ICSS: authorization in SAP CRM 7.0

Similar Messages

• Question regarding Authorizations in SAP CRM 7.0

  Hello,
  The problem is this:
  We have a client who will use two ways of accessing SAP CRM 7.0 data -
  1. CRM Web UI
  2. Mobile devices via standard SAP CRM BAPIs
  Now the situation is that the client wishes to control display authorizations based on the Business Role. Certain Business Roles can allow its User to see Accounts where the User is also Employee Responsible and certain other Business Roles can allow its User to see all those Accounts that are associated with that Role. In summary Business Roles control what an User can see.
  This has already been implemented for the CRM Web UI using the Access Control Engine (ACE).
  Now the questions are:
  1. How do we implement this for BAPI Access?
  2. Should we recreate what has been achieved by ACE, via PFCG Authorization Profiles?
  3. Can we not reuse what has been done by ACE?
  4. What are the runtime APIs that allow somebody to use the authorization checks of ACE?
  5. Does the standard Function Module CRM_ORDER_CHECK_AUTHORITY_ACE help in this regard?
  Any help here will be greatly appreciated. Please let me know if you need any clarifications.
  Thanks in advance.
  Best regards,
  Sudhi

  Hello,
  Normally, some notes are recommended in addition to the current support package implementation because they were developed to solve any known issues. These known issues occurred as side effect of any note which belongs to the implemented support package.
  If you take a look at older release notes, you will see the same.
  This is a part of implementation stack.
  1345085  SAP SRM 7.0 SP Stack 04 (09/2009):Release & Information Note 
  1365574  SAP SRM 7.0 SP Stack 05 (12/2009):Release & Information Note   
  1436687  SAP SRM 7.0 SP Stack 06 (03/2010):Release & Information Note 
  Kind regards,
  Ricardo

• Authorizations SAP  CRM 7.0

  Hello experts,
  I have doubts about the authorization in SAP CRM 7.0.
  The issue is, our commercials in the system should see only their customers,  the system will know who are their customers by the relationships.
  So we want user to see only BPs who have a relationship with the user.
  I have been investigating and I have found the ACE functionality ( Access Control Engine)  It seen ACE meets our requirements but  I am not sure.
  It is possible to use ACE in CRM 7.0? I ask it because I have read lots of information about the use of ACE in CRM with EP (CRM in portal) and I know it is not possible to use ACE on SAP Gui, so I am not sure if it is possible to use it on CRM 7.0.
  Also I am not sure whether I can covert requirements ( showing BP base on relationship with the employee), by using other functionality of CRM such as PFCG authorization?
  Thank you very much in advance.

  Hi Luis,
  You need to create a authorization object with 'sales rep' ou 'sales office' key.
  Your commercials are linked with these objects in master data? If no, create the link.
  After, in PFCG, create the key, as I said above, and done.
  Rgs,
  Fábio

• S_DEVELOP authorization needed for CRM Web Client in SAP CRM 7.0?

  We implemented an own WebUI component in SAP CRM 2007 and use it in others components (with USAGE).
  After we transport the component in SAP CRM 7.0 we always got an error CX_BSP_DLC_CONFIG_GENERAL_ERR at loading the component. But if we set the permission to SAP_ALL all thing work fine.
  In SAP Note Nr. 1367944 we read:
  "It is not possible to run the CRM Web Client without the S_DEVELOP, activity=03
  authorization because it is needed by the Web Client Framework.
  The S_DEVELOP authorizatin is part of the SAP_CRM_UIU_FRAMEWORK PFCG role, which must
  be assigned to every user."
  "This dependency has been removed in CRM 7.0."
  Do we need to install some other SAP Notes at SAP CRM 7.0?
  Many thanks for advices!
  Handri Gunawan

  Hi Handri,
  I asked my collegue here, who created the note.
  The note is correct, in CRM 7.0 you do not need S_DEVELOP anymomre.
  The error that you have might occur because of another reason.
  Could you track the call stack of this exception?
  And send me back the call stack?
  Regards,
  Steve

• Issue with special characters in SAP CRM ICSS application.

