This website is not affiliated with, sponsored by, or approved by SAP AG.

SAP CRM security

Post by DPELSSERS » Thu May 28, 2009 1:00 pm

Just some input I wanted to share.

As of CRM2006s and later versions such as CRM2007 (6.0) and 7.0, the concept has changed slightly, yes. Several objects which were BDT based and as such only worked in the SAPGUI no longer work in the WEBUI (they also did not work in the IC Webclient (4.0/5.0) release, for that matter). But the biggest changes now are these:

1) As of CRM2006s and later versions, SAP states that end-users should no longer work in the SAPGUI, also because the SAPGUI is no longer supported for the normal business processes. Only administration tasks are still performed in the SAPGUI.

2) As of CRM2006s, CRM uses the concept of SAP Business Roles. These Business Roles actually define what you get to see in the WEBUI from a functionality point of view. This is of course directly impacted by the linked Navigation bar profile, which already determines if, for example, you can use Marketing & campaign management, versus lead and opportunity management, or not. So the thing you should understand here is that even with SAP_ALL you could never create a marketing campaign using the WEBUI if the navigation link is not available in the first place.

3) Secondly, this also works the other way around: suppose in my business role I have access to all navigation links, but my backend authorisation role does not allow me to use opportunity management (where, as an example, at least you would need to have authorisation for object CRM_OPP): you will not be able to display nor create any opportunity in the system. (well this statement is not entirely correct as CRM_ORD_OP might still give you access but anyway :-)

4) Depending on the complexity and number of users at your customer you will use a different approach when setting up authorisations:
* you could choose to create multiple business roles/navigation bar profile combinations to already limit access
* you could choose to reuse several business role/navbar profile combinations but depending on the userGroup assign different backend authorisation roles where you also can limit access to a navigation link using authorisation object UIU_COMP and then of course access and other authorisation objects

Let me put it this way: it definitely has become more complex as of the new WEBUI and one thing that from my point of view is that a change in project mentality will be necessary - at least if you care about Security in SAP CRM.

Why? Because at most customers/projects, authorisations is something that typically is addressed at the very end of a after realisation of configuration/developments in the CRM system. Now, as your security concept now really depends on the approach you will use, it means that customizing of one or more navigation bar profiles and/or business roles might be necessary, which I consider an aspect critical to a successful authorisation concept. This means that your typical CRM consultant now should be made aware of this fact and as such think alongside the authorisation administrator how and what you're gonna approach this topic.

Davy Pelssers
Kind regards
Davy Pelssers
SAP CRM and Security Consultant
Posts: 24
Joined: Wed Nov 26, 2008 7:57 am
Location: Belgium
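
The two-sided check described in points 2 and 3 of the post above, modelled as an added Python example that is not part of the original post and is not SAP code. Link names, business role names, users and Z_MKT_PLACEHOLDER are constructed; treating SAP_ALL as holding every object, and one listed object per link being sufficient, are simplifying assumptions.

```python
# Added example: constructed data, not an export from any SAP system.
SAP_ALL = "SAP_ALL"  # modelled here as "holds every backend authorisation object"

# Navigation link -> backend objects, any ONE of which is enough (assumption).
# Link names and Z_MKT_PLACEHOLDER are hypothetical; CRM_OPP and CRM_ORD_OP
# are the objects named in the post.
LINK_NEEDS = {
    "opportunities": {"CRM_OPP", "CRM_ORD_OP"},
    "campaigns": {"Z_MKT_PLACEHOLDER"},
}

# Business role -> links exposed by its navigation bar profile (constructed).
BUSINESS_ROLES = {
    "SALES": {"opportunities"},
    "MARKETING": {"campaigns"},
    "ALL_LINKS": {"opportunities", "campaigns"},
}

# User -> (business role, backend authorisation objects held) (constructed).
USERS = {
    "alice": ("SALES", {SAP_ALL}),
    "bob": ("ALL_LINKS", {"Z_MKT_PLACEHOLDER"}),
    "carol": ("SALES", {"CRM_ORD_OP"}),
}


def authorised(held, link):
    """Backend side: does the user hold an object that covers this link?"""
    return SAP_ALL in held or bool(held & LINK_NEEDS[link])


def audit(user):
    """Combine the UI side (business role) with the backend side per user."""
    role, held = USERS[user]
    visible = BUSINESS_ROLES[role]
    usable = {link for link in visible if authorised(held, link)}
    return {
        "usable": usable,                # link shown AND backend check passes
        "dead_links": visible - usable,  # link shown, backend check fails
        "not_in_ui": {link for link in LINK_NEEDS  # authorised, no link in role
                      if link not in visible and authorised(held, link)},
    }


if __name__ == "__main__":
    for name in sorted(USERS):
        print(name, audit(name))
```

Entries under `dead_links` and `not_in_ui` are the mismatches between business role design and backend role design that the consultant and the authorisation administrator would need to resolve together.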
