CRM Authorizations

Similar Messages

• How to use CRM authorization object.

  Hi All,
  I have a specific requirement to restrict user while he/she tries to save a record. It appears that if that restrictions are implemented the save logic for an entity has to be changed because there are some validation regarding relationship management in SAP system. SO I need to bypass that validation to allow some users of specific(Marketting) role to save the entity record bypassing that validation. here I am planning to use the CRM authorization objects. But dont know how to use these and which authorization object to refer.
  Please let me know if you guys have any idea.
  Regards,
  Bikramjit.

  Hi Bikramjit.,
  You might need to create a Custom authorization object and then use it. Else you can create one Z table and maintain the User ID of all users. The mainatin one field with flag and set it to X for the user that are aloowed to save the transaction.
  Also once you maintain the table, generate the table maintenance so that it becomes easier for future use.
  Hope this helps

• CRM - Authorization Management Tool

  Hi All,
  I am new to CRM-MS-AMT can someone tell, if  Protected Business Objects area is the only place business object should be available on the Authorization Management Tool?  Because right now I only have 80 protected business objects should their be more available?  Any information you provide pertaining to AMT- Business Objects would be greatly appreciated.
  Jeanell

  Hi Jeanell,
  About 80 should be correct.
  You should refer to the following link form the SAP Online help. For this tool it is quite good.
  http://help.sap.com/saphelp_crm40sr1/helpdata/en/93/96033c1c902c05e10000000a114084/frameset.htm
  Regards,
  Gervase

• SAP CRM Authorizations - restrictions on viewing BP from specific country

  Hi
  We have a requirement that says that it should only be possible to view customers that belongs to the same country as the employee and it should ony be possible for the employee to create activities for these customers.
  We have set filters on organizational level(Sales group, Sales office) on the role in PFCG.
  However, this does only apply for sales orders, and it is now possible to only search for orders from their own country.
  Does someone know what restrictions we should set on the role in PFCG to fullfill this requirement?
  Should not the organizational filters cover this?
  BR
  Johan

  This can not be achived with pfcg role. You have to options:
  - implement badi BADI_CRM_BP_UIU_AUTHORITY
  - implement ACE

• Authorizations for Opportunity searches in CRM/EP?

  Need help restricting user results in Opportunity searches.
  Our authorizations scheme defines users by their sales group, but when doing searches in CRM/EP User 1 can see results for users 2 and 3 when doing an opportunity search which are defined outside of user 1's sales group.  Does this require any additional config enhancements such as Account or Territory management?
  Does this need to be solved by authorizations at field level, or is there a table where these restrictions can be maintained? So far I have been trying to restrict values via CRM_ORD_LP and B_BUPA_BZT.
  Not sure if this is the correct forum to post in, if not, is there a forum on here specifically for CRM Authorizations or configuration?
  <removed_by_moderator>
  Edited by: Julius Bussche on Aug 7, 2008 3:10 PM

  Hi Ram,
  The way we ended up resolving this was by adding the authorization object B_BUPA_ATT to each sales user role.  Each user had a secondary role which defined their particular sales group in the org model.
  It involved some programming (which required an outside resource) on our development side, but it worked.
  We basically had the consultant write code to perform a check against custom Z values in the AUTHTYPE field, and then the variables were the data placed in
  the AUTHVAL1 and AUTHVAL2 fields.  And obviously ACTIVITY was whatever the specific user was allowed to do with items in that sales area (postal code, country, etc)
  SAP's preferred solution is something called ACE which creates an extra layer of authorizations, however we didn't have the time and resources to properly implement that.  You may want to look into that if you have the time.
  Hope this information helps!

• BP Authorization Object

  Hi,
  I have the necessary CRM authorizations to create Business Partners of type person in roles such as employee, contact person, general using the BP transaction.
  I have now activated the role 'Internet User'. While I can see this role in the 'Create in Role' dropdown on the BP creation screen, I cannot create a BP of type person in this role.
  I get the error message: "You are not authorized to maintain user data".
  Are there any additional authorizations that I require to be able to assign this role to a business partner?
  Thank you,

  But you could assign different values of B_BUPA_FDG authorization object for different authorization profiles. For example:
  Profile 1: B_BUPA_FDG
  Values:    FLDGR= FLDGR1  (Defined in IMG)
             ACTVT= Display
  Profile 2: B_BUPA_FDG
  Values:    FLDGR= FLDGR1  (Defined in IMG)
             ACTVT= Change
  User Group 1 -> Profile1
  User Group 2 -> Profile2
  However probably the best solution for your requirements will be the GuiXT Tool.
  You can find more information about this tool in <a href="http://www.synactive.com">http://www.synactive.com</a>. You will be able to assign different scripts to different user groups.
  Message was edited by: Javier Merino Vivar

