Maintenance of Authorization for transactions in CRM 5.0.

Hi Experts .
We are using CRM 5.0 with PCUI.
TheBusiness  requirement is to maintain authorization for own transactions.the users who is involved in transactions should only be authorized to  Open & see the transactions.Other users who are not involved in partner function like "Assigned to" & "Account responsible " should not be able to open &  see the transactions like Activity .Lead , Opportunity ,Sales orders.& Service orders.System should give error message saying no authorizations.
We tried with below authorization objects to achieve this
CRM_ORD_OP (your own documents)
- CRM_ORD_LP (organization levels)
- CRM_ORD_PR (transaction type)
- CRM_ORD_OE (sales area/service Org).
- CRM_ORD_RL
- CRM_ORD_RS
But still system allows to open transaction belong to others.
Is there any alternative to control this.
Helpful answers would be rewarded max points.
Thanks in Advance.
Regards,
Basavaraj Patil

Hello
in order to check authority object CRM_ORD_OE,
CRM_ORD_OP and CRM_ORD_LP must not give authority. Please see
online documentation for detailed information:
http://help.sap.com/saphelp_crm40/helpdata/en/e9/
b29a39e7aee372e10000000a11402f/frameset.htm
Under the chapter 'Process Flow of Authorization Check in Business
Transactions' you will find detailed explanations.
I hope that I could be of help with that information. 
Gerhard

Similar Messages

  • Cancel a SD invoice error message "no authorization for transaction FB08"

    Hi Gurus,
    I am trying to cancel a SD invoice and am receiving the error message " no authorization for transaction FB08" is coming. Never has this happened in past, i have checked all the security authorizations also and they are in place. Accounting document status is showing as not cleared. Also, as per my understanding cancellation of invoice happens through VF11 which does not calls FB08. Please point out reasons as to why this could be happening and the possible solution thereof.
    regards
    Anmol Pareek

    Hi Anmol
    Once you got the error screen, immediately after that goto T code SU53 and expand all link. Take the screen shot and send it to your BASIS team to provide you proper access.
    Yes you are correct cancellation is done through VF11 but sometime some programs internally calls other T codes.
    take help of your basis team.

  • Authorization for transaction VL09

    Hi Experts,
    I have a requirement to get authorization for transaction VL09 for specific user based on document type of the delivery. Please let me know is there any specific enhancement point or user exit to add authorization group for this.
    Thanks,
    Karthikeyan.

    Hi,
        Please check the below ...
    Enhancement
    V50S0001                                User Exits for Delivery Processing
    Business Add-in
    DELIVERY_ADDR_SAP                       Address Change in Delivery Processing
    DELIVERY_PUBLISH                        Announcement of delivery data during database update
    Regards,
    Srini.

  • Authorizations for transactions MIR6/MIR4

    Hi All,
    Need help to setup a security rights for transactions MIR6/MIR4.
    Here is the situation:
    We have setup an user profiles which allow the users to access
    transaction mir6 (provide a list of Invoide Documents(BELNR)which will
    lead into transaction MIR4, but we only want this group of users have
    the ability to Held the document NO POSTING RIGHTS. I have set user with role:
    MM_RELEASE_INVOICE users can access
    Please advice on how to go around with this security problem.
    Thanks in advance.
    Srii...

    Hi,
    one possible solution (though not tested personally) is via
    badi INVOICE_UPDATE and method CHANGE_AT_SAVE.
    Within this method you can do something like:
        CHECK sy-tcode = 'MIR4' OR sy-tcode = 'MIR6'.
    * Get OK-CODE of the main window
        CONSTANTS: c_okcode(17) TYPE c VALUE '(SAPLMR1M)OK-CODE'.
        FIELD-SYMBOLS: <fs_okcode> TYPE ANY.
        ASSIGN (c_okcode) TO <fs_okcode>.
        DATA: l_okcode LIKE sy-ucomm.
        CLEAR l_okcode.
        l_okcode = <fs_okcode>.
    * Read user authorizations with FM
    * SUSR_USER_AUTH_FOR_OBJ_GET
    IF USER NOT ALLOWED.
    * Do not allow posting
          CASE sy-ucomm.
            WHEN 'BU'.
              CLEAR <fs_okcode>.
              MESSAGE e061(zxxx) RAISING error_with_message.
          ENDCASE.
    ENDIF.
    Best regards.
    Edited by: Pablo Casamayor on Oct 31, 2008 7:51 PM

