CRM Security Design Concepts

Hello Gurus,
My client is in the process of a CRM implementation. As a security consultant, I am gathering the data from the business for CRM Role Design.
Can anybody share their design methodology in CRM Security?
Best practices..
Thanks in Advance
-Thanks
Sam

Hi Sam,
In CRM CIC, mostly users will be accessing the CRM system via Web client. Generally an ECC or R/3 system would exist as the backend. In CRM 2007/7.0, there is a concept of Business roles (BR) & PFCG roles as described in my earlier post.
Every end user in the CRM would be assigned a Business role. A Business role is created by the CRM Functional Consultant and is assigned at the Organizational model/level via transaction PPOMA_CRM, and the corresponding PFCG role would be assigned via transaction PFCG.
To create the Business role, a matrix for it would be provided by some Business Consultant in your project. That will describe the kind of access that would be given to the end user, meaning: Work Centers, Navigational links, logical links etc. You then need to create the corresponding PFCG role for a Business role. If your Organizational model is set up in such a way that only one Business role is created and assigned to all users, then you need to create several PFCG roles and restrict access based on the requirement in these roles. Otherwise, if there are several Business roles, then mostly the Business roles will take care of the access restriction, and you may need to have only one PFCG role. It depends on how the Organizational model is set up and on whether the maintenance burden is on the Functional Team or the Security Team.
Also, if ECC is your backend system, roles need to be created for ECC as well, and they would be mapped with the CRM roles, as all backend work will be done in the ECC system. So the role matrix of both systems needs to be mapped by the Business Consultant in your project; you would then create roles for the CRM and ECC systems.

Similar Messages

  • Concept behind CRM Security

    Hi,
    I have read about various objects and roles to be made in CRM, but could anyone help me to understand the basic concept and difference between CRM security and SAP R/3 security,
    and the technical details required for implementing CRM security?
    Regards
    Puneet


  • Difference between SAP CRM Security and SAP ECC 6.0 security

    Hi
    I have worked extensively on SAP ECC security but haven't had a chance to work on CRM Security.
    Can anyone please let me know the difference between CRM security and ECC security?
    Thanks...

    I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
    really sad.....
    The big  difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
    1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
    2) If you are familiar with R/3 or ECC authorizations, then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level, whereas in SAP CRM, in most cases the 'allowed activity' is not controlled by the transaction code, but on authorization object level....
    E.g. transaction code BP allows you to create/change/display  any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
    another example is business transaction processing...which can be launched by:
    a very generic transaction code: CRMD_ORDER
    transaction category related transaction codes :e.g.
          > CRMD_BUS2000126 for activity management
          > CRMD_BUS200115 for Sales processes
    Again...allowed activity is not controlled by the tcode, but on authorization object level...
    3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links....  controlled by object UIU_COMP.
    However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
    Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
    STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
    4) Additionally SAP also provides a concept called ACE (which stands for ACCESS CONTROL ENGINE)....
    This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
    You should know that ACE is actually implemented on top of your 'normal' SAP CRM security setup....
    cheers
    Davy Pelssers

  • Role maintenance of "enabler" design concepts

    hi all,
    Which is the correct way of maintaining Master and enabler roles in SAP GRC?
    As per my knowledge, T-Codes and activities we should maintain in the master role and the rest in the enabler role. Is it right?
    Edited by: Julius Bussche on Oct 12, 2010 6:08 PM
    Subject title made more meaningfull...

    Hi muskaan,
    I provided some thoughts to you on this question in the GRC forum, but wanted to echo some of the feedback provided here.  For what it's worth, your best bet in this situation is to discuss your questions and concerns with the other members of your security/GRC team - they will be in much better position to talk through your detailed questions regarding your specific situation than any more generic advice you will get on SDN.
    As you have heard, the enabler and master/derived concept are 2 approaches for localizing your roles. Up until the point of localization your role build approach will be the same under either methodology following the steps Dipanjan laid out above.  Each approach has strengths and weaknesses that must be weighed for your specific SAP environment and your business and security objectives. Without getting into too much detail, I believe the enabler concept yields the greatest value in environments with very deep and fluid/changing organizational security requirements.  In these situations the enabler concept allows you to more efficiently manage your organizational security when the pure economies of managing derived roles across the security landscape become burdensome. Often times managing your roles not only occurs within your SAP application where they are built, and in these cases you must consider how your localization approach will impact the maintenance of traditional composite roles, CUA composite roles, or even more "virtual composite" roles that group SAP access, but sit outside SAP in a role management, IDM, or other provisioning systems.
    Like you have seen, one of the biggest drawbacks of the approach is that it is a non-standard strategy so education, documentation, and knowledge management becomes crucial for its ongoing sustainability. As mohanjani pointed out, it often works out very well when your strategic approach addresses the right business/security concerns and it is implemented in a very structured manner.  On the flip side, it can quickly create numerous headaches if implemented improperly without the correct understanding of the approach or if implemented in an environment where the situational factors do not drive the benefits you wish to achieve from your security design.  As with any security approach, as part of your design and strategy development, it is imperative to not only address the traditional "role build" aspect of SAP security, but also how you anticipate getting those roles to users via your request/provisioning process.
    To address your specific question on what fields need to go into your enabler roles… that will really all depend on your organizational security requirements and your design/build approach - again this is best addressed by those most familiar with your environment & project.  In general, though I am concerned if I understand your messages correctly that you are planning to create 27 different types of enablers based upon your functional areas - I would usually expect to see the types of enablers aligned to your organizational security demands rather than a process area. I would also echo mohanjani's thought that for any type of enabler you really shouldn't be creating more than a functional and display version of that role. From a sustainability perspective it is critical that you do not over-engineer the roles and end up with an overly confusing and complex situation where maintenance and knowledge management is difficult.
    On a semi-related note, I am intrigued by the role generator tool SAP developed for their DFPS module and has discussed in more detail in their recent authorization publication.  It seems to be an interesting approach to addressing the economic limitations of managing localized roles in complex environments that provides a good balance to the different design methodologies discussed in this thread.  Unfortunately, it seems to suffer from lack of broad knowledge as well, making it somewhat more of a customized approach.
    Best of luck working through your questions and your implementation!

  • ADF Security Design Question

    Hi All,
    I am developing an ADF web application. The security design is such that user authentication is mapped to database users. In this design I see several pros and cons:
    1) Different database users means I cannot take advantage of connection pooling.
    2) The architect argues SQL querying can be controlled at database level for each user.
    I have never been involved in such a web application. Can anybody please guide me if this is the way to go for ADF web application, any other pros and cons. The database is Oracle 11g. I still believe that application security should not be tied to the database security.
    Worst case if I have to go with this design, How to implement ADF security using database users.
    Thanks

    I blogged a use case for using Proxy Authentication with JPA here http://blogs.oracle.com/olaf/2010/04/using_oracle_proxy_authenticat.html. (Being a sample it includes a setter for user name, but a case with a JAAS Subject and Principal is easily adaptable).
    I'll dig out an ADF BC example and blog about it, too.
    --olaf

  • Role of SAP security design consultant

    Hi All,
    what role does a  SAP HR (SAP Security Design) Consultant play?
    how different is it from a regular SAP HR?
    pls let me know
    regards,
    Pratik

    What I assume is that you will have to understand the different roles of users in that company who will need access to the HR system, classify them under categories, set up roles and define authorisation profiles, and set up structural authorisations based on the client's requirements.
    As far as HR is concerned, you need to understand the different authorisation objects, roles and profiles available in the standard SAP system, set up new ones, and add some additional privileges etc. wherever required. Get yourself familiar with the various HR authorisation objects etc.
    Also a little bit of user management, reporting on Infotypes, tracking changes, modification to business-critical transactions etc.

  • CRM Proof Of Concept

    Hi Gurus,
    What is CRM Proof Of Concept ?
    I need some resources regarding CRM Proof of Concept Installation.
    Can anyone pl. provide me the link regarding this ?
    Many thanks in Advance,
    Thanks and Regards,
    - Ishan

    Thanks a Lot to both of you : Shalini and Ashish !!
    Actually, the client has given me just a very basic requirement: they want to implement CRM from scratch, and I have to install CRM with a Proof-Of-Concept for it. No other details have been provided yet.
    I would sure post it here, once I have it. So, that you can further give inputs regarding it.
    I do have now the basic info about what is Proof-Of-Concept ...By any chance, any one of you have any link / other resources of how
    the POC was developed / tested / demonstrated for a Specific ' X ' Idea or Methodology in Real Life Scenario.. like Case Study ?
    If so, kindly provide it here.  ..So, that I can start my ' homework ' based on it.
    Thanks Again to Both of You...
    Best Regards,
    - Ishan
    Edited by: ISHAN P on May 15, 2008 6:56 PM
    Edited by: ISHAN P on May 15, 2008 7:00 PM

  • APO and CRM security

    i have never worked with APO and CRM security. can anyone walk me through them. thanks

    > george G wrote:
    > Neither have I, but could work on them after reading a few books on Security from SAP
    >
    > Thanks
    famous last words... APO & CRM are full of "features" when it comes to security. Once bitten, twice shy

  • Need help with security design!

    Hi,
    I haven't worked with security design very much. Currently I'm about to develop an application to my father which should implement some sort of security.
    One of the reasons for this application besides making my father happy is educating myself.
    The application is an online image album.
    The security could be divided in role-based security and instance level security.
    Role-based (NO PROBLEM):
    A user cannot delete another user, an administrator can delete users.
    Instance-level (DON'T KNOW HOW):
    A user can load other users' image albums if he/she is allowed/granted to view the album and its images. Note that the user could be granted to view the album, but not all of its images.
    My problem is how I should design the "instance-level" security? Should I keep an ACL (Access Control List) with each instance of album and image?
    This seems to be a common functionality to add view/load/read/write permissions to an instance in runtime to let a certain user to operate on an asset?
    Have searched the Internet but haven't found any nice framework to help me.
    Could anyone with some experience please help me out?!
    Kind regards, Andreas

    Hi,
    I ran into the same problem. Could you resolve it?
    please give me your feedback.
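
One way to model the instance-level check asked about in this thread, as an added example that is not part of the original posts: each album carries an ACL, and an image may carry its own ACL that can only narrow what the album grants. The `Perm`, `Album` and `Image` types and all user and image names are assumptions made up for illustration.

```python
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Dict, Optional


class Perm(Flag):
    NONE = 0
    VIEW = auto()
    EDIT = auto()


@dataclass
class Image:
    image_id: str
    # None -> inherit the album's ACL.
    # dict -> explicit per-image ACL; users missing from it are denied.
    acl: Optional[Dict[str, Perm]] = None


@dataclass
class Album:
    owner: str
    acl: Dict[str, Perm] = field(default_factory=dict)      # user -> Perm
    images: Dict[str, Image] = field(default_factory=dict)  # id -> Image


def album_perms(user: str, album: Album) -> Perm:
    """Default deny: only the owner and users listed in the album ACL get in."""
    if user == album.owner:
        return Perm.VIEW | Perm.EDIT
    return album.acl.get(user, Perm.NONE)


def image_perms(user: str, album: Album, image: Image) -> Perm:
    """An image ACL can only narrow what the album grants, never widen it."""
    base = album_perms(user, album)
    if user == album.owner or image.acl is None:
        return base
    if Perm.VIEW not in base:
        return Perm.NONE  # an image-level grant without album access is ignored
    return image.acl.get(user, Perm.NONE) & base


def visible_images(user: str, album: Album) -> list:
    """Filter on the server so hidden images never reach the client."""
    return sorted(img.image_id for img in album.images.values()
                  if Perm.VIEW in image_perms(user, album, img))


def build_sample() -> Album:
    """Constructed sample data; all user and image names are made up."""
    album = Album(owner="alice",
                  acl={"bob": Perm.VIEW, "carol": Perm.VIEW | Perm.EDIT})
    for img in (
        Image("beach"),                              # inherits the album ACL
        Image("party", acl={"carol": Perm.VIEW,      # carol: view only here
                            "mallory": Perm.VIEW}),  # no album grant -> denied
        Image("draft", acl={}),                      # owner only
    ):
        album.images[img.image_id] = img
    return album


if __name__ == "__main__":
    sample = build_sample()
    for who in ("alice", "bob", "carol", "mallory"):
        print(who, visible_images(who, sample))
```

The role-based rule from the question (only an administrator deletes users) stays a separate check; this block covers only the per-instance decision.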

  • Are there CRM training courses which would help me with building CRM security

    Hello,
        We are implementing CRM  and I am totally new to CRM. To build proper security around CRM, I am trying to find courses which gives me an understanding about CRM and the security implementation.  In addition to R/3 security courses, there are security specific courses for BW and HR which I am already familiar with.
    Can any one suggest me with relevant CRM courses?
    Thanks,

    Dear Prasanthi,
    Check the below thread which gives you some useful documents.
    CRM Security
    There are several threads with similar query in this forum. So please do a search before posting in the forums that will obviously save your time.
    Regards,
    Edited by: Lakshmi Venigala on Dec 4, 2009 5:31 PM
    Edited by: Lakshmi Venigala on Dec 4, 2009 5:32 PM

  • Security design issue

    Hi Folks,
    I've a security design issue using J2EE architecture framework in my
    project..
    Proj Requirement:
    i) User Logs-into a health b2b/b2c portal website...
    ii) Check the user exist in the database or LDAP directory service.
    iii) If exist user then check the role Patient/Insurance Provider/Physician?
    iv)If Patient then display his personal health record history.
    else Insurance Provider then display about Insurance Policy information,
    which he can update/create insurance for entered patient id. If patient has
    granted access to Insurance Provider
    and if Physician then display about hospital information like
    waiting patients,sending appointments,etc..
    The above security access control role & policy has to be implemented
    very strong. so that other user cannot view/update someone health records..
    Development tool:WebLogic Server/Oracle/LDAP.. on Linux
    Security Problem:
    i)What is the best security solution for the above requirement?
    ii)How do I authenticate/validate user using J2EE security framework?
    Can anyone explain in details or steps to implement?
    Thanks,
    -raj-

    I'm assuming that you're using WLS 6, if so check out (I know we cover this in
    the documentation but I'm guessing at the title) the "securing your site"
    guide. Some of what you're planning the WLS server can protect through good
    ACL usage. I'd recommend creating at least three groups (patient, provider,
    physician), clearly the danger lies in having a user who is a member of more
    than one group. I'd recommend implementing your own role checking at both
    the servlet and EJB levels to fully enforce information access, using
    servlet state and stateful session beans should help.
    Alex

  • Sync CRM Security with Sharepoint

    I am a CRM Developer. We had a requirement to sync security roles of CRM with groups of SharePoint. For that I have created a mapping table where I have mapped CRM security roles to SharePoint groups. I am creating a plugin for CRM. We want that when a user is added to a CRM team, the same user is added to the corresponding SharePoint group and vice versa. I have the SharePoint group name and user logon. We want:
    1. If a user is added to CRM then my plugin will check whether the user exists in sharepoint if not then create it.
    2. Add user to the desired group in sharepoint. I already have group name.
    I am new to sharepoint therefore I will appreciate if someone can explain me in details what I have to do.
    Thank you
    Regards Faisal

    Hi,
    According to your description, my understanding is that you want to sync the user between CRM system and SharePoint.
    I suggest you can use Client Object Model to add user to group. 
    For the error message, you need to load the groupcollection firstly before you loop it like below:
    using Microsoft.SharePoint.Client;

    ClientContext ctx = new ClientContext("http://foo");
    // get the groups
    GroupCollection grps = ctx.Web.SiteGroups;
    // load up the group info
    ctx.Load(grps);
    // execute the query
    ctx.ExecuteQuery();
    // enumerate (safe only after ExecuteQuery has populated the collection)
    foreach (Group grp in grps)
    {
        // do something with each group
    }
    More information:
    Using the SharePoint 2010 Client Object Model
    How to: Work with Users and Groups
    Thanks
    Best Regards
    TechNet Community Support

  • How SCCM works internally, about design concepts and working principal of ConfigMgr?

    Hi Guys,
    Could you please recommend any data or link which explains
    how SCCM works internally, and the design concepts and working principles of ConfigMgr?
    I have gone through many sites and videos, but they only talk about how to work with SCCM features; they do not talk about
    how SCCM works or the inner workings of ConfigMgr.
    Thanks very much in Advance!
    Regards,
    Chandan

    Not really sure what you're looking for here. Not much is explicitly published on the internals and most of what is "known" is anecdotal or based on reverse engineering by the community. There are specific things that have been documented fairly well, but those are scattered among various blogs. We can potentially address direct questions here in the forums or point you to that info, but there's not much to really direct you to as a single source because it doesn't really exist in general.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Help With Bringing My Photoshop Designed Concept To Life In Flash CS3

    Ok, basically I have made a flat image in Photoshop
    of what I want my Flash file to look like.
    I do not really have any experience in Action scripting,
    so I'm hoping you guys can just pick at the image and tell me
    how to do some of the stuff.
    I don't expect someone to tell me how to do everything,
    although it would be very much appreciated.
    I think what I'm really trying to make here is a scrollable
    text field
    and a mini photo viewer. Directions to tutorials or given code
    will be appreciated.
    But here is the link to the concept i designed -
    http://i150.photobucket.com/albums/s94/JDot_Ltd/HomePageConceptcopy.png

    Hi -- just a few comments --
    The easiest way to get scrollable text is to use the TextArea
    component (open the Components window, drag a TextArea component
    onto your stage, change the X,Y,Width and Height properties in the
    Properties window, and switch to the Parameters window (while the
    component is selected) to change the text). However, that won't look
    as cool as what you want so you may want to program your own.
    In broad terms, you'll create a Symbol for each of the
    following: the Up arrow in the scrollable text, the Down arrow, the
    Next button for the photos, and the Previous button. When you drag
    each of those symbols to the stage, you'll give the instance a name
    in the Properties window. Then in the Actions window you'll add
    some code to add event listeners to each of those instances on the
    CLICK event, and the functions you write to be the event listeners
    will move the text around or change the image.
    If you know and have Illustrator it might be a preferable
    design tool -- it's easy to copy your vector art directly from
    Illustrator to Flash and have small file size for your SWF.
    Good luck,
    Bob

  • Is file created by report CRMD_UI_ROLE_PREPARE mandatory in CRM Role Design

    Hi All,
    The CRM 7 security guide mentions usage of the file created by report CRMD_UI_ROLE_PREPARE for designing roles. Can anyone suggest whether it is mandatory to run this report?
    I have designed Role, WITHOUT using this report.

    Hi Raghu, your explanation is not clear to me.
    My understanding: the report produces the file from a Business Role, which contains Services/BSPs, etc. This file needs to be imported into the Menu tab with the option 'Import From File'. So, when these Services/BSPs are added into the Menu tab, they will auto-populate their SU24 entries (authorization objects) in the Authorization tab (like for Transaction Codes).
    Could you be clear on "report CRMD_UI_ROLE_PREPARE will help you with generating the CONTENT automatically", as mentioned by you? Which CONTENT: the entries (Services, etc.) in the Menu tab OR their SU24 auth. objects?
    Also, "you can import the file from PFCG profile menu" is not clear. Which MENU are you referring to here? The MENU tab which contains Services/BSPs, Transaction Codes etc., OR the MENU bar inside the Authorization tab?
    Could you suggest on this, as this is what I am desperately looking for.
