SAP CRM Authorization

SAP CRM Authorization Objects demystified (SAP CRM 7.0)

First we will start with the list of main SAP CRM Authorization Objects (version 7.0). Then we will detail some important Customer RelationShip Authorization Objects and Checks (CRM_ORD_LP, CRM_ORD_PR, CRM_ORD_OE) . In the last part, we will be looking of the different levelss for Authorization Check Stack in SAP CRM 7.0 for Business Transaction. 

SAP CRM Authorization Objects List

Let’s start by the list of SAP CRM Authorization Objects:

CRM Auth. Obj CRM Auth. Obj
CRM_ACT CRM_INCDNT
CRM_APPRVL CRM_ISUITY
CRM_AUTHSC CRM_KNOART
CRM_BRF_RT CRM_LEAD
CRM_CATEGO CRM_OPP
CRM_CLM CRM_ORD_LP
CRM_CMP CRM_ORD_OE
CRM_CO_BR CRM_ORD_OP
CRM_CO_PD CRM_ORD_PC
CRM_CO_PU CRM_ORD_PO
CRM_CO_SA CRM_ORD_PR
CRM_CO_SC CRM_OUTL
CRM_CO_SE CRM_PRJ
CRM_CON_SE CRM_PROBLM
CRM_ERMS_P CRM_PSL
CRM_GAG CRM_RBAG
CRM_GAP CRM_SAO
CRM_GCL CRM_SE_ENT
CRM_IBASE CRM_SEO
CRM_INCDNT CRM_TXT_ID
CRM_ISUITY CRMCONFMOD

CRM_ORD_LP

Using authorization object CRM_ORD_LP, the system checks which organizational levels are relevant for processing by the user, in reference to the business transactions created in the system. The system then defines which activities can be executed for the relevant organizational levels.
This authorization check controls other checks, such as the authorization check for the business transaction type, so that when the user fulfills the above mentioned criteria, he or she can also process the document if he or she does not have authorization for the corresponding business transaction type and activity. (source: wiki.scn.sap.com)

Check also   Demystify The SAP CRM Data Exchange ToolBox

The authorization object checks the following fields:

  • CHECK_LEV Scope of Processed Objects only one value can be created per profile
  • PR_TYPE Business Transaction Type
  • ACTVT Activity

CRM_ORD_PR

Using authorization object CRM_ORD_PR, the system controls which business transaction types the user can process.

The authorization object checks the following fields:

  • PR_TYPE business transaction type
  • ACTVT activity

CRM_ORD_OE

Using authorization object CRM_ORD_OE, the system checks in which distribution chain the user can process business transaction. (source: wiki.scn.sap.com)

The authorization object checks the following fields:

  • SALES_ORG sales organization
  • SERVICE_OR service organization
  • DIS_CHANNE distribution channel
  • SALES_OFFI sales office
  • SALES_GROU sales group
  • ACTVT activity

Check more detail on Authorization Objects Overview 

SAP Authorization Check levels in CRM 7.0

When Accessing SAP CRM Business Transactio, there is level is managed by the Objects (Source: Authorization Check levels in CRM 7.0)

Check also   SAP CRM Modules

1- Access to your Document: This level of check is managed by the object CRM_ORD_OP
2- Access depending of Organization of Employee: the object begin this check level is CRM_ORD_LP
3- Access based on Activity the user is allowed to do : Object concerned is CRM_ORD_TE
4- Combine all the above Check level ( you can set all the SAP Authorization Check Objects together)

SAP Authorization Check Level Illustration

In order to illustrate these level, check the following picture made by sap

Process Flow of the Authorization Check in Business Transactions
Process Flow of the Authorization Check in Business Transactions

Authorization Check Stack in SAP CRM 7.0 for Business Transaction

1. Authorization BADI CRM_ORDER_AUTH_CHECK->CRM_ORDER_ALTERN_AUTH_CHECK
This allows for skipping standard authorization checks
2. Std Check – Own document, user owns a role
3. Std Check – User assigned to same Org level of document
4. Std check – territory(if enabled in customizing)
5. Std check – Business object type (Eg. BUS2000111)
6. Std check – Process type
7. Std check – Sales/div channel
8. Authorization BADI CRM_ORDER_AUTH_CHECK->CRM_ORDER_ADD_AUTH_CHECK
This allows for additional checks if user has passed all std checksFollowing the sequence 1 to 7, if any of the step OKs the user, the rest of the steps are skipped. The step 8 is still carried out if the user has passed. So, you may want to analyze your situation further. Maybe, you have to implement the BADI method mentioned in step 8 and do a further check based on user role. The CL_CRM_UI_PROFILE->Get_profile will give you the PFCG role. (source: BADI CRM_ORDER_AUTH_CHECK )

Check also   SAP CRM Data Model Diagram in PDF and JPG

Leave a Reply

Your email address will not be published. Required fields are marked *