  • Authorization for transaction created in se80

    Hi all , i have created few transaction in se80 , now i want my transaction to run only if the person authorised for that is using that , means authorization for these  transactions so can i do this in this way, pls reply if anyone know the procedure

    Hi Ado,
    You also have disable other Auth. Objects (CRM_ORD_LP CRM_ORD_OP,CRM_ORD_TE), because they work together.
    Please, see screenshot under Business Transaction  ->Authorization Check in Business Transactions  -> Process Flow of the Authorization Check in Business Transactions:
    http://help.sap.com/saphelp_crm70/helpdata/EN/f6/57fa3ab5573919e10000000a114084/frameset.htm
    Regards,
    Vadim.

  • Authorizations for transactions MIR6/MIR4/MIR7

    Dear Reader
    Need help to setup a security rights for transactions mir6/mir4/mir7.  
    Here is the situation:                                                 
    We have setup an AP user profiles which allow the users to access      
    transaction mir6 (provide a list of outstanding PARK document)which will
    lead into transaction MIR4, but we only want this group of users have  
    the ability to park/view the document NO POSTING RIGHTS. I have set the
    security on object M_RECH_WRK to 3 (display only) than it will cause the
    the other problem which is the user can not access transaction MIR7, BUT
    if I grant access 77 (pre-enter) to object M_RECH_WRK than the users can
    access transaction MIR7 AND HE HAS RIGHTS TO POST IN TRANSACTION MIR4. 
    Please advice on how to go around with this security problem.
    Thanks in advance.
    Regards
    Tony

    Have you got answer to this question, can you try to restrict the user based on authority object "F_BKPF_KOA", Its being checked while trying to post.

  • Region based authorization for user in crm

    hi
    In our project, there is a requirement that CRM users should be able to access master & transactional data related to a region for which they are responsible.
    I was told that it can be achieved using PPOMA. I have defined org units for region and assigned positions to it. But I don't know how to proceed further.
    Please help me in resolving this.
    thanx & regards
    hits

    i'm fairly sure that solely using PPOMA/E will not do the trick. what you can do there is implement the structure of your organization and attach roles to either org units or positions. after that you attach users to the positions so that they will have the access to the authorizations that stick to that position. additionally you might want to put some roles to the org units to establish an interitance from org unit to position to user. this is very nice for the 'overall' basis role everybody needs.
    but now for your question. the elements that represent your 'regions' must be someplace in the role - preferably in the organizational levels of that role - like say: a plant or purchasing group or sales unit or such - the relation from that organization level to the user will be drawn manually by your attaching the role to a position (or org unit). the emphasis here is with 'manually' - so you do it.
    so. this all goes for ERP, but not necessarily for CRM. since i know next to naught about CRM it might be different there but i very much doubt it, since you could ALE-distribute your users/org-scheme to - say: a CRM system belonging as a child to a CUA so necessarily it would have to follow the same structure. mind you: i might be wrong ...

  • Authorization for transaction SE11 & SE12

    Hi experts,
    I need to assign authorization to SE12, but not to SE11.  I did find the authorization objects for SE12 & SE11 & found S_DEVELOP is marked to be checked in both from SU24.
    In my Role the activity is set as change, display.
    But I am able to access both SE11 & SE12.
    Could you let me know where is the control to exclude access to SE11 & only grant SE12?
    Thanks,
    Pri

    >
    Anne Pri wrote:
    > Could you let me know where is the control to exclude access to SE11 & only grant SE12?
    >
    > Thanks,
    > Pri
    Hi Pri,
    The way I read your question it sounds like you want to not give access to the full transaction of SE11 and only to SE12.
    The authorization object that controls that is S_TCODE.
    Most likely you have the value * in the field TCODE.
    What you need to do is to create a range that excludes the transaction(s) you do not want.
    As example:
    from 0*         to SE10
    from SE12    to Z*
    However, there are many more transactions that you should not hand out to developers.
    Just some transactions as example
    SU01 User management
    SCC4 Client maintenance
    SCC8 Client deletion
    I would also like to point out that it is a wiser way of working to give access to functions that should be accessed, rather than to take away authorizations of functions that should not be accessed.
    Best regards
    Fredrik

