CRM Analytics - User Authorization Not Suficient

Hi Guys,
We have implemented the CRM analytics report, however when I access the menu Sales Pro in CRM and try to open the report Closed Opportunities, I get the error : User Authorization not sufficient.
If I open the error I get the message :
Diagnosis
The user doesnot exist in the BI client or has insufficient authorizations
Procedure
Contact system administrator to verify the user is setup properly in both CRM and BI client
Procedure for System Administration
Verify that the user exist in BI client with the same user id, if not create it and assign proper authorizations as per the configuration guide.
When I run the query or the webtemplate in BW I don't have authorization problems, but I can't run from CRM.
Any suggestion about how to fix it?
Thanks in advance,
Fernando

Hi Fernando,
The report which you have implemented is doing a RFC call to BI system where some other system program is getting called which have authorization logic check for the RFC user ( or the person who is running the report). here report is terminating with error. I have face the similar issue.
generally such reports we use to schedule as a background job with batch user which have SAP ALL access but I feel in your case user who runs the report have not sufficent authorization in BI system and also you are not running report as an background job.
There aretwo tricks to findout the missing authorization which I also have used.
First option : close all the session except one in CRM and than run the report as soon as the error comes open transaction code SU53 to know the missing authorization - may be you can fail here as the authorization check fail in BI.
Second option definitely will work. Whenerror is coming double click on the mmessage to know the message detail(class and number) than again run the report in debugging mode (/H- type in address bar to activate debugging) than set breakpoint in the message and press f8( may be system will not set the break point immediately than you need to debug till the RFC calls BI system) . system will take you to the exact authorization code check where the error is coming. there you can find out the missing authorization object which is not included in the user assigned role. than can ask access team to add in the user role.
I hope this will solve your issue. Please revert with your finding.
Thanks,
Prem

Similar Messages

User should not delete Sales orders in CRM before May 2014.

Hi,
We have requirement in CRM i.e. user cannot delete Sales orders before may 2014 in SAP CRM.
Recently we have implemented Credit Check management in ECC (Cash n Carry Process especially for some customers)
Normally we do create orders in CRM it should be replicated to ECC, based on FD32 credit value in ECC, CRM order should give credit check massage.
go through the below notes n help us where to change BADI in CRM, plz.
We like to add a scenario where prior to April’14 period, user can not cancel/delete any order in CRM, so that the order cancellation data will not flow to SAP and below problem can be resolved.
While checking the credit Exposure of the INDL Customers, we found in some cases, user has deleted few old orders in CRM which creates a open sales order value as Negative in SAP System. Due to this for a customer, if there is ZERO credit limit, ZERO outstanding, ZERO liability, Credit Exposure is become Negative as open order value is there. In CRM order is being raised and credit block is not appearing if the order amount is below the Credit exposure.
Request you pls maintain the open Sales order value as ZERO for the INC customers (as per attachment list) for those who have a NEGATIVE open sales order value.
For the open Sales order Value which are POSITIVE, keep these as same as these are customer’s actual & current open orders.
NOTE: If user delete before may 2014 sales orders, all the deleted order values will be added to FD32 (Credit exposure -Negative),then user can able to raise sales orders for that value also.(It cannot be happened)
Regards,
JK

Hello JK,
I guess you can play around with the standard. You need to create a separate PFCG Role which only contains sales order related authorization object. Basically removing sales order related authorization object from the main primary PFCG role. And then controlling the secondary PFCG Role which only have sales order object. Controlling sales order PFCG role with validity period. Below is the screen shot of the PFCG role where you can maintain the validity period of the PFCG role for the specific user assigned to it.
I hope this solution was helpful for you!
Regards,
Neha Gupta

'The logged-on user does not have permission to use this object'

Hello everyone,
I am getting the message 'The logged-on user does not have permission to use this object' while saving the Sales Order. I am logging in as a CRM user. There is an addon also running on the server, that saves some data into a user defined table when the Sales Order is saved. Is there any authoisation for users to access user defined tables.
Regards,
William

hi William,
this is an Authorization issue. provide the user with authorization on your UDT. Definition of user authorization can be found in Administration -- >> System Initialization -->> Authorizations -->> Additional Authorization Creator.... if already defined from here you can fined the additional authorization from the General authorization window.
regards,
Fidel

Looking for best approach to implement all ERP and CRM Analytics

There is a scope to implement all the ERP Analytics (HR, Finance, SCM, Procurement & Spend, Project) and CRM Analytics (Sales, service, Marketing, Contact Center, Price, Loyalty ). Just want to know the best approach for impelmentation of both ERP and CRM analytics
1- Work with two separate containers with separate execution plan for ERP and CRM
2- Work with one container with one execution plan for both ERP and CRM
3- Work with one container with separate execution plans for both ERP and CRM
Also, Please let me know if there any standard document to achieve both the implementations simultaneously.
Thanks!

