As I have gotten a lot of questions on how you can secure business partner authorizations in SAP CRM, here's a short explanation that might benefit you.
In SAP CRM we have quite a few authorization objects related to SAP CRM Business Partners, such as:
- Authorization Types: With this authorization object, you can define authorizations for any number of input fields in business partner maintenance. You determine which business partners may be maintained, depending on the field values. In Customizing you define an authorization type and specify the names of the fields that should be checked. (SAP GUI only)
- Field Groups: With this authorization object you can define authorizations for individual field groups in business partner maintenance. You thereby define which fields in business partner maintenance can be maintained or viewed by a user. (SAP GUI only)
- Authorization Groups: With this authorization object you define which business partners can be edited on the basis of the authorization group. (SAP GUI & CRM WEBUI)
- Roles: With this authorization object you define which Business Partner roles can be edited. (SAP GUI only, unless you implement OSS note 1259940)
- Relationship Categories: With this authorization object you establish which relationship categories can be processed. (SAP GUI & CRM WEBUI)
- Relationship Field Groups: With this authorization object you can define authorizations for individual field groups in business partner relationship maintenance. You thereby define which fields of the business partner relationship can be maintained or viewed by a user. (SAP GUI only)
- Using this authorization object you can define which business partner roles can be edited. (CRM WEBUI only; see OSS note 1129682 - Authorization for BP roles in CRM5.2 WebClient UI)
A lot of those authorization objects did work in the SAP GUI (they were BDT based) but no longer work in the CRM WEBUI (see also OSS note 1392467 - UIU: Wrong value proposals for BP related authority objects for more information).
Now, to come back to the usage of the authorization objects CRM_BPROLE versus B_BUPA_RLT, both used in the context of the CRM WEBUI, you should know the following:
Authorization object CRM_BPROLE
Depending on the SAP CRM Release you are working in, this object will be available by default or not.
Please read OSS note 1129682 - Authorization for BP roles in CRM5.2 WebClient UI for more information.
As most of you are already working on release 6 or 7, this should be available.
Now, this authorization object is used to check whether a user is able to maintain a Business Partner role for a given business partner in the SAP CRM system. It only influences whether the end user will, for example, be able to set or delete a business partner role in the assignment block "Roles".
From a technical point of view, setting a specific business partner role such as "Prospect - BUP002" or "Sold-to-Party - CRM000" updates the table BUT100 with the relevant business partner role.
From a business point of view, let's take a practical use case:
The pre-sales department might be allowed to create prospects (B2C or B2B) in the SAP CRM system. They should also be allowed to create activities/Leads & Opportunities & quotations for those prospects in the system. However, as soon as the prospect becomes a real customer, the business partner role CRM000 should be maintained for the prospect and this is something that only the sales manager should be able to do. In that case the customer will be replicated to your SAP ECC system and additional accounting related data should be updated by the finance department.
So restricting who can set the Sold-to-Party role might be required, and this can be achieved by giving the pre-sales officer only display access for object CRM_BPROLE for the BP role CRM000.
Authorization object B_BUPA_RLT
Now let's give a use case for my authorization object B_BUPA_RLT.
Assume that as soon as the business partner role CRM000 has been maintained by the sales department, your customer is replicated to your SAP ECC system. Depending on your setup, it might be the case that as of that moment SAP ECC should be the leading system for all further changes that are being made on your "Customers".
As such you do NOT want any employee to change customer master data for any business partner that has been maintained in SAP CRM as Sold-to-Party (CRM000).
In order to achieve this, you COULD choose to activate the BADI that is predelivered but "inactive" according to SAP OSS notes 1259940 & 1129682.
In customizing (SPRO) choose:
Customer Relationship Management -> Master Data -> Business Partner -> (Accounts and Contacts) -> Business Add-Ins
Activate the BADI related to filtering of BP roles by authorization check.
Once this BADI is activated, a check is also performed in the SAP CRM WEBUI for the authorization object B_BUPA_RLT.
For my requirement I would therefore only give the following access for this object:
ACTVT = 03 (display)
RLTYP = CRM000
All users would get only display access for business partners for which the business partner role CRM000 (Sold-to-Party) has been maintained. This implies that they would no longer be able to change customer master data for these accounts.
Remark: the downside of this approach, however, is that ALL assignment blocks (including relationships, contacts, attachments etc.) are no longer editable for such a customer in SAP CRM, which might not be suitable for your business needs.
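To verify a role design like the one above with a test user, the following added example (not SAP-delivered code and not part of the original post) reads the roles of one business partner from BUT100 and tests the current user's B_BUPA_RLT authorization for display (03) and change (02) per role. The report name is hypothetical, activity 02 is assumed to be "change" as in standard ACTVT values, and the report only shows what the user's authorizations allow, not whether the BADI is active.

```abap
REPORT z_bp_role_auth_check.
* Added example: hypothetical report name, not SAP-delivered code.
* Lists the BP roles stored in BUT100 for one business partner and
* tests the current user's B_BUPA_RLT authorization for each role.

PARAMETERS p_bp TYPE but100-partner OBLIGATORY.

DATA: lt_roles   TYPE STANDARD TABLE OF but100-rltyp,
      lv_role    TYPE but100-rltyp,
      lv_display TYPE c LENGTH 1,
      lv_change  TYPE c LENGTH 1.

START-OF-SELECTION.
* One BP can carry several roles (e.g. BUP002 and CRM000).
  SELECT DISTINCT rltyp FROM but100
    INTO TABLE lt_roles
    WHERE partner = p_bp.

  IF lt_roles IS INITIAL.
    WRITE: / 'No BP roles found in BUT100 for partner', p_bp.
    RETURN.
  ENDIF.

  WRITE: / 'Role', 12 'Display (03)', 28 'Change (02)'.
  LOOP AT lt_roles INTO lv_role.
    CLEAR: lv_display, lv_change.

*   sy-subrc = 0 means the user master holds a matching authorization.
    AUTHORITY-CHECK OBJECT 'B_BUPA_RLT'
      ID 'RLTYP' FIELD lv_role
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 0.
      lv_display = 'X'.
    ENDIF.

    AUTHORITY-CHECK OBJECT 'B_BUPA_RLT'
      ID 'RLTYP' FIELD lv_role
      ID 'ACTVT' FIELD '02'.
    IF sy-subrc = 0.
      lv_change = 'X'.
    ENDIF.

    WRITE: / lv_role, 12 lv_display, 28 lv_change.
  ENDLOOP.
```

For the setup described above, a correctly restricted user should show an X under Display but not under Change on the CRM000 line.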
the SAP University Team