CRM 7 ehp 6 security issue for BP in UI

former_member96398
Participant

In CRM 7 we are trying to restrict users from seeing BPs they are not authorized to see. We currently only have three but are going to be bringing in a lot more.

So far we have Employee BPs, Sold-Tos and prospects. The only way we've been able to secure someone from displaying or editing a BP they are not supposed to have access to is to assign those BPs to an authorization group.

Is there some reason or error in SAP code that doesn't allow either the B_BUPA_RLT (role type) or CRM_BPROLE (role type) object to restrict someone to seeing only those role types allowed?

I have end users that need to be able to display prospects and sold-tos but only edit sold-tos.

The support team should be able to see everything except employee BPs, and another end user group only sees and edits prospects.

This is a very common and valid scenario. If you have to put every BP type into an authorization group for access, that brings up two questions.

What is the best way to automatically assign a BP of a certain type to an auth group (custom code)?

I guess that means that B_BUPA_RLT and CRM_BPROLE are useless objects, but they are the only ones being checked?

And please don't point me toward the old SAP notes for the BADI implementation; that didn't work for fulfilling the above requirement.

Regards,

Curtis

Accepted Solutions (0)

Answers (1)


mvoros
Active Contributor

Hi,

On our current project we use an authorization group to control access to BPs. We enhanced the WebUI to populate the authorization group when a BP is created in the WebUI. We also have external systems that use our custom API to create BPs. Here we can easily control the authorization group populated on the BP.

I am not a CRM expert, but I don't think that business role is a useless object. It's just not suitable for a basic authorization check. If I am not mistaken, one big difference is that a BP can have multiple roles but only one authorization group. As you are aware, there is a standard BADI that is triggered after every update of a BP. So you could use it to force the authorization group based on role, but you will have to somehow resolve multiple roles to one group.

CRM also has the Access Control Engine (ACE). My understanding is that this is a more flexible concept, and you should be able to use it for your scenario to create more flexible access control than using authorization groups.

Cheers
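The resolution step the answer describes (several roles on one BP, exactly one authorization group) is the part that needs a deterministic rule, and the follow-up post shows why an empty group is the dangerous case: an unassigned BP is visible to everyone in the duplicate check. The following is an added example, not code from the thread or from SAP; the group codes, the precedence order and the sample BPs are constructed, and the real assignment would live in the update BADI in ABAP.

```python
from typing import Iterable, List, Optional, Set, Tuple

# Constructed mapping from BP role (names as used in the thread) to a
# made-up authorization group code. Replace with the customer's Z-groups.
ROLE_TO_GROUP = {
    "employee": "ZEMP",
    "sold-to": "ZSLD",
    "prospect": "ZPRS",
}
# Most restrictive role first: a BP that is both prospect and sold-to is
# treated as a sold-to; anything that is also an employee is treated as one.
PRECEDENCE = ["employee", "sold-to", "prospect"]
# Fail-closed default for a BP with no recognised role (constructed code).
RESTRICTED_DEFAULT = "ZRESTRICT"

def resolve_auth_group(roles: Iterable[str]) -> str:
    """Collapse a BP's role set to exactly one authorization group.

    Never returns an empty value: an empty group would make the BP
    readable by every user, as the thread observes for the duplicate check.
    """
    present = {r.strip().lower() for r in roles}
    for role in PRECEDENCE:
        if role in present:
            return ROLE_TO_GROUP[role]
    return RESTRICTED_DEFAULT

def bp_visible(bp_group: Optional[str], user_groups: Set[str]) -> bool:
    """Model the check as described in the thread: no group means no restriction."""
    if not bp_group:
        return True
    return bp_group in user_groups

# Constructed sample: (BP number, stored group, roles on the BP)
SAMPLE_BPS: List[Tuple[str, Optional[str], List[str]]] = [
    ("1000001", "ZSLD", ["prospect", "sold-to"]),
    ("1000002", "ZEMP", ["employee"]),
    ("1000003", "", ["prospect"]),          # group never populated
    ("1000004", "ZPRS", ["prospect", "sold-to"]),  # group disagrees with roles
]

def find_unprotected(bps=SAMPLE_BPS) -> List[str]:
    """BPs with an empty group: every user sees them, regardless of role checks."""
    return [bp for bp, group, _ in bps if not group]

def find_mismatched(bps=SAMPLE_BPS) -> List[str]:
    """BPs whose stored group differs from what the role-based rule would assign."""
    return [bp for bp, group, roles in bps if group and group != resolve_auth_group(roles)]
```

Running `find_unprotected()` and `find_mismatched()` over a BP extract is a cheap audit to run before relying on B_BUPA_GRP alone.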

former_member96398
Participant

Thanks for the response (my frustration was definitely showing).

We have a note in with SAP, but here is the current scenario:

For example, during the duplicate check, the authorization object B_BUPA_GRP is checked to see if there is a value. If there is a value, access is restricted; if not, the BP is displayed and editable by the user.

This is an issue since the employees are also loaded as BPs in the system and show up in the duplicate check, even though we are trying to limit what is displayed during the dup check.

I'm just surprised that neither B_BUPA_RLT nor CRM_BPROLE is called to limit results during these functions.