
Authorization check when searching CRM business transactions

The process flow of the authorization check in business transactions is also followed when searching. The authorization objects are checked in the following hierarchical order:

  CRM_ORD_OP

     >CRM_ORD_LP

        >CRM_ORD_OE

           >...

The next authorization object is checked only if the user is not authorized for the upper-level object.

Detailed information can be found in Process Flow of the Authorization Check in Business Transactions.

During search, the authorization check can be switched off for better performance. There are two ways to switch it off:

  1. Implement method CRM_RFW_MODIFY_QUERY of BAdI CRM_ORDER_AUTH_CHECK. Setting the parameter EV_EXECUTE_STANDARD to blank in the implementation skips the standard process flow of the authorization check. It is also possible to add the customer's own authorization check logic here.
  2. It can also be controlled by parameter settings. To switch off the authorization check for a single user, use user parameter CRM_RF_PERFORMANCE with value A in SU3; to switch off the entire authorization check for all user groups, use parameter SETTINGS_REPORTING_FRAMEWORK in table SMOFPARSFA with value A. (SAP Note 615670 explains the parameters in more detail.)

Sometimes the authorization check during search does not work as expected. Some hints for troubleshooting:

  1. Check the authorization check settings in the user's PFCG profile. Are they configured correctly?
  2. Is the authorization check switched off by a BAdI implementation or by the parameters?
  3. Debug the search process. A good starting point is a breakpoint in FM CRM_BSP_OIC_1O_SEARCH_FROM_RF.
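For hint 2, the two parameter switches can be audited from table exports. The following is an added example, not code from the original page or from SAP: it reads pipe-delimited exports of USR05 (user parameters) and SMOFPARSFA and reports where value A is set. The export layout, the SMOFPARSFA column names PARNAME and PARVAL1, and all sample rows are assumptions or constructed data; BAdI implementations are not covered and must be reviewed separately.

```python
import csv
import io

USER_PARAM = "CRM_RF_PERFORMANCE"              # user parameter named on the page (SU3)
GLOBAL_PARAM = "SETTINGS_REPORTING_FRAMEWORK"  # SMOFPARSFA parameter named on the page
OFF_VALUE = "A"                                # value the page says switches the check off

# Constructed sample exports (header row + pipe-delimited rows); not real system data.
CONSTRUCTED_USR05 = """
MANDT|BNAME|PARID|PARVA
100|JDOE|CRM_RF_PERFORMANCE|A
100|ASMITH|CRM_RF_PERFORMANCE|
100|BWONG|ZZ_OTHER_PARAM|A
--------------------------
200|SVC_REPORT|CRM_RF_PERFORMANCE| A
"""
CONSTRUCTED_SMOFPARSFA = """
MANDT|PARSFAKEY|PARNAME|PARVAL1
100|ZZ_PLACEHOLDER_KEY|SETTINGS_REPORTING_FRAMEWORK|
200|ZZ_PLACEHOLDER_KEY|SETTINGS_REPORTING_FRAMEWORK|A
"""

def _rows(export_text):
    """Yield one dict per data row; cells are trimmed, malformed lines are skipped."""
    reader = csv.reader(io.StringIO(export_text.strip()), delimiter="|")
    header = [h.strip().upper() for h in next(reader)]
    for raw in reader:
        cells = [c.strip() for c in raw]
        if len(cells) == len(header):  # drops separator lines and truncated rows
            yield dict(zip(header, cells))

def audit_search_auth_switches(usr05_export, smofparsfa_export):
    """Report clients and users for which the search authorization check is switched off."""
    clients_off = sorted({
        r["MANDT"] for r in _rows(smofparsfa_export)
        if r["PARNAME"] == GLOBAL_PARAM and r["PARVAL1"] == OFF_VALUE
    })
    users_off = sorted({
        (r["MANDT"], r["BNAME"]) for r in _rows(usr05_export)
        if r["PARID"] == USER_PARAM and r["PARVA"] == OFF_VALUE
    })
    return {"clients_globally_off": clients_off, "users_off": users_off}

if __name__ == "__main__":
    print(audit_search_auth_switches(CONSTRUCTED_USR05, CONSTRUCTED_SMOFPARSFA))
```

A client listed under clients_globally_off has the check disabled for every user in that client, regardless of the per-user entries.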

Detailed technical information that might be helpful for debugging:

- The parameters are checked in class CL_CRM_REPORT_QUESTION, method CONSTRUCTOR, line 98. The parameter value is passed to gv_acc_settings.

   ... ...

    IF gv_acc_settings <> gc_report_mode-old AND
       gv_acc_settings <> gc_report_mode-single AND
       gv_acc_settings <> gc_report_mode-dynamic_without_auth.

   ... ...

- The BAdI CRM_ORDER_AUTH_CHECK implementation is checked in FM CRM_REPORT_RF_CHECK_AUTHORITY, line 286:

  ... ...

    IF gv_auth_badi IS BOUND.
      CALL METHOD gv_auth_badi->crm_rfw_modify_query
        EXPORTING
          iv_user                     = iv_user
          iv_type                     = iv_type
          iv_only_check_partner_2nd   = iv_only_check_partner_2nd
        IMPORTING
          ev_can_not_used_partner_2nd = ov_can_not_used_partner_2nd
          ev_execute_standard         = lv_execute_standard
        CHANGING
          lt_query                    = lt_query
        EXCEPTIONS
          OTHERS                      = 0.
*   in case no standard modification should be done => exit
      IF lv_execute_standard IS INITIAL.
        RETURN.
      ENDIF.
    ENDIF.
  ENDIF.

  ... ...

- The authorization settings for each authorization object in the user's PFCG role are built up as search criteria in FM CRM_REPORT_RF_CHECK_AUTHORITY. The actual search is performed in class CL_CRM_REPORT_ACC_DYNAMIC, method DATABASE_ACCESS. The parameter IT_WHERE contains all the search criteria. Are the search criteria for the authorization check set correctly?

- Call stack:

   Event Type   Event                            Program
   FUNCTION     CRM_REPORT_RF_CHECK_AUTHORITY    SAPLCRM_REPORT_CHECK_AUTHORITY
   METHOD