  • Authorization for transaction types in webui

    Hi,
    we would like to set authorizations to create and edit only certain transaction types for some users.
    I tried with object CRM_ORD_PR
    activity 01,02
    transaction type Z1,Z2
    but on the webui all the transaction types are still available...
    what's wrong?
    Thanks, Ado

    Hi Ado,
    You also have disable other Auth. Objects (CRM_ORD_LP CRM_ORD_OP,CRM_ORD_TE), because they work together.
    Please, see screenshot under Business Transaction  ->Authorization Check in Business Transactions  -> Process Flow of the Authorization Check in Business Transactions:
    http://help.sap.com/saphelp_crm70/helpdata/EN/f6/57fa3ab5573919e10000000a114084/frameset.htm
    Regards,
    Vadim.

  • Authorization for Transaction in BDC

    Dear All,
    We are facing a problem in our implementation. We have developed a Custom Program an in that we are using a BDC of Transaction FB60. However, the requirement is that if the user wants to run T.Code FB60 from SAP GUI straightaway; he/she should be stopped doing it. But if he/she uses that Custom Program (Z-Program), it should not stop them.
    Does anybody have the idea as to how the Authorization strategy can be devised for this kind of issue?
    Thanks,
    Shalin Shah

    Hi Shalin,
    Don't assign user the transaction code FB60  (S_TCODE should not have FB60). This will prevent the user to run the FB60 directly, however, you will have to add the required authorization objects manually so that the BDC program runs. (a quick authorization trace (ST01) would give you the auth objects checked)
    SU24 for FB60 : these should be added manually to user's roles.
    F_BKPF_BEK
    F_BKPF_BES
    F_BKPF_BLA
    F_BKPF_BUK
    F_BKPF_GSB
    F_BKPF_KOA
    F_FAGL_SEG
    Cheers !!
    Zaheer

  • Missing authorization for transaction VC/2 (Sales summary)

    Hi Expert,
    I am running transaction VC/2, but I get the message VB500 "the list is incomplete due to missing authorizations".
    Via transaction SU53, I see that it is object M_INFO_MCB with auth. field MCINF which is missing.
    Do you know what this object field is about?
    Thank you.
    Kind regards,
    Linda

    Hi,
    First goto SUIM T.Code.
    click on "Authorisation Objects".
    Select "Authorization Objects by Complex Selection Criteria".
    Enter "M_INFO_MCB" as "Authorization object".
    Execute.
    It shows that this is related to "Evaluation: Evaluation Structure".
    The path is:
    SPRO>Logistics General>Logistics Information system(LIS)>Flexible Analyses>Select layout reports for evaluation structures.
    Maintain values here.
    Save.
    Regards,
    Krishna.

  • Authorizations for BP in CRM 2007

    Hello Experts,
    The requirement is that certain Users should not have access to BPs starting with 4 series no (eg 400100) and another set of users shouldnt have access to BP starting with 6 series no (eg 600001). These two no. ranges are also linked to seperate Account groups. I tried restricting the Roles, Acct group etc in PFCG (B_BUPA_ATT, B_BUPA_RLT) but still when the user searches for the BPs all of them are displayed in theSearch result.
    Any help would be highly appriciated.
    Regards
    Suhel

    Suhel,
    Please refer to notes 1392467 and 1129682 to read about supporting this authority objects in new CRM versions.
    As alternative variant I can offer implementing ACE, you can read more information about this here:
    /people/boris.dingenouts/blog/2006/09/18/the-concept-and-implementation-of-crm-ace
    /people/ravikiran.chittum/blog/2007/09/19/configuration-implementation-of-crm-access-control-engine-ace-part-1
    /people/ravikiran.chittum/blog/2007/10/01/configuration-implementation-of-crm-access-control-engine-ace-part-2
    BR, Arthur.

