headershadow

Logon is not possible because you have not been assigned to a business role; please contact your system administrator

Print Friendly

Hi :-)  I am sorry, but I thought this title would be funny to use. Whenever I start working/participating in a new SAP CRM project implementation, a lot of people just starting to work with SAP CRM usually ask me -Hey Davy - I got a User account and I managed to logon via the SAPGUI...but when I try out the URL (the link to the CRM WEBUI) that was given to me by the project implementation team, I get this message? What's the problem and can you solve this for me? 

Whenever you see this screen when you try to logon in the SAP CRM WEBUI, it means you have not been assigned a SAP CRM Business role:

Logon is not possible because you have not been assigned to a business role; please contact your system administrator

If you do not know yourself how to solve this,then make sure you start leaning more about the SAP CRM Business role concept.

If you read my previous posts you normally already grasp the basic principles of the SAP CRM Business role Concept. If not, please read them first:

 

In essence there are basically 3 possibilities by which a User can start using 1 or multiple SAP CRM Business roles (only 1 at a time of course).

I could also have called this blogpost " Business Role Determination Logic" as this is what I am about to explain.

The SAP CRM Business Role Determination Logic

Business role Assignment to a User can be done directly or indirectly. The determination logic is actually determined in the class CL_CRM_UI_PROFILE_DETERM

If you want, you are welcome to debug this class, but if you functionally know how this works, than you might not even bother.

 

From a functional point of view, these are the things you should remember:

  • The User Parameter CRM_UI_PROFILE
  • A User's assignment in the organizational model
  • The PFCG role a user has assigned to his SU01 User master Record, that corresponds the PFCG Role which is maintained/Assigned to a specific Business Role in Business Role Customizing.

CRM_UI_PROFILE

The User parameter CRM_UI_PROFILE is something most users (that have acces to the SAP GUI at least) will be able to change themselves using the transaction code SU3.

CRM_UI_PROFILE

In the above screenshot, you see that I put a * (asterisk) as parameter Value. This means I can access ALL available SAP CRM Business Roles. This implies that whenever I logon to the SAP CRM WEBUI, I get after having entered my User ID and password I get a selection screen, where I must choose the Business role I would like to logon with.

Instead of putting the value *, you can also specify a concrete SAP CRM Business role, such as SALESPRO ; SERVICEPRO and so on. That would skip the selection screen, and immediately log you on with that particular business role.

Normally, this approach of business role assignment is used by SAP Consultants, who want to test out the functionalities that are delivered by SAP standard Business Roles. Based on their research, they then usually have a good idea which standard business role should serve as the basis of their custom made business role. They 'll usually make a copy of the standard business role and next start tweaking things such as the navigation bar profile, technical profile, ... and also deactivate unnecessary work centers and navigation links.

It is also very useful when you encounter a bug, BSP error or shortdump when performing unit and acceptance testing using your customer made business role. Let's assume at a certain point you get a shortdump when performing a certain action on e.g. the Account Overview Screen. Now in order to assure this is either a real SAP Standard Bug, or is caused by custom coding you will want to test the SAP Standard, and therefore logon with a standard SAP Business role, and even "Switch off customer enhancements".

Inheriting the Business role by your assignment in the Organizational Model

I hope you already know what an organizational model is, what is used for and what the basic elements of such a model are. The organizational model in SAP CRM is also one of the key elements as it used for many purposes, like:

  • organizational data determination (in business transaction processing)
  • indirect authorization role assignment
  • indirect business role assignment
  • can be used within the context of territory management
  • ....

Relevant for you is that you know a SAP CRM Business role can be assigned to an:

  • Organizational Unit (O object)
  • Position (S object)

What's best..not sure..depends on how you are actually structuring your organization model...at my current customer in 90% of the cases we did this on the level of the organizational units...in some cases also on position level.  Why did we use Org unit level...well because the org units were representing departments such as:

  • the Call Center (they were using some copy of the IC_AGENT business role -with CTI integration)
  • the Backoffice Complaint Management department (using an enhanced version of the IC_AGENT business role, but without CTI integration)
  • The Contract Department (using some tweaked copy of the SALESPRO business role)

How do you assign a business role to a organizational unit or position?

Launch the transaction code PPOMA_CRM to start maintaining the org model.

Search for the object (org unit) to which you would like to assign a SAP CRM Business Role. (e.g. ZALL_USERS) which I created during my previous post.

