role from this table.
Given the consequences described above of deleting a Role and accessing the Role-relevant data of the BP afterwards, the difference between deletion and restriction of the Role's validity becomes obvious.
Note that Roles which are not updated in table BUT100 (such as the technical Role "BP General") can't be deleted.
Will changes of a BP in CRM5.0 still be exchanged with R/3 after deletion of BP Role "Sold-To Party"?
Yes.
The BP Role only becomes important for data exchange with R/3 during creation of the BP, for defaulting the corresponding Sales Classification flag; it does not itself influence data such as the BP's Account Group etc.
For the same reason, restricting the validity of a Role to the past has no consequences for data exchange either.
We don't need a "BP General" role. Is it possible to hide it, or to change according to our requirements?
NO.
"Business Partner (general)" is a technical role, which is required for internal needs of the CRM system. Despite the fact that there's a solution in Note 507748 which allows this role to be customized, it shouldn't be done!
For further details see Note 533396.
Creation of a BP in a Role different from "BP (general)" is strange. Sometimes data is lost, and a strange popup appears.
Read the popup message carefully.
Why is Classification not assigned automatically when I change a BP Role? It works during creation of a BP.
During creation of a BP in some standard Role, Classification is assigned automatically as well. How can it be done for a custom-defined Role?
This behaviour is hardcoded for standard Roles, so it can't be customized. But you can define a standard Role as a Higher-level Role for your own custom-created Role using transaction BUSD. In this case, when a BP is created in your custom-defined role, the standard Higher-level Role will be maintained automatically, and the corresponding Classification will be assigned also.
Will Classification be assigned automatically when creating BP in a custom-defined Role in CRM5.0?
Yes, this easily can be done. As in CRM5.0 there is a distinction between the Role itself and the Role category (in which SAP applications and customer programs as well can use the Role category on which is hardcoded), any custom-defined Role assigned to Role category "Sold-To Party" can be used to create a BP in and automatically assign Classification. This is because the automatic assignment of Classification uses the Role category, not the Role.
For further information see note 873055.
If the CRM BP Role has so little functionality in CRM, why do I need it?
The only place where the BP Role is used is BP Master Data Maintenance.
When a BP is created in some basic Role, some predefined hardcoded values will be maintained automatically (like Classification).
Another purpose is to separate BP Data between logical Screen Containers, which makes BP Maintenance more comfortable. You can hide some fields, group them differently, and make some values mandatory according to the Role in which the BP is currently displayed.

I don't understand your doubt either, but I will assume you are talking about the BP role (partner function).
By default the customers from ERP are created in CRM with the sold-to party role; this is the standard behaviour. If you want to replace that logic to use a specific role or even add another role, you must add a custom FM to the middleware event table for BPs; you will find a lot of information about this if you search a little.
Cheers!
Luis

Similar Messages

  • Roles regarding E-Recruitment are not there in role maintenance

    Roles regarding E-Recruitment are not there in role maintenance. Could anyone tell me why?

    Hello,
    Which query have you used for checking as the requisition is usually in status 'draft'?
    Regards
    Nicole

  • Tool for role Maintenance

    Can someone suggest a tool for role maintenance and administration in Oracle?
    I want to admin roles, groups and security policies.
    Is there a good tool available?
    Best Regards,
    ashish

    Oracle Enterprise Manager is cool but I want a tool that is just for security management for the database, which has inbuilt scripts for finding out links between tables and views and the bas structure, and if possible generates charts or something that can be easily referenced.
    Or if anyone has any scripts available like these I will be glad if I can use them...
    Ashish Nanda

  • Mass Role Maintenance

    Hi Experts,
    Need your advice. Is there any way in SAP through which we can perform mass changes in 200 roles at once? I need to make some changes in an object. The object is present in more than 200 roles and doing changes one by one is a very tough task. Please let me know any way through which I can save time and do the changes perfectly.
    Regards,
    Mukesh

    As others have already stated, there is no mass change capability for roles.  However, there are some options that can help but it really depends on the type of change that you are making.
    If you are attempting to add authorizations associated with a particular transaction, you can populate the change in SU24 and have it propagate the new values for you.  Just be careful that the values you put in SU24 are appropriate for all roles containing this transaction.  You will still have to go through the manual process of re-reading the authorizations for each role and then regenerating it, but this may save you some typing.  Even then, if there are no further values to populate in each role then you can consider a CATT script for the steps above.  A CATT won't be good for making any changes inside a role, but it can be used to tell PFCG to re-read the authorizations and then regenerate.
    Another option is to consider the use of derived roles.  If you're not already using them, then this will be of no immediate help but if your role design fits then these are very helpful.  Derived roles are a huge time saver if all that is different between roles is organizational-level values.  Changes to org-level values in derived roles are still manual and time consuming, but any non org-level field that is changed in the parent will be propagated to all the derived roles and generated.
    Good luck.

