sap crm business partner authorizations_ crm_bprole versus b_bupa_rlt
DESCRIPTION
Authorization in SAP CRM Business PartnerTRANSCRIPT
-
Home SAP Authorizations SAP CRM Business Partner authorizations: CRM_BPROLE
versus B_BUPA_RLT
10 December 2012 | Davy Pelssers | 5 Comments | SAP Authorizations,
SAP CRM
As I have gotten a lot of questions on how you can secure business partner authorizations in SAP
CRM heres a small explanation that might benefit you.
In SAP CRM we have quite some authorization objects related to SAP CRM Business
Partners such as:
Authorization
object Description
B_BUPA_ATT
Authorization Types: With this authorization object, you can
define authorizations for any number of input fields in business
partner maintenance. You determine which business partners may
be maintained, depending on the field values. In Customizing you define an
authorization type and specify the names of the fields that should be checked.
(SAP GUI only)
B_BUPA_FDG
Field Groups: With this authorization object you can define authorizations for
individual field groups in business partner maintenance. You thereby define
which fields in business partner maintenance can be maintained or viewed by a
user. (SAP GUI only)
B_BUPA_GRP
Authorization Groups: With this authorization object you define which business
partners can be edited on the basis of the authorization group. (SAP GUI &
WEBUI)
B_BUPA_RLTRoles: With this authorization object you define which Business Partner roles can
be edited. SAP GUI only (unless you implement OSS note 1259940)
B_BUPR_BZTRelationship Categories: With this authorization object you establish which
relationship categories can be processed. SAP GUI - & CRM WEBUI
B_BUPR_FDG
Relationship Field Groups: With this authorization object you can define
authorizations for individual field groups in business partner relationship
maintenance. You thereby define which fields of the business partner relationship
can be maintained or viewed by a user. (SAP GUI ONLY)
CRM_BPROLE
Using this authorization object you can define which business partner roles
can be edited. CRM WEBUI ONLY (see OSS note 1129682 - Authorization
for BP roles in CRM5.2 WebClient UI)
A lot of those authorization objects did work in the SAP GUI (they were BDT based) but no longer
work in the CRM WEBUI. (see also OSS note Note 1392467 - UIU: Wrong value proposals for
BP related authority objects for more information).
If you want to know how they work(ed) you can still read my ebook about SAP CRM
authorizations which I previously made available.
Now - to come back to the explanation on usage of the authorization objects CRM_BPROLE
versus B_BUPA_RLT, both used in the context of the CRM WEBUI- you should know the
following:
Depending on the SAP CRM Release you are working in, this object will be available by default or
not.
Please read OSS note 1129682 - Authorization for BP roles in CRM5.2 WebClient UI for more
information.
As most of you are already working in one release 6 or 7 this should be available.
Now, this authorization object is actually used to check whether a user will be able to maintain a
Business Partner role for a given business partner in the SAP CRM system. It only influences the
fact that the end user will for example be able to set /delete a business partner role in the
Search
>
SAP CRM
SAP basic knowledge
SAP SD
SAP FICO
SAP HCM
SAP BW/BI
SAP Authorizations
SAP ABAP
SAP BASIS
SAP Career
SAP Workflow
SAPUNIVERSITY.EU is not affiliated or related to
any division or subsidiary of SAP AG.
SAP, SAP R/3, R/3 software, R/2 software,
ABAP/4 programming language, BAPI
programming interface, BWI software,
AcceleratedSAP methodology, and and any other
SAP trademarks are registered trademarks of
SAP AG
Sign Me Up Now!
SAP CRM Business Partner authorizations: CRM_BPROLE versus ... http://sapuniversity.eu/sap-crm-business-partner-authorizations-crm_bp...
1 of 4 13/05/2014 15:58
-
assignment block "Roles".
From a technical point of view, this is where by setting a specific business partner role such as
"Prospect - BUP002" or "Sold-to-Party -CRM000) the table BUT100 will be updated with the
relevant business partner role.
From a Business Point of view, let's take a practical use case:
The pre-sales department might be allowed to create prospects (B2C or B2B) in the SAP CRM
system. They should also be allowed to create activities/Leads & Opportunities & quotations for
those prospects in the system. However, as soon as the prospect becomes a real customer, the
business partner role CRM000 should be maintained for the prospect and this is something that
only the sales manager should be able to do. In that case the customer will be replicated to your
SAP ECC system and additional accounting related data should be updated by the finance
department.