  Hi ,
  I have issue with the special character in CRM web application.
  1. In CRM IC Webclient application(5.0) . i am copying and pasting some special characters in the description of the service request document. then this is saving the character as it is.
  But when i am opening the same service request in SAP CRM  ICSS(Internet Customer Self-Service) application, then the special characters are converting to different characters.
  I am not sure whether this is the right forum for this or not.
  Can anyone please suggest how can i correct this. Or is there any standard solution to handle the special characters in ICSS.
  Thanks
  Sudhansu

  misunderstood =/
  Original (Coming - output):  "<PAY_TXT>PAYκ Contact your bank or financial institution to make this payment from your cheque, savings, debit or transaction account.</PAY_TXT>"
  it's in output but what is data in database ?
  sorry but without knowing about source data for forming the xml i haven't ideas about your problem
  in db it's "TM " or "™" or ... ?
  Original (Coming - output):  "<PAY_TXT>PAYκ Contact your bank or financial institution to make this payment from your cheque, savings, debit or transaction account.</PAY_TXT>"
  Something like XAE or "K" after PAY Value in the xml tag and continued the text value.  (Tag value is not getting copied exactly here - i am sorry for that )
  that's ok. i need to see the problem not the data as is
  Expected (output):  "Here it needs to produce the "PAY TM" (Here "TM" should be super scripted to "PAY" Value in tag).
  as super scripted in xml?
  as idea - you can have <PAY_TXT>PAY TM</PAY_TXT> and in publisher set TM as super
  Designing XSL Subtemplates - 11g Release 1 (11.1.1)

• Pop-up screen not showing while accessing transactions in SAP CRM WEB-UI

  When we are logging on SAP CRM WEB UI, for transactions like Lead, Complaints and Activities-
  Sometimes Pop up screen is showing for selecting transaction types, but sometimes it is not showing.
  We have tried it on different work stations with same user id and standard business roles , but we are not able to trace the problem. Also with same id sometimes error shows, "No business roles attached, not allowed to logon,
  after that when we tried on other workstation with same id we were able to access all transactions.
  Please suggest what would be the problem. 
  Rishikesh

  This is sporadically occurring issue hence I cannot pin point one single reason. Since sometimes you are able to logon and some time not certainly it could not be a Role authorization issue.
  Just check if your business role is properly configured. Thats all i can say.
  Regards
  Kavindra

• Sap CRM 2007 Security related issue

  Hi All,
  I am working on SAP CRM 2007 security.
  I have scenario, which we are trying to fix.
  There are two users A and B.
  A is assigned to role X
  B is assigned to role y
  Business Partner 123 is created for user A
  Business Partner 456 is created for user B
  These Business Partners are assigned to Authorization Groups.
  See below:
  1)Authorization Group (LK01) is assigned to Business Partner --123.
  2) Authorization Group (LK02) is assigned to Business Partner --456
  3) Authorization groups LK01 is assigin to user A in PFCG role X
  4) Authorization groups LK02 is assigin to user B in PFCG role Y
  a) User A assigned with PFCG role X>Authorization Group (LK01)>BP 123.
  b) User B assigned with PFCG role Y>Authorization Group (LK02)>BP 456.
  Note:
  1) Authorization Groups are assigned to BPs under the Control tab.
  2) These Auth Groups are assigned in Authorization Object in PFCG role.
  Now, USER 'A' should not be able to work under the BP 456 as this BP is assigned to authorization group LK02.
  The issue is when we open the WEB UI and login with user A role X, He can search for the BP 456 assigned to Auth Group LK02.
  User A can open the Interaction History and edit the Service Order created using the BP 456.
  He can Edit the following in Service Order details:
  1) General Data Status (from created to complete), Contact person, Sale Rep name.
  2) Organization Data like Sales Office, Sales Org Unit, Distribution Channel
  3) Business Partner.
  However, one good thing is he cannot edit the Account details like Account ID, House No, Employee Resposible, the message he get is "No authorization to change partner with authorization group"  which is a
  good thing.
  I have tried to be precise, please let me know if you require more information.
  Regards,
  Dave.

  I suggest the following:
  Please, check whether the system works if you activate the implementation BUPA_F4_AUGRP.
  In addition check the notes 559662, 674869 and 782927. Maybe the notes are already implemented but you can try then the implementation of the BADI (SE19). It should resolve your issue.
  I have implemented this Badi solution before, and after activation; the search help ; nor search result list did NOT show any Business partners anymore that had an authorization group I was not allowed to see.
  kind regards
  Davy Pelssers
  SAP CRM/Security consultant

• New JAVA application with data from SAP CRM and R/3

  Hi All,
  We have a requirement to create a new application which will have CRM BP Master data and D&B Data from R/3 and based on authorization different roles be able to edit some of the fields and workflows to confirm the new data .Once users edit the fields in the application the new data will be replicated back into BP Master Data in CRM.
  In our company we are using CRM 7.0 and R/3 4.7 system if we decided to create the application using JAVA can you please let me know the architecture(servers etc) we might need because of the JAVA application.
  How to connect Java application to SAP CRM 7.0. Can you please guide me the data flow structure
  I am not sure if this is the right forum if not please suggest appropriate forum.
  Thanks a lot ,
  Kitcha.