  • How to do Enhancements in Reporting & What is Role and How to create Roles

    Hi All,
    Can any one tell How to do Enhancements in Reporting, and also What is Role and How to create Roles in Reporting?
    Plz reply back me on [email protected]
    Regards,
    Kiran

    Reporting Enhancement - RSR00001 - BW: Enhancements for global variables in reporting
    And using the SAP Exit - EXIT_SAPLRRS0_001
    RSR00001- With this enhancement to global variables in reporting you have the option of determining your default values for variables. You can use this enhancement for variables, for which 'Processing by Customer-Exit' has been selected in the variable maintenance. This is valid for all variable types (characteristic value, node, hierarchy, formula and text variables). You use the Exit EXIT_SAPLRRS0_001 for this.
    The Enhancement component (RSR00001) must be assigned to a Project Created using the Transaction CMOD. On activating the Project, the Exit would become active and in turn the logic written inside the Exit.
    To ensure that the data warehousing solution reflects your company's structure and business needs, it is critical that you establish who is authorized to access the data. With SAP BW, authorizations can be defined and maintained by object and can also be applied to hierarchies, and these authorizations can be inserted into roles that are used to determine what type of content is available to specific users or user groups.
    T-code for Role maintenance - PFCG.
    Please assign points if it is useful.
    Regards
    Pavan Prakhya

  • PFCG role maintenance: Query

    Hi friends. I was just wondering if someone can help me.
    How can we use the 'Import from file' system from the 'menu' option for role maintenance?

    Hello Rahul,
    I think you need the same what was discussed in PFCG Roles in Favorite menu.
    Regards
    Gregor

  • Authorisation to access the Project

    Dear all,
    I have SAP_ALL authorisation but still system is giving error of authorisation. 
    For CJ20N, when I create a new project, I am getting the following error message:
    You are not authorized to access this project
    Message no. ZPS052
    Diagnosis
    You have not been set up as a team member for this project.
    Procedure
    If you are a project team member for this project please see your project manager in this regard. He will add you to the project team. You will then be able to access this project.
    If you are not a team member but still require access please see your system administrator and indicate to him that you require access to authorization object Z_PS_PRPS for this company code.
    When I asked about this to basis, they say that I have sap_all authorisation so this may be the functional problem.
    Also, I am getting the error for lot of T codes like CJ40, CJ30, CN41, CN72 etc. error message is "You do not have authorizations".
    Can any one guide me.
    Is there any thing like adding my name in the project team for accessing the project or the problem is else where.
    Pls guide me.

    Hi,
    This is purely authorization issue. You can check about authorization details in Transaction SU01 & PFCG. Please check your role assigned to your user. Have you maintained any user status to your projects ? Is there any restriction based on company code ?
    Regarding the transactions you aren't able to access, please add the required transactions to your role. In Role Maintenance (transaction PFCG) in the menu tab, you can view the various transaction codes assigned.
    I feel that SAP_ALL hasn't been assigned to your role, due to the mentioned error message.
    Hope this will help you.
    Regards,
    Rakesh

  • Workflow approval - 'n' step BADI, Approval hierarchy problem

    Hi,
    Description of the issue:
    For a shopping cart approval, the approver's list determined by the 'n' step approval BADI does not include the user who is the immediate in the org. hierarchy. Rather the work item goes to the superior authority (say MD) for approval, which must not be the case.
    Pre-requisites checked:
    1. Checked the org. hierarchy - Proper.
    2. Checked the Roles maintenance for shopping cart approval - All is fine
    3. Checked for approval/spend limits also - All is fine.
    4. Tested BADI/Business Object - Approval Table is empty & Approver_administrator is 'WF-Admin was informed'.
    5. Workflow log (technical details) - Checked in the containers for 'Approver's list'.
    6. Checked table HRUS_D2 for any substitutes assigned - All seem fine.
    This is the org. hierarchy,
    (A - Requestor) --> (B - 1st level approver) --> (C - 2nd level approver) --> (D - MD final level approval)
    The approver's list shows two names instead of 3, that is only B & D and not C. Hence the work item goes to D directly than going to C.
    Please suggest.
    Best regards,
    Harsh Dave

    hi,
    Well the approver list is created from the badi for n-step approval in SRM.
    If you say that the approver list is empty when testing the BADI, then you have to check which workflow is used in your environment.
    It could be that someone decided to create their own logic.
    So start by finding out which workflow template is used in this scenario. Also you can set external break-points for users in the approval BADI, which would be executed if you use the approval preview in SRM (I'm guessing it is SRM since it sounds like it).
    Kind regards, Rob Dielemans

