headershadow

The SAP CRM Business Role Concept

Print Friendly

Let’s take a closer look at the SAP CRM Business role concept.

SAP CRM Business roles are defined in customizing. SAP delivers a great number of business roles that are defined based on a logical grouping of tasks and functionalities an end-user should be able to perform within the SAP CRM system, based on his “function” within the organization.

Therefore it makes sense that SAP actually provides standard CRM business roles such as:

  • SALESPRO
  • SERVICEPRO
  • MARKETINGPRO
  • IC_AGENT

These are the ones I personally used most, but there are many more !!

As I said, business roles are defined in customizing.

You can either use the navigation path in customizing:

SPRO >> Customer relationship management >> UI Framework >> Business Roles>>Define business roles

Or

directly access these customizing settings using the transaction code CRMC_UI_PROFILE

If we take a look at 1 specific business role, e.g. SALESPRO, we see the following:

 

For today, it’s important that you remember that each business role has a “Navigation Bar Profile” assigned, in this case SLS-PRO.

Now, to really enable me to explain what aspects you really should comprehend, let’s first take a dive into the system.

When I log on to the SAP CRM WEBUI, after having entered my User ID and password I see the following screen:

What you actually see in the above screenshot is a list of Standard SAP CRM delivered business roles.

The reason I see this large list is because I set the User Parameter CRM_UI_PROFILE with value * in my User Master Record, just for illustration purposes.

When I click on such a link, I will actually logon with a specific business role, so the one I selected.

I this example  I will choose SALESPRO (which is not visible in the screenshot – but it was somewhat down in the list).

Now during the few seconds that I am now actually waiting, before I actually get to see the landing page of that particular business role, the system is reading through several customizing tables, especially those related to the Business Role definition. The system will verify which navigation bar is assigned to this business role. Furthermore it will also check all the PFCG roles that are assigned to my User ID!

And there it is – I now can see my default landing page called “the Home page” and on the left I also see a navigation bar, that consists out of multiple Work Centers.

Behind several workcenters, I can also find several navigation links on its turn.

Lesson 1: the fact that I am able to see these workcenters is actually defined by the navigation bar assigned to the business role I have logged on with.

If for example I would have logged on with another business role like e.g. SERVICEPRO, my navigation bar might be pretty different.

I hope it’s clear that within the SERVICEPRO business role, you have by default access to more“service” related workcenters and navigation links. (e.g. Service Orders/Service Contracts).

In my SALESPRO business role I have workcenters like “Sales Cycle” and “Sales Operations”.

If you read my article “Overview of the SAP CRM User Interface” you will understand what I mean by work centers, navigation links and direct create links.

Now let’s do a short quiz!

  1. Suppose you would have the authorization profile  SAP_ALL. Do you think you would be able to see ALL the workcenters and navigation links that are combined in both these 2 business roles? This is actually the logic that we see for example in SAP ECC when combining authorizations using our PFCG roles. Add 1 single role that allows create access for transaction code VA01 for document type XYZ, and combine this with a single role having access to VA01 for document type ZZZ, results in having access to VA01 for both document types.

Answer: NO ! It is really the business role definition (especially based on the assigned navigation bar profile) that will determine what you can SEE in the CRM WEBUI. If the workcenter “Service Orders” is not made available in the navigation bar profile belonging to the business Role SALESPRO, I will never ever be able to see that particular workcenter, and the navigation links behind it.

2. If I logon with the standard business role SALESPRO, I am always going to see let’s say the work center “Sales Cycle”?

Answer: NO! The business role determines actually what you “MIGHT” be able to see. But in essence it is the combination of my assigned Business Role together with my assigned PFCG roles that really determine what I can see and do within SAP CRM. In this particular question I am referring to the fact that you also have an authorization object called UIU_COMP. With this object you can actually control if a user has access to certain Work Centers, navigation links and/or certain buttons in the CRM WEBUI, assuming that this access was already made available by your navigation bar profile (and therefore your SAP CRM Business Role) in the first place.

So what should you remember from this article?

A business role already limits your access to what has been defined in the navigation bar profile that is assigned to it. Workcenters , navigation links that are not contained in the navigation bar profile itself, will NEVER EVER be visible to the user that logs on with that particular business Role.

 

3. In the screenshot below, you can see that multiple business roles can actually USE the same navigation bar profile.

Does this mean that when I logon with both business roles I therefore will see the same workcenters and/or navigation links?