  Hi,
  You can connect to SAP Systems by consuming the RFCs.
  you can use the JCO API to connect to R/3. the [documentation |http://help.sap.com/saphelp_nw04/helpdata/en/6f/1bd5c6a85b11d6b28500508b5d5211/content.htm]
  alternatively  you can use SAP Enterprise Connector to generate JCO Proxies : [The Documentation|http://help.sap.com/saphelp_nw04/helpdata/EN/ed/897483ea5011d6b2e800508b6b8a93/frameset.htm]
  and somr more helps:
  http://help.sap.com/saphelp_nw04/helpdata/en/89/8a185c148e4f6582560a8d809210b4/frameset.htm
  Regards,
  Naga

• Difference between SAP CRM Security and SAP ECC 6.0 security

  Hi
  I have extensively worked on SAP ECC security but haven't have chance to work on CRM Security.
  Can anyone please let me know the difference between CRM security compared to  ECC security.
  Thanks...

  I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...
  really sad.....
  The big  difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:
  1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place
  2)  If you are familiar with R/3 or ECC authorizations; then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level , whereas in SAP CRM , in most cases the 'allowed activity is not controlled by the Transaction code, but on authorization object level....
  E.g. transaction code BP allows you to create/change/display  any type of Business Partner (e.g; sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....
  another example is business transaction processing...which can be launched by:
  a very generic transaction code: CRMD_ORDER
  transaction category related transaction codes :e.g.
        > CRMD_BUS2000126 for activity management
        > CRMD_BUS200115 for Sales processes
  Again...allowed activity is not controlled by the tcode, but on authorization object level...
  3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links....  controlled by object UIU_COMP.
  However, they also introduced the BUSINESS ROLE Concept (e.g; SALESPRO/MARKETINGPRO/...) which defines actually the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.
  Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....
  STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)
  4) Additionally SAP also provides a concept called ACE (which stand for ACCES CONTROL ENGINE)....
  This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....
  You should now that ACE is actually implemented on top of your 'normal' sap crm security setup....
  cheers
  Davy Pelssers

• Authorisation in SAP CRM 7.0

  Hello gurus
  How to work on Authorisation in SAP CRM 7.0
  1)If we want to deactive the Buttons like  Show configuable area,configure page ,Personlize which we see on the right top of the screen in WUI
  Your support is appreciated

  Hi,
  In CRM 2007, CRM7.0, SAP delivers standard roles which helps to run the business smoothly.
  However, if customer wants to change any standard business role, it is suggested to copy it to Zrole and change the authorizations for the corresponding PFGC roles. To change any standard authorizations of PFCG roles, one has to go to PFCG transaction in SAPGUI and should do the required changes.
  Please find more info in the following links:
  Customizing Business roles: http://help.sap.com/saphelp_crm70/helpdata/EN/6e/aab73e83764b4c897efce7020d562f/frameset.htm
  Maintaining Authorizations:
  http://help.sap.com/saphelp_crm70/helpdata/EN/52/671617439b11d1896f0000e8322d00/frameset.htm
  Hope this helps!
  Regards,
  Chethan

• Issue in Migrating Attachments from Siebel to SAP CRM

  Hi All,
  We are doing Data Migration for Attachments into SAP CRM from Siebel. and have an issue for migrated attachments showing blank pages while opening in SAP CRM.
  We  have used all the formats of converting the data into binary and loading the attachments from Application Server.
  But the PDF/File open with blank pages.  The no. of pages in the original attachment and the migrated file from application server matches.
  May i know the best approach of meeting the above Requirement .. Its prioritized issue !!
  Thanks a lot !!

  Go to sm58-->Select IDOC_INBOUND_ASYNCHRONOUS this function module, in menu mar select edit--> execute LUW.
  or take help from sap basis team, can you please check user in the source system have authorizations profile. 'S_BI-WX_RFC' for this u can refer sap note :150315.
  if you need more information refer this document:
  How to check a BW - SAP source system connection - SAP NetWeaver Business Warehouse - SCN Wiki

• Authorization check in CRM ISA

  Dear All,
  I need some small help.
  We have SAP CRM ISA MSA 5.0 SP8. We need to create some roles for the end users who access the system via the CRM Webshop. But we are not able to trace what authorization a user requires or lack. Like when I give a role which doest not contain the required object, few functions in the CRM webshop does not work. But we are unable to trace it, do we have something similar to su53 or a a trace (st01/st05). I tried actiavating the trace, but it does not work.
  How do I know which object is checked/missing when user clicks something in a webshop?
  Please help me in this.
  Will surely reward points if I find anything which helps me.
  Thanks.
  Rajeet