Answer, as always, is "it depends". Here is a list of things to consider w the 3 approaches you mentioned:
1- Work with two separate containers with separate execution plan for ERP and CRM
This is a good approach if you plan on a different frequency of ETL loads for each container or different timings. As long as the targets are the same and you run INCREMENTAL loads from both containers, then the refresh dates will be updated. This is usually a good idea if your ERP and CRM users have different timing and load requirements and do not want to "interfere" w each other. You will also have DATASOURCE NUM ID uniquely defined for each system so the data will be segregated. By default, each source system will have its own container
2- Work with one container with one execution plan for both ERP and CRM
This is good if you are ok w the same exact load time for both. Its a simple approach and all tables will be loaded at the same time to avoid any confusion.
3- Work with one container with separate execution plans for both ERP and CRM
Not sure what the advantage of this option versus keeping them in separate containers (like Option 1).
I would also review the secion in the DAC guide for "MultiSource Execution Plans"
if helpful, pls mark correct

Credit Card number entered CRM sales order is not appearing in R3 Sales ord

Hi,
We are entering our Sales orders in CRM which are gtting replicated to SAP R3,In the credit card scenario ,In some sales orders entered in CRM,where the Credit card numer has been entered,In some cases,the card numer is not appearing in R3 Sales order either in the overview screen or Payment card tab,due to ehich most of the times these cards fail authorization .
Kindly let me know as to what could be the reasons as to why the card numer seen in CRM is not appearing in SAP R3,sales order?
Appreciate your help on this.
Regards
Mohammed Roshan

Hi All,
Looking forward to your valuable inputs on this as to how and why Credit Card number entered CRM sales order iwould not appear in R3 Sales order?
Regards
Mohammed Roshan

Please Help PI Data Dependent Integration Builder Authorizations NOT Workng

Dear Friends / Experts,
I had spend many days and explored all Weblog and links on this website and implemented all the steps required to acheive Data Dependent Integration Builder Security and I am not successful so far. I am just giving up now - Please Help Me ---
As I said, I already read all the important Forum Links and SAP Web links and Followed Each and Every Step - service.sap.com/instguidesNW04 ® Installation ® SAP XI
Security Requirement - Data Dependent/Object Level Authorizations in XI / PI
In distributed teams or in a shared PI environment it might be necessary to limit authorization for a developer or a group of developers to only one Software Component or objects within a Software Component or to specific Configuration Objects.
Our Environment - PI 7.0 SP 16
Created a new role in the Integration Builder Design
u2013Add Object Types of any Software Component and Namespace
- Enable usage of Integration Builder roles in Exchange Profile
Integration Builder u2013Integration Builder RepositoryParameter com.sap.aii.util.server.auth.activation to true
Assign users to the newly created Integration Builder roles
u2013Create dummy roles in Web AS ABAP, these roles are then available as groups in Web AS Java
u2013Assign users to these roles
u2013Assign the Integration Builder roles to the above groups in Web AS Java
u2013Assign unrestricted roles to Super Users
Please help - How to validate whether Data Dependent Authorizations are Activated?
I am working with XI Developers and Basis Team and we did updated all the Required Exchange profile parameters.
Per this Document - User Authorizations in Integration Builder Tools - Do we need to update the server.lockauth.activation in Exchange Profile. When We updated, It removed Edit Access from all XI Developers in PI
In both the Integration Repository and the Integration Directory, you can define more detailed authorizations that restrict access to design and configuration objects.
In both tools, you define such authorizations by choosing Tools ® User Roles from the menu bar. The authorization for this menu option is provided by role SAP_XI_ADMINISTRATOR_J2EE. Of course, this role should only be granted to a very restricted number of administrators. To activate these more detailed authorizations, you must set exchange profile parameter com.sap.aii.ib.server.lockauth.activation to true.
The access authorizations themselves can be defined at the object-type level only (possibly restricted by a selection path), where you can specify each access action either individually as Create, Modify, or Delete for each object type, or as an overall access granting all three access actions.
http://help.sap.com/saphelp_nw04/helpdata/en/f7/c2953fc405330ee10000000a114084/frameset.htm
I was able to control display and maintain access from ABAP Roles, but completely failed to implement Integration Builder Security?
Are there any ways to check Whether Data Dependent authorization or J2EE Authorizations are activated?
Thanks a lot
Satish

