Like SAP HR, SAP CRM also supports organizational management. Org Management allows the assignment of Business Roles to OM objects (like positions, org units, etc). The transaction to maintain OM structure in CRM is PPOMA_CRM. PPOMA_CRM allows us to search for particular OM objects and create new ones. The below screen shows a typical org hierarchy.
As you can see from the above, PPOMA_CRM is very similar to the ECC transaction PPOMA. Since we have already talked at length about Org Management in SAP HCM, I would not repeat the same here. Please feel free to have another look at the posts for Org Management under SAP HCM security.
For a user to work on CRM processes, the user needs to be assigned to a business partner. In the example above, we have the BP HR00160008 assigned to the Position 30002593.
SAP CRM allows role assignment in two basic ways, indirectly through Business Roles in PPOMA_CRM or directly through security roles assigned to user masters in SU01.
Indirecty role assignment is recommended by SAP as for large organisations with many CRM users and business roles it can lead to significant reduction in maintenance effort. For indirect maintenace, the Business Roles are maintained on a position for a user.
To maintain the business role for an OM object like a position, we select the position in PPOMA_CRM and the menu path goto>detail object>Enhanced Object Description which opens transaction PP01.
From the initial PP01 screen, we can maintain the appropriate value for Business Role for the chosen position.
With the position linked to a user and a business role assigned to the position we are now in a position to assign a security role to the user. While its also possible to directly assign a security role to the user at this stage, SAP provides the report CRMD_UI_ROLE_ASSIGN to make our job easier.
The report can be run for both users or user groups. It basically looks up positions linked to the respective users, checks the business roles assigned to these positions and finally assigns the security roles corresponsing to them to the user masters. The report log after role assignment is shown below
It is also possible to directly assign a security role to a user rather than go through these intermediate steps outlines above. To make this work, in addition to the security role the user parameter CRM_UI_PROFILE needs to be maintained with the correct business role as part of the user master. This removes the need of maintaining the Business Role on the position. However, since all CRM users need to be part of OM structure, it makes sense to use the indirect assignement rather than the direct one.
A CRM user needs both a business role and security role to function. The business role determines the the CRM functions which appear in the user’s UI. The security role contains the backend authorizations which are needed to execute the different CRMapplications that are exposed to the user through the business role.
Since, the security roles are meant to authorize the components of the business roles, the business roles must be completely defined before we can start work on creating the PFCG roles. Another pre-requisite is that SU24 entries are already maintained for the CRM applications (Please refer to the posts on SU22, SU24 and SU25 for a basic idea on check indicators and their maintenance). Unlike in ECC, the CRM applications are not transactions but BSP applications which in turn map to external services. Hence when looking up the SU24 entries for them we choose external service as shown in the screen below.
The actual check indicators for a CRM UI component is shown below in the detailed screenshot. SAP CRM comes with a new authorization object UIU_COMP. This authorization object is checked when a new CRM application/ web service is launched and corresponds to the S_TCODE object for transactions. The different fields of the object COMP_NAME, COMP_PLUG and COMP_WIN serve to identify a single CRM application service. In addition to the UIU_COMP object, other authorization objects will be checked depending on the application being secured.
Although, its technically possible to manually add individual services to the role menu and maintain the authorizations for the components in role maintenance, SAP has provided us with a tool to create a PFCG role once the Business Roles are completely defined. The tool is in the form of a program CRMD_UI_ROLE_PREPARE which can be launched through SE38 transaction. The selection screen for the report is shown below
During customization of Business Role we have seen that each business role is tied to a single security role. We can use either the business role or the security role to run the report. The report internally checks the definition of the business role to create a text file with the appropriate menu links for the security role. The text file is saved in the standard sap work directory on the presentation server (user’s PC). The report also generates the log file shown below.
To create the menu of the new security role, we just go into the menu tab of the role and import the text file which was just created bny the report. With the menu created, the authorizations can be maintained as in the case of any other security role.
After a long time, I am finally getting around to updating the blog. Plan to start on a set of posts on CRM Security. Also created a facebook page for the blog. Hopefully this will help visitors keep track of updates on the site.
We have already come across the navigational bar in the first post introducing the standard CRM UI. The links (workcenters/logical links/direct link groups) in the navigational bar controlled by the Navigational Bar Profile. Configuration for the Navigational Bar Profile is carried out through the crmc_ui_nblinks tcode. Also, even though we are looking at the customizing of a navigational bar profile after looking at the business roles, customizing the navigational bar profile is the earlier step. The screen below shows the initial selection screen for customizing nav bar profiles.
The left pane provides options for creating workcenters/logical links/Direct link groups and assigning these to navigational bar profile. For example the screens below allows us to assign workcenters and direct link groups to a Navigational Profile respectively.
Business Roles are used in CRM to describe the user interface of a user. The navigational bar with all its workcenters, logical links and direct link groups are customized as part of the navigational bar profile. A navigational bar profile is assigned to a user via a business role. Customizing for business roles are carried out through transaction CRMC_UI_PROFILE. The screen below shows the initial screen for the transaction. You will notice the different links on the left pane in the screen. These allows further customizations of a business role.
We select a single business role from the list above and click the display button. This gets to the next screen where we can check out the different entries maintained for a business role. You will notice that a Businee Role is tied to both a Navigational Bar Profile and a PFCG role.
Selecting the Adjust Direct Workcenter Link Groups option from the left pane allows us to configure the menu structure for the navigational bar profile as shown below. For example we have a choice to making a link visible or to make it available in the second level menu.
SAP Customer Relationship Management or SAP CRM is a part of SAP Business Suite of applications and is being increasingly used by a number of SAP customers. I have been planning on a set of posts on CRM as the CRM security model for the CRM UI is signinficantly different from the other SAP solutions. So here goes………..
SAP CRM 2006 onwards SAP has come up with a new model for security for the CRM business application. In this new model, end users do not log into SAP GUI. Instead they work on the CRM UI which is built using SAP’s Business Server Pages (BSP) model and is accessed through a web browser. Its also possible to integrate the CRM UI with an Enterprise Portal solution. SAP GUI is still needed by administrators and configurors of the system. As a consequence, the security for this backend transactions follow the same logic as in the other SAP systems (like ECC). Since my set of posts are primarily about the uniquiness of the CRM security model, I will start with a description of the CRM UI as it will appear to a normal CRM user.
The basic CRM UI screen can be subdivided into three areas. These are the Header Area, the Navigational Bar, and finally the Work Area. The navigational bar contains number of links to the different CRM applications. The chosen application will open in the work area. The navigational bar is tied to the Business Role that a CRM user is assigned to. Customizing allows us to change the number of links available in the navigational bar for a business role. The navigational bar has a two level menu structure. The top level menus are distinguished by a right arrow. These are called workcenters. The workcenters contain logical links which point to the actual CRM application. Below the two level menu system, we have a set of logical links which allows the CRM user to directly create CRM business objects. These links are called the direct link group andcan be customized separately. Since the navigational bar basically controls what all applications a person a user has access to in CRM, it is very important to have a basic understanding of the configuration for the different aspects of the navigational profile. However at the same time, the actual configuration for the navigational profile will in all probability be done by functional CRM consultant with security consultants only working on the pfcg roles controlling backend access.