SAP CRM Authorization Objects demystified (SAP CRM 7.0)

SAP CRM Authorization e1495643043510

First we will start with the list of main SAP CRM Authorization Objects (version 7.0). Then we will detail some important Customer RelationShip Authorization Objects and Checks (CRM_ORD_LP, CRM_ORD_PR, CRM_ORD_OE) . In the last part, we will be looking of the different levelss for?Authorization Check Stack in SAP CRM 7.0 for Business Transaction.?

SAP CRM Authorization Objects List

Let’s start by the list of SAP CRM Authorization Objects:

CRM Auth. Obj CRM Auth. Obj
CRM_ACTCRM_INCDNT
CRM_APPRVLCRM_ISUITY
CRM_AUTHSCCRM_KNOART
CRM_BRF_RTCRM_LEAD
CRM_CATEGOCRM_OPP
CRM_CLMCRM_ORD_LP
CRM_CMPCRM_ORD_OE
CRM_CO_BRCRM_ORD_OP
CRM_CO_PDCRM_ORD_PC
CRM_CO_PUCRM_ORD_PO
CRM_CO_SACRM_ORD_PR
CRM_CO_SCCRM_OUTL
CRM_CO_SECRM_PRJ
CRM_CON_SECRM_PROBLM
CRM_ERMS_PCRM_PSL
CRM_GAGCRM_RBAG
CRM_GAPCRM_SAO
CRM_GCLCRM_SE_ENT
CRM_IBASECRM_SEO
CRM_INCDNTCRM_TXT_ID
CRM_ISUITYCRMCONFMOD

CRM_ORD_LP

Using authorization object CRM_ORD_LP, the system checks which organizational levels are relevant for processing by the user, in reference to the business transactions created in the system. The system then defines which activities can be executed for the relevant organizational levels.
This authorization check controls other checks, such as the authorization check for the business transaction type, so that when the user fulfills the above mentioned criteria, he or she can also process the document if he or she does not have authorization for the corresponding business transaction type and activity. (source: wiki.scn.sap.com)

The authorization object checks the following fields:

  • CHECK_LEV Scope of Processed Objects only one value can be created per profile
  • PR_TYPE Business Transaction Type
  • ACTVT Activity

CRM_ORD_PR

Using authorization object CRM_ORD_PR, the system controls which business transaction types the user can process.

The authorization object checks the following fields:

  • PR_TYPE business transaction type
  • ACTVT activity

CRM_ORD_OE

Using authorization object CRM_ORD_OE, the system checks in which distribution chain the user can process business transaction. (source: wiki.scn.sap.com)

The authorization object checks the following fields:

  • SALES_ORG sales organization
  • SERVICE_OR service organization
  • DIS_CHANNE distribution channel
  • SALES_OFFI sales office
  • SALES_GROU sales group
  • ACTVT activity

Check more detail on?Authorization Objects Overview?

SAP Authorization Check levels in CRM 7.0

When Accessing SAP CRM Business Transactio, there is level is managed by the Objects (Source: Authorization Check levels in CRM 7.0)

1- Access to your Document: This level of check is managed by the object?CRM_ORD_OP
2- Access depending of Organization of Employee: the object begin this check level is CRM_ORD_LP
3- Access based on Activity the user is allowed to do : Object concerned is CRM_ORD_TE
4- Combine all the above Check level ( you can set all the SAP Authorization Check Objects together)

SAP Authorization Check Level Illustration

In order to illustrate these level, check the following picture made by sap

Process Flow of the Authorization Check in Business Transactions
Process Flow of the Authorization Check in Business Transactions

Authorization Check Stack in SAP CRM 7.0 for Business Transaction

1. Authorization BADI CRM_ORDER_AUTH_CHECK->CRM_ORDER_ALTERN_AUTH_CHECK
This allows for skipping standard authorization checks
2. Std Check – Own document, user owns a role
3. Std Check – User assigned to same Org level of document
4. Std check – territory(if enabled in customizing)
5. Std check – Business object type (Eg. BUS2000111)
6. Std check – Process type
7. Std check – Sales/div channel
8. Authorization BADI CRM_ORDER_AUTH_CHECK->CRM_ORDER_ADD_AUTH_CHECK
This allows for additional checks if user has passed all std checksFollowing the sequence 1 to 7, if any of the step OKs the user, the rest of the steps are skipped. The step 8 is still carried out if the user has passed. So, you may want to analyze your situation further. Maybe, you have to implement the BADI method mentioned in step 8 and do a further check based on user role. The CL_CRM_UI_PROFILE->Get_profile will give you the PFCG role. (source: BADI CRM_ORDER_AUTH_CHECK?)