My requirement is simple. I have two sets of users in my project.
Set A will be
1- Creating business partners with role Prospect
2- Changing PROSPECT business partners' master data
3- Display it
Set B will be
1- Changing and Displaying all business partners irrespective of their roles (prospect, sold to party, employee.)
When I grant the authorization object B_BUPA_RLT with ACTVT 01, 02, 03 and BP Role BUP002 (Prospect) only (for Set A) to a PFCG role, the user who has that PFCG role can still change any business partner irrespective of the business partner's role.
Authorization object CRM_BPROLE is inactive in my PFCG role here; as per my understanding, it is used for checking if a user has authorization to assign a BP role to a BP (not a big concern here). Please correct me if I'm wrong.
I studied BAdI BADI_CRM_BP_UIU_AUTHORITY and enhancement implementation BADI_CRM_BP_FILTER_ATTRIBUTE, but neither of them seems to fit my requirement.
Do you have an idea/recommendation on how to proceed from here? Or am I missing something big which should be right in front of my eyes?
Thanks for your time,
Hey Glenn, thanks for your input.
Here are my active assignments (and my ideas about the usage of authorization in parentheses):
ACTVT: 03 Role: BUP002, CRM000, CRM002, CRM003, CRM004, ZCRM000 (the user is authorized to display all six roles)
ACTVT: 01, 02 Role: BUP002 (the user is authorized to create a business partner only in the BUP002 role. He/she is authorized to change a business partner's data only if the BP has role BUP002 assigned)
ACTVT: 01, 02, 03 Role: BUP002 (If BP has BUP002 role only, user is authorized to change/display BP's data)
With that authorization info, the user can still change a BP who has CRM000 (and not the BUP002 role). How can I achieve that the user should have the authorization to change the BPs with role BUP002, and not BPs with other roles?
Additional experience: In the situation below, user cannot change any BP's master data.
ACTVT: 03 Role: BUP002, CRM000, CRM002, CRM003, CRM004, ZCRM000 (
ACTVT: 01 Role: BUP002
ACTVT: 01, 02, 03 Role: BUP002
But when I grant B_BUPA_RLT ACTVT: 02 Role: BUP002 only, I happen to come to the very first situation, as he/she can change all BPs' master data.
Have you seen this note:
Note 1129682 - Authorization for BP roles
Within the account (or contact or employee) application you intend to restrict authorizations for users to maintain bp roles in assignment "Roles".
For this purpose, you define appropriate authorization values and generate authorization profiles for auth.-object B_BUPA_RLT. But in the account application the defined restrictions are not considered.
In SAPGUI maintenance of business partners resp. bp roles, the restricted authorizations are taken into account.
Reason and Prerequisites
Authorization object B_BUPA_RLT, as used for SAPGUI-maintenance of business partners, can't be used in CRM WebClientUI.
Of course I read that note.
I've heard about the ACE functionality, but don't know how to start implementing it (for this purpose only).
It seems that role-dependent authorization for maintaining BP master data is not possible in standard CRM Web UI functionality then, right?
Boy is that awful or what?
I spent a couple of days with a consultant (mostly to explain to him what our needs were) and then, just by searching a little in the forum, I wrote different ACE classes! I'm not a developer... so you can understand how easy it is to implement ACE.
It'll give you plenty of flexibility (not to mention that once you have built one class you just need to adapt it to other objects).
If you can dedicate a week to this subject... you'll be rewarded a lot.