
Authorizations for CRM 2007 Web UI (ACE, PFCG Role, Business Role, etc.)

Former Member
0 Kudos

Hi,

Implementing authorizations for CRM 2007 Web UI is not that easy in my opinion. Therefore I would like to use this thread to collect best practices for authorizations and to discuss upcoming questions.

Access Control Engine (ACE)

+ with ACE you can realize dynamic authorizations based on objects

+ the defined rights affect the actions read, write, delete

- you cannot deal with the create action

+ ACE can limit search results based on complex authorization scenarios

+ ACE restricts access before PFCG authorizations take effect. So you can limit access even for users with the profiles SAP_ALL, SAP_NEW assigned.

- you have to write your own ABAP coding

PFCG-Role

+ you can define the allowed CRM components with the authorization object "UIU_COMP"

- not all authorization objects take effect in Web UI (e.g. "B_BUPA_ATT")

- you cannot limit access for complex scenarios (e.g. by relationship "employee responsible")

Business Role

+ limit access by defined Work Centers and Logical Links

- not a real access control: you can access some links via other components (e.g. if you would like to remove the ability to create corporate accounts, you can remove the Logical Link in the Work Center Account Management, but the user may still access it via the search result list header)

Organization Assignment

+ controls access for Pipeline Performance (e.g. only my own opportunities are shown)

- does not affect the search results (e.g. all opportunities are listed in the search result table)

Component Coding

+ access control for fields can only be realized by coding (e.g. the content of the drop-down-box "Grouping" for business partners limited by the assigned organization unit)

Please correct me, if I am wrong.

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

A concrete scenario I have to deal with:

The scope for all business partners and transactions should be limited to central Europe.

The relevant field for this authorization is the id (number range) respectively the business partner grouping.

- I would use ACE rules to filter the relevant business partners by their ID or grouping and relevant transactions by their account-assignment

- I would set up ACE rights to limit access for the actions read, write and delete

- to handle the create authorization, I have to define a PFCG role and limit access to certain CRM components

The user should be allowed to read Corporate Accounts,

to read, edit, create Contacts,

is not allowed to deal with Opportunities,

is allowed to create, read all activities and to read, edit, delete own activities (if he is the creator),

is not allowed to deal with any report or pipeline performance.

- ACE role/right to read Corporate Accounts

- PFCG role to restrict create access for the BP_HEAD component

- (ACE role/right to limit search results for opportunities)

- PFCG role to restrict create, search, overview access for the BT111M component

- Business role without Work Centers or Logical Links to opportunities

- ACE role to limit access to read activities

- ACE role to limit access to read, edit, delete activities which the user has created

- PFCG role to restrict access to all pipeline performance components

- remove PFCG roles for report access (e.g. SAP_CRM_OR_USER)

Former Member
0 Kudos

Hi Michael,

Could you please have a look at my thread

I'm also setting up authorizations and having some problems...

I cannot see which values are missing to access a certain object, like we did in the old days with SU53.

Any input will be very welcome.

Thanks

Hugo