  • Restriction on the report

    Hi
    I have a report which is used by several users. In report i am using the variable on plant of type (Authorization).
    Now when a user executes the report, in the selection parameter screen the site should by default display the respective plant of the user.
    Ex: if plant 1001 user executes the report, by default plant should be 1001
    if plant 1002 user executes the report, by default plant should be 1002
    Is it possible to do this way.
    Regards
    Annie

    The Variable with Processing Type Authorization is meant for this.
    All you need to do is
    1. Make the Plant Authorization relevant -> infoobject maintenance
    2. Create Authorization object at Tcode RSSM
    3. Create two Roles at Tcode PFCG and in Role Maintenance -> go to the Authorization tab -> create an Authorization profile that contains the above Authorization object.
    Role 1 -> Authorization profile -> maintain new Authorization object -> value is Plant 1001.
    Role 2 -> Authorization profile -> maintain new Authorization object -> value is Plant 1002.
    Finally,
    Assign Role 1 to User 1 ; Role 2 to User 2.
    Well, if it is a BI 7.0 system you can use the new Authorization Analysis concept.
    Regards, Vj

  • Travel Request  two Approvals

    Hi,
    Can anybody tell me whether it is possible to provide 2 approvals in the TRIP transaction?
    Actually, in our client's case a travel request should get the 1st approval from the HOD and the 2nd approval from the Finance head.
    Can anyone advise me?
    With Regards,
    San Rao.

    Hi,
    Check in customization in maintain authorization - role maintenance.
    If not possible please check with apabper; hope there will be a solution for this.
    cya
    udayakumar

  • Publishing Queries to Roles

    Hello Gurus,
    I would like your take on the practice of publishing BW queries to roles? For an example there are 10 sets of queries and these 10 are published into a role for each company that exists. So in essence if there were 20 company codes we will have 20 roles containing 10 queries hardcoded with a company code. I spoke to our BW developer to get an idea as to why this is being done instead of restricting access through S_RS_COMP. Response was that this was done due to performance reasons (something to do with the queries linking directly to the infoprovider containing the information rather than going through all of the infoproviders). So,  Rather than leaving the query open and the user entering the parameter themselves it was decided that the queries were to be hardcoded to cut down the time it takes for systems to display the results.
    Has anyone experienced this issue before? My goal is to set up a derived role where the child roles are restricted by S_RS_AUTH for the company codes and query access through S_RS_COMP instead of being published to a single role. Before I do this I would like to figure out a way to move away from this practice without affecting performance for end users.
    By the way, our users access these queries through the BEx Analyzer.
    Thanks,
    Wes

    Wes,
            Using derived roles in BW or S_RS_AUTH may not be the best design as field for S_RS_AUTH does not appear as org level. So you are not really going to have any advantage by going with derived role concept in terms of maintainence effort.
            With 10 queries  - 20 Company Codes - you will not need 20 roles  because of Company Code, just update the queries with appropriate authorization variable for company code and restrict users on company code. Just 20 company codes should not cause any performance issues
            Also with hardcoding the queries for each single company code - how are you resolving the scenario when user has access to more than one company code/ or global access. 
    Regards

  • Restriction for table maintenance

    Hello Gurus,
    I am working on an SLO project, where I had merged 5 source systems into one system.
    In a few roles in the source systems, the authorization group for table maintenance is maintained as '*' in production.
    In the source systems, if they maintain * they would be able to display/change the data related to that system only.
    But now in the target system, if we maintain * in the authorization group they are able to display/change the data related to all the 5 systems.
    This needs to be restricted. Please provide some pointers on how this can be done.
    This restriction should be in such a way that they should be able to change data related to the system they belong to.
    Thanks,
    Sanketh.

    >
    Sanketh Teegala wrote:
    > Thanks for the reply prashanth.
    >
    > But , suppose consider users are maintaining table T001B. ( they are maintaining it through parameter transactions).
    > as it is a standard table it has been assigned to same authorization group in both source and target systems.
    > In source system , user is able to view data related only that system.
    > But in target system user is able to view other system data also.
    >
    > How can i restrict this data ?
    >
    > Thanks,
    > Sanketh.
    Hi Sanketh,
    I hope you are progressing with your SLO task.  Once you have finished this project, most things will be simple in comparison
    Unfortunately your requirement is not a simple one
    You could use line item auths (nasty to set up IMO).  Have a search for info on auth object S_TABU_LIN
    Alternatively you could introduce auth checks on key auth fields (e.g. BUKRS, WERKS etc) into the method that you use to display table data.  This would likely require new transactions with validation code that is performed before data is displayed or limits what can be updated.  Another messy approach would be to use parameter transactions that pass in an org unit into the table selection criteria.  You would need one for each org unit so will likely not be practicable.
    What I would say is that focus on what is legally required.  If none of it is required by law then focus on getting the rest of your consolidation done first and then address this in partnership with your project development team.