So restricting the setting of the Sold-to-party role might be required, and therefore can be
achieved by only giving display access to the pre-sales officer for object CRM_BPROLE for the BP
role CRM000.
Now let's give a use case for my authorization object B_BUPA_RLT.
Assume that as soon as the business partner role CRM000 has been maintained by the sales
department, your customer is replicated to your SAP ECC system. Depending on your setup, it
might be the case that as of that moment SAP ECC should be the leading system for all further
changes that are being made on your "Customers".
As such you do NOT want any employee to change customer master data for all business partners
that in SAP CRM have been maintained as Sold-to-Party (CRM000).
In order to achieve this, you COULD choose to activate the BADI that is predelivered but
"inactive" according to SAP OSS note 1259940 & 1129682.
In customizing (SPRO) choose:
Customer Relationship Management -> Master Data -> Business Partner -> (Accounts
and Contacts) -> Business Add-Ins
Activate the BADI related to filtering of BP roles by authorization check.
Once this badi is activated, a check is also performed in the SAP CRM WEBUI for the authorization
object B_BUPA_RLT.
For my requirement I therefore would only give the following access for this object:
ACTVT = 03 (display)
RLTYP = CRM000
All users would be getting only display access for business partners for which the business partner
role CRM000 (sold-to-party) has been maintained. This would imply that they would not be able to
change customer master data for these accounts anymore.
Remark: the downside with this approach however is that ALL assignment blocks (also
relationships/contacts/attachments etc.) are no longer editable for such a customer in SAP
CRM in that case, which might not be suitable for your business needs.
kind regards
Davy Pelssers
the SAP University Team
Logging into SAP CRM without entering client and Language
SAP CRM Business Partner authorizations: CRM_BPROLE versus ... http://sapuniversity.eu/sap-crm-business-partner-authorizations-crm_bp...
2 of 4 13/05/2014 15:58
-
Davy has been working as an SAP Consultant since 2000 and startedworking in the SAP IS-U Module , but as of 2002 he has mainly worked asfunctional SAP CRM consultant and SAP Authorizations consultant.More about Davy Pelssers
Tweet
0
The SAP CRM Data Model
How To Read The Document Flow in SAP CRM: use case illustration
SAPSPrint Install
WebUI Table Personalization
1
LikeLike ShareShare
0
Facebook social plugin
Add a comment...
Hi Davy, nice article indeed.
But, the purpose is not served.. right?
My question is, is there any automagic ! way of converting Prospect to Sold -
to Pary?
Rgds
Hari
Comment
Hi Davy,
In Standard functionality you can enter what ever business partners in the
Partner Functions at the Transaction level.
My Requirement is say I want to allow business partners who belong only to
ZCUS001 for Sold-To-Party Parnter Function.
Tell me how I can achieve this. I thought of using COM_PARTNER_BADI. But
I want to know if it can be achieved via config.
Best Regards,
RJ
Comment
RJ, I am not aware of your requirement being possible to achieve with
pure config...I think this would need custom development...but perhaps
you might pose this question on SDN/SCN.
although, when only searching for 1 minute via google I found back
some threads where they also mention the Badi you mentioned, so
that's most likely the way to go.
cheers
Davy
Comment
Hi Davy,
We already have implemented functionality s per note 1259940 and it works
fine, but unfortunately only from the web ui. We also use web services toComment
SAP CRM Business Partner authorizations: CRM_BPROLE versus ... http://sapuniversity.eu/sap-crm-business-partner-authorizations-crm_bp...
3 of 4 13/05/2014 15:58
-
Name *
Email *
Comment
Post Comment
I am not sure about the webservice part, but what would come to my
mind is that changes to a sales order done via a webservice might
actually be performed by a system user/RFC user instead of a real
normal dialog user. The RFC /system user probably has more extended
rights, by which the authorization check would not be restricted
anymore. Check on table level , e.g. CRMD_ORDERADM_H what is the
CHANGEDBY user id when you change an order using the webservice. If
it's not a regular dialog user, that would explain much I guess.
good luck
davy
Comment
modify the BP data and in that case the the authorization object is not
checked. Do you know if similar check can be implemented for the SAP GUI
as well? Thanks!
Regards,
Valentina
SAP CRM Business Partner authorizations: CRM_BPROLE versus ... http://sapuniversity.eu/sap-crm-business-partner-authorizations-crm_bp...
4 of 4 13/05/2014 15:58