Is CRM business roles creation - a CRM security consultant's job or CRM functional consultant's job ?
The person who asked me the question assumed the answer to this question was the following:
My answer would be, YES, CRM business role creation is a Security admin's job with requirements from the functional team. In simpler terms, security will create CRM business roles with technical details (Navigation, functional profiles, layout profiles etc.) of the business roles supplied by the functional team. I am guessing that functional people will customize and configure the above technical profiles (like configuring the Account identification profiles & assigning these parameters to the functional profile) and give those details to the security team so that we can build the custom CRM business roles incorporating the technical details with proper naming convention. Am I thinking right?
Also, is most of the stuff from your ebook and presentations related to the CRM Functional team or the security team, or does it depend on the business requirements? Would you please explain it to me in detail. The last reply I got from you clearly tells me that business roles are created by the functional team, and that contradicts my thinking as a security consultant (& also because the concept of CRM business roles was explained in a couple of books published by SAP under the authorization section). Thanks Davy, I really appreciate your time.
My personal answer is the following:
Everything I talk about in the Ebook is "relevant" when defining your authorization concept. However, that does not necessarily mean that every potential task is meant to be performed by the security consultant.
To answer your question: Is CRM business roles creation - a CRM security consultant's job or CRM functional consultant's job ?
NO - the creation of business roles is principally the TASK of the functional SAP CRM consultant and NOT that of the security consultant. But then again, I suppose this also depends on the knowledge a consultant has.
On a lot of projects you have consultants that are both functional and technical. Therefore you often see that functional consultants who perform customizing tasks also do some smaller ABAP developments. Some companies, however, decide to have a strict separation between people that perform functional tasks such as customizing and people that perform rather technical tasks such as implementing OSS notes, creating ABAP developments, …
From a security point of view: let's take SAP ECC. In order to secure access to materials through MM01/MM02/MM03, the requirement might be to have authorizations set up based on material type, which is controlled by the authorization object M_MATE_MAR. In fact this object will check if an authorization group is assigned to a material type, and based on the authorizations a user has for that particular authorization group, the user will be able to access materials belonging to that particular material type. The question here is: will the security consultant or the functional consultant perform this customizing step of defining the authorization groups? From my point of view this is the task of the Functional consultant! But the security consultant will be there to explain how MM01 can be controlled through certain authorization objects, and potentially also indicate where in customizing certain things can be set up that are needed to achieve the authorization requirements.
To come back on the specific SAP CRM authorization topic:
1) It is important that the security consultant is aware of what business role creation involves, meaning that also on this level you can remove unnecessary workcenters and navigation links if those are not necessary for the end user's daily job. Why is this necessary? Typically the functional consultant will start creating his OWN Z-business role by initially taking a copy of a standard SAP business role such as SERVICEPRO / SALESPRO / …
When copying those, you will therefore copy all the workcenters and navlinks from the standard business role, many of which are not needed in your customer's processes and end users' tasks.
2) Secondly, when defining your authorization concept, you can have different approaches, which I will explain by an example:
Suppose your customer is implementing Sales (Lead-to-Order) and Service processes. The functional consultant will therefore probably start by creating two new Z-business roles, copies of the standard SALESPRO and SERVICEPRO business roles respectively. Now suppose that in both areas you have two "Functions" defined.
SALES : Sales manager and Sales Rep
SERVICE: Service Manager and Service Engineer
Within the Sales-related business role you may have BI reports integrated, and some dashboards that should not be accessed by the sales rep, but only by the sales manager. In that sense, you might decide to create 2 sales-related business roles OR only 1, but in the latter case you limit the sales rep's authorizations by limiting his access to the UIU_COMP object so he does not see the workcenter BI reports and some other navlinks.
3) Business roles are mentioned in SAP books related to authorizations because they inherently define WHAT the end user will be able to see when logging on to the SAP CRM WEBUI. By this I mean that if in your business role customizing you do not have workcenter access defined for LEADS, then even if you have SAP_ALL, you are NOT going to have access to leads information.
In the older version of SAP CRM, it was merely the SAP authorization roles assigned to the user that defined a person's access in the system to perform certain tasks. Within the WEBUI this has changed, in the sense that giving people access to tasks/objects is defined by:
- The business Role(s) he has access to
- The restrictions made on the object UIU_COMP (workcenter access/navlink access/..)
- The non-UI related authorization objects restricting his access to e.g. only specific transaction types, only giving access to certain accounts based on authorization groups, …
During the discussions on how to model your authorization concept, these aspects should become clear to:
- The business
- the functional CRM consultant
- the security consultant
One of the consequences of the selected approach may, for example, be the setup of your organisational model: if you decide to have only 1 business role for the SALES department, then you can assign your business role to the organisation unit (being the sales department), below which you will have the two positions mentioned earlier, being the sales manager and sales rep. All users assigned to 1 of these two positions would then inherit that business role.
It would be through your authorization roles that you would ensure that only the sales manager has access to the workcenter BI reports.
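
The layering described above (business role inherited from the organisational unit, UIU_COMP restrictions, non-UI authorization objects) can be sketched as a small Python model. This is an added example, not SAP code and not part of the original answer; it is a simplification in which every role, workcenter and transaction-type name is constructed, and a UIU_COMP authorization is reduced to a set of permitted workcenters.

```python
# Simplified model of the three access layers; NOT SAP code.
# All role, workcenter and transaction-type names are constructed.
from dataclasses import dataclass

ALL = "*"  # stands in for an unrestricted authorization such as SAP_ALL

# Layer 1: business role customizing (workcenters kept after trimming the copy).
BUSINESS_ROLES = {
    "ZSALESPRO": {"ACCOUNTS", "LEADS", "BI_REPORTS"},
    "ZSERVICEPRO": {"ACCOUNTS", "SERVICE_ORDERS"},
}
# Organisational model: role assigned to the org unit, inherited by its positions.
ORG_UNIT_ROLE = {"SALES_DEPT": "ZSALESPRO", "SERVICE_DEPT": "ZSERVICEPRO"}
POSITION_UNIT = {
    "SALES_MANAGER": "SALES_DEPT", "SALES_REP": "SALES_DEPT",
    "SERVICE_MANAGER": "SERVICE_DEPT", "SERVICE_ENGINEER": "SERVICE_DEPT",
}

@dataclass(frozen=True)
class User:
    position: str
    uiu_comp: frozenset   # Layer 2: workcenters permitted via UIU_COMP
    txn_types: frozenset  # Layer 3: transaction types permitted by non-UI objects

def business_role(user):
    """Business role inherited from the org unit above the user's position."""
    return ORG_UNIT_ROLE[POSITION_UNIT[user.position]]

def visible_workcenters(user):
    """Workcenters in the business role that UIU_COMP does not filter out."""
    in_role = BUSINESS_ROLES[business_role(user)]
    return set(in_role) if ALL in user.uiu_comp else in_role & user.uiu_comp

def can_process(user, workcenter, txn_type):
    """All three layers must agree; a broad authorization cannot add a workcenter."""
    if workcenter not in visible_workcenters(user):
        return False
    return ALL in user.txn_types or txn_type in user.txn_types

# One business role for the sales department; the authorization roles differ.
manager = User("SALES_MANAGER",
               frozenset({"ACCOUNTS", "LEADS", "BI_REPORTS"}), frozenset({"LEAD"}))
rep = User("SALES_REP", frozenset({"ACCOUNTS", "LEADS"}), frozenset({"LEAD"}))
# Unrestricted authorizations, but a business role without a LEADS workcenter.
engineer_sap_all = User("SERVICE_ENGINEER", frozenset({ALL}), frozenset({ALL}))
```

Reviewing a role design this way makes the division of work visible: the workcenter sets are the functional consultant's customizing, while the per-user restriction sets are what the security consultant builds into the authorization roles.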