In this article I will try to shed some light onto some tools /reports SAP provides us to facilitate the authorization role creation & assignment process in SAP CRM.
I will also give a critical (and personal) view on this process and appreciate your feedback if you have likewise or other experiences, opinions about this topic.
1. Report CRMD_UI_ROLE_PREPARE
I hope you already understand that the latest releases of SAP CRM are based on the CRM Business Role concept. If you do not, than make sure you read previous posts I made about this subject, as it is “mandatory knowledge”!
Now, the report SAP Provides us, allows you to create a Txt-file that contains all relevant “authorization objects” based on the input parameter that you used, being the Business role itself OR the PFCG authorization role (linked to your Business Role in Customizing).
In the above screenshot, we see that the name of the Business role is “SALESPRO”.
The corresponding PFCG authorization role is called SAP_CRM_UIU_SLS_PROFESSIONAL.
The PFCG Authorization role you will set here in Business Role Customizing should be UNIQUE, for 2 reasons:
- If you would like to create a PFCG authorization role (txt-file) using the report CRMD_UI_ROLE_PREPARE than this report will read all relevant customizing tables (especially those related to the assigned navigation bar profile) for a particular business role. Now it can only identify the business role based on either the business role name you enter yourself in the report OR by indirectly identifying the business role based on the PFCG role ID you enter in the report and as such the link between a business role and it’s PFCG role should be unique.
- You can assign a business role in 3 ways as I explained in a previous post. One of them is the PFCG authorization role assigned to your SU01 user master record. As an example, should you assign the standard PFCG role SAP_CRM_UIU_SLS_PROFESSIONAL to user X, than he will be able to logon with the business role SALESPRO, because there is a UNIQUE link between that particular PFCG authorization role and that business role which is maintained in Business role customizing.
2. Example of how to use the report: practical example
2.1. Copy existing business role
Now to quickly show you how this report works I made a copy of the business role SALESPRO and called in ZSALESPRO.
Attention: When I copy an existing business role, and just change the name of the business role during this copy process, and next press the enter button, you will notice that the system shows you a “warning message”.
This is just because of the fact that while making a copy of the business role SALESPRO into the ZSALESPRO he also tries to copy the PFCG role ID, which I just explained you should be unique!
Now, as it’s just a WARNING message, I can still press the ENTER button once again, to continue the copy process, and finally get to see some pop-up showing me that a certain number of entries have been copied into my new Business role.
I can next SAVE this new business role ZSALESPRO. Now, as obviously I want to avoid future problems I will now create a new (blank) PFCG role and assign this in customizing to this business role.
2.2. Create a new (blank) PFCG authorization role and assign this to the new Business Role in customizing
Using the transaction code PFCG I quickly create a new PFCG role called Z_SALESPRO and save it.
2.3. Assign new PFCG role to Business role in customizing.
As you can see I now assigned the empty PFCG role Z_SALESPRO to my new business role ZSALESPRO. Now there is a unique link between the both of them.
2.4. Run report CRMD_UI_ROLE_PREPARE based on the PFCG role or Business role name.
Case 1: based on business role name ZSALESPRO
A little patience and you should probably see a screen like this:
This means the report has run successfully.
On my computer it will store this txt-file Z_SALESPRO.txt in the following path:
C:\Documents and Settings\\SapWorkDir\
As you can see, the generated TXT-file always has the NAME of the PFCG authorization role that is assigned to your business role.
Not sure what the system will do if you would use Citrix for example..
If I take a look at the generated file, I see the following:
It’s actually a list of UIU_COMP external services and some GUID.
Now if you read a previous post of mine, called “PFCG Role creation in SAP CRM” you already understand that an external web service is something comparable to an SAP transaction code, but as we do no longer use them in the CRM WEBUI, they are somewhat replaced by these external services. Each external service (type UIU_COMP) has it’s relevant authorization object linked to it in SU24 (as you did for the transaction code that we use in the SAPGUI). So what this report did is build a list that will be the foundation of your SAP Menu, but in the WEBUI we refer to this as the “Navigation Bar”
I hope you’re still with me..
Case 2:create the txt-file based on the PFCG authorization role.
To demonstrate this, I quickly renamed the previously generated file into Z_SALESPRO_OLD.txt.
In this case have chosen to use my PFCG authorization role name (the ‘empty’ one that I created earlier),and press the execute button.
It generated the file once again, and it could do so, because there is a unique link between the PFCG role and my business role.
So this means I can use either of them to generate my txt-file AS LONG AS the PFCG role used in business role customizing is UNIQUE.
2.5. Maintain the PFCG authorization role by uploading the generated txt-file created using CRMD_UI_ROLE_PREPARE
The last step left now is to actually use the generated file to maintain the PFCG authorization role values based on the “external services” that now will be uploaded into this role.
In order to do this, I just open the empty pfcg role Z_SALESPRO I created earlier and in the “menu tab” I select “Import from file”.
I then select the folder where the TXT –file was generated earlier.
I click “open” and next the system starts reading the txt-file data. You will see that once finished, a menu structure has been created containing “ Work Centers” and navigation links based on relevant external services.
The next logical step would be to create the authorization profile, and maintain all relevant authorization object Values!
Now if you already end up here, then I assume there’s nothing new. Here you are supposed to know or figure out what authorization objects are used for what purpose/object in the SAP CRM system, and next restrict and/or, deactivate those objects necessary based on your authorization requirements.
The SAP University Team – SAP Articles by and for SAP Users.