CRM Security

HI all,
In crm using the object CRM_ORD_OE , we can restrict that we can create oppurunities in a particular sales org of the Organization structure,Is there any authorization object to restrict the creation of opputunities to a particulat territory.
thanks.

Are there any objects other than CRM_TERRMA and CRM_TERRDY

Similar Messages

Difference between SAP CRM Security and SAP ECC 6.0 security

Hi
I have extensively worked on SAP ECC security but haven't have chance to work on CRM Security.
Can anyone please let me know the difference between CRM security compared to ECC security.
Thanks...

I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
really sad.....
The big difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
2) If you are familiar with R/3 or ECC authorizations; then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level , whereas in SAP CRM , in most cases the 'allowed activity is not controlled by the Transaction code, but on authorization object level....
E.g. transaction code BP allows you to create/change/display any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
another example is business transaction processing...which can be launched by:
a very generic transaction code: CRMD_ORDER
transaction category related transaction codes :e.g.
> CRMD_BUS2000126 for activity management
> CRMD_BUS200115 for Sales processes
Again...allowed activity is not controlled by the tcode, but on authorization object level...
3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links.... controlled by object UIU_COMP.
However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
4) Additionally SAP also provides a concept called ACE (which stand for ACCES CONTROL ENGINE)....
This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
You should now that ACE is actually implemented on top of your 'normal' sap crm security setup....
cheers
Davy Pelssers

Concept behind CRM Security

Hi,
I have read about variuos objects and roles to be made in CRM , but could anyone help me to understand the basic concept and difference between CRM security and SAP r/3 security.
the technical details required for implementing CRM security.
Regards
Puneet

<b><commercial_advertising_removed_by_moderator></b>
kind regards

APO and CRM security

i have never worked with APO and CRM security. can anyone walk me through them. thanks

>
george G wrote:
> Neither Have I ..but could wrk on them after reading few books on Security from SAP
>
> Thanks
famous last words .....APO & CRM are full of "features" when it comes to security. Once bitten, twice shy

Are theCRM training courses which would help me with building CRM security

Hello,
We are implementing CRM and I am totally new to CRM. To build proper security around CRM, I am trying to find courses which gives me an understanding about CRM and the security implementation. In addition to R/3 security courses, there are security specific courses for BW and HR which I am already familiar with.
Can any one suggest me with relevant CRM courses?
Thanks,

Dear Prasanthi,
Check the below thread which gives you some useful documents.
CRM Security
There are several threads with similar query in this forum. So please do a search before posting in the forums that will obviously save your time.
Regards,
Edited by: Lakshmi Venigala on Dec 4, 2009 5:31 PM
Edited by: Lakshmi Venigala on Dec 4, 2009 5:32 PM

Sync CRM Security with Sharepoint

I am a CRM Developer. We had a requirement to sync security roles of CRM with groups of sharepoint. For that I have create a mapping table where I have mapped CRM security roles with Sharepoint Groups. I am creating a plugin for CRM. We want when a user
is added to a CRM team then the same user should be added to corresponding sharepoint group and vice versa. I have the sharepoint group name and user logon. We want:-
1. If a user is added to CRM then my plugin will check whether the user exists in sharepoint if not then create it.
2. Add user to the desired group in sharepoint. I already have group name.
I am new to sharepoint therefore I will appreciate if someone can explain me in details what I have to do.
Thank you
Regards Faisal

Hi,
According to your description, my understanding is that you want to sync the user between CRM system and SharePoint.
I suggest you can use Client Object Model to add user to group.
For the error message, you need to load the groupcollection firstly before you loop it like below:
ClientContext ctx = new ClientContext(“http://foo”);
//get the groups
GroupCollection grps = ctx.Web.SiteGroups;
//load up the group info
ctx.Load(grps);
//execute the query
ctx.ExecuteQuery();
// enumerate
foreach (Group grp in grps)
// do something with each group
More information:
Using the SharePoint 2010 Client Object Model
How to: Work with Users and Groups
Thanks
Best Regards
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected]

CRM Security Design Concepts

Hello Gurus,
My Client is in a process of CRM implementation, as a security consultant , I am gathering the data from the business for CRM Role Design.
Can Anybody share their design methodology in CRM Security.
Best practices..
Thanks in Advance
-Thanks
Sam

