cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Authorization objects for transactions in SAP CRM

Go to solution
Former Member

on ‎05-27-2011 11:25 AM

0 Kudos

Dear Experts,

For transaction, the authorization check is run according to the following procedure:

1.Your own documents (authorization object CRM_ORD_OP)

2.Visibility in the organizational model (authorization object CRM_ORD_LP)

3.Territory check in claims management (authorization object CRM_ORD_TE)

4.Combination of several authorization objects (CRM_ACT, CRM_OPP, CRM_SAO, CRM_SEO, CRM_CO_SE, CRM_CON_SE, CRM_LEAD, CRM_CMP, CRM_CO_SA, CRM_CO_SC)

5.Authorization object CRM_ORD_PR

6.Authorization object CRM_ORD_OE

For CRM_ORD_OP - I have disabled the delete option.

For rest of the auth object, I have given full authorization. But the system is not considering the auth object: CRM_ORD_OP. The user is still able to delete the transaction.

However, if I disable the delete option for auth objects - CRM_ORD_PR & CRM_ORD_OE, its working fine i.e. user cannot delete the transaction.

Actually, our requirement is to govern the visibility of transaction document using auth object CRM_ORD_OP. But the system is not considering the auth object during authorization check.

Any inputs will be highly appreciated.

Thanks!

Best Regards,

Roshan

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

robert_kunstelj
Active Contributor
‎05-27-2011 7:06 PM
0 Kudos

All auth. objects are considered in auth. check process (privileges are summarized). So if you for example say in CRM_ORD_OP define that user can't delete own objects but on other hand define in object CRM_ORD_PR that he can delete object ZXXX, he will still be able to delete all his own objects of type ZXXX, but other own object he will not be able to delete.

Regards.

Show replies
Show replies
Former Member
‎06-02-2011 9:05 AM
0 Kudos

Hello Robert,

Actually, the user is able to delete his own object. The user is assigned as employee resposible to the document. But he still can delete it.

My understanding was using the auth object: CRM_ORD_OP, we can control the authorization only to his onw documents.

For example if the user has "change" and "delete" authorization to his own documents, then these authorization are applicable only to his own document and he shouldnt be allowed to change or delete other documents, Right?

Is it by default that this auth object is not cosidered during authorization check?

Do we have to implement any BADI to read this auth object?

Best Regards,

Roshan

robert_kunstelj
Active Contributor
‎06-02-2011 9:51 AM
0 Kudos

No, it is checked in standard authorization procedure. Check again your settings and also refresh buffers before testing with /$sync.

Answers (0)

Ask a Question