CRM 5.0 Security

Similar Messages

• CRM 7.0 security model & accessebility of data at table level

  Hi CRM Experts,
  Firstly i am new to this topic 'CRM 7.0 security model' and i want following information from you, my simple requirement of my  on going project.
  1. what are different types of roles in CRM 7.0 system and how to define those roles & which table all the role information is stored in CRM 7.0 ABAP & Java stack installled system.
  2. How are the ABAP & JAVA roles are different from each other in CRM 7.0 system.
  3. How to define portal roles in CRM 7.0 & which table or storage location these portal roles data are stored & is there any way we can extract them from CRM system, if any webservice or any mean this can be achieved?
  Basically i am interested in users/roles/authorization data in CRM 7.0 for both ABAP & JAVA stack system. please help me achieving this requirement.
  Thanks,
  Digamber.

  Digamber,
  For an overview of the changes in CRM 7.0, visit the following link:
  http://www.sap.com/germany/solutions/business-suite/crm/SAP_CRM7_Highlights.pdf
  In respect to Security model, CRM 7.0 is a bit different, where a lot of functionality is executed via BSPs that are run on a browser. However, the authorizations should be still need to assign in the the backend.
  For CRM specific security guides, I recommend you visit the SAP link - http://service.sap.com/security
  In the left pane hierarchy, go to 'Security Guides'. Scroll down to find the CRM section and download the required guides.
  Also, further there are new concepts like WEBCLIENT UI (an extra authorization layer, which is UI COMPONENT LEVEL and logical links. (Controlled by object UIU_COMP)). Standard authorization setup in the new WEBUI client is now controlled by both backend authorizations and the UIU_COMP. That means even if the user has SAP_ALL access, he will not able to perform any actions.
  Hope this provides some light!!
  Rgds,
  Raghu

• CRM HTTP Survey Security

  Hi,
  We are currently triying to use CRM survey via HTTP.
  In order to give access to our customers we want to use SAP Web Dispatcher.
  Our Security team has issues about this solution, because they think that is insecure.
  I would like to know if anyone has already used this solution, and wich kind of infraestructure was used from the security point of view.
  Any information will be helpfull.
  Best Regards,
  Leandro Ferraiuolo.

  Hi Leandro,
  perhaps it helps if you have a look at my Weblog: <a href="/people/gregor.wolf3/blog/2005/11/07/setup-sap-web-dispatcher-with-url-filter-on-suse-linux-90">Setup SAP Web Dispatcher with URL Filter on SuSE Linux 9.0</a>. It describes our implementation to provide Surveyes in the Internet for our E-Mail Campaingns.
  Regards
  Gregor

• Are theCRM training courses which would help me with building CRM security

  Hello,
      We are implementing CRM  and I am totally new to CRM. To build proper security around CRM, I am trying to find courses which gives me an understanding about CRM and the security implementation.  In addition to R/3 security courses, there are security specific courses for BW and HR which I am already familiar with.
  Can any one suggest me with relevant CRM courses?
  Thanks,

  Dear Prasanthi,
  Check the below thread which gives you some useful documents.
  CRM Security
  There are several threads with similar query in this forum. So please do a search before posting in the forums that will obviously save your time.
  Regards,
  Edited by: Lakshmi Venigala on Dec 4, 2009 5:31 PM
  Edited by: Lakshmi Venigala on Dec 4, 2009 5:32 PM

• CRM 7.0 How to create Business role & generate

  Hi Team,
  Can you please let me know some breif idea about CRM 7.0 security guide.
  How to created Business role is this part of functional activity?
  Whats the role of Technical colleagues BASIS guys in CRM 7.0 security .
  Please help me to get some document regarding business role creation , generation , assignment & authorization checks in CRM 7.0.
  Thanks & Regards,
  Vyash Mishra