Hi Sam,
In CRM CIC, mostly users will be accessing the CRM system via Web client. Generally an ECC or R/3 system would exist as the backend. In CRM 2007/7.0, there is a concept of Business roles (BR) & PFCG roles as described in my earlier post.
Every end user in the CRM would be assigned a Business role. Business role is created by CRM Functional Consultant & is assigned at Oranizational model/level via transaction PPOMA_CRM and corresponding PFCG role would be assigned via transaction PFCG
To create the Business role, matrix for the same would be provided by some Business Consultant in your Project. That will describe the kind of access would be given to the end-user-meaning: Work Centers, Navigational links, logical links etc. You then need to create the corresponding PFCG role for a Business role. If your Organizational model is in such a way that only one Business role is created & assigned to all users, then you need to create several PFCG roles & you need restrict access based on the requirement in these roles. Else if there are several Business roles, then mostly Business roles will take care on the access restriction, then you may need to have only one PFCG role - it depends on how the Organizational model is set up & depends on whether the maintenance burden is on the Functional Team or Security Team
Also if ECC is your backend system, roles need to be created for ECC also & they would be mapped with CRM roles as all backend work will be done in ECC system, so role matrix of both systems need to be mapped by the Business Consultant in your Project, you would then create roles for CRM & ECC system

CRM Security: Add Case from associated view on Account

I am having some issues in CRM Online...
Scenario:
User is allowed to Read all Account records in CRM but cannot Write to them. User is allowed to create new Case records and link these to any Account record.
The User must be able to create a Case from within an Account (i.e. from the Case Associated View within an Account Record).
Current implementation:
User as the following security permissions assigned:
Account Entity: Read (ORG); Append (ORG); Append To (ORG)
Case Entity: Create (ORG); Read (ORG); Write (ORG); Append (ORG); Append To (ORG)
Problem:
The User can create a Case record and link this to an Account record
BUT the user does not see the 'Add New Case' button from within the Case Associated View within an Account Record.
The permissions are correct as the user can create cases and link to Accounts but for some reason they do not see the 'Add New Case' button in the associated view.
I have done some testing and if the User has Write permissions on the Account entity then the button appears, but without that it does not. Oddly, there is a similar set up for Contacts, but the user sees the 'Add New Contact' button in the Contacts Associated
view (note that permissions for Contacts is the same as for Cases).
Has anyone encountered this problem or is there something that I am missing here?
Thanks

Hi,
customise the ribbon for case and make sure Add New Case button is visible all the times. Here is the MSDN article for how to customise the ribbon:
http://msdn.microsoft.com/en-us/library/gg309639.aspx
Alternatively use ribbon workbench from link below and alter the display rules for the Add New Case button.
https://www.develop1.net/public/Download%20Ribbon%20Workbench%202013.aspx
Hope this helps.
Minal Dahiya
blog : http://minaldahiya.blogspot.com.au/
If this post answers your question, please click "Mark As Answer" on the post and "Vote as Helpful"

CRM_ORD_OP - Auth to own documents CRM Security

Hi all,
In CRM, I built a role that should allow a sales rep( to whom the role is assigned) to display only the documents created by him using the CRM_ORD_OP authorization object . But when he clicks on the search button he is able to display all the documents which are not created by him also.
Thanks.
Neha

Hi Neha,
Refer to the following URL
<a href="http://help.sap.com/saphelp_crm50/helpdata/en/4a/b9f63a8ab2c745e10000000a114084/content.htm">Controlling options in CRM</a>
Perhaps you might need to try with the following values and see if he is still able to get access to others documents.
Apart from this try to see if the User getting hte access form some other role assigned to the user in that case u can run a trace and compare the values with
RC=0 which means that he is having access to these authorizations.
Lastly sometimes the SU24 Check is inactive make sure that its in either C(check) or CM (check/maintain) mode
Perhaps this is what the user needs accesss to.
A user wants to keep the authorization to process a document in which he himself is entered as the employee responsible.
You assign the following authorizations:
CRM_ORD_OP: PARTN_FCT , PARTN_FCTT 0008 , ACTVT
hope this helps..
Regards,
Manohar

CRM security - is look up table possible for Sales org value

I have a requirement in CRM role where the sales organization value has to taken from a table. Since this value is different between development, Quality and production.
Please advice if I can set the field to all the three values or is there way make the field value in role point to a table where the sales organization value will be maintained.

Hi ,
Did you mean to say you will have one sales org value in DEV?
another in Quality? third variation in Production?
If this is the case , its not a good practice
Answer:
If you have tried all standard options and still insist that table is the method you want to follow:
creating a custom authority object, custom field name with the option to have one of the three values from the table under the field name is possible (ABAP DEVELOPER should work with you on this ).
Regards

CRM Security help needed

Hi,
My PFCG Role Menu data external services are not appearing which is imported from a file created by report CRMD_UI_ROLE_PREPARE in the PFCG transaction. Bussiness role and PFCG role mapping is done. File created by running the report but when I am trying to import the contents by going to the change mode I am not able to see it. Can you please let me know a solution for this.
Regards----