Hello,
so to give you status of our issue.
We were able to export missing business component .
But we also exported some interfaces after that and we had some return code 8, due to objects still present in change list on quality system (seems after previous failed transports , the change list was not cleared completley...).
So now we have checked that no objects is present in the change list of quality system and we plan to export again our devs on quality system.
Hope after that no more return code 8 during imports and all devs transported correctly on quality system.
Also recommending to read that, which is pretty good.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/7078566c-72e0-2e10-2b8a-e10fcf8e1a3d?overridelayout=t…
Thanks all,
S.N

Change User password not working in SAP ME 6.0

Hi,
In SAP ME 6.0 SP01 6.0.1.0 Counter 40, the activity "Change User Password" does not work for me or any other user.
The activity window (Netweaver) shows, but in the top it says "An error occurred - contact system administrator".
This is the output from the default trace file. Seems my user is not authorized, but where do I set this authorization?
Br,
Johan
#2.0 #2011 09 06 11:15:11:064#+0200#Error#com.sap.security.core.wd.jmxmodel.JmxModelComp#
#BC-JAS-SEC-UME#sap.com/tcsecumewduimodel#C0000AD3034800820000000100000450#9934850000000004#sap.com/tcsecumewdkit#com.sap.security.core.wd.jmxmodel.JmxModelComp#JONORD#16##380199ECD86811E088C3000000979802#ae0e9d52d86811e08e7a000000979802#ae0e9d52d86811e08e7a000000979802#0#Thread[HTTP Worker [@312363456],5,Dedicated_Application_Thread]#Plain##
public void supplyCompany(IPrivateJmxModelCompInterface.ICompanyNode node, IPrivateJmxModelCompInterface.IContextElement parentElement)
[EXCEPTION]
com.sap.engine.services.jmx.exception.JmxSecurityException: Caller JONORD not authorized, required permission missing (javax.management.MBeanPermission -\#getCompanyConceptEnabled[:SAP_J2EECluster="",j2eeType=UmeJmxServer,name=IJmxServer] invoke)
     at com.sap.engine.services.jmx.auth.UmeAuthorization.checkMBeanPermission(UmeAuthorization.java:100)
     at com.sap.engine.services.jmx.JmxServerFrame.checkMBeanPermission(JmxServerFrame.java:101)
     at com.sap.engine.services.jmx.MBeanServerSecurityWrapper.checkMBeanPermission(MBeanServerSecurityWrapper.java:438)
     at com.sap.engine.services.jmx.MBeanServerSecurityWrapper.invoke(MBeanServerSecurityWrapper.java:288)
     at com.sap.engine.services.jmx.ClusterInterceptor.invoke(ClusterInterceptor.java:813)
     at com.sap.pj.jmx.server.interceptor.MBeanServerInterceptorChain.invoke(MBeanServerInterceptorChain.java:367)
     at com.sap.security.core.jmx._gen.IJmxServer$Impl.getCompanyConceptEnabled(IJmxServer.java:1415)
     at com.sap.security.core.wd.jmxmodel.JmxModelCompInterface.supplyCompany(JmxModelCompInterface.java:1498)
     at com.sap.security.core.wd.jmxmodel.wdp.InternalJmxModelCompInterface.supplyCompany(InternalJmxModelCompInterface.java:710)
     at com.sap.security.core.wd.jmxmodel.wdp.IPublicJmxModelCompInterface$ICompanyNode.doSupplyElements(IPublicJmxModelCompInterface.java:4301)
     at com.sap.tc.webdynpro.progmodel.context.DataNode.supplyElements(DataNode.java:110)
     at com.sap.tc.webdynpro.progmodel.context.Node.getElementListAsObject(Node.java:263)
     at com.sap.tc.webdynpro.progmodel.context.MappedNode.createMappedElementList(MappedNode.java:78)
     at com.sap.tc.webdynpro.progmodel.context.MappedNode.supplyElements(MappedNode.java:71)
     at com.sap.tc.webdynpro.progmodel.context.Node.getElementListAsObject(Node.java:263)
     at com.sap.tc.webdynpro.progmodel.context.MappedNode.createMappedElementList(MappedNode.java:78)
     at com.sap.tc.webdynpro.progmodel.context.MappedNode.supplyElements(MappedNode.java:71)
     at com.sap.tc.webdynpro.progmodel.context.Node.getElementListAsObject(Node.java:263)
     at com.sap.tc.webdynpro.progmodel.context.Node.getElements(Node.java:270)

Hi,
Change User Password screen is in fact user self services screen of NW UME and to access it, user must have Manage_My_Password action. Installation and Security Guide ask to assign this action to all roles.

