1/18/2016PFCG Role creation in SAP CRM Home Home About Us SAP TRAINING About Us SAP TRAINING Authors Authors Become an Author Become an Author Other SAP Resources Other SAP Resources Contact Contact Home » SAP Authorizations » PFCG Role creation in SAP CRM Search PFCG Role creation in SAP CRM 19 September 2012 | Davy Pelssers | 20 Comments | SAP Authorizations, SAP CRM About time I could free up some time to write a useful article about this topic. I will try to explain things as good as I can …let’s see . Who is this article intended for? People that have some or a lot of experience with SAP Authorizations, but have little to no experience with SAP CRM Authorizations. Transaction codes versus External Services Ok, when I started working in SAP back in 2000 most people (endusers) using SAP were actually working in SAP using transaction codes. The SAP Authorization concept was based on: Grouping relevant tasks (performed using transaction codes) and grouping them together in single authorization roles Multiple single roles were joined in composite authorization roles A transaction code was checked on the authorization object S_TCODE and other authorization objects allowing to further distinct access based on e.g. document type/material type/sales org/company code... just to name some well known examples Typically, in SAP ECC you had (and still have) different transaction codes based on the allowed activity (create /change/display ) which mostly was translated into a Transaction Short code ,followed by the allowed activity. (e.g. VA01/VA03/VA03 or XD01/XD02/XD03) > Categories Geen categorie SAP CRM SAP basic knowledge SAP SD SAP FICO SAP HCM SAP BW/BI SAP Authorizations SAP ABAP When I started working with SAP CRM (at that time it was 3.0 and 4.0 release) endusers were still SAP BASIS working with the SAP GUI and therefore evidently also using transaction code based access. SAP Career SAP Workflow The big difference from an authorization point of view was that SAP CRM did not really know the concept of separate transaction codes by "allowed activity" as compared to SAP ECC. Disclaimer Some examples: SAPUNIVERSITY.EU is not affiliated or related to any division or subsidiary of SAP® AG. The transaction code BP was used to create/change/display any business partner in the system (ranging from Customers/Employees/Contact persons/..). It was on authorization object level SAP, SAP R/3, R/3 software, R/2 software, ABAP/4 that we had to make the distinction on the allowed activity. programming language, BAPI programming interface, BWI software, AcceleratedSAP methodology, and and any other SAP trademarks are registered trademarks of SAP AG CRMD_ORDER was used to create/change/display any business transaction (ranging from activities/leads/opportunities/sales and service order http://sapuniversity.eu/pfcgrolecreationinsapcrm/ 1/10 Rather the SAP CRM WEBUI makes use of external services of the type UIU_COMP. they are actually no longer using transaction codes. In such a case I am referring to endusers (so not the consultants who still use certain SAPGUI transaction codes from an administration point of view). Where in the older CRM releases you would typically check SU24 settings (the relationship between your transaction code and their corresponding authorization objects) you now will use SU24 to analyse the relationship between an external service and it’s relevant authorization objects. where people work in the WEB UI. In the newer SAP CRM releases.1/18/2016 PFCG Role creation in SAP CRM The transaction code COMMPR01 was used to create/change/display products within SAP CRM. Example of SU24 for transaction code BP Executing this selection shows us: Example of analysing an external service for the component BP_HEAD_MAIN http://sapuniversity.eu/pfcgrolecreationinsapcrm/ 2/10 . http://sapuniversity.eu/pfcgrolecreationinsapcrm/ 3/10 . click on the button “Other”.1/18/2016 PFCG Role creation in SAP CRM Result: What you see below is that all these external services use a certain naming convention: How can you add such an external service in a PFCG Role? Step 1: create a new PFCG role using the transaction code PFCG Step 2: In the menu tab. and see the relevant authorization objects for this external service (as they are currently maintained within SU24). which you also can lookup using the input help. Step 4: If we now go to the tabpage “Authorizations”. we can generate a profile name.eu/pfcgrolecreationinsapcrm/ 4/10 . Select “External Service” with as type “UIU_COMP”.1/18/2016 PFCG Role creation in SAP CRM Step 3: Select “Authorization Default Values for Services”. In the field Service. you now can add the “External Service Name”. http://sapuniversity. More about Davy Pelssers 0 http://sapuniversity. Clicking on the navigation link "create Individual account" will navigate to the following page: I wish you all the best and speak to you soon! By the way if you like this article. as the external service I added is the one used to create new business partners in the system of the type “INDIVIDUAL ACCOUNT”.1/18/2016 PFCG Role creation in SAP CRM After manually entering a profile name or generating a default one. and next clicking on the button “Change Authoriation Data” you’ll see the following: The authorization objects automatically addded in the above example are related to Business Partner Security. but as of 2002 he has mainly worked as functional SAP CRM consultant and SAP Authorizations consultant.eu/pfcgrolecreationinsapcrm/ 5/10 . please leave a comment or click on one of the social media buttons it keeps me somehow motivated to share my knowlegde! cheers Davy Pelssers Davy has been working as an SAP Consultant since 2000 and started working in the SAP ISU Module . Like · Reply · Jan 16.Its very refreshing to see such a quality documents and it is a really good initiative .. United Arab Emirates Good Mahaveer.1/18/2016 PFCG Role creation in SAP CRM 17 Tweet 6 Like Share 6 Comments Sort by Oldest Add a comment.... Like · Reply · Jan 16. 2013 11:20pm Srinivas Nalabotula · Sr Consultant at IBM it's really excellent.. Like · Reply · Jan 15.. perhaps in a future some day. IT at Ras Girtas Power Company nice one. 2013 12:52am Srinivas Nalabotula · Sr Consultant at IBM hi what about crm mobile security? pls provide any posts related to crm mobile security&athorizations.! Like · Reply · Sep 25. thank you very much boss... India your article is very informative. thank you very much boss.. Comment By Gaurav on 6 October 2012 at 17:57 CRM Security contents are very limited on web. I have a question on this article... Like · Reply · 2 · Sep 24. 2013 9:05am Kuntal Panda · Kolkata... so far I have not had the chance to work in the mobile solution. Like · Reply · Feb 4. Like · Reply · Jan 20. In the example you had provided. Like · Reply · Jan 18. 2013 6:18am Davy Pelssers · Senior SAP Consultant at DASAP consulting Hi srinivas. wuld help us to know more in depth. 2012 8:13am Srinivas Nalabotula · Sr Consultant at IBM it's rally asome. 2013 5:50am Srinivas Nalabotula · Sr Consultant at IBM thank you Davy..eu/pfcgrolecreationinsapcrm/ 6/10 ... and as such no experience yet in setting up mobile security.. 2012 11:58pm Praveen Kumar Cheenepalli · Abu Dhabi. 2013 10:05pm Facebook Comments Plugin 20 thoughts on “PFCG Role creation in SAP CRM” By Francis Deveen on 21 September 2012 at 16:20 Great article Comment By tripti on 24 September 2012 at 06:54 nice article. how did you know the appropriate external service for the "Individual account"? I'm trying to find the relationship between the workcenters and their contents and the corresponding external http://sapuniversity. Mahaveer Sharma · Engineer.. Comment By zakster on 14 November 2012 at 23:17 Excellent article! Thank you for taking the time to do this.! abt PFCG. sales orders etc.. or his data and his team’s data or to everything Accounts in Territory Management * Authorizations to define what accounts are available for use in business transactions using the value help.. Either I am quickly able to identify the relevant component using a method explained in a previous post: http://sapuniversity.eu/howtogetthetechnicalinformationfora screenview/ OR I can use ST01 authorization tracing! Also have a look at my latests post about: identifying the UIU_COMP values for workcenters and navigation links.. But here is what you should be able to do with it (regarding Account authorizations): Territory based authorizations can be turned on / off in business transactions such as opportunities.. Keep up the good work! Zack Comment By Davy Pelssers on 14 November 2012 at 23:55 Hi Zack I basically use several options for this purpose. they are basically very useful for this purpose too! you will see that with those queries I can easily find out for example the relevant Component Name; WindowName & Inbound Plug for a specific workcenter defined within the navigation bar profile assigned to my business role.. A user may be given access to only his data. Can we have the authorization related to territory for the user to restrict on master data. I have not elaborated any article on Territory management so far.eu/pfcgrolecreationinsapcrm/ 7/10 . the external service naming convention is actually composed of these 3 elements. *Depending on Customizing maintained for a particular business http://sapuniversity..1/18/2016 PFCG Role creation in SAP CRM services so I can look the security needed for that screen in SU24. Now as you saw in THIS post. If so can you please send me the article it to my mail Id. so this should get you started