To illustrate this, I quickly created a new organizational unit, position and assigned myself as an Employee to that particular position.

As you can see, I double clicked on the organization unit called "SAP University Department". I did this to ensure that I will be using the right organizational element, when assigning my business role ZALL_USERS.

Now in the menu, click on "Goto --> Detail Object --> Enhanced Object Description".

This will show me the details (with relevant infotypes) belonging to the O-object which I am currently viewing.

Assign Business Role

Now scroll down a bit in the list of Infotypes untill you reach the "Business Role". Next click on the button "CREATE".

In the field "business role" I can manually type in the name , or select it using the input help button..

After having entered the relevant business role, make sure to press the SAVE-button.

You now see a green flag next to the field, indicating that a business role has been assigned.

Now, this means that when I would logon, I now am able to logon with the business role ZALL_USERS. (note that you should not use the User Parameter in that case, as this overrules this).

Inherit a business role via your PFCG role assigned in the SU01 User Master Record

Last but not least..I guess that when you already had a closer look at business role customizing you'll notice that normally a PFCG role is assigned to it!

This PFCG role should be Unique as it serves basically two purposes:

  • it allows you to quickly create a a PFCG role based on the Business role assigned to it (using the report CRMD_UI_ROLE_PREPARE)  I'll explain this in a later post!
  • it can be used to indirectly assign a business role (if at least that business role has assigned the same PFCG role to it in business role customizing).

Let's quickly look at what I mean:

PFCG Role assigned to SAP CRM Business Role

In the above screenshot you see that in the Standard delivered Business Role SALESPRO, the standard PFCG Role SAP_CRM_UIU_SLS_PROFESSIONAL is assigned to it. Now if a user would get this PFCG authorization role assigned to him, he would also inherit access to this specific business role SALESPRO.

Remember: the PFCG role you enter here must therefore be UNIQUE, as otherwise the system can not know which business role it should take!

Now, in my User Master Record this would look like this:

SU01 User Master Record

In the above screenshot you see I have two PFCG Roles assigned:

  • SAP_CRM_UIU_SLS_PROFESSIONAL (this  I need to have access to the workcenters and navigation links that are basically defined in the business role customizing settings made in the SALESPRO business role (also relevant for my UIU_COMP authorization object values).
  • SAP_CRM_UIU_FRAMEWORK (consider this role a basic role that each and every user should GET in order to be able to start working within the WEBUI...basically it contains the object PLOG.. Without this role, you can not start the CRM WEBUI in a proper way!

SAP_CRM_UIU_FRAMEWORK

I should now actually tell you about the priority logic, but as I do not remember my testcases on this matter by heart I"ll leave this for a potential future post..

take care and speak to you soon!

Davy

The SAP University Team

 

 

Davy has been working as an SAP Consultant since 2000 and started working in the SAP IS-U Module , but as of 2002 he has mainly worked as functional SAP CRM consultant and SAP Authorizations consultant.
More about

17 thoughts on “Logon is not possible because you have not been assigned to a business role; please contact your system administrator


Comment author said

By Jatin Pursnani on 31 October 2012 at 20:13

Wonderful and really helpful post Davy... Keep it up..

 

Comment author said

By Alex Ayers on 5 November 2012 at 13:02

Very nice description Davy.

 

Comment author said

By Terry on 4 March 2013 at 05:18

Hi Davy, really great post! is the post about priority logic out now? Thanks!

 

Comment author said

By Davy Pelssers on 11 March 2013 at 23:20

The priority can be checked in the coding if you want..check class CL_CRM_UI_PROFILE_DETERM ...or you can do the 3 testcases manually..

 

Comment author said

By Janantik on 1 April 2013 at 06:06

Davy, your posts on CRM security are very insightful.
I'm a little confused about the third option that you have narrated here "Inherit a business role via your PFCG role assigned in the SU01 User Master Record". Does this mean that if I assign a PFCG role to the User via SU01, the corresponding Business role also gets assigned to the User ? I understand that SAP Standard report CRMD_UI_ROLE_ASSIGN helps in the assignment of PFCG role based on the Position User is assigned to and based on the Business role that is assigned to that Position in the Organizational Model. But, how does assignment of PFCG role take care of Business role assignment. Can you please clarify my doubt.

Thanks, JJ.

