
SAP CRM Business Partner authorizations: CRM_BPROLE versus B_BUPA_RLT


I have received a lot of questions on how to secure business partner authorizations in SAP CRM, so here's a short explanation that might benefit you.

SAP CRM has quite a few authorization objects related to SAP CRM Business Partners, such as:

 

Authorization object | Description
B_BUPA_ATT | Authorization Types: With this authorization object, you can define authorizations for any number of input fields in business partner maintenance. You determine which business partners may be maintained, depending on the field values. In Customizing you define an authorization type and specify the names of the fields that should be checked. (SAP GUI only)
B_BUPA_FDG | Field Groups: With this authorization object you can define authorizations for individual field groups in business partner maintenance. You thereby define which fields in business partner maintenance can be maintained or viewed by a user. (SAP GUI only)
B_BUPA_GRP | Authorization Groups: With this authorization object you define which business partners can be edited on the basis of the authorization group. (SAP GUI & CRM WEBUI)
B_BUPA_RLT | Roles: With this authorization object you define which Business Partner roles can be edited. (SAP GUI only, unless you implement OSS note 1259940)
B_BUPR_BZT | Relationship Categories: With this authorization object you establish which relationship categories can be processed. (SAP GUI & CRM WEBUI)
B_BUPR_FDG | Relationship Field Groups: With this authorization object you can define authorizations for individual field groups in business partner relationship maintenance. You thereby define which fields of the business partner relationship can be maintained or viewed by a user. (SAP GUI only)
CRM_BPROLE | Using this authorization object you can define which business partner roles can be edited. (CRM WEBUI only; see OSS note 1129682 - Authorization for BP roles in CRM5.2 WebClient UI)
A lot of those authorization objects worked in the SAP GUI (they were BDT based) but no longer work in the CRM WEBUI (see also OSS note 1392467 - UIU: Wrong value proposals for BP related authority objects for more information).
If you want to know how they work(ed), you can still read my ebook about SAP CRM authorizations, which I previously made available.
Now, to come back to the usage of the authorization objects CRM_BPROLE versus B_BUPA_RLT, both used in the context of the CRM WEBUI, you should know the following:

Authorization object CRM_BPROLE

Depending on the SAP CRM Release you are working in, this object will be available by default or not.
Please read OSS note 1129682 - Authorization for BP roles in CRM5.2 WebClient UI for more information.
As most of you are already working on release 6 or 7, this should be available.
This authorization object is used to check whether a user is able to maintain a Business Partner role for a given business partner in the SAP CRM system. It only controls whether the end user can, for example, set or delete a business partner role in the assignment block "Roles".
From a technical point of view, setting a specific business partner role such as "Prospect - BUP002" or "Sold-to-Party - CRM000" updates the table BUT100 with the relevant business partner role.
From a business point of view, let's take a practical use case:
The pre-sales department might be allowed to create prospects (B2C or B2B) in the SAP CRM system. They should also be allowed to create activities, leads, opportunities and quotations for those prospects in the system. However, as soon as the prospect becomes a real customer, the business partner role CRM000 should be maintained for the prospect, and this is something that only the sales manager should be able to do. In that case the customer will be replicated to your SAP ECC system and additional accounting related data should be updated by the finance department.
So restricting who can set the Sold-to-Party role might be required, and this can be achieved by giving the pre-sales officer only display access on object CRM_BPROLE for the BP role CRM000.

Authorization object B_BUPA_RLT

Now let's give a use case for authorization object B_BUPA_RLT.
Assume that as soon as the business partner role CRM000 has been maintained by the sales department, your customer is replicated to your SAP ECC system. Depending on your setup, it might be the case that as of that moment SAP ECC should be the leading system for all further changes that are made to your "Customers".
As such you do NOT want any employee to change customer master data for any business partner that has been maintained as Sold-to-Party (CRM000) in SAP CRM.
In order to achieve this, you COULD choose to activate the BAdI that is predelivered but "inactive", according to SAP OSS notes 1259940 & 1129682.
In customizing (SPRO) choose:
Customer Relationship Management -> Master Data -> Business Partner -> (Accounts and Contacts) -> Business Add-Ins
Activate the BAdI related to filtering of BP roles by authorization check.
Once this BAdI is activated, a check is also performed in the SAP CRM WEBUI for the authorization object B_BUPA_RLT.
For my requirement I therefore would only give the following access for this object:
ACTVT = 03 (display)
RLTYP = CRM000
All users would be getting only display access for business partners for which the business partner role CRM000 (sold-to-party) has been maintained. This would imply that they would not be able to change customer master data for these accounts anymore.
Remark: the downside with this approach however is that ALL assignment blocks (also relationships/contacts/attachments etc.) are no longer editable for such a customer in SAP CRM in that case, which might not be suitable for your business needs.
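One way to verify the B_BUPA_RLT values above for a given partner, as an added example that is not part of the original post: the report below (hypothetical name Z_BP_ROLE_AUTH_PROBE) reads the partner's roles from BUT100 and runs an AUTHORITY-CHECK on B_BUPA_RLT for change (02) and display (03) against each role. It assumes the standard data elements BU_PARTNER and BU_PARTNERROLE and evaluates the authorizations of the user who executes it.

```abap
REPORT z_bp_role_auth_probe.
* Added example: report name and output layout are hypothetical.
* Run it as the user whose access you want to verify.

PARAMETERS p_bp TYPE bu_partner OBLIGATORY.

DATA: lt_roles  TYPE STANDARD TABLE OF bu_partnerrole,
      lv_role   TYPE bu_partnerrole,
      lv_access TYPE string.

START-OF-SELECTION.
  " BUT100 holds the BP roles assigned to the partner
  SELECT DISTINCT rltyp FROM but100 INTO TABLE lt_roles
    WHERE partner = p_bp.
  IF sy-subrc <> 0.
    WRITE: / 'No BP roles found in BUT100 for partner', p_bp.
    RETURN.
  ENDIF.

  LOOP AT lt_roles INTO lv_role.
    " ACTVT 02 = change: expected to fail for CRM000 with the values above
    AUTHORITY-CHECK OBJECT 'B_BUPA_RLT'
      ID 'ACTVT' FIELD '02'
      ID 'RLTYP' FIELD lv_role.
    IF sy-subrc = 0.
      lv_access = 'CHANGE'.
    ELSE.
      " ACTVT 03 = display: the only activity granted in the example above
      AUTHORITY-CHECK OBJECT 'B_BUPA_RLT'
        ID 'ACTVT' FIELD '03'
        ID 'RLTYP' FIELD lv_role.
      IF sy-subrc = 0.
        lv_access = 'DISPLAY ONLY'.
      ELSE.
        lv_access = 'NO ACCESS'.
      ENDIF.
    ENDIF.
    WRITE: / lv_role, lv_access.
  ENDLOOP.
```

For a partner that carries CRM000, a user set up as described should see DISPLAY ONLY on that line; a CHANGE result means another role or profile still grants ACTVT 02 for that BP role.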
kind regards
Davy Pelssers
the SAP University Team

Davy has been working as an SAP Consultant since 2000 and started working in the SAP IS-U module, but as of 2002 he has mainly worked as a functional SAP CRM consultant and SAP Authorizations consultant.

10 thoughts on “SAP CRM Business Partner authorizations: CRM_BPROLE versus B_BUPA_RLT”



By Hari on 18 April 2013 at 14:23

Hi Davy, nice article indeed.
But, the purpose is not served.. right?
My question is, is there any automagic ! way of converting Prospect to Sold-to-Party?
Rgds
Hari

 


By RJ on 9 December 2013 at 13:59

Hi Davy,

In Standard functionality you can enter whatever business partners in the Partner Functions at the Transaction level.

My Requirement is say I want to allow business partners who belong only to ZCUS001 for Sold-To-Party Partner Function.

Tell me how I can achieve this. I thought of using COM_PARTNER_BADI. But I want to know if it can be achieved via config.

Best Regards,
RJ

 


By Davy Pelssers on 10 December 2013 at 21:06

RJ, I am not aware of your requirement being possible to achieve with pure config... I think this would need custom development... but perhaps you might pose this question on SDN/SCN.

Although, when only searching for 1 minute via Google I found back some threads where they also mention the BAdI you mentioned, so that's most likely the way to go.

cheers
Davy

 


By Valentina on 16 January 2014 at 16:50

Hi Davy,

We already have implemented functionality as per note 1259940 and it works fine, but unfortunately only from the web ui. We also use web services to modify the BP data and in that case the authorization object is not checked. Do you know if similar check can be implemented for the SAP GUI as well? Thanks!

Regards,

Valentina

 


By Davy Pelssers on 18 January 2014 at 13:23

I am not sure about the webservice part, but what would come to my mind is that changes to a sales order done via a webservice might actually be performed by a system user/RFC user instead of a real normal dialog user. The RFC/system user probably has more extended rights, by which the authorization check would not be restricted anymore. Check on table level, e.g. CRMD_ORDERADM_H, what the CHANGEDBY user id is when you change an order using the webservice. If it's not a regular dialog user, that would explain much I guess.

good luck
davy

 


By Kamal on 18 August 2014 at 12:07

Hello Davy,

It’s an amazing article. I just have a question on your remark... how can we achieve this, can we achieve both the conditions. 1) Account details not editable 2) assignment blocks editable with security authorizations.

"Remark: the downside with this approach however is that ALL assignment blocks (also relationships/contacts/attachments etc.) are no longer editable for such a customer in SAP CRM in that case, which might not be suitable for your business needs."

 


By Rain on 13 July 2016 at 04:22

Smc-dakab what I was looking for-ty!

 


By Davy Pelssers on 1 October 2014 at 12:20

Yes, technically this can be achieved, BUT not without custom development unfortunately.

As a matter of fact I am currently doing a complete redesign of my current customer's SAP CRM 7.0 authorization concept, where I also have these kinds of requirements :-)

But to get you started:
You can influence the button 'EDIT' in e.g. BP_HEAD/AccountDetails by enhancing this component and coding your own check in the DO_PREPARE_OUTPUT method.

Check the following articles for example:

http://wiki.scn.sap.com/wiki/display/CRM/Modifying+button+properties

and

http://blog.acorel.nl/2012/01/how-to-hide-buttons-for-unauthorized.html

This should help you get started.

Attention: this does NOT influence the OneClickActions, so the edit and delete button next to e.g. a record of the contact person in the assignment block contact persons.
E.g. this can be influenced in the method GET_OCA_T_TABLE. Check for this method in e.g. class CL_BP_DATA_ACCOUNTCONTACT_CN01 and you see what I mean.

cheers
Davy

 


By Shashank on 26 February 2015 at 07:43

1. I have two organizations in one company. One is Bangalore and the other one is Hyderabad. I want to restrict the sales employee of Bangalore and Hyderabad. I don’t want the Bangalore sales employee to see what the Hyderabad sales employee does in a particular BP or account, and vice versa. So, it’s just restricting the view of a particular account for both of them. Is it possible in CRM? If yes, how do you do that?

 


By Davy Pelssers on 27 February 2015 at 17:58

Your requirement is not very clear, but it sounds like you might need to implement ACE (access control engine) of which you can also find 2 blogposts on this site.

cheers
Davy

 