  Hello Viyash
  I will add the most important information for generation of business roles and assignment of authorizations to users.
  You must first create the PFCG roles. PFCG role is built based on the Business Role.
  Please see documentation in : SPRO
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Authorization Role
  Then the PFCG role can be assigned to the business role in 
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Business role
  Finally you must assign business roles to Organizations or positions in organizations in
  SAP Implementation Guide =>  Customer Relationship Management
  UI Framework  > Business roles > Define Organizational Assignment
  The users that are assigned to such organizations / positions will be therefore linked to the business role.
  With the previous steps the users will have the authorizations that are assigned to the PFCG profile that is linked to their business role.
  Business roles are the main way to configure authorizations for users in CRM but you have more options that give you flexibility.Each business role has assigned one PFCG role, but the relationship between business role and PFCG role is not strict. You can even assign a dummy PFCG role to a certain business role in business role customizing and then go to transaction PFCG and assign other PFCG role(s) to the users that are assigned to that business role.
  I would say that the previous tasks must be performed by the basis team but in cooperation with the functional team
  Best Regards
  Luis Rivera

• Security Deposit Replication

  Dear experts,
  In our scenario (CRM 5.0 integrated with ERP 2005), we have to create the security deposit in CRM. The security deposit must be replicated to R3 when the CRM contract is replicated to the backend.
  When I was reading the ERP2005 release notes there was a section 1.9.1 Enhancements to the master data generator that included the submodule MOVE_IN_SEC.  Using the installation field ANLAGE you can associate a security deposit exemption (SECWAIVERAS)  or a security deposit amount and reason it was requested (SEC_TOT_AMOUNT  and SEC_REASON).
  Do you know where I can capture these fields in CRM in order to populate the correct values in the MDT?
  Thanks in advance for your help,
  Best regards,
  Stephanie

  Hi Stephanie,
                    Did you ever find out these fields in CRM ? I'm facing the same problem.
  Cheers,
  Perzad Avari

• CRM Survey in B2C Internet Sales Application

  We have CRM 2007 and are live with B2C Internet Sales Application (ISA). Now we want to make Customer Surveys accessible via B2C ISA.
  For security reasons, we do not want our B2C Internet Customers to have access to the CRM system. Therefore the BSP option is ruled out. I have seen some blogs on how to enhance security for BSP option but that is also not approved in our organization so BSP option is totally ruled out.
  SAP help documenation mentions following:
  http://help.sap.com/saphelp_crm70/helpdata/en/ee/eaf995082649c6a594511e1f48672d/frameset.htm
  Internet Scenarios
  Since Internet users cannot be allowed access to the CRM system for security reasons, surveys have to be made accessible in a different way. You can do this by downloading the required HTML survey to your PC. From here, you can:
  Copy the HTML survey into any Web site
  Send the HTML survey attached to an e-mail
  Internet Scenarios
  In Internet scenarios, results can be returned by the following methods:
  Mailto
  In this case, a mail client, for example, Microsoft Outlook, needs to be set up in advance on the client machine. Survey results are sent to a CRM Server Mail User, that is, a u201Cmachineu201D user. From here, the results are routed to the CRM system for further processing.
  http(s)
  Note
  The http(s) case is recommended, because the user does not have to have a personal e-mail account. Here, the survey results are first sent to a Survey Mailer. The Survey Mailer receives the http request and then mails the results to the CRM Server Mail User, where they can be processed. The Survey Mailer needs to be set up by the administrator at the customer.
  For presenting the Survey on ISA, we would like to take the option of Copy the HTML survey into any Web site as suggested in SAP help and would like to get back the results as per SAP help recommendation of https(s) above.
  We need guidance on follwing
  1. How to download and then copy the HTML surveys into any website (ISA)
  2. Detailed steps that are needed for gettting back the survey results.
  By the way...we do understand the survey functionality and have been successful in testing the BSP option so we are not looking for general information.
  Thanks
  Vijay

  Hello Vijay,
  Could you please share the information on solution steps used as per the requirement??
  I'm working on the similar one.
  Your earliest response would be greatly appreciated. Thank you Vijay.

