CRM SecurityPFCG Roles in CRM

PFCG Roles in CRM

A CRM user needs both a business role and security role to function. The business role determines the the CRM functions which appear in the user’s UI. The security role contains the backend authorizations which are needed to execute the different CRMapplications that are exposed to the user through the business role.

Since, the security roles are meant to authorize the components of the business roles, the business roles must be completely defined before we can start work on creating the PFCG roles. Another pre-requisite is that SU24 entries are already maintained for the CRM applications (Please refer to the posts on SU22, SU24 and SU25 for a basic idea on check indicators and their maintenance). Unlike in ECC, the CRM applications are not transactions but BSP applications which in turn map to external services. Hence when looking up the SU24 entries for them we choose external service as shown in the screen below.

SU24 entries for SAP CRM UI components
SU24 entries for SAP CRM UI components

The actual check indicators for a CRM UI component is shown below in the detailed screenshot. SAP CRM comes with a new authorization object UIU_COMP. This authorization object is checked when a new CRM application/ web service is launched and corresponds to the S_TCODE object for transactions. The different fields of the object COMP_NAME, COMP_PLUG and COMP_WIN serve to identify a single CRM application service. In addition to the UIU_COMP object, other authorization objects will be checked depending on the application being secured.

SU24 - Check Indicator for UIU_COMP object
SU24 - Check Indicator for UIU_COMP object

Although, its technically possible to manually add individual services to the role menu and maintain the authorizations for the components in role maintenance, SAP has provided us with a tool to create a PFCG role once the Business Roles are completely defined. The tool is in the form of a program CRMD_UI_ROLE_PREPARE which can be launched through SE38 transaction. The selection screen for the report is shown below

Report CRMD_UI_ROLE_PREPARE
Report CRMD_UI_ROLE_PREPARE

During customization of Business Role we have seen that each business role is tied to a single security role. We can use either the business role or the security role to run the report. The report internally checks the definition of the business role to create a text file with the appropriate menu links for the security role. The text file is saved in the standard sap work directory on the presentation server (user’s PC). The report also generates the log file shown below.

Report CRMD_UI_ROLE_PREPARE - Log
Report CRMD_UI_ROLE_PREPARE - Log

To create the menu of the new security role, we just go into the menu tab of the role and import the text file which was just created bny the report. With the menu created, the authorizations can be maintained as in the case of any other security role.

17 thoughts on “PFCG Roles in CRM

  • Gaurav Shrivastava

    Aninda,

    Suggest you to add Facebook like, E-mail this topic, Like, ratings etc buttons on your topic. That wud help us to share your posts with our friends and colleagues in SAP Security.

    Reply
    • Aninda

      Hi Gaurav,

      Thanks for your comments. I just added the Facebook integration to my blog. Also we have a new facebook page for the blog at “http://www.facebook.com/pages/SapSecurityPages/302372806457814”.

      Regards,
      Aninda

      Reply
  • Gaurav Shrivastava

    Really Great.
    Soon will see you there.

    Reply
  • kath williamson

    We have just set up CRM and when I go in and look at the roles, the objects sales organisation, distribution channel etc. are not appearing in the organisational levels list in PFCG. They have been pulled into the role, but don’t seem to appear as organisation levels. As a result I won’t be able to use master-derived on the sales org and dist channel.

    Is there something wrong with the tables in CRM or should it be like this?

    Thanks, Kath

    Reply
    • Aninda

      Hi Kath,

      This appears to be a general question and not expressly dealing with CRM. A lot of authorization fields delivered by SAP are not org levels in the default set up. The sure way to check is to look at the entries in the USORG table( these are the fields which are set up as org levels in your client). Depending on your requirements you can always convert an authorization field to an org level by using the standard program PFCG_ORGFIELD_CREATE. However, a few precautions need to be taken before and after running the program. Please do you a quick search for the program in google and its documentation before running it. Hope this helps!

      Regards,
      Aninda

      Reply
  • Hi Aninda,

    I have struggle in finding the custom component in authorizaiton default UIU_COMP.

    I came to know there will be a report when we run all the custom components are found when you search in Authorization default UIU_COMP.

    Please let me know if you know the table name or any other procedure.

    Reply
    • Aninda

      The values in UIU_COMP are derived from the CRM UI links. So in all probability there will be CRM functional reports for the same. From security standpoint, you can look up the object UIU_COMP for External Services in SU24. That would give you all the component names where UIU_COMP is checked and what values are needed in the role to authorize the access.

      Reply
  • Hi,

    i would like to know how would we update the PFCG role once the business role is updated. i created a PFCG role by importing the text file created after running the CRMD_UI_ROLE_PREPARE program, but now the business role has been updated with more functionality, how can i update the PFCG role with that functionality, do i have to again create a new role menu through the program and update PFCG role menu by importing the file. or is there any other way ? thanks.

    Reply
    • Hi Javed,

      For changes to an existing role, you can just add the services (UI applications) that were added to the business role to the security role. The SU24 defaults for these new services would be automatically pulled into the role when you try to maintain the authorization for the role.

      Otherwise you can continue to use the CRMD_UI_ROLE_PREPARE program and basically build the role for scratch. However, this looks like more work to me.

      Regards,
      Aninda

      Reply
      • you have to reimport the file into the Menu tab, as the Component name will not be known. But when generating the Profile, use MERGE option, so that previous profile is retained

        Reply
  • The blog is great and love it.

    Just wondering if there is a way/report that can check for all vacant positions with Security Roles assign to it. As I am trying to clean up all my security risk by take off all security roles attached to the position which no longer occupied.

    Sorry thi is question is not relate to CRM.

    Thanks,
    Kim

    Reply
    • Hi Kim,

      I am not aware of a standard SAP report to perform this job. However, you can find the vacant positions from table HRP1007 and the roles assigned to positions from table HRP1001. You can export these tables to excel/access and analyse the data. A simple join should get you the data you need. Otherwise you can try creating a join for the two tables in SQVI.

      Regards,
      Aninda

      Reply
  • Hi Aninda
    I love your blog about SAP Security.
    Together with a team of other SAP consultants I have also created a blog with useful articles about SAP CRM; SAP Authorizations, SAP ABAP and other SAP related topics ..
    the site is http://www.sapuniversity.eu
    If you like , you can always join us in blogging. If you prefer to use your own blog, If you like I can also create your post at my site using your Author profile, so you get all the credit of your work? let me know if you would like to collaborate as I think you do a great job!
    davy

    Reply
    • Aninda

      Hi Davy,

      Thanks for the offer. Right now I don’t even get time to update my own blog. Hence joining your website as one of its authors won’t make too much sense.

      Wishing all the best for your success!

      Aninda

      Reply
  • Prathima

    Hi Aninda,
    This is a really good blog, it helps a lot.
    I have a question, we have some Z* components created and these were added manually to the UIU_COMP object in COMP_NAME fields along with other required fields.
    We now want to clean up the role so that we have objects maintained from SU24.We want to add the services related to these additional components from Role Menu.

    Issue: No SU24 entries for these UIU Components.No entries in USOBHASH table either.I would like to know how to find out the external service mapped to these user defined components.

    I have searched for this and all I could find out is that for USOBHASH table to get populated we need to run the service once.But we do not have the service name.

    Reply
    • Hi Prathima,

      I would contact the developer who built the components. Otherwise what’s the guarantee that what you have maintained in the role is correct.

      Thanks,
      Aninda

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *