
Difference between SAP CRM Security and SAP ECC 6.0 security

Former Member
0 Kudos

Hi

I have worked extensively on SAP ECC security but haven't had a chance to work on CRM Security.

Can anyone please let me know the difference between CRM security compared to ECC security.

Thanks...

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Aside from the obvious differences of different system so different tcodes. And depending upon which elements of CRM are implemented, there are a couple of big differences.

1. A lot of functionality is executed via BSPs (business server pages) that are run on a browser, but authorizations are still in the backend. What that means for security is that you can rely on a tcode defaulting the auth objects.

2. Depending upon what and how things are implemented, there are often RFC calls to another system like ECC from CRM - so you may actually need to build ECC roles as well.

There are CRM specific security guides available from SAP - https://websmp102.sap-ag.de/SECURITY

You will need an OSS id.

Edited by: JC on May 27, 2008 8:57 AM

13 REPLIES 13

0 Kudos

I couldn't find the CRM security guide on the above link. Can you please get the exact link? Will appreciate with points. Thanks

0 Kudos

> I couldn't find the CRM security guide on the above link. Can you please get the exact link? Will appreciate with points. Thanks

You didn't post the thread so you can't give points. The CRM guide is where I said it was in my previous post - look in the detail guides section & under the CRM folder are a couple of CRM security guides - I checked them myself.

0 Kudos

> will appreciate with points. thanks

Even if you had asked the question, offering points and asking for points, along with interview questions and copy&pasting answers or generally just creating unnecessary noise in the forum are now illegal activities in Germany and several other countries as well. You can even be fined (divide 4 by 2 for example).

0 Kudos

My apologies.....I guess.

0 Kudos

Thanks... the points topic seldom happens here, so we get excited when it does

There is however a very good cause behind this: please see the rules thread, which was also updated today again => there is a maximum number of 10 unresolved threads per user limit.

0 Kudos

Hi,

small remark....

I suggest to use http://service.sap.com/security instead of choosing a dedicated server like websmp102, which might be down.....

b.rgds, Bernhard

0 Kudos

Hi ,

just to make sure, that you can find the guides, if you haven't until now....

at service.sap.com/security, first open 'Security in Detail' in the left navigation hierarchy, then go to 'Security Guides'. Scroll down until you find the CRM section....

b.rgds,

Bernhard

Former Member
0 Kudos

I am sorry to say, but instead of giving the guy a decent answer you are starting a fight or discussion about stupid forum points...

really sad.....

The big difference between SAP ECC and SAP CRM Security (up to release 5.0) was the following:

1) For sure there are very different transaction codes in SAP CRM as compared to SAP ECC in the first place

2) If you are familiar with R/3 or ECC authorizations, then you know that already on transaction code level, the 'allowed activity' is controlled on tcode level, whereas in SAP CRM, in most cases the 'allowed activity' is not controlled by the transaction code, but on authorization object level....

E.g. transaction code BP allows you to create/change/display any type of Business Partner (e.g. sold-to/ship-to/contact person/employee/customer) which is based on the business partner ROLE concept.... anyway...you can control the allowed activity based on different authorization objects.....

another example is business transaction processing...which can be launched by:

  • a very generic transaction code: CRMD_ORDER

  • transaction category related transaction codes, e.g.

      • CRMD_BUS2000126 for activity management

      • CRMD_BUS200115 for Sales processes

Again...allowed activity is not controlled by the tcode, but on authorization object level...

3) As of the new WEBCLIENT UI (which is valid as of release CRM2006s/CRM2007/CRM7.0) SAP also invented an extra authorization layer, which is UI COMPONENT LEVEL and logical links.... controlled by object UIU_COMP.

However, they also introduced the BUSINESS ROLE concept (e.g. SALESPRO/MARKETINGPRO/...) which actually defines the functionalities, navigation bar, screen configuration, logical links you can use/see within the new WEBclient UI.

Another thing is that instead of using TRANSACTION CODES, as of these new releases, you are actually using 'external services'....so you do not authorize on tcodes basically....but the logic between tcodes and external services in relation to the authorization objects that are checked is more or less the same....

STANDARD authorization setup in the new WEBUI client is therefore controlled by both backend authorizations (not UIU component related) and the UIU_COMP (restricting access to workcenters/logical links/...)

4) Additionally SAP also provides a concept called ACE (which stands for ACCESS CONTROL ENGINE)....

This requires a bit of customizing...and the rest is more or less pure customer development, as you will create your own methods where you'll define a logic which dynamically will verify what kind of access you have for an object....

You should know that ACE is actually implemented on top of your 'normal' SAP CRM security setup....

cheers

Davy Pelssers
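
As an added illustration of points 2 and 3 in the post above (not code from the thread or from SAP): a small Python model of why reviewing roles by transaction code alone misses what a CRM user can actually do, and how the WebClient UI adds the UIU_COMP layer on top of the backend check. S_TCODE/TCD, B_BUPA_RLT/ACTVT/RLTYP and UIU_COMP/COMP_NAME are standard SAP object and field names (only UIU_COMP is named in the thread); the role names, role type values and component name are constructed sample data.

```python
# Constructed sample roles: each is a list of (auth_object, {field: allowed values}).
ROLES = {
    "Z_BP_DISPLAY": [
        ("S_TCODE", {"TCD": {"BP"}}),
        ("B_BUPA_RLT", {"ACTVT": {"03"}, "RLTYP": {"*"}}),
    ],
    "Z_BP_MAINTAIN": [
        ("S_TCODE", {"TCD": {"BP"}}),
        ("B_BUPA_RLT", {"ACTVT": {"01", "02", "03"}, "RLTYP": {"CRM000"}}),
    ],
    "Z_WEBUI_SALES": [  # WebClient UI role: no tcode, UI component access instead
        ("UIU_COMP", {"COMP_NAME": {"BP_HEAD"}, "COMP_WIN": {"*"}, "COMP_PRES": {"*"}}),
        ("B_BUPA_RLT", {"ACTVT": {"03"}, "RLTYP": {"*"}}),
    ],
}


def check(role, obj, **wanted):
    """Model of an authority check: one authorization for obj must cover every field."""
    for name, fields in ROLES[role]:
        if name == obj and all(
            "*" in fields.get(f, set()) or v in fields.get(f, set())
            for f, v in wanted.items()
        ):
            return True
    return False


def can_start_bp(role):
    """What a tcode-only review sees: may the role start transaction BP?"""
    return check(role, "S_TCODE", TCD="BP")


def bp_activities(role, rltyp):
    """What the role may do (01 create, 02 change, 03 display) for one BP role type."""
    return sorted(a for a in ("01", "02", "03")
                  if check(role, "B_BUPA_RLT", ACTVT=a, RLTYP=rltyp))


def webui_bp_access(role, component, actvt, rltyp):
    """WebClient UI: UIU_COMP gates the component, the backend object gates the activity.
    Window and presentation fields are wildcarded in the sample, so only COMP_NAME is tested."""
    return (check(role, "UIU_COMP", COMP_NAME=component)
            and check(role, "B_BUPA_RLT", ACTVT=actvt, RLTYP=rltyp))


if __name__ == "__main__":
    for r in ROLES:
        print(r, "BP tcode:", can_start_bp(r), "CRM000:", bp_activities(r, "CRM000"))
```

Both Z_BP_* roles look identical to a tcode-only review, yet one is display-only and the other can create and change one role type; the WebUI role never holds tcode BP at all.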

0 Kudos

Yeah well, if "Friend" had not hijacked this old thread... and had an S-account...

In future I will correct the links when I find them, and delete "hijackers"...

Thanks for your contribution though. I will take a look into it.

Cheers,

Julius

ps: Is ACE a CRM specific thing? The (external auditing) ACE tool I know does not pass a Code Inspector Check (transaction SCI) and should not be allowed in a productive system in my opinion.

pps: There is a maximum limit of 2500 characters per post (except code in special cases). If it is exceeded, the formatting is lost, currently.

0 Kudos

Hi Davy, not sure where you got the points fighting bit about. Points are definitely not why most of us post here and people assuming that the offer will make a difference obviously don't understand the forum.

"Friend" was asking a question which I had answered for them previously, that they had to search through a directory was obviously too much hard work for them.

Cheers

Alex

0 Kudos

Hi Julius,

I know ACE to be SAP CRM specific, as it was initially introduced by SAP to allow a more 'dynamic' security setup in order to access objects within the CHANNEL Management Scenario.

Initially it was only available for PCUI (people centric user interface) but by now you can also use it in other UIs such as the new WEB UI in CRM.... and it is also available for more generic scenarios such as Ecommerce....

but as I do not really follow up that much on ECC authorizations, it might also have been introduced over there....

cheers

Davy

0 Kudos

Unfortunately ACE hasn't ported over to ECC yet. I'm no expert in it, but it does seem to have some useful applications.