• Security in CRMD_ORDER by sales org CRM_ORD_OE

  CRM 5.0 SP11
  Putting in a 2nd sales org, want to limit the agents access by sales org in either creating or displaying a sales document.
  In the role we limited CRM_ORD_OE to sales org A.  But in CRMD_ORDER the user can see all documents in sales orgs A & B and create orders for sales org B.
  This will be for the ICWC but I figure if I can get it to work in CRM online it should work in ICWC same way.
  I do not want to explore ACE, can anyone help?  this seems simple but am lost.  I have been reviewing the 100+ page CRM 5.0 security guide.  Copied our role from delivered role SAP_PCC_IC_AGENT

  Hi Lalas,
      From that url I could see this page;
  http://help.sap.com/saphelp_crm60/helpdata/en/4a/b9f63a8ab2c745e10000000a114084/frameset.htm
     If I limited the role to CRM_ORD_LP to  "A" own sales organization that seem to work better than CRM_ORD_OE
  What was interesting was in CRMD_ORDER doing a search on OR orders did bring back all orders (not desired) but only orders in my users sales org did it allow me to display or change.
  The example using only CRM_ORD_OE in this url in the help didn't seem to work
  1.       A user should receive authorization to process sales transactions with the transaction type TA in sales organization 0001 and for distribution channel 01.
  You assign the following authorizations:
  CRM_ORD_PR: PR_TYPE u2018TAu2019, ACTVT u2018*u2019
  CRM_SAO: ACTVT u2018*u2019
  CRM_ORD_OE:  SALES_ORG u20180001u2019, DIS_CHANNE u201801u2019, SALES_OFFI u2018u2019, SALES_GROU u2018u2019, ACTVT = u2018*u2019

• WCEM 3.0 Security Question not asked

  Hi guys,
  we are working on WCEm 3.0 with CRM Backend. Security Questions are configured and enabled in the WCB but when I test the emails regarding "Forgot user name" or "Forgot password", I am not asked for the question. I only have to provide my personal data (name, city, postal code, etc. ) and then I get the email.
  Do you have any idea, where I am missing some config?
  Best regards
  Jan Arensmeyer

  Hi Jan
  Did you activate the security question setup AFTER you registered the customer? I had a look at the corresponding FM in the backend (CRM_WEC_VALIDATE_USER_ACCOUNT). It appears that the security question check will simply not return any security questions if none have been set up for this customer:
    IF iv_fetch_seq_qtn EQ 'X'.            " Fetch Security Question/Answer only when flag is set
       CALL FUNCTION 'WEC_USER_GET_SEC_QTN'
         EXPORTING
           iv_userid         = lv_r3_username
         CHANGING
           securtiy_ques_ans = lt_security_ques_ans.
       LOOP AT lt_security_ques_ans INTO ls_security_ques_ans.
         lv_question = ls_security_ques_ans-questionid.
         ev_sec_question = lv_question.
       ENDLOOP.
     ENDIF.
  The FM WEC_USER_GET_SEC_QTN will return an error code if no questions are found for a customer (in table  wec_user_sec_qtn), but as you can see above, that error is being ignored.
  Hope that helps. Otherwise, it might be worth debugging this FM (using external breakpoint for the logged in web shop user) to see whether any questions are returned.
  Good luck,
  Matt

• Display customers by Type on a web page

  I can find any module for displaying customers by type on a web page.
  The intention was to have customers entered under a specific Type, and then under a secure zone display them based on the customer type.
  Anyon know how this can be done?
  Thanks

  I have been working with BC (since Good Barry) for years and have had a few clients request the option for their members to create public profiles, so similar situation to what you are talking about.  One workaround I have used is having the clients enter their CRM details first (in my case after they subscribe to a secure zone) and then directing them immediately to a page with the Web App Submission form. THAT form can then be pre-populated with the newly saved customer's CRM details using secure zone modules (E.g {module_workphone}, {module_workaddress} etc..). It is not ideal, but reasonably seamless from the client's point of view, as you can populate the form with hidden or read-only fields, meaning they don't have to enter their details twice.
  Question for you, Mario - the problem I have always had is that obviously there comes a time when the client wants to update their profile and/or their details on file.  I noticed that the EDIT layout of the webapps will NOT populate fields with the CRM modules - setting the values of the fields to {module_whatever} just won't work, as simple as it sounds..  So every time a client wants to (for example) UPDATE their contact details, they have to do it twice (once for the "Update Details" form and once for the "Profile Web App"). 
  Is there ANY way around this?

