First we will start with the list of main SAP CRM Authorization Objects (version 7.0). Then we will detail some important Customer RelationShip Authorization Objects and Checks (CRM_ORD_LP, CRM_ORD_PR, CRM_ORD_OE) . In the last part, we will be looking of the different levelss for Authorization Check Stack in SAP CRM 7.0 for Business Transaction. 

SAP CRM Authorization Objects List

Let’s start by the list of SAP CRM Authorization Objects:

CRM_ORD_LP

Using authorization object CRM_ORD_LP, the system checks which organizational levels are relevant for processing by the user, in reference to the business transactions created in the system. The system then defines which activities can be executed for the relevant organizational levels.
This authorization check controls other checks, such as the authorization check for the business transaction type, so that when the user fulfills the above mentioned criteria, he or she can also process the document if he or she does not have authorization for the corresponding business transaction type and activity. (source: wiki.scn.sap.com)

The authorization object checks the following fields:

• CHECK_LEV Scope of Processed Objects only one value can be created per profile
• PR_TYPE Business Transaction Type
• ACTVT Activity

CRM_ORD_PR

Using authorization object CRM_ORD_PR, the system controls which business transaction types the user can process.

The authorization object checks the following fields:

• PR_TYPE business transaction type
• ACTVT activity

CRM_ORD_OE

Using authorization object CRM_ORD_OE, the system checks in which distribution chain the user can process business transaction. (source: wiki.scn.sap.com)

The authorization object checks the following fields:

• SALES_ORG sales organization
• SERVICE_OR service organization
• DIS_CHANNE distribution channel
• SALES_OFFI sales office
• SALES_GROU sales group
• ACTVT activity

Check more detail on Authorization Objects Overview 

SAP Authorization Check levels in CRM 7.0

When Accessing SAP CRM Business Transactio, there is level is managed by the Objects (Source: Authorization Check levels in CRM 7.0)

1- Access to your Document: This level of check is managed by the object CRM_ORD_OP
2- Access depending of Organization of Employee: the object begin this check level is CRM_ORD_LP
3- Access based on Activity the user is allowed to do : Object concerned is CRM_ORD_TE
4- Combine all the above Check level ( you can set all the SAP Authorization Check Objects together)

SAP Authorization Check Level Illustration

In order to illustrate these level, check the following picture made by sap

Process Flow of the Authorization Check in Business Transactions

Authorization Check Stack in SAP CRM 7.0 for Business Transaction

1. Authorization BADI CRM_ORDER_AUTH_CHECK->CRM_ORDER_ALTERN_AUTH_CHECK
This allows for skipping standard authorization checks
2. Std Check – Own document, user owns a role
3. Std Check – User assigned to same Org level of document
4. Std check – territory(if enabled in customizing)
5. Std check – Business object type (Eg. BUS2000111)
6. Std check – Process type
7. Std check – Sales/div channel
8. Authorization BADI CRM_ORDER_AUTH_CHECK->CRM_ORDER_ADD_AUTH_CHECK
This allows for additional checks if user has passed all std checksFollowing the sequence 1 to 7, if any of the step OKs the user, the rest of the steps are skipped. The step 8 is still carried out if the user has passed. So, you may want to analyze your situation further. Maybe, you have to implement the BADI method mentioned in step 8 and do a further check based on user role. The CL_CRM_UI_PROFILE->Get_profile will give you the PFCG role. (source: BADI CRM_ORDER_AUTH_CHECK )