  Hi Rajeet,
  The following links would help you to some extent.
  http://help.sap.com/saphelp_nw70/helpdata/en/03/37dc4c25e4344db2935f0d502af295/frameset.htm
  http://help.sap.com/saphelp_nw70/helpdata/en/43/3ab19fa272376de10000000a422035/frameset.htm
  Cheers
  Soma

• Needed SAP CRM Data model with Object, Entity and Attribute level details

  Hello all,
               We are working on a huge IS-U / CRM implementation and we are still in the data gathering phase. The client has a whole load of legacy systems that will be replaced with IS-U and CRM. Right now we are in the process of developing data models using Excel first and then presenting them to the client to go forward from there. For this we need to have all the business objects, entities and their attributes.
  I know about the SD11 transaction, but we don't have a CRM system yet. My colleagues have access to a German ERP system and they were able to get models for HR, FI and Asset management. I tried for the Business partner / customer in there, but the models were not proper.
  So, once again, I need the specific data models out of SD 11 for  CRM business partner. If anybody has the information, please do pass it on to me as I need them urgently. It would be a great help if somebody can do so.
  Regards
  Rajesh

  I suggest the following:
  Please, check whether the system works if you activate the implementation BUPA_F4_AUGRP.
  In addition check the notes 559662, 674869 and 782927. Maybe the notes are already implemented but you can try then the implementation of the BADI (SE19). It should resolve your issue.
  I have implemented this Badi solution before, and after activation; the search help ; nor search result list did NOT show any Business partners anymore that had an authorization group I was not allowed to see.
  kind regards
  Davy Pelssers
  SAP CRM/Security consultant

• Configurations required for  PME and SCE in SAP-CRM 2007

  Hi Friends
  How to configure the PME and SCE in SAP-CRM 2007.
  If u have any documentation avilable for those two topics regading the implementation of e-Commerce application.
  Waiting for ur reponse..
  Regards
  Satish.

  Hi Mia,
  Authorization group is available in the old versions and basically this help in defining new authorization groups and you can define what can be done with these authorization groups as what can be edited and what cannot be and this is done on SPRO. These authorization groups are entered in the authorization group and the user who has this authorization object will be able to work on the account.
  So the business role in CRM 2007 has a PFCG role and the authorization profile that you created are assigned to the business role and users are assigned to the business role.
  There are also few authorization objects to maintian the BP relationship and see if you can use these combination to check if it meets your requirement.
  Hope it clarifies and if useful please reward points
  Thanks
  Srini

• Authorization restriction for CRM 2007

  Dear Experts,
  We are in process of defining the authorization matrix for CRM 2007 for end users who will be using Web UI.
  Here my requirement is the service orders created by USER1 should not be displayed by USER2 and vice-versa when they do a search in both Web UI and GUI in Tx CRMD_ORDER for service orders.
  Please let me know how can I acheive this and what is the auth. object for the same.
  Thanks & Regards,
  Sharath

  Dear babu,
  If I understood your request, you want that, only one user will be able to access the document. If you want to do that, this is the answer:
  At tcode PFCG you shoud set:
  First you must set what type of document will be avaible to the user, in this case Z020.
  CRM_ORD_PR: PR_TYPE 'Z020',ACTVT '*'
  Next you must set which activities they will be able to do (notice, you must set the same field in the previsou object(
  CRM_ACT: ACTVT u2018*u2019
  And then you set which partner function or partner category are able to access the document, here is the main point !
  In this example I set that only users who has Partner Category (not partner function) Employee Responsible (std partner category 0008) are able to access the document
  CRM_ORD_OP: ACTVT '', PARTN_FCT '', PARTN_FCTT '0008'
  Here you can notice again field ACTVT, here you will set what user are able to do, "*" means everything, "1" = create, "2" = modify, etc. (I can see the list at PFCG, adding the auth. object to the PFCG profile).
  I notice only std partner function or partner category works with this object. I sent a message to sap support, and they confirm that, so if your user has Z partner funcition or category it is not possible to do that.
  Summary, your user must be present in the partner list of the document, and they must have a partner function or partner category std. It is possible to set together both values PARTN_FCT  and PARTN_FCTT, but I think it is not necessary.
  The easy way to do that is, user who will be able to access the document, must be the employee responsible.
  This help is very usefull
  http://help.sap.com/saphelp_crm60/helpdata/en/4a/b9f63a8ab2c745e10000000a114084/frameset.htm
  Regards,
  Lalas
  ps.: As you should know, only one partner function must have partner category Employee Responsible, in the partner det. procedure, otherwise, you will get error message in your application.