  • Manually added auth objects and Derived roles

    If there are manually added auth objects in the parent role do they come across to the derived roles?
    Also if you manually added auth objects into a derived role will they be overwritten by the parent role if you auto derive from the parent role?

    Yes, any auth objects will come across to derived roles when you click 'generate derived roles' from your parent role. Basically it's copying your parent role authorizations to derived roles except org. level data (if you had maintained them thru the 'org. maintenance' button and not by adding in individual objects).
    Yes. Manually added auth objects in your derived roles will be overwritten by the parent role authorizations when you click 'generate derived roles' from your parent role.
    If you just derived the role menu and didn't copy the authorizations (generate derived roles) then there will not be any interlink between the parent and derived roles for authorizations.
    http://help.sap.com/erp2005_ehp_02/helpdata/en/1c/c38028816c11d396bc0000e82de14a/content.htm

  • Role Design Strategy

    Hi All,
    Any insights are greatly appreciated.
    I am a strong believer that SAP Security role design strategy should be simple and easy to manage, with single roles rather than having composites. At my current client, I tried to sell this idea and tried to avoid composite role design because of problems I have seen after go-live (SODs, maintenance issues, problem analysis effort).
    For some inexplicable reasons, I did not succeed completely. Now we are building roles with 3 tiers, the 1st tier being a common access role (single), the second being display (single), and the 3rd tier a composite role for each job function, having a combination of different task-based process roles. This is an n+1 implementation with global roll-out followed by individual markets. There will be another tier of roles developed on a need basis during blueprint of different market roll-outs.
    Can anyone give me inputs on whether this kind of composite approach combined with 3 tiers has been used, and what the potential nightmares after go-live will be?
    Thanks in Advance

    I would suggest that it will depend quite a bit upon the business requirements, but a lot more on how many staff there are; potentially on how many roles would end up being created.
    However, when I set up our roles, I used only single roles (no composite) and that has worked well (150+ users at the moment, more to be added later, possibly up to 450). There is an argument for saying that we could easily switch to composite roles now, but we still get quite a bit of role movement and keeping them as single roles has proven to be better. Perhaps in a few years if it settles down we may then look at it again.
    Our roles are based upon job function, but in some cases, we have a "clerk", "supervisor", & "manager" role. The user in the supervisor function would have both "clerk" and "supervisor" role, but not manager. We also have some generic roles e.g. "purchase requisition" which are used by a larger number of people. This allows the specific items to be managed in one role rather than in say 8 or 10 roles.
    Each role can then have different t-codes or authorisations; as they are cumulative, that gives the required access to do the job. It's also fairly easy to test that the role is working as we want it to do.
    It took a while to get it right, but now it seems to be working really well for us. Moving people between job functions is really straight forward and easy to do. It's also very easy to add new users and will prove to be very easy as the new staff get added over the next few years.
    I would suggest that the old axiom is true; the more work you do at the beginning, the less you will have to do afterwards.
    Regards
    Tony

  • Conversion of Authorization roles

    We are doing Upgrade from 4.6C to ECC 6.0.
    After Upgrade need to maintain  currently 14.736 roles in our development system 
    12.336 of these roles are derived roles
    10600 are assigned in the ERP system,
    All roles are created with the standard Profile Generator.
    I would like to convert these roles in the new release (ECC 6.0). Are there any tools, best practices or expertise? Any suggestion will be really helpful.

    The SU25 steps will guide you thru the whole process.
    The count of all your derived roles is 14,000; I would expect the count of master (parent) roles will be around 700 to 1000. I don't think it's a big issue. Your maintenance window for adjusting everything in your development system might take a while, but you will be fine once it's done.
    SU25 2b -- if you have a good amount of custom checks, make sure you keep your old entries and accept the SAP defaults for new entries which came in with ECC 6.0.
    SU25 2c -- In this step, start adjusting the master roles first. This will automatically adjust the derived roles. Of course that's how SU25 will push you.
    One exception though: if your master role has t-codes which got any org. value related new objects, then you have to go thru all derived roles for that master, which you won't see happening for many roles.
    SU25D -- for this it would be better to just select to include new t-codes in the same role where you have the old ones. I guess it would be better if you decide this with your functional guys.
    and don't forget to keep a copy of your customer tables.
