SAP CRM Authorizations: creating your PFCG Authorization role based on the configured SAP CRM Business Role

In this article I will try to shed some light on the tools and reports SAP provides to facilitate the authorization role creation and assignment process in SAP CRM.

I will also give a critical (and personal) view on this process, and I would appreciate your feedback if you have similar or different experiences or opinions on this topic.

1. Report CRMD_UI_ROLE_PREPARE

I hope you already understand that the latest releases of SAP CRM are based on the CRM Business Role concept. If you do not, then make sure you read my previous posts on this subject, as it is “mandatory knowledge”!

The report SAP provides allows you to create a TXT file that contains all relevant “authorization objects” based on the input parameter you use, which is either the Business Role itself OR the PFCG authorization role (linked to your Business Role in Customizing).

Example:

In the above screenshot, we see that the name of the Business role is “SALESPRO”.

The corresponding PFCG authorization role is called SAP_CRM_UIU_SLS_PROFESSIONAL.

The PFCG Authorization role you will set here in Business Role Customizing should be UNIQUE, for 2 reasons:

  • If you would like to create a PFCG authorization role (TXT file) using the report CRMD_UI_ROLE_PREPARE, then this report will read all relevant customizing tables (especially those related to the assigned navigation bar profile) for a particular business role. It can only identify the business role based on either the business role name you enter yourself in the report OR indirectly, based on the PFCG role ID you enter in the report. As such, the link between a business role and its PFCG role should be unique.
  • You can assign a business role in 3 ways, as I explained in a previous post. One of them is the PFCG authorization role assigned to your SU01 user master record. As an example, should you assign the standard PFCG role SAP_CRM_UIU_SLS_PROFESSIONAL to user X, then he will be able to log on with the business role SALESPRO, because there is a UNIQUE link between that particular PFCG authorization role and that business role, which is maintained in Business Role customizing.

2. Example of how to use the report: practical example

2.1. Copy existing business role

To quickly show you how this report works, I made a copy of the business role SALESPRO and called it ZSALESPRO.

Attention: when you copy an existing business role, change only the name of the business role during the copy process, and then press the Enter button, you will notice that the system shows you a “warning message”.

This is because, while copying the business role SALESPRO to ZSALESPRO, the system also tries to copy the PFCG role ID, which, as I just explained, should be unique!

Now, as it’s just a WARNING message, I can still press the ENTER button once again, to continue the copy process, and finally get to see some pop-up showing me that a certain number of entries have been copied into my new Business role.

Next I can SAVE this new business role ZSALESPRO. As I obviously want to avoid future problems, I will now create a new (blank) PFCG role and assign it in customizing to this business role.

2.2. Create a new (blank) PFCG authorization role and assign this to the new Business Role in customizing

Using the transaction code PFCG I quickly create a new PFCG role called Z_SALESPRO and save it.

2.3. Assign new PFCG role to Business role in customizing.

As you can see I now assigned the empty PFCG role Z_SALESPRO to my new business role ZSALESPRO. Now there is a unique link between the both of them.

2.4. Run report CRMD_UI_ROLE_PREPARE based on the PFCG role or Business role name.

Case 1: based on business role name ZSALESPRO

A little patience and you should probably see a screen like this:

This means the report has run successfully.

On my computer it will store this txt-file Z_SALESPRO.txt in the following path:

C:\Documents and Settings\\SapWorkDir\

 

As you can see, the generated TXT file always has the NAME of the PFCG authorization role that is assigned to your business role.

I am not sure what the system will do if you use Citrix, for example.

If I take a look at the generated file, I see the following:

It’s actually a list of UIU_COMP external services and some GUIDs.
If you read a previous post of mine, called PFCG Role creation in SAP CRM, you already understand that an external web service is something comparable to an SAP transaction code: as we no longer use transaction codes in the CRM WEBUI, they are somewhat replaced by these external services. Each external service (type UIU_COMP) has its relevant authorization object linked to it in SU24 (as you did for the transaction codes that we use in the SAPGUI). So what this report did is build a list that will be the foundation of your SAP menu, which in the WEBUI we refer to as the “Navigation Bar”.

I hope you’re still with me..

Case 2: based on the PFCG authorization role

To demonstrate this, I quickly renamed the previously generated file to Z_SALESPRO_OLD.txt.

In this case I have chosen to use my PFCG authorization role name (the ‘empty’ one that I created earlier), and pressed the execute button.

It generated the file once again, and it could do so, because there is a unique link between the PFCG role and my business role.

So this means I can use either of them to generate my txt-file AS LONG AS the PFCG role used in business role customizing is UNIQUE.
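The uniqueness condition can be checked offline against an export of the business role customizing (the comments below name the table CRMC_UI_PROFILE). The following Python sketch is an added example, not part of the original article and not SAP code; the semicolon-separated export format and the column names BUSINESS_ROLE and PFCG_ROLE are assumptions, and the sample rows (including ZSERVICE, Z_SERVICE and ZDRAFT) are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export: the state right after copying SALESPRO to ZSALESPRO,
# before Z_SALESPRO is assigned. Column names are assumed, not SAP field names.
SAMPLE_EXPORT = """BUSINESS_ROLE;PFCG_ROLE
SALESPRO;SAP_CRM_UIU_SLS_PROFESSIONAL
ZSALESPRO;SAP_CRM_UIU_SLS_PROFESSIONAL
ZSERVICE;Z_SERVICE
ZDRAFT;
"""


def load_links(text):
    """Return ({pfcg_role: [business roles]}, [business roles without a PFCG role])."""
    by_pfcg = defaultdict(set)
    unassigned = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        business = (row.get("BUSINESS_ROLE") or "").strip().upper()
        pfcg = (row.get("PFCG_ROLE") or "").strip().upper()
        if not business:
            continue  # skip malformed rows without a business role name
        if pfcg:
            by_pfcg[pfcg].add(business)
        else:
            unassigned.append(business)
    return {p: sorted(b) for p, b in by_pfcg.items()}, sorted(unassigned)


def non_unique(by_pfcg):
    """PFCG roles that are linked to more than one business role."""
    return {p: b for p, b in by_pfcg.items() if len(b) > 1}


def resolve_business_role(by_pfcg, pfcg_role):
    """Map a PFCG role to its business role; refuse if the link is missing or ambiguous."""
    roles = by_pfcg.get(pfcg_role.strip().upper(), [])
    if len(roles) != 1:
        raise LookupError(f"{pfcg_role}: expected 1 business role, found {roles}")
    return roles[0]


if __name__ == "__main__":
    links, unassigned = load_links(SAMPLE_EXPORT)
    for pfcg, roles in non_unique(links).items():
        print(f"NOT UNIQUE: {pfcg} -> {', '.join(roles)}")
    print("No PFCG role assigned:", ", ".join(unassigned) or "none")
```

Once ZSALESPRO is relinked to Z_SALESPRO, as in step 2.3, `non_unique` returns an empty result and both roles resolve to exactly one business role.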

2.5. Maintain the PFCG authorization role by uploading the generated txt-file created using CRMD_UI_ROLE_PREPARE

The last step left now is to actually use the generated file to maintain the PFCG authorization role values based on the “external services” that now will be uploaded into this role.

To do this, I open the empty PFCG role Z_SALESPRO I created earlier, and in the “Menu” tab I select “Import from file”.

I then select the folder where the TXT file was generated earlier.

I click “Open” and the system starts reading the TXT file data. Once it has finished, you will see that a menu structure has been created containing “Work Centers” and navigation links based on the relevant external services.

The next logical step would be to create the authorization profile and maintain all relevant authorization object values!

If you have made it this far, I assume nothing from here on is new to you. You are supposed to know, or figure out, which authorization objects are used for which purpose/object in the SAP CRM system, and then restrict and/or deactivate the necessary objects based on your authorization requirements.

Cheers
Davy Pelssers

The SAP University Team – SAP Articles by and for SAP Users.

Davy has been working as an SAP Consultant since 2000 and started working in the SAP IS-U module, but as of 2002 he has mainly worked as a functional SAP CRM consultant and SAP Authorizations consultant.

22 thoughts on “SAP CRM Authorizations: creating your PFCG Authorization role based on the configured SAP CRM Business Role”


By Lakshmi on 5 January 2013 at 10:07

Excellent illustration Davy. Thanks a lot for your help!!!!

 

By Janantik on 6 March 2013 at 05:02

Davy - this is a really helpful forum. I'm having some trouble in that I'm unable to locate the text file that gets generated upon execution of the CRMD_UI_ROLE_PREPARE report. I obtain "Display Log" with successful result but I'm unable to locate the file in my system. Do you know if it is possible to set a path wherein the file will go and sit once generated? Can you please share your wisdom concerning this? Thanks, JJ.

 

By Davy Pelssers on 20 March 2013 at 17:18

Hi Janantik...the problem is that the exact path may differ from PC to PC - I don't know in which path exactly on your PC the folder "SapWorkdir" will be stored..
could be a C: or D: drive and different path..so the most efficient and easiest way for you to find out is to search on the name of the PFCG role that is assigned to your business role (which will be a .txt file)..

so when I execute the report for business role ZSALESPRO, to which in customizing the PFCG role Z_SALESPRO is assigned, I just do a search for documents on all drives on my PC for a file with the name Z_SALESPRO.txt and you'll see the path in which the document is stored

cheers
Davy

 

By Delia on 13 July 2016 at 04:22

Felt so hopeless looking for answers to my questions...until now.

 

By Davy Pelssers on 20 March 2013 at 17:31

Normally, from what I could see it would typically be stored in:

A file is created and saved locally (e.g. on Windows: C:\Documents and Settings\\SapWorkDir)

but on my current "customer work laptop" the files are stored on D:\Data\SapWorkDir so as I said earlier, best to just perform a search on the file name which is the PFCG_role_Name.txt

 

By Janantik on 9 April 2013 at 17:06

Hello Davy, I'm using the SAP standard report CRMD_UI_ROLE_PREPARE to build a PFCG role corresponding to the Business role. But the text file that gets generated only contains a Folder with the Business role name and does not list the UIU_COMP external services and GUID. So when I import the file to the menu of the PFCG role that is linked to the business role it does not bring in any external services in the menu and thus not the related authorization objects in the authorizations tab. This is a fresh system and I'm performing this activity for the first time in this system. Do you think there are any system configuration steps that I might be missing which is causing this? I have performed the first step of SU25 activity - Initial fill of customer tables. Is there anything else that I need to do? Please advise. Thank you very much.

 

By Davy Pelssers on 11 April 2013 at 09:29

Not sure about your issue; but check potentially the following OSS notes:
Note 1171286 - CRMD_UI_ROLE_PREPARE fails for some PFCG role names

Note 1583510 - Wrong SU22/SU24 written for UIU_COMP external service

Another issue I can think of would be that the PFCG Role you have assigned to the business role you are trying to create the PFCG role for, is NOT unique.

You can easily check this via table CRMC_UI_PROFILE.
In the field PFCG role, enter the name of your PFCG role that is assigned to your business role and press execute. If your result is more than 1 entry, and as a consequence indicates that your PFCG role is not unique, then this is the issue.

cheers
Davy

 

By Ruby on 7 May 2013 at 18:47

Hi Davy,

What's the best practice on linking a business role with a PFCG role? Should we map the business role to single roles, or composite roles?

 

By Davy Pelssers on 10 May 2013 at 09:08

Hi Ruby, personally, I usually use the report described above to generate 1 large single authorization role per configured business role..next I start stripping that large role apart into multiple single roles and at the end create my composite roles which I assign to the end-users.

Working with composite roles gives me the flexibility to have e.g. 1 business role defined for SALES where I have sales assistant/sales rep/sales manager all using the same business role, but due to authorizations (using UIU_COMP) and other objects, I remove access to certain work centers, navigation links etc. for e.g. sales rep vs sales manager.

 

By varma on 29 October 2014 at 19:17

This is exactly what I am trying to accomplish. Would you be able to provide any more detail on the same.

Appreciate it. Thanks

 

By Priya Ranjan singh on 9 March 2014 at 06:21

Hi Ruby,

I assume you have created a number of PFCG roles in your system followed by different steps !! And after that you have enclosed all in a composite role !! Now you are trying to link PFCG role to Biz Role in SPRO !! If you are going this way, I would advise linking the composite role to the Biz role, as if in future there is any change in scenario you will have to change the mapping again !!

 

By benoy on 31 May 2013 at 16:34

I have all the required access to webui, but when I access Graphic modeler it gives the error authorization failed cannot read from database...and
one more issue: I am unable to see a particular BP in web ui. Please help

 

By Davy Pelssers on 31 July 2013 at 23:57

The best advice I can give you is to perform ST01 authorization tracing, but with a user that has the correct access! In this way you can see what authorization object values you are missing to perform/use the graphic modeler.

 

By Suresh on 30 June 2013 at 08:47

Davy - this is a really helpful forum. I have some requirement to create a WEBUI PFCG role, but they only provided a description of the services. How to find technical services details to set up roles by PFCG?

 


By Raj on 12 November 2013 at 19:35

My question - Is there a table that lists business role to single role relationships? Is there a way to see this information in ECC if there exists a separate instance for GRC?

 

By Davy Pelssers on 12 November 2013 at 22:04

Hi Raj
The only table that actually shows a direct relationship between a business role and PFCG role would be CRMC_UI_PROFILE, but this would only make sense from a GRC analysis point of view if the SAP USERID only has this particular PFCG role assigned, which usually is NOT the case. A CRM authorization concept can become rather complicated as your Business role assignment only "covers" what you "MIGHT" be able to perform within the CRM WEBUI. Your actual PFCG authorizations however, based on authorization object UIU_COMP and other auth. objects, really determine what kind of access you actually have, assuming that this functionality is made available in your business role customizing in the first place.

 

By Bhaskar on 25 February 2014 at 11:14

After importing the file generated by programme CRMD_UI_ROLE_PREPARE in the PFCG role, the PFCG role is populated with only the S_SERVICE object; other objects are not populated.
Why is this so? Please reply.

 

By Davy Pelssers on 25 February 2014 at 22:13

Sorry, but I do not have an immediate answer. Please check for OSS notes or raise an OSS message at SAP itself for your issue.

 

By SAP Analyst on 11 April 2016 at 16:38

Hi Davy,

This is very helpful. Thank you very much for putting this together.

 

By Anna on 19 December 2016 at 14:06

Hi Davy,

as I'm new to this topic I don't understand why you don't only copy a predefined PFCG role, maintain it as required and assign it to the business role? Why do you first use the download and upload functionality? Would this not be the same result?

Sorry if this is a bad question but I'm currently trying to understand...

Best regards,
Anna

 

By Davy Pelssers on 19 December 2016 at 15:35

This is merely an example. But the reason why you do not just copy the standard PFCG role is because you probably are not just going to copy the business role and not make adjustments. Probably you are going to strip unnecessary work centers and navigation links, and probably add new ones.
Therefore the report will consider only the ones relevant based on your adjusted business role and navigation bar.

 
