CRM Security Design Concepts
Hello Gurus,
My client is in the process of a CRM implementation. As a security consultant, I am gathering the data from the business for CRM Role Design.
Can anybody share their design methodology in CRM Security?
Best practices..
Thanks in Advance
-Thanks
Sam
Hi Sam,
In CRM CIC, mostly users will be accessing the CRM system via Web client. Generally an ECC or R/3 system would exist as the backend. In CRM 2007/7.0, there is a concept of Business roles (BR) & PFCG roles as described in my earlier post.
Every end user in the CRM would be assigned a Business role. The Business role is created by the CRM Functional Consultant & is assigned at Organizational model/level via transaction PPOMA_CRM, and the corresponding PFCG role would be assigned via transaction PFCG.
To create the Business role, a matrix for it would be provided by a Business Consultant in your project. That will describe the kind of access that would be given to the end user, meaning: Work Centers, Navigational links, logical links etc. You then need to create the corresponding PFCG role for a Business role. If your Organizational model is set up in such a way that only one Business role is created & assigned to all users, then you need to create several PFCG roles & you need to restrict access based on the requirement in these roles. Else, if there are several Business roles, then mostly the Business roles will take care of the access restriction, and you may need to have only one PFCG role. It depends on how the Organizational model is set up & on whether the maintenance burden is on the Functional Team or the Security Team.
Also, if ECC is your backend system, roles need to be created for ECC as well & they would be mapped to the CRM roles, as all backend work will be done in the ECC system. So the role matrices of both systems need to be mapped by the Business Consultant in your project; you would then create roles for the CRM & ECC systems.
Similar Messages
-
Hi,
I have read about various objects and roles to be made in CRM, but could anyone help me to understand the basic concept and difference between CRM security and SAP r/3 security.
the technical details required for implementing CRM security.
Regards
Puneet
kind regards -
Difference between SAP CRM Security and SAP ECC 6.0 security
Hi
I have worked extensively on SAP ECC security but haven't had a chance to work on CRM Security.
Can anyone please let me know the difference between CRM security compared to ECC security.
Thanks...
I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
really sad.....
The big difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
2) If you are familiar with R/3 or ECC authorizations, then you know that the 'allowed activity' is already controlled on tcode level, whereas in SAP CRM, in most cases the 'allowed activity' is not controlled by the transaction code, but on authorization object level....
E.g. transaction code BP allows you to create/change/display any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
another example is business transaction processing...which can be launched by:
a very generic transaction code: CRMD_ORDER
transaction category related transaction codes :e.g.
> CRMD_BUS2000126 for activity management
> CRMD_BUS200115 for Sales processes
Again...allowed activity is not controlled by the tcode, but on authorization object level...
3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links.... controlled by object UIU_COMP.
However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
4) Additionally SAP also provides a concept called ACE (which stands for ACCESS CONTROL ENGINE)....
This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
You should know that ACE is actually implemented on top of your 'normal' SAP CRM security setup....
cheers
Davy Pelssers -
Role maintenance of "enabler" design concepts
hi all,
Which is the correct way of maintaining Master and enabler roles in SAP GRC?
As per my knowledge, T Codes and activities we should maintain in the master role and the rest in the enabler role. Is it right??
Edited by: Julius Bussche on Oct 12, 2010 6:08 PM
Subject title made more meaningful...
Hi muskaan,
I provided some thoughts to you on this question in the GRC forum, but wanted to echo some of the feedback provided here. For what it's worth, your best bet in this situation is to discuss your questions and concerns with the other members of your security/GRC team - they will be in a much better position to talk through your detailed questions regarding your specific situation than any more generic advice you will get on SDN.
As you have heard, the enabler and master/derived concept are 2 approaches for localizing your roles. Up until the point of localization your role build approach will be the same under either methodology following the steps Dipanjan laid out above. Each approach has strengths and weaknesses that must be weighed for your specific SAP environment and your business and security objectives. Without getting into too much detail, I believe the enabler concept yields the greatest value in environments with very deep and fluid/changing organizational security requirements. In these situations the enabler concept allows you to more efficiently manage your organizational security when the pure economies of managing derived roles across the security landscape become burdensome. Often times managing your roles not only occurs within your SAP application where they are built, and in these cases you must consider how your localization approach will impact the maintenance of traditional composite roles, CUA composite roles, or even more "virtual composite" roles that group SAP access, but sit outside SAP in a role management, IDM, or other provisioning systems.
Like you have seen, one of the biggest drawbacks of the approach is that it is a non-standard strategy so education, documentation, and knowledge management becomes crucial for its ongoing sustainability. As mohanjani pointed out, it often works out very well when your strategic approach addresses the right business/security concerns and it is implemented in a very structured manner. On the flip side, it can quickly create numerous headaches if implemented improperly without the correct understanding of the approach or if implemented in an environment where the situational factors do not drive the benefits you wish to achieve from your security design. As with any security approach, as part of your design and strategy development, it is imperative to not only address the traditional "role build" aspect of SAP security, but also how you anticipate getting those roles to users via your request/provisioning process.
To address your specific question on what fields need to go into your enabler roles… that will really all depend on your organizational security requirements and your design/build approach - again this is best addressed by those most familiar with your environment & project. In general, though I am concerned if I understand your messages correctly that you are planning to create 27 different types of enablers based upon your functional areas - I would usually expect to see the types of enablers aligned to your organizational security demands rather than a process area. I would also echo mohanjani's thought that for any type of enabler you really shouldn't be creating more than a functional and display version of that role. From a sustainability perspective it is critical that you do not over-engineer the roles and end up with an overly confusing and complex situation where maintenance and knowledge management is difficult.
On a semi-related note, I am intrigued by the role generator tool SAP developed for their DFPS module and has discussed in more detail in their recent authorization publication. It seems to be an interesting approach to addressing the economic limitations of managing localized roles in complex environments that provides a good balance to the different design methodologies discussed in this thread. Unfortunately, it seems to suffer from lack of broad knowledge as well, making it somewhat more of a customized approach.
Best of luck working through your questions and your implementation! -
Hi All,
I am developing an ADF web application. The security design is such that user authentication is mapped to database users. In this design I see several pros and cons:
1) Different database users means I cannot take advantage of connection pooling.
2) The architect argues SQL querying can be controlled at database level for each user.
I have never been involved in such a web application. Can anybody please guide me if this is the way to go for ADF web application, any other pros and cons. The database is Oracle 11g. I still believe that application security should not be tied to the database security.
Worst case if I have to go with this design, How to implement ADF security using database users.
Thanks
I blogged a use case for using Proxy Authentication with JPA here http://blogs.oracle.com/olaf/2010/04/using_oracle_proxy_authenticat.html. (Being a sample it includes a setter for user name, but a case with a JAAS Subject and Principal is easily adaptable).
I'll dig out an ADF BC example and blog about it, too.
--olaf -
Role of SAP security design consultant
Hi All,
what role does a SAP HR (SAP Security Design) Consultant play?
how different is it from a regular SAP HR?
pls let me know
regards,
Pratik
What I assume is you will have to understand the different roles of users in that company who will need access to the HR system, and classify them under categories, set up roles and define authorisation profiles, and set up structural authorisations based on the client's requirements.
As far as HR is concerned you need to understand the different authorisation objects, roles and profiles available in the standard SAP system, and set up new ones, add some additional privileges etc. wherever required. Get yourself familiar with the various HR authorisation objects etc.
Also a lil bit of user management, reporting on Infotypes, tracking changes, modification to business critical transactions etc. -
Hi Gurus,
What is CRM Proof Of Concept ?
I need some resources regarding CRM Proof of Concept Installation.
Can anyone pl. provide me the link regarding this ?
Many thanks in Advance,
Thanks and Regards,
- Ishan
Thanks a Lot to both of you : Shalini and Ashish !!
Actually the Client has given me just a very basic Req. that they want to implement CRM from scratch and I have to Install CRM with Proof-Of-Concept for it. No other details have been provided yet.
I would sure post it here, once I have it. So, that you can further give inputs regarding it.
I do have now the basic info about what is Proof-Of-Concept ...By any chance, any one of you have any link / other resources of how
the POC was developed / tested / demonstrated for a Specific ' X ' Idea or Methodology in Real Life Scenario.. like Case Study ?
If so, kindly provide it here. ..So, that I can start my ' homework ' based on it.
Thanks Again to Both of You...
Best Regards,
- Ishan
Edited by: ISHAN P on May 15, 2008 6:56 PM
Edited by: ISHAN P on May 15, 2008 7:00 PM -
i have never worked with APO and CRM security. can anyone walk me through them. thanks
>
george G wrote:
> Neither Have I ..but could work on them after reading few books on Security from SAP
>
> Thanks
famous last words .....APO & CRM are full of "features" when it comes to security. Once bitten, twice shy -
Need help with security design!
Hi,
I haven't worked with security design very much. Currently I'm about to develop an application to my father which should implement some sort of security.
One of the reasons for this application besides making my father happy is educating myself.
The application is an online image album.
The security could be divided in role-based security and instance level security.
Role-based (NO PROBLEM):
A user cannot delete another user, an administrator can delete users.
Instance-level (DON'T KNOW HOW):
A user can load other users' image albums if he/she is allowed/granted to view the album and its images. Note that the user could be granted to view the album, but not all of its images.
My problem is how I should design the "instance-level" security? Should I keep an ACL (Access Control List) with each instance of album and image?
This seems to be a common functionality to add view/load/read/write permissions to an instance in runtime to let a certain user to operate on an asset?
Have searched the Internet but haven't found any nice framework to help me.
Could anyone with some experience please help me out?!
Kind regards, Andreas
Hi,
I ran into the same problem. Could you resolve it?
please give me your feedback. -
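One way to model the instance-level permissions asked about in this thread, as an added example that is not code from any poster: each album carries its own ACL, and an image either inherits it or carries a stricter one. All class, function and user names are hypothetical, and the sample data is constructed.

```python
# Added illustration: per-instance ACLs for albums and images.
# Every name here is hypothetical; the sample data is constructed.
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Optional


class Perm(Flag):
    NONE = 0
    VIEW = auto()
    WRITE = auto()


@dataclass
class Acl:
    """user id -> granted permissions; a user with no entry has no access."""
    entries: dict = field(default_factory=dict)

    def grant(self, user, perm):
        self.entries[user] = self.entries.get(user, Perm.NONE) | perm

    def revoke(self, user, perm):
        remaining = self.entries.get(user, Perm.NONE) & ~perm
        if remaining:
            self.entries[user] = remaining
        else:
            self.entries.pop(user, None)  # drop empty entries entirely

    def allows(self, user, perm):
        return perm in self.entries.get(user, Perm.NONE)


@dataclass
class Image:
    name: str
    acl: Optional[Acl] = None  # None means "inherit the album's ACL"


@dataclass
class Album:
    owner: str
    acl: Acl = field(default_factory=Acl)
    images: dict = field(default_factory=dict)


def can(user, perm, album, image=None):
    """Default-deny check for an album, or for one image inside it."""
    if user == album.owner:
        return True
    if not album.acl.allows(user, perm):
        return False  # no album grant: nothing inside is reachable
    if image is None or image.acl is None:
        return True   # album-level request, or the image inherits
    return image.acl.allows(user, perm)  # restricted image needs its own grant


def visible_images(user, album):
    """Filter on the server, so a hidden image is never sent to the client."""
    return sorted(name for name, img in album.images.items()
                  if can(user, Perm.VIEW, album, img))


def build_sample():
    album = Album(owner="andreas")
    album.images = {
        "beach.jpg": Image("beach.jpg"),                 # inherits album ACL
        "passport.jpg": Image("passport.jpg", Acl()),    # restricted image
    }
    album.acl.grant("dad", Perm.VIEW)
    album.acl.grant("sister", Perm.VIEW)
    album.images["passport.jpg"].acl.grant("sister", Perm.VIEW)
    return album
```

Revoking the album-level grant also cuts off every image in it, including restricted images the user was granted individually, because the album check runs first.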
Are there CRM training courses which would help me with building CRM security
Hello,
We are implementing CRM and I am totally new to CRM. To build proper security around CRM, I am trying to find courses which gives me an understanding about CRM and the security implementation. In addition to R/3 security courses, there are security specific courses for BW and HR which I am already familiar with.
Can any one suggest me with relevant CRM courses?
Thanks,
Dear Prasanthi,
Check the below thread which gives you some useful documents.
CRM Security
There are several threads with similar query in this forum. So please do a search before posting in the forums that will obviously save your time.
Regards,
Edited by: Lakshmi Venigala on Dec 4, 2009 5:31 PM
Edited by: Lakshmi Venigala on Dec 4, 2009 5:32 PM -
Hi Folks,
I've a security design issue using J2EE architecture framework in my
project..
Proj Requirement:
i) User Logs-into a health b2b/b2c portal website...
ii) Check the user exist in the database or LDAP directory service.
iii) If exist user then check the role Patient/Insurance Provider/Physician?
iv)If Patient then display his personal health record history.
else Insurance Provider then display about Insurance Policy information,
which he can update/create insurance for entered patient id. If patient has
granted access to Insurance Provider
and if Physician then display about hospital information like
waiting patients,sending appointments,etc..
The above security access control role & policy has to be implemented
very strong. so that other user cannot view/update someone health records..
Development tool:WebLogic Server/Oracle/LDAP.. on Linux
Security Problem:
i)What is the best security solution for the above requirement?
ii)How do I authenticate/validate user using J2EE security framework?
Can anyone explain in details or steps to implement?
Thanks,
-raj-
I'm assuming that you're using WLS 6, if so check out (I know we cover this in
the documentation but I'm guessing at the title) the "securing your site"
guide. Some of what you're planning the WLS server can protect through good
ACL usage. I'd recommend creating at least three groups (patient, provider,
physician), clearly the danger lies in having a user who is a member of more
than one group. I'd recommend implementing your own role checking at both
the servlet and EJB levels to fully enforce information access, using
servlet state and stateful session beans should help.
Alex
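The checks discussed in this thread, as an added language-neutral sketch that is not WebLogic or J2EE code and not from either poster: one authorization function is called at both the web layer and the service layer, a patient sees only their own record, a provider needs the patient's grant, and a user in more than one group is rejected. Rejecting multi-group users is one assumed way to handle the danger named above; all names and sample data are hypothetical and constructed.

```python
# Added illustration; roles follow the thread, everything else is hypothetical.
ROLES = {"patient", "provider", "physician"}


class AccessDenied(Exception):
    pass


# Constructed sample data standing in for the database / LDAP directory.
GROUPS = {
    "pat1": {"patient"}, "pat2": {"patient"},
    "ins1": {"provider"}, "doc1": {"physician"},
    "mixed": {"patient", "provider"},   # member of two groups
}
CONSENTS = {("pat1", "ins1")}           # (patient, provider) grants by the patient
RECORDS = {
    "pat1": {"history": ["2009 check-up"], "policy": "P-100"},
    "pat2": {"history": ["2010 x-ray"], "policy": "P-101"},
}


def effective_role(user):
    """Exactly one known role, otherwise deny (unknown user or role mix)."""
    roles = GROUPS.get(user, set()) & ROLES
    if len(roles) != 1:
        raise AccessDenied(f"{user}: expected exactly one role, got {sorted(roles)}")
    return next(iter(roles))


def authorize(user, action, patient_id):
    role = effective_role(user)
    if role == "patient":
        ok = action == "read_history" and user == patient_id
    elif role == "provider":
        ok = (action in {"read_policy", "update_policy"}
              and (patient_id, user) in CONSENTS)
    else:  # physician: hospital information only, no patient records here
        ok = action == "list_waiting"
    if not ok:
        raise AccessDenied(f"{user} may not {action} for {patient_id}")


# Service layer (the EJB level in the thread): checks again on every call.
def service_read_history(caller, patient_id):
    authorize(caller, "read_history", patient_id)
    return RECORDS[patient_id]["history"]


def service_update_policy(caller, patient_id, policy):
    authorize(caller, "update_policy", patient_id)
    RECORDS[patient_id]["policy"] = policy
    return policy


# Web layer (the servlet level): identity comes from the session, never
# from a request parameter, and the same check runs before dispatch.
def handle_request(session_user, action, patient_id, payload=None):
    try:
        authorize(session_user, action, patient_id)
        if action == "read_history":
            return 200, service_read_history(session_user, patient_id)
        if action == "update_policy":
            return 200, service_update_policy(session_user, patient_id, payload)
        return 404, None
    except AccessDenied:
        return 403, None
```

Because the service functions call `authorize` themselves, a caller that reaches them without going through `handle_request` is still refused.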
Sync CRM Security with Sharepoint
I am a CRM Developer. We had a requirement to sync security roles of CRM with groups of sharepoint. For that I have created a mapping table where I have mapped CRM security roles with Sharepoint Groups. I am creating a plugin for CRM. We want when a user
is added to a CRM team then the same user should be added to corresponding sharepoint group and vice versa. I have the sharepoint group name and user logon. We want:-
1. If a user is added to CRM then my plugin will check whether the user exists in sharepoint if not then create it.
2. Add user to the desired group in sharepoint. I already have group name.
I am new to sharepoint therefore I will appreciate if someone can explain me in details what I have to do.
Thank you
Regards Faisal
Hi,
According to your description, my understanding is that you want to sync the user between CRM system and SharePoint.
I suggest you can use Client Object Model to add user to group.
For the error message, you need to load the groupcollection firstly before you loop it like below:
using Microsoft.SharePoint.Client;

ClientContext ctx = new ClientContext("http://foo");
// get the groups
GroupCollection grps = ctx.Web.SiteGroups;
// load up the group info
ctx.Load(grps);
// execute the query
ctx.ExecuteQuery();
// enumerate
foreach (Group grp in grps)
{
    // do something with each group
}
More information:
Using the SharePoint 2010 Client Object Model
How to: Work with Users and Groups
Thanks
Best Regards
TechNet Community Support
How SCCM works internally, about design concepts and working principal of ConfigMgr?
Hi Guys,
Could you please recommend me any sort of data or link which explians
how SCCM works internally, about design concepts and working principal of ConfigMgr.
I have gone through many sites and videos but they only talk about how to work on SCCM with features however they do not talk about
how SCCM works\inner working of ConfigMgr.
Thanks very much in Advance!
Regards,
Chandan
Not really sure what you're looking for here. Not much is explicitly published on the internals and most of what is "known" is anecdotal or based on reverse engineering by the community. There are specific things that have been documented fairly
well, but those are scattered among various blogs. We can potentially address direct questions here in the forums or point you to that info, but there's not much to really direct you to as a single source because it doesn't really exist in general.
Jason | http://blog.configmgrftw.com | @jasonsandys -
Help With Bringing My Photoshop Designed Concept To Life In Flash CS3
Ok basically i have made a flat image on photoshop
of what i want my flash file to look like
I do not really have any experience in Action scripting
so I'm hoping you guys can just pick at the image and tell me
how to do some of the stuff
I dont expect someone to tell me how to do everything
although it would be very much appreciated
I think what im really trying to make here is a scrollable
text field
and a mini photoviewer directions to tutorials or given codes
will be appreciated
But here is the link to the concept i designed -
http://i150.photobucket.com/albums/s94/JDot_Ltd/HomePageConceptcopy.png
Hi -- just a few comments --
The easiest way to get scrollable text is to use the TextArea
component (open the Components window, drag a TextArea component
onto your stage, change the X,Y,Width and Height properties in the
Properties window, and switch to the Parameters window (while the
component is selected) to change the text. However, that won't look
as cool as what you want so you may want to program your own.
In broad terms, you'll create a Symbol for each of the
following: the Up arrow in the scrollable text, the Down arrow, the
Next button for the photos, and the Previous button. When you drag
each of those symbols to the stage, you'll give the instance a name
in the Properties window. Then in the Actions window you'll add
some code to add event listeners to each of those instances on the
CLICK event, and the functions you write to be the event listeners
will move the text around or change the image.
If you know and have Illustrator it might be a preferable
design tool -- it's easy to copy your vector art directly from
Illustrator to Flash and have small file size for your SWF.
Good luck,
Bob -
Is file created by report CRMD_UI_ROLE_PREPARE mandatory in CRM Role Design
Hi All,
The CRM 7 security guide mentions usage of the file created by report CRMD_UI_ROLE_PREPARE for designing a role. Can anyone suggest whether it is mandatory to run this report?
I have designed the Role WITHOUT using this report.
Hi Raghu, your explanation is not clear to me.
my understanding-The report produces the file from a Business Role, which contains Services/BSPs,etc.... This file needs to be imported into Menu Tab, by option 'Import From File'. So, when these Services/BSPs are added into Menu tab, they will auto-populate their SU24 entries(authorization objects) in Authorization Tab(like in Transaction Codes)
Could you be clear on "report CRMD_UI_ROLE_PREPARE will help you with generating the CONTENT automatically", as mentioned by you. Which CONTENT: Entries(Services,etc...) in Menu Tab OR their SU24 auth. Objects.
Also, "you can import the file from PFCG profile menu" is not clear. Which MENU are you referring to here? The MENU tab which contains Services/BSPs, Transaction Codes etc., OR the MENU bar inside the Authorization Tab?
Could you suggest on this, as this is what I am desperately looking for