• Certification Error while selecting a material in WEB UI

  Hi Gurus,
  The time when I select a product in WEB UI {for ex. item 10}  in sales order, I am getting "CERTIFICATE ERROR". The Error is "Content was blocked because it was not signed by a valid security certificate. ". "For more information, see "Certificate Errors" in Internet Explorer Help."  
  This material is configurable material.
  Can anybody suggest me why we are getting this error. What is the way to correct this?
  Any help appreciated
  Thanks
  BLR

  Hi,
  1. maintain the CRM-URL as secure site in the internetexplorer properties
  2. mainten the CRM-URL as exception for the internetexplorer popup blocker.
  3. Delete the browser cache
  4. Restart the browser
  I hope this will help to solve your issue.
  Kind regards
  Manfred

• Retail Execution Application Device Registration Issues

  Hello Community,
  I am having issues registering the Retail Execution application with a user in CRM.
  I am testing with an iOS device where I downloaded the application from the app store and an Android device where I got the APK from the SAP marketplace.
  The guide I am following is the Administrator's Guide SAP Retail Execution 3.2.0.
  There are a few issues i've come across which I think might be contributing to my devices not enrolling.
  I've completed the setup of the environment till the point in the documentation for Data Change Notification where I need to create an RFC connection to the SMP server.
  I entered the IP address for the SUP server with the port as 80. Is port 80 correct?
  The username ive setup as supAdmin@Admin with the password.
  When I test the connection I get a : Status HTTP Response 404 error.
  Another issue I have is that in the documentation under the section enrolling a device using the Relay Server, all the fields are referring to SMP username, SMP Farm ID, SMP Activation code and so on. The connection details I have used in other apps are as follows:
  Server : <ip of relay server>
  Farm : Relay server Farm ID
  Username : jcommerford@crm           (CRM login ID @ security configuration - crm is my HTTPAuthentication security configuration I created in SUP)
  password :
  Port : 80 (relay server port)
  URL suffix : leave blank
  Domain : The new domain I created in SUP and where the Rex MBO is deployed.
  So it isnt making sense as to what details need to go into here.
  Lastly...
  What is the absolute minimum setup of the CRM system and SUP to register a user through the relay server?
  I would like to comment that I havnt performed the initial download of Master Data using DCN but didnt think this was needed to enrol a device. Other than that the guide was followed and configuration done according to it.
  Let me know if anymore information is needed as I am very stressed to get this issue sorted out.
  Thank you
  Jared

  Hello Jared
  Has the registration worked without the Relay server setup? I would suggest you try that first.
  I am assuming you already set the SM59 destinations for CRM to SMP and trusted RFC to corresponding ECC (but this is not necessarily the issue, because the registration is failing).
  Please confirm that the RFC Destination is set as follows (use the supAdmin user on the Logon & Security page)
  Check the security provider on SMP (your's may be different but I am using the following for POC and it works)
  Could you please confirm if the REX package was deployed correctly on the SMP server by selecting the connection pools for both CRM and ECC for corresponding MBO's
  Please post a log of the SMP server once you switch to direct registration to SMP (without relay server)
  Thanks
  Raza.

• ECommerce site vs. 'regular' site

  Hi,
  Seems like every eStore solution I look at seems to have the same grid / architecture. Does such a web company exist that offers a custom site built as 'responsive design', but with an eShopping experience to also reflect the same responsive, custom-looking experience vs. being the typical cookie cutter and/or segregated from rest of 'regular' site?
  I understand this is mainly because of the content management tool, but surely someone out there has broken that typical mold? Or is there no such thing? - The commerce orders need to integrate with CRM.
  Any references, or can you point me in the right direction where I should be looking?
  Thank you!