cheers Davy Comment By Revanth on 17 December 2012 at 11:42 Nice article. Comment By Davy Pelssers on 17 December 2012 at 13:33 Hi. *Territory based authorizations can be defined at the header level of a document as well as at the item level *Territory based authorizations help you Ensure that the employee responsible of the document is also assigned to the territory of the document Ensure that the account assigned to a document is also assigned to the territory of the document Ensure that the product assigned to a document is also assigned to the territory of the document *The level of access to the data can be also restricted used on Territory based authorizations. Usually you start creating the 1 single authorization role based on the configured business role as mentioned in the article above. Basically I normally do NOT work with such 1 large single role as it gives me no flexibility or efficient manner to give different authorizations to different users. Thank You! Comment By Arunkumar on 9 May 2013 at 11:46 Very good article .. Hence. So for CRM security with respect to PFCG roles is it always the role that is tied to a Business role or do we create separate PFCG roles also? If so can you let us know how would the reqirements be for building a private PFCG role? Comment By Davy Pelssers on 6 January 2013 at 17:46 Hi. “My Team’s Accounts”. the result list is already filtered and only contains those accounts which belong to a user as per his/her territory assignments.1/18/2016 PFCG Role creation in SAP CRM document. Thanks. * If the user enters an account manually by deleting the defaulted value help while creating a business document. Comment http://sapuniversity. I mean deleting external services from this large role and putting them in separate new single roles. I next start creating an authorization matrix based on the authorization requirements I received during the blueprint phase or implementation phase. “All Accounts” while creating business transactions. the user is able to search for “My Accounts”.eu/pfcgrolecreationinsapcrm/ 8/10 . So when I mention splitting things up. I personally then start splitting this large role up into multiple single roles . Comment By Help on 5 January 2013 at 22:04 Hi Davy I have a question. so that the territory ID is already prefilled while doing the accounts search. the value help for accounts in the business transactions is enhanced. especially with regards to business transaction processing. an authorization check shall be performed so that a user can only use those accounts during document creation which belong to a territory that is being associated with that business document. and business partner access. * Depending on the user’s role. Comment By Alex Z on 22 March 2013 at 11:17 Very good post Davy! Thank you Comment By vijay on 11 April 2013 at 13:15 Nice article Comment By Ann W on 15 April 2013 at 18:29 Very helpful article. for your information. the OSS notes I was talking about is the following: 1106781 PFCG profile not generated because of S_SERVICE auth. thank you Comment Leave a Reply Comment http://sapuniversity. And obviously. thank you so much! Your materials are easy to read and full of useful information. thanks for your effort! Comment By ajay on 22 August 2013 at 16:04 Hi Davy.1/18/2016 PFCG Role creation in SAP CRM By Kiryl on 21 May 2013 at 13:06 Davy.. you are born teacher. I am sending it to several pals ans also sharing in delicious.. object Comment By pannag bhusan kanungo on 17 July 2014 at 05:53 Mr Davy your all articles are awesome ..and i have one doubt in SAP CRM Security.eu/pfcgrolecreationinsapcrm/ 9/10 . KEEP UP THE GOOD WORK!!! Comment By learning with fun and news pics on 21 June 2013 at 16:40 Great web site. Thank you so much for sharing valuable information. Lots of helpful information here. Comment By Anurag Jain on 31 May 2013 at 14:39 Very Informative Post. Why we need to deactivate S_SERVICE object in CRM roles. the reason that you need to deactivate this object is because it: is no longer used (was initially used by SAP.what impact if we do not deactivate this object in CRM Roles.but obsolete at this moment) check on OSS for the object S_SERVICE and you will find a note about this! you can not generate the pfcg role without deactivating the object due to too many entries cheers Davy Comment By Davy Pelssers on 9 January 2014 at 13:23 Hi. I have not found this information on any other place... Comment By Davy Pelssers on 1 September 2013 at 11:15 Hi Ajay. Thanks In Advance.. 1/18/2016 PFCG Role creation in SAP CRM Name * Email * Post Comment Home About Us http://sapuniversity.eu/pfcgrolecreationinsapcrm/ SAP TRAINING Authors Become an Author Other SAP Resources Contact 10/10 .
Report "IMP WebUI_auth_SAP CRM - How to Assign to User Id"