  • Authorization For transaction

    Hi All
    I have an issue with authorization.
    Actually basis people blocking Standard trnsaction 'MB1A' and i am using in my report through call Transaction in BDC and when i am excuting report Authorization Error coming.
    Means i am not able to acess Transaction throuogh Report because its blocked by basis.
    So, Is it basis issue or ABAP issue?
    If basis issue please Provide me solution How basis Person can block Transaction Access directly but it should access through report.

    Check out the below notes:
    [SAP Note# 358122|https://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=0000358122&nlang=E]
    [SAP Note# 515130|https://websmp108.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=515130&_NLANG=E]

  • Authorization for customized transaction

    Hi,
         In our system, developers create one transaction ZSIDUPDATE.
    Whenever I (Basis Admin) hit this transaction, error "No Authorization for Transaction" is occurred. I don't understand why the error is for authorization for this customized transaction because I have SAP_ALL & SAP_NEW profile.
       Can anybody give the solution?
    Regards,
    Rajesh

    Hello Rajesh,
    Check the report behind ZSIDUPDATE. I suppose there must be some kind of code which will allow only certain user to execute it based on their user ids. Either the user ids will be hardcoded or else they are being picked up from some table. This is not a classical authorization error. You may set a trace also but debugging is best. it will crack it open in seconds.
    Regards.
    Ruchit.

  • No authorization for company code in MRBR

    Transaction MRBR is currently wide open. Anyone with authorization to this transaction can unblock invoices in any company code.
    Standard security profiles can only restrict users at universal (*) or purchasing group level. We require control on company code.
    OSS 399953 suggests creating validation rule (GGB0) to test user authorizations for transaction MRBR and authorization object F_BKPF_BUK.
    Can anyone supply the validation coding to solve this security problem?
    Is anyone familiar with this problem ? Do you have a solution ? also None standard SAP solutions are welcome
    Thanks in advance
    Greetings,
    Vincent

    Hi Vincent
    Another option could be to implement an authorization check in the BAdI MRM_RELEASE_CHECK - this is, of course not Standard.
    The code could look somthing like this:
    DATA: wa_rbkp_blocked TYPE mrm_tab_rbkp_blocked.
      LOOP AT i_rbkp_blocked INTO wa_rbkp_blocked.
        AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                 ID 'BUKRS' FIELD wa_rbkp_blocked-bukrs
                 ID 'ACTVT' FIELD '02'.
        IF sy-subrc EQ 0.
          APPEND wa_rbkp_blocked TO e_rbkp_blocked.
          CLEAR wa_rbkp_blocked.
        ENDIF.
      ENDLOOP.
    Regards
    Morten Nielsen

Maybe you are looking for

  • Upgrading from 8.6 to 9.2.2

    We have a solid workhorse at our Publishing firm that our editor does not want to get rid of. So to get the 'blood out of the stone' I need to max it out as possible. 1. Where is the best and affordable place to get memory for an iMac 233MHz? 2. Wher

  • No error message, but no mail sent - need help troubleshooting

    I'm having a problem with sending email since I moved my site to a new server. Trying to get to the bottom of it. Question: if I do props.put("mail.debug", "true") to turn on debugging, where does this output debug statements to? I'm on a linux serve

  • Can't get Officejet Pro 8500A to print using a Bigpond wireless network

    I phoned Bigpond for assistance and was told that the HP OfficeJet Pro 8500A needs to use a wireless router.  Is this the case?  I reinstalled the HP software on the computer but when I selected the Router/Wireless connection wasn't able to detect th

  • How do I create holes through multiple layers?

    I'd like to use boxes to punch holes into the layered artwork below them. I want the result to look exactly like this image, but with the white boxes being transparent holes. This seems so simple, but I can't find any combination of layers/pathfinder

  • [SOLVED] Fastest way to convert entire music library to ogg?

    Hey, I have a music library of about 100gb on my server, and since I'm starting to run out of space, I have been considering converting all the music (currently in mp3 format) to ogg vorbis to save some space, but not loose quality. I installed the m