Hi Mirza / Britney
I have encountered the similar situation when i was trying to upload the file into the PFCG role menu after downloading the file from CRMD_UI_ROLE_PREPARE.
The problem was that, i was downloading the log file and uploading the log file via the import button in PFCG, which is a very silly mistake but hard to notice, when you run the report for CRMD_UI_ROLE_PREPARE the import file for the role menu is already AUTOMATICALLY downloaded in to the SAP working directory which is C:\Users\ YOUR WINDOWS LOGIN ID \ Documents\SAP.. we have to go to thislocation and import that file into the ROLE MENU and not the log file .. see my screenshots for more info ..
Hope this answer solves your problem.
Good Luck
Uma

Sap CRM 2007 Security related issue

Hi All,
I am working on SAP CRM 2007 security.
I have scenario, which we are trying to fix.
There are two users A and B.
A is assigned to role X
B is assigned to role y
Business Partner 123 is created for user A
Business Partner 456 is created for user B
These Business Partners are assigned to Authorization Groups.
See below:
1)Authorization Group (LK01) is assigned to Business Partner --123.
2) Authorization Group (LK02) is assigned to Business Partner --456
3) Authorization groups LK01 is assigin to user A in PFCG role X
4) Authorization groups LK02 is assigin to user B in PFCG role Y
a) User A assigned with PFCG role X>Authorization Group (LK01)>BP 123.
b) User B assigned with PFCG role Y>Authorization Group (LK02)>BP 456.
Note:
1) Authorization Groups are assigned to BPs under the Control tab.
2) These Auth Groups are assigned in Authorization Object in PFCG role.
Now, USER 'A' should not be able to work under the BP 456 as this BP is assigned to authorization group LK02.
The issue is when we open the WEB UI and login with user A role X, He can search for the BP 456 assigned to Auth Group LK02.
User A can open the Interaction History and edit the Service Order created using the BP 456.
He can Edit the following in Service Order details:
1) General Data Status (from created to complete), Contact person, Sale Rep name.
2) Organization Data like Sales Office, Sales Org Unit, Distribution Channel
3) Business Partner.
However, one good thing is he cannot edit the Account details like Account ID, House No, Employee Resposible, the message he get is "No authorization to change partner with authorization group" which is a
good thing.
I have tried to be precise, please let me know if you require more information.
Regards,
Dave.

I suggest the following:
Please, check whether the system works if you activate the implementation BUPA_F4_AUGRP.
In addition check the notes 559662, 674869 and 782927. Maybe the notes are already implemented but you can try then the implementation of the BADI (SE19). It should resolve your issue.
I have implemented this Badi solution before, and after activation; the search help ; nor search result list did NOT show any Business partners anymore that had an authorization group I was not allowed to see.
kind regards
Davy Pelssers
SAP CRM/Security consultant

SAP SECURITY COURCES FOR HR, CRM and BI

Hi,
What are the courses that SAP offers for SAP SECURITY,
for HR, CRM and BI modules

You can find the info here:
www.sap.com/services/education/index.epx
As far as I am aware, there is no course covering CRM security, but look through the link and you will see there are courses for HR & BI security

S_TCODE in CRM Roles

Hi all,
I am relatively new to CRM and have the following question regarding design of CRM security roles.
We have a marketing manager who needs to log on directly to the CRM production system to execute a transaction. I have used the CRMD_UI_ROLE_PREPARE programme to create the PFCG role from the business role and this all works ok.
Now they need to be able to execute the transaction so I am wondering:
Is it good design to add s_tcode to the role with all the UIU* components?
Should transaction roles be kept seperate?
Is S_Tcode the only object used for this or are there further considerations for CRM?
Thanks.

Richard,
Since you are relatively new to CRM I suggest you obtain and look through the Security Guide for your version of CRM. From there you might have more specific questions regarding your CRM role design. Its a great start.
https://websmp208.sap-ag.de/~form/sapnet?_SHORTKEY=01100035870000401180
Thanks,
Matt

Security using custom field in PCUI

We would like to create a custom field on the header of the business partner to store information that would then be used in the security roles.
For example, we want to create a branch field on the header of the business partner and then use this field to restrict access to specific accounts within the sytem using a CRM Security role.
Does anyone know if you can use a custom field in the CRM system to restrict security within the PCUI application?
If anyone has any information, I would greatly appreciate it as we are on a crunch to get this implemented!
Thanks!

Hi Darcie,
If you add custom field and maintain value in it, i'm not sure if you can restrict access by CRM Security role.
If your users are going to be entirely based only on portal/pcui (i.e. they would not use SAP-GUI log-in) then you can consider the option of tweaking your Accounts advanced search and not letting users see certain accounts (based on the value in EEWB / custom field)
Hope this helps.
Regards,
Raviraj

CRM Security

Similar Messages

Maybe you are looking for