  First of all, to SnakEyez, CRM referrs to customer relationship management, a model for managing a company’s interactions with customers, clients, and sales prospects. You're collecting information about clients and maintaining it in a database so that you can prospect those past clients for future business.
  To r_tist, I have tended to "roll my own." I do custom websites that have a sales engine that handles orders. I have not implimented CRM at all because I am concerned about data security on my server and don't want to assume responsibility for the data if my system were to be hacked or cracked. I do, of course, secure my sites with a security certificate. Because I am "rolling my own," I can come up with unique ways to handle sales and have done so.
  That can be expensive and I would price a sales engine with CRM at around $5,000 (entry level) to do for someone and I would ask that my customer keep the CRM database on a server that is not 100% live on the Internet, rather than use my server's SQL database handle CRM for the security concerns I have just mentioned. And I think the price is why you're finding lots of sales sites are doing the same thing over and over. Something that is all ready "cooked" may be cheaper than something custom.
  I do see Apple doing something unique and I think that is because they have a very good team of code people who work on that unique
  architecture. Apple developed their own database engine, which I imagine they use as well as their own web standards, which they promote through Safari.
  WebAssist does sell an "online store" that is pretty much as you describe, though I don't know if it has any option to deal with CRM.

• Sap CRM 2007 Security related issue

  Hi All,
  I am working on SAP CRM 2007 security.
  I have scenario, which we are trying to fix.
  There are two users A and B.
  A is assigned to role X
  B is assigned to role y
  Business Partner 123 is created for user A
  Business Partner 456 is created for user B
  These Business Partners are assigned to Authorization Groups.
  See below:
  1)Authorization Group (LK01) is assigned to Business Partner --123.
  2) Authorization Group (LK02) is assigned to Business Partner --456
  3) Authorization groups LK01 is assigin to user A in PFCG role X
  4) Authorization groups LK02 is assigin to user B in PFCG role Y
  a) User A assigned with PFCG role X>Authorization Group (LK01)>BP 123.
  b) User B assigned with PFCG role Y>Authorization Group (LK02)>BP 456.
  Note:
  1) Authorization Groups are assigned to BPs under the Control tab.
  2) These Auth Groups are assigned in Authorization Object in PFCG role.
  Now, USER 'A' should not be able to work under the BP 456 as this BP is assigned to authorization group LK02.
  The issue is when we open the WEB UI and login with user A role X, He can search for the BP 456 assigned to Auth Group LK02.
  User A can open the Interaction History and edit the Service Order created using the BP 456.
  He can Edit the following in Service Order details:
  1) General Data Status (from created to complete), Contact person, Sale Rep name.
  2) Organization Data like Sales Office, Sales Org Unit, Distribution Channel
  3) Business Partner.
  However, one good thing is he cannot edit the Account details like Account ID, House No, Employee Resposible, the message he get is "No authorization to change partner with authorization group"  which is a
  good thing.
  I have tried to be precise, please let me know if you require more information.
  Regards,
  Dave.

  I suggest the following:
  Please, check whether the system works if you activate the implementation BUPA_F4_AUGRP.
  In addition check the notes 559662, 674869 and 782927. Maybe the notes are already implemented but you can try then the implementation of the BADI (SE19). It should resolve your issue.
  I have implemented this Badi solution before, and after activation; the search help ; nor search result list did NOT show any Business partners anymore that had an authorization group I was not allowed to see.
  kind regards
  Davy Pelssers
  SAP CRM/Security consultant

• CRM 2011: Can you control which form is used based not security roles, but on a field value?

  I see that you can control which form is used based on security roles, but can you control it based on other field values?  I'd like a new record to use a different form until a given status is updated.  I have a status of draft and active. So
  it would be nice if I could use form1 for those in draft, form2 for those that are active.  But I only see where you can control that via the security roles.
  I can code all of this via JavaScript, but having the ability to use two separate forms would be nice.  Is that even possible.
  Best regards,
  Jon Gregory Rothlander

  Hello,
  Recheck following article - http://gonzaloruizcrm.blogspot.com/2014/11/avoiding-form-reload-when-switching-crm.html
  Dynamics CRM MVP/ Technical Evangelist at SlickData LLC
  My blog