• Control authorization of mass change functionality via PCUI

  Hi,
  We are having the following issues with the Opportunity iview, com.sap.pct.crm.opp.opportunities_s.(Business package for CRM 5.0 and contains functionality CRMD_BUS2000111).
  Once the user clicks Go..he has the list of Opportunities. He can select some or select all and use "Mass Change".
  We would like to control the functionality of "Mass Change" attribute in the backend CRM System so that only a few people can be authorized to do this. However we are not able to find any CRM authorization
  object that controls the mass change activity for opportunities and pursuits in the backend CRM System.
  What is the backend CRM Authorization object that controls this functionality in the backend CRM System ?
  Regards,
  Rajan.K

  Frank,
  In IW38/IW3N we added our own Mass-Change button (in addition to the standard option) via Enhancement Spot ES_EAM_LIST_ENHANCEMENTS_EXT. This was required to perform functions that don't exist in the standard mass-change function e.g. mass-add/delete operations, mass-un-TECO, mass-un-CLSD, etc.
  This Enhancement Spot may work for IE05 too.
  PeteA

• Marketing Plan Element Authorization

  Dear All,
  We are working on SAP CRM 2007 and have a business requirement.
  We want to make a role that can only approve or release marketing projects. We do NOT want this role to be able to create anything like marketing plan, marketing plan element or campaign. The marketing project constitutes of marketing plan, marketing plan elements and campaigns
  We managed to make it work for campaigns and marketing plans but we cannot exclude marketing plan elements.
  The user is stil able to create them.
  Does anyone knows a way to fix this????
  thank you in advance
  Michalis Tamiolakis

  Hello Michalis ,
  You may make use of filed called Authorization Group
  In this activity, you define authorization groups for use in Marketing. Authorization groups can be maintained at both marketing plan level and campaign or trade promotion level. Authorization groups enable you to control which users are authorized to change which of these two types of marketing project. You could, for example, define one authorization group to be assigned to a marketing plan, then define further authorization groups to be assigned to the different campaigns within the marketing plan. In Marketing, the Authorization Group field is located under General Data.
  The path of this is Customer Relationship Management>Marketing>Marketing Planning and Campaign Management>General Settings>Define Authorization Group
  Once you have defined authorisation group, the campaign needs to be updated with this particular field.
  This auth group field needs to be updated for following object in PFCG role for Change & display activities.
  CRM_MPLRES     CRM     CRM Markeitn: Person Responsible for a Marketing Plan
  Another option would to use object "CRM_MPT     CRM     Authorization Object CRM Marketing BusObject Marketing Plan."
  This way you might be able to control the create authorisation for the user.
  Hope it will be helpful to you.
  Regards,
  Rahul

• Service Request Authorizations

  Hi,
  I would like to ask if there is an equivalent of transaction code SU53 in the Web UI? I am not familiar with the PFCG role set-up and our process that whenever we don't have authorizations to transactions, we send SU53 screen shots to the security team.
  Whenever I try to create a service request in the CRM web UI, i cannot create one because the system says that I don't have any authorization to create. But when i log on to CRM gui and check on tcode SU53, is says that authorization check is successful. Is there a way to go around this?
  Thanks,

  Hi,
  You might find this [thread|CRM AUTHORIZATIONS Position levelu00B4s; useful. Additionally, check the values maintained in the objects mentioned in that thread.
  Possibly the transaction value SRVR is missing in the PFCG role assigned to you via the business role.
  Hope it helps.
  BR.

• Authorization Object for Webclient UI BI-Links

  Hello,
  i created my first two BI-Reports for CRM Service and added them over navigationbar-profile to my businessrole.
  No i have the issue that i can see and process this new to BI-Links (authorization SAP_ALL and SAP_NEW).
  But i have an testuser which has the same authorization as our service users. With this testuser i can´t see the links.
  Does anybody know which authorization object i need to add to PFCG-role to see the links?
  Thank you
  Best regards
  Manfred

  Hello Robert,
  it must have to do with authorization.
  The buisnessrole is the same for both users "ZSRVHELPDESK".
  Authorization in BW is done for both users.
  But the user without CRM authorization SAP_ALL and SAP_NEW can´t see the two links to custom BW-Reports.
  Another idea?
  Thank you.
  Best regards
  Manfred

• SU24 for CRM UIU Component

  Hello Experts,
  As the CRM "PFCG Roles and Authorization Concept" didn't mandate to maintain SU24 for the CRM UIU component. I wonder if anyone out there maintained it for UIU component or not? If maintained was it really helpful in your assignment?
  CRM "PFCG Roles and Authorization Concept" document link:
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00515e75-f1d0-2c10-bebb-e5675f470ee6?quicklink=index&overridelayout=true
  Thanks in advance for your input.
  Thanks,
  Himadama