User Was Not Found when trying to run SSRS report!

I'm trying to run SSRS report (Custom Reports) for Dynamics CRM 2011. However, when I try to run the report from the Reporting Manager it errors out "User Was Not Found"!
Here's the complete error log:'
An error has occurred during report processing. (rsProcessingAborted)
Query execution failed for dataset 'DSMain'. (rsErrorExecutingCommand)
Microsoft.Crm.CrmException: An unexpected error occurred. System.ServiceModel.FaultException`1[[Microsoft.Xrm.Sdk.OrganizationServiceFault, Microsoft.Xrm.Sdk, Version=5.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]:
User Was Not Found <OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts"> <ErrorCode>-2147220969</ErrorCode> <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic">
<KeyValuePairOfstringanyType> <d2p1:key>CallStack</d2p1:key> <d2p1:value xmlns:d4p1="http://www.w3.org/2001/XMLSchema" i:type="d4p1:string"> at Microsoft.Crm.ServerLocatorService.GetCrmUserId(Guid organizationId,
String authenticationInfo) at Microsoft.Crm.Sandbox.SandboxHostSids.IsCallerAllowed(SandboxSdkContext requestContext, String& expectedSidSddlForm, String& callerSidSddlForm) at Microsoft.Crm.Sandbox.SandboxSdkListener.AuthenticateCaller(SandboxCallInfo
callInfo, SandboxSdkContext requestContext, String operation) at Microsoft.Crm.Sandbox.SandboxSdkListener.Execute(SandboxCallInfo callInfo, SandboxSdkContext requestContext, String operation, Byte[] serializedRequest)</d2p1:value> </KeyValuePairOfstringanyType>
</ErrorDetails> <Message>User Was Not Found</Message> <Timestamp>2014-05-09T21:37:02.5487525Z</Timestamp> <InnerFault i:nil="true" /> <TraceText i:nil="true" /> </OrganizationServiceFault>
An unexpected error occurred.
User Was Not Found

Hello,
Can you preview the report in Report Builder or Report Designer?
Based on the error message, the issue may related to a invalid user account for the report data source credentials.Please verify the user account is valid and has sufficient permission to access CRM data source.
You can refer to the following blog to troubleshooting CRM custom report rsProcessingAborted error:
http://blog.simpletrees.com/2013/04/mscrm-and-dreaded-rsprocessingaborted.html
Regards,
Fanny Liu
Fanny Liu
TechNet Community Support

Variable value to be populated based on user authorization

Hi all,
I want to have a variable with single value on plant.
when the user executes the report, value of the variable has to be populated automatically based on the authorization of the login user and it has to show the output without displaying the selection screen.
Kindly guide me of, what type of variable to create and to proceed.
Thanks.
I

Hi
Restriction Plant from user authorization can be achieved by the following steps
1. Plant infoobject should be authorization relevant.
2. make authorization object including plant and restrict to the plant u needed and assign the profile to the user
3. in BEX create variable of authorization type on plant. this variable will get the default values for the plant from the user authorization on the selection screen of the query.
4. if you dont want to display the variable on the selection screen then remove the chek box in variable that " variable is not ready for input"
thanks
radhika

Error Message' "The loged on user does not have permission to use this obje

The loged on user does not have permission to use this object-
I am entering a Sales order, which is customized, when I add the Sales order this system imformation appears.
The user has a pro-license and authorizations to all AR
Can someone tell me what my problem might be?

