PFCG Role creation in SAP CRM
It's about time I freed up some time to write a useful article about this topic. I will try to explain things as well as I can… let's see. Who is this article intended for? People who have some or a lot of experience with SAP Authorizations but little to no experience with SAP CRM Authorizations.
Transaction codes versus External Services
Ok, when I started working in SAP back in 2000 most people (end-users) using SAP were actually working in SAP using transaction codes. The SAP Authorization concept was based on:
- Relevant tasks (performed using transaction codes) were grouped together in single authorization roles
- Multiple single roles were joined in composite authorization roles
- A transaction code was checked against the authorization object S_TCODE, and other authorization objects allowed access to be restricted further based on e.g. document type/material type/sales org/company code, just to name some well-known examples
- Typically, in SAP ECC you had (and still have) different transaction codes based on the allowed activity (create/change/display), which mostly translated into a short transaction code followed by the allowed activity (e.g. VA01/VA02/VA03 or XD01/XD02/XD03)
When I started working with SAP CRM (at that time the 3.0 and 4.0 releases), end-users were still working with the SAP GUI and therefore evidently also using transaction-code-based access.
The big difference from an authorization point of view was that SAP CRM did not really know the concept of separate transaction codes by “allowed activity” as compared to SAP ECC.
- The transaction code BP was used to create/change/display any business partner in the system (ranging from Customers/Employees/Contact persons/..). It was at the authorization object level that we had to make the distinction on the allowed activity.
- The transaction code CRMD_ORDER was used to create/change/display any business transaction (ranging from activities/leads/opportunities/sales and service orders).
- The transaction code COMMPR01 was used to create/change/display products within SAP CRM.
In the newer SAP CRM releases, where people work in the WebUI, they no longer use transaction codes. Instead, the SAP CRM WebUI makes use of external services of the type UIU_COMP. Here I am referring to end-users (not the consultants who still use certain SAP GUI transaction codes for administration).
Where in the older CRM releases you would typically check the SU24 settings (the relationship between a transaction code and its corresponding authorization objects), you will now use SU24 to analyse the relationship between an external service and its relevant authorization objects.
Example of SU24 for transaction code BP
Executing this selection shows us:
Example of analysing an external service for the component BP_HEAD_MAIN
What you see below is that all these external services use a certain naming convention:
How can you add such an external service in a PFCG Role?
Step 1. Create a new PFCG role using the transaction code PFCG