 

Comment author said

By Davy Pelssers on 2 April 2013 at 15:22

Hi,
please check the other article:
http://sapuniversity.eu/sap-crm-authorizations-creating-your-pfcg-authorization-role-based-on-the-configured-sap-crm-business-role/

here I explained the PFCG authorization role connection to the business role in more detail. In the example I setup a PFCG authorziation role Z_SALESPRO. If this PFCG role would be assigned to a user, he would inherit the business role that is uniquely assigned to that particular pfcg role.

cheers
Davy

 

Comment author said

By Janantik on 4 April 2013 at 22:52

So Davy when you say the User would inherit the business role that is uniquely assigned to the particular PFCG role, does that mean that I no longer need to assign this business role to a User's position in the Org. model once I assign the PFCG role and he/she would be able to access the WebUI with the business role. What I'm not able to understand is how does the system assign the business role to the User automatically once the PFCG role is assigned. I can understand that since we have maintained a one to one relationship between our PFCG and Business role, system can recognize the Business role but how does it get assigned or inherited automatically. I'm sorry but I'm unable to grasp this. Thanks, Janantik.

 

Comment author said

By Davy Pelssers on 5 April 2013 at 09:35

Hi Janantik;
basically, when you enter your UserID and password in the WEBUI logon screen, your User Master record is read, and your assigned PFCG authorization roles and stored in the buffer. Next the methods in class CL_CRM_UI_PROFILE_DETERM are also executed, and this is where is being determined IF you have any business role assigned to you either via:
* the user parameter CRM_UI_PROFILE
* your assignment in the org model (if a Bus.role has been assigned to the position/Org unit to which the employee is assigned)
* the PFCG authorization role assigned to your user Master record (it's being checked if the pfcg authorization roles assigned to the user match one of the pfcg authorization roles that are assigned UNIQUELY to a particular business role)

So the methods in this class are being executed BEFORE you actually get either:
* the message that you have not been assigned a business role (a result of this check)
* have the option to choose between 2 or more business roles
* directly logon in the WEBUI as you only were assigned 1 particular business role.

 

Comment author said

By Nishant Sourabh on 14 January 2015 at 11:53

Hi Davy,
First of all thank you for the series of nice articles on CRM security. I went through quite a few of those for my project requirement.

One thing that I noticed though is irrespective of user parameter (in my ex. SALESPRO) assignment, without the assignment of the PFCG role say Z_CRM_UIU_SLS_PROFESSIONAL, I just get a blank screen with no workcenters, navigation bars.

I think you might have already said that in one of your other blog so apologies if I reiterated the same point.

Again thanks for the wonderful articles. Helped me save lot of time going through CRM guides.

 

Comment author said

By Chris on 6 May 2014 at 13:55

I don't suppose you know how SAP works when it finds that a business Role is assigned via the Org AND via a PFCG profile ?
Which one wins ?

 

Comment author said

By Davy Pelssers on 7 May 2014 at 11:47

Hi chris
it's really just a matter of performing a quick test and you"ll know.
Assign a user 2 pfcg roles that are uniquely assigned to a business role in customizing.
Next assign the employee which is mapped to the USerID to a position in which you assign another 3d business role.
I think the user will see the 3 business roles in that case during logon.

cheers
Davy

 

Comment author said

By Victor on 10 September 2014 at 19:53

Hello, Davy.
Excellent article.
I have tried to apply the steps discribed in your article, but then I assign roles SAP_CRM_UIU_SLS_PROFESSIONAL and SAP_CRM_UIU_FRAMEWORK to new user and try logon into system as this user, I still have a "log on not possible" error. Could you, please, shed some light, on what else could be the reason of such error

All manipulations were produced in SAP CRM 7.0

Best regards!

 

Comment author said

By Davy Pelssers on 1 October 2014 at 12:08

Hi Victor
without looking into your system, and the business roles, the org model assignment, uniqueness of your Business role and corresponding PFCG authorization role in business role customizing, it's impossible to know the cause.

 

Comment author said

By Davy Pelssers on 15 January 2015 at 18:26

Hi Nishant Sourabh ,
as I explained you NEED the PFCG role containing your authorizations including the UIU_COMP authorizations Always, regardless of how you would be assigning a business role to a user. without it, you will see no workcenters or navigation links in your navigation bar!

cheers
Davy

 

Leave a Reply


*