  We had used a concept where in the UIU_COMP objects were enabled and disabled based on the unit testing between the front end and the backend.
  We did try adding the components to menu for plug-ins and outs it was a failure because the business roles were not configured or in otherwords 1:1 matching between the business role and PFCG role could be achieved.
  I would simply take the UIU_COMP roles copy it in PFCG work with the help and inputs from CRM team to complete the security task
  I was recently asked by an expert to maintain objects in SU24  for CRM
  I always thought we use transactions and then check and maintain objects in SU24
  Probably we could do that in SU22 as an external service.
  In my project almost a year ago, I did not put any object on and off, I worked with the role directly to edit the field values of the CRM authorization objects.
  Of course remember to disable S_SERVICE object
  Edited by: Franklin Jayasim on Sep 14, 2010 1:22 AM

• Service Team in Service Request

  Hi All,
    I need to find out Service team in service request.There is a field Service team.In this field with F4 help,those organisations are also coming which are not marked as Service Team.I only want those org which are assigned as Service Team.
  How this can be done through Customization?
  Thanks in advance.

  Hi,
  You might find this [thread|CRM AUTHORIZATIONS Position levelu00B4s; useful. Additionally, check the values maintained in the objects mentioned in that thread.
  Possibly the transaction value SRVR is missing in the PFCG role assigned to you via the business role.
  Hope it helps.
  BR.

• S_DEVELOP authorization needed for CRM Web Client in SAP CRM 7.0?

  We implemented an own WebUI component in SAP CRM 2007 and use it in others components (with USAGE).
  After we transport the component in SAP CRM 7.0 we always got an error CX_BSP_DLC_CONFIG_GENERAL_ERR at loading the component. But if we set the permission to SAP_ALL all thing work fine.
  In SAP Note Nr. 1367944 we read:
  "It is not possible to run the CRM Web Client without the S_DEVELOP, activity=03
  authorization because it is needed by the Web Client Framework.
  The S_DEVELOP authorizatin is part of the SAP_CRM_UIU_FRAMEWORK PFCG role, which must
  be assigned to every user."
  "This dependency has been removed in CRM 7.0."
  Do we need to install some other SAP Notes at SAP CRM 7.0?
  Many thanks for advices!
  Handri Gunawan

  Hi Handri,
  I asked my collegue here, who created the note.
  The note is correct, in CRM 7.0 you do not need S_DEVELOP anymomre.
  The error that you have might occur because of another reason.
  Could you track the call stack of this exception?
  And send me back the call stack?
  Regards,
  Steve

• Question regarding Authorizations in SAP CRM 7.0

  Hello,
  The problem is this:
  We have a client who will use two ways of accessing SAP CRM 7.0 data -
  1. CRM Web UI
  2. Mobile devices via standard SAP CRM BAPIs
  Now the situation is that the client wishes to control display authorizations based on the Business Role. Certain Business Roles can allow its User to see Accounts where the User is also Employee Responsible and certain other Business Roles can allow its User to see all those Accounts that are associated with that Role. In summary Business Roles control what an User can see.
  This has already been implemented for the CRM Web UI using the Access Control Engine (ACE).
  Now the questions are:
  1. How do we implement this for BAPI Access?
  2. Should we recreate what has been achieved by ACE, via PFCG Authorization Profiles?
  3. Can we not reuse what has been done by ACE?
  4. What are the runtime APIs that allow somebody to use the authorization checks of ACE?
  5. Does the standard Function Module CRM_ORDER_CHECK_AUTHORITY_ACE help in this regard?
  Any help here will be greatly appreciated. Please let me know if you need any clarifications.
  Thanks in advance.
  Best regards,
  Sudhi

  Hello,
  Normally, some notes are recommended in addition to the current support package implementation because they were developed to solve any known issues. These known issues occurred as side effect of any note which belongs to the implemented support package.
  If you take a look at older release notes, you will see the same.
  This is a part of implementation stack.
  1345085  SAP SRM 7.0 SP Stack 04 (09/2009):Release & Information Note 
  1365574  SAP SRM 7.0 SP Stack 05 (12/2009):Release & Information Note   
  1436687  SAP SRM 7.0 SP Stack 06 (03/2010):Release & Information Note 
  Kind regards,
  Ricardo

• SAP CRM 7.0.2 issue regarding authorizations

  Hello,
  I have noticed that the role change is not reflecting immediately for the user in CRM 7.0.2 Web UI. Is anyone facing the same issue like this? If so, any solution to this for immediate effect?
  Thanks in Advance.

  Hi Luis,
  You need to create a authorization object with 'sales rep' ou 'sales office' key.
  Your commercials are linked with these objects in master data? If no, create the link.
  After, in PFCG, create the key, as I said above, and done.
  Rgs,
  Fábio