Thank you for your help

Changes made to the order in SAP CRM 7.0 is not transferring into ECC6.0

Hi SAP CRM Experts,
Could you please provide me the solution for the below concern?
When the changes are made in SAP CRM order ,the synchronization is not taking place i.e., those changes are not replicating into ECC6.0 and the other way round is working fine(from ECC6.0 to CRM)The order is not editable in CRM and giving the message as "Document is being distributed; changes are not possible" and BDOC status as " After qRFC step (intermediate state)" and in the in bound queue (SMQ1) and it is showing as "running" after a while it is clearing but the BDOC and the orders messages are still the same.
Would appreciate for the quick solution.
Best Regards
Succhi

Hi, Succhi
Note 1621031 - Incorrect status I1054 "To be distributed"
Note 1620893 - Screen output without connection to user - SMQ1
also check program CRM_DATAEXCHANGE_TOOLBOX
Denis

Hr_maintain_masterdata showing an infotype that the user does not have auth

subject: hr_maintain_masterdata showing an infotype that the user does not have authorisation for
Hi all,
I've a user account that's meant to perform staffing, based on the actual HR role. The system is also set up with an infogroup that contains infotypes 0000, 0001, 0006, 0185, XYZ and other infotypes; XYZ representing an actual infotype. The HR role is not supposed to have this infotype XYZ.
When PA40 is used, infotype XYZ will be skipped, as the user account do not have authorisation for it. I could then proceed to create the record.
When the fm: hr_maintain_masterdata is used, I was prompted that I do not have authorisation for infotype XYZ.
I have setup my fm with the mininum amount of values, as indicated below.
I did not populate a table for "proposed_values" so the infotypes called were due to the actions of the infogroup.
fm: hr_maintain_masterdata
pernr = 01234567
massn = 01          (new staff)
actio = INS          (insert record)
tclas = A          (master record)
begda = 01.09.2010
endda = 31.12.9999
werks = myCompanyPlant
dialog_mode = 2     (online)
luw_mode = 1          (commit, if no errors encountered)
no_existance_check = X
Q. Is there any way to let the function module call the infotypes, with authorisation checks, as what PA40 is doing?
Your guidance would be appreciated.
Thank you,
James Wong

A behaviour that has been observed was that, after infotype 0185 was saved, the function module throws me back to infotype 0000, citing, "No authorization to maintain XYZ exists". Data that I had populated to the screen, either via the FM or by manual input were cleared. If I skip the next 4 screens, I'll arrive at the Infotype after XYZ, with the data populated. Subsequent infotypes also have their data filled in.
Once I complete the sequence, the personnel record will be created. Upon examination, the frist 4 screens that were skipped in the 2nd pass contains data that were entered in the 1st pass.
My question, as posted in the original post, is why infotype XYZ is triggered by the function module, as the staffing account does not hae access for it. If I repeat the process using PA40, the infotype is skipped accordingly.
Any help would be appreciated.
Thank you,
James Wong,

CRM sales order is not saved in CRM but in ECC

Hi,
I am new CRM area and will not some hints on where to check.
When the the Sales orders are successfully created in CRM, they are replicated to R/3 but the sales orders are not saved in CRMD_ORDERADM_H table of the CRM system.
Also, I dont know see any details of the sales order in the interaction record document flow.
Can you please help me with any hints on where to check to fix this issue..

Hi Sangameshwar,
In CRM you can have two scenarios for ERP Sales Order.
1. ERP Sales offer and Sales order, using the CRM User Interface to create directly the ERP Sales Documents with LORD interface. The document is only saved in ERP. I believe this the scenario you are using.
2. CRM Sales offer and Sales order, the document is saved both CRM and ERP. The documents are replicated via Middleware.
In both scenarios the interaction record should add the document in the doc. flow, it's probably a missing customizing in the interaction record.
Hope this information help you.
Regards,
Jorge G.

User should not be able to import a request.

Dear Forum,
We have a role created with all the transaction (*) given to a user.
We want to revoke/restrict the authorization to import a request. User be able to create/edit/release the request but should not be able to import. This should happen without changing to existing (*) but at the same time user should not able to import.
<removed_by_moderator>
Regards,
DD
Edited by: Julius Bussche on Feb 18, 2009 10:48 AM

> And in the new role you can restrict the user.
I suspect the how was the original question. S_TRANSPRT is the (already given) answer. Deriving will do nothing for that object as not one of its fields is organizational. Besides that, restricting some more objects to make sure the user cannot create and/or use any workarounds is essential to make this work properly.
The additional request This should happen without changing to existing (*) scares me a bit. Why do these users need over 70000 transactions?

User should not be able to change the payment terms

Dear All,
My issue is that user should not be able to change the payment terms in any of the document.I have tried to do it through authorization but it is not working out.
Mona.

Dear Mona,
This may only be done through SP_Transaction_Notification.
Thanks,
Gordon

CRM Analytics - User Authorization Not Suficient

Similar Messages

Maybe you are looking for