Answer: NO!  The screenshot you saw was actually “Business Role Customizing”.  Within this configuration I can actually define that I do not want certain work centers and/or navigation links to be visible for that particular business role.

The definition of a navigation bar profile itself is also done in customizing; either via the customizing path:

SPRO >>Customer relationship Management >>UI Framework >> Technical Role Definition >>Define Navigation Bar Profile

Or

Using the transaction code CRMC_UI_NBLINKS

If I look at what work centers are ‘assigned’  to the navigation bar profile SLS-PRO I see the following:

Here you see that in standard SAP , for this navigation bar profile there are actually 11 work Centers assigned (available) by default.

This somewhat corresponds to the screenshot I already showed you earlier,having logged on with the business role SALESPRO.

What I am missing in this screenshot is the Work Center “E-mail Inbox”, as I only count 10 work Centers in the above screenshot.

Now this is, because in business role customizing itself, this workcenter has been set to “Inactive”.

I hope you understood the above explanation. If not – let me know, but definitely keep following my posts as things can only become more clear by getting and absorbing more information and examples.

All the best

Davy

 

 

Davy has been working as an SAP Consultant since 2000 and started working in the SAP IS-U Module , but as of 2002 he has mainly worked as functional SAP CRM consultant and SAP Authorizations consultant.
More about

34 thoughts on “The SAP CRM Business Role Concept


Comment author said

By tripti on 24 September 2012 at 07:00

very informative

 

Comment author said

By Wayne on 2 November 2012 at 09:44

I want to send you an award for most hepflul internet writer.

 

Comment author said

By Chase on 14 November 2012 at 09:43

Very informative - thank you. I have a question: If I'm a business user, with multiple business roles - is there a way that I can access all of my profiles without having to log out and log back into the other profile? e.g. I created two PFCG roles: Display All and Sales Order creation. When I am in Sales Order creation, I can't seem to go into display mode without logging off and logging back onto the display role. Maybe I need to assign multiple navigation bar profiles to each business role?

 

Comment author said

By Davy Pelssers on 14 November 2012 at 12:53

Hi Chase
* you can NOT have access to all your business roles at the same time. That is, you can for sure logon in SAP CRM using 2 different sessions in Internet Explorer and in one session use Business Role X , and in the other sessions use Bus.Role Y. That works. I understand your question, but here is the thing:
- altough you have 2 PFCG roles combined (relevant for your backend authorization objects for BP access and business transaction access) and also the auth.object UIU_COMP it is STILL your business role customizing that really determines wheter you would e.g see a particular work center and/or navigation link in the first place. If it's not defined in your assigned navigation bar profile, you could even have SAP_ALL and still not see this.

What you could do to solve your issue is:
- create a 3d business role that has the functionality of both other business roles combined, meaning also create a new navbar profile which you assign to your new Bus. Role.
- you could also create just 1 Bus.Role and Nav Bar Profile, and steer everything based solely on your authorizations based on backend aut.object & UIU_COMP.

This means you have Two Functions:
1 can only see the Display All Functionality
1 has Display all as well as Sales Order Creation

for function 1 you just create 1 pfcg role that has only display activity for the sales orders and other stuff.. (you combine this display access in 1 pfcg role or in multiple single roles and then in 1 composite role -depending on how you elaborate your auth. matrix.

for Function 2 you just can add the create/change sales order authorizations (e.g by creating a new pfcg role for this purpose and adding this to the 2nd composite role.

makes sense?
cheers
D

 

Comment author said

By Kumar on 28 December 2012 at 08:43

Hi Davy,

Again and again, thanks so much for providing useful information in a clear format.

 

Comment author said

By Chris on 9 January 2013 at 17:09

Hi Davy,

when selecting a business role after login: Is it possible to hide the technical name like IC_Agent and to display only the description like "Default IC Agent"? I remember that you can do it, but I have forgotten where.

Thanks
Chris

 

Comment author said

By Davy Pelssers on 9 January 2013 at 18:05

Hi Chris
I am not aware of a specific setting you can make yourself in order to hide the technical name or ID of the business role in the selection screen where you can choose between multiple business roles. HOWEVER, I just tested this phenomenon, and I think the reason why you see the technical ID's is because you are using the User Parameter CRM_UI_PROFILE with value *.
If you do so, you get both the technical name and description. If you would not use this parameter, but instead use business role assignment via org model or PFCG authorization role, you'll only see the description.

I assume this is what you might be referring too?
cheers
Davy

 

Comment author said

By srinivas on 25 January 2013 at 10:23

Hi Davy,
WE Have to go to implementation project.but i am new to crm security. Please help me to build the Business role &PFCG roles.
Please can you explain the step by step process to build the role matrix and roles.
it is emergency to start the project.
Thanks,
srinivas

 

Comment author said

By Davy Pelssers on 29 January 2013 at 12:11

Hi Srini
As I do have a full time job as a consultant I hope you understand I can not just provide help and/or training to each individual. I do however provide remote consulting from time to time, so your company or end-client is welcome to contact me if they need assistance.

 

Comment author said

By PJG on 1 March 2013 at 16:41

Hi Davy,

nice explanation! I do have one question on this. I assume it's also possible to hide certain options from the navigation bar by using authorizations(?). For example the menu option to create accounts should not be visible to anyone. i've been playing around with the UI components but can't seem to get this to work. Any tips on that?

Kind regards,

PJ

 

Comment author said

By PJG on 1 March 2013 at 16:47

Or is that something you can only do by creating different business roles?

 

Comment author said

By hari on 22 March 2013 at 14:24

Useful

 

Comment author said

By Praveen on 9 May 2013 at 09:37

Hi Davy,

We are on CRM5.2 ABAP stack.
In SU01 for the parameter CRM_UI_PROFILE with value *
given , the user not able to get on all defined business roles on UI(Webpage).

Any idea why all business roles defined are not displayed to user inspite of assigning CRM_UI_PROFILE with value * ?

Regards
Praveen

 

Comment author said

By Davy Pelssers on 9 January 2014 at 13:33

Check if the user has DEBUG display rights (for authorization object S_DEVELOP, and check again..

might be causing the issue.

cheers
D

 

Comment author said

By umesh on 4 August 2013 at 13:27

Hi Davy,
could you pls help to solve my query regarding authorization key in status profile how this authorization key is asign to PFCG ROLE For particular status and user,
thanks
umesh

 

Comment author said

By Davy Pelssers on 9 January 2014 at 13:42

in customizing you define authorization keys for a status profile. Next in the status profile itself you can assign an authorization key to a certain user status.

then in your PFCG role you would use the authorization objects B_USERSTAT and B_USERST_T to achieve your requirement(s).

Typically, if users can e.g. create sales orders having a status profile XYZ, in your objects you put the following values:
STSMA Status Profile --> XYZ
OBTYP Object Category --> COH and/or COI
BERSL Authorization key --> ' ' (dummy)
ACTVT Activity --> *

This protects setting the status that has been protected with an authorization key in customizing for the status profile XYZ assigned to the document type for Sales Orders.

 

Comment author said

By haitao on 16 March 2014 at 09:50

Can you please kindly explain the differences between business role types:CRM on-demand business role,IC Web client business role,CRM web client business role? How can I determine which one I should use? And anything special if I choose "No clasification"?
Thank you.

 

Comment author said

By laxman on 15 June 2014 at 12:14

Hi Davy,
Actually issue is when i login into webui i see list of business roles by dividing 2 to 3 line but i need one business role in one line as you explained above also its getting 2 lines for each business role but that is not case.Please kindly help to resolve my issue.

Waiting for your kind reply.

Thanks you.

 

Comment author said

By Davy Pelssers on 20 June 2014 at 12:50

that 's probably due to the fact that you see the name of the position or org unit to which the user is assigned to in the org model.
If the name is long, you will see more lines for 1 business role at logon where you can choose between the assigned business roles.

 

Comment author said

By SudhaYadav on 29 December 2014 at 17:39

Dear Experts,

Greetings to All..

I have a subject, Sales and Service Related roles need to Assign one Business Role,
One business role need to assign to Authorization Person (DGM in the Company)

Ex
Multiple Roles (Sales and Service related JOBS)  One Business Role  This Business role to Assign DGM (in the Company)

Please guide me ..

 

Comment author said

By Davy Pelssers on 7 January 2015 at 19:47

I am sorry, but can you translate this chinese to plain English and at least take the effort to elaborate your question in a decent way? Perhaps then someone might take an effort to answer your question

 

Comment author said

By Michael on 7 January 2015 at 15:06

I want to see all users assigned to a specific business role is that prossible and if so how?

 

Comment author said

By Davy Pelssers on 7 January 2015 at 19:44

Hi Michael, look at for my next post which will probably help you out a lot!

cheers
Davy

 

Comment author said

By Davy Pelssers on 15 January 2015 at 18:31

Michael,
Remember that there are actually 3 methods by which a user might be able to have access to 1 or more business roles. So regarding your question, are you just referring to the business role assignment through the org model, via the pfcg role, or via the user parameter CRM_UI_PROFILE?

cheers
Davy

 

Comment author said

By VV on 30 January 2015 at 04:43

Davy,
Is it possible to restrict the tabs in the work area of a workcenter by providing object names corresponding to the tabs in the corresponding UIU object.

Regards,
VV

 

Comment author said

By VV on 12 February 2015 at 21:42

Hi Davy,
I had updated a comment sometime back but it looks like it went to my SPAM. Could you please help to know if it is possible to disable the links in the application blocks in the work area for a particular work center using security profiles and authorization objects?

Thanks and Regards,
VV

 

Comment author said

By Davy Pelssers on 15 February 2015 at 10:23

Hi VV, if you are referring to "removing" workcenters, navigation links or direct create links from the navigation bar using pfcg authorisations, then yes ,that is possible without any problem. Just look through my 3 posts on UIU_COMP.

If you are referring to something else, then please drop me an email with screenshots of what your exact requirements are.

cheers
davy

 

Comment author said

By Abhishek on 22 May 2015 at 01:38

Hi Davy,

Firstly, this is best place on the internet for SAP CRM Security and thanks a bunch for putting this together. Kudos!

I am new to CRM Security (but an experienced SAP Security consultant). I have few question regarding CRM Security.

1. If a user has a Business Role assigned, then would the user also need access to the particular Services (S_SERVICE) to access CRM Web UI? Or is the Business Role sufficient?

2. If a User has a Business Role assigned, what other authorization will he need via PFCG role, to access CRM Web UI?(S_SERVICE, UIU_COMP, both of them, anything else?)

3. What is the relationship between Business Role and the CRM Services?

4. I used Report - CRMD_UI_ROLE_PREPARE to generate a text file for a particular Business Role. But it did not add any Services to the text file. So, when I imported teh text file in my PFCG Role Menu, it did not ad any Authorization values. What might be the reason for this?

Thank you again.

-Abhi

 

Comment author said

By Davy Pelssers on 5 June 2015 at 11:27

Hi Abhi,
1) S_SERVICE is actually an old and obsolete authorization object and actually needs to be DEACTIVATED in your pfcg roles. Just look on OSS for the work S_SERVICE and you will the note.

But you need access to a business role which can be 1 of following ways :
- user parameter CRM_UI_PROFILE
- pfcg role (which is linked to the business role in customizing
- org model

Additionally the user also needs to have the corrrect pfcg authorizations , so PFCG roles

2) please first check ALL articles on the website as I wrote a lot of them and they explain this question
3) a business rol calls external services when you navigate to objects /views and UIU_COMP allows you to grant access to navigational links (outbound plugs)
4) did you have anything at all in the text file?
Are you sure that the pfcg role that is linked to the Businenss rol in customizing is unique and not linked to other business roles.. again..I wrote a separate article on this topic

please read first all articles..
cheers
D

 

Comment author said

By Anjan on 2 July 2015 at 13:11

Hi Davy,

Excellent post. However I had a question, what is the role of technical profile in this entire structure of controlling screens and authorizations. I have a scenario where accessing Detective role is giving a error message "Security settings are not maintained, contact your system administrator". CUrrently technical profile assigned is "DEFAULT_ICM", however if we change the technical profile to "Default", we are successfully able to access the next screens. Please help.

Thank you.
Anjan Pandey

 

Comment author said

By kk on 27 November 2015 at 02:04

Hi Davvy,
i have currently installed crm 7.0 ehp2 as a university project and while running crm_ui t-code and login in it several roles are displayed for for roles like servicepro , marketinpro etc. although i have assigned only 2 roles in su01 to that particular user. i want only servicepro or marketingpro to be displayed on web ui when i login into it. could you tell me where i am going wrong??

thanks in advance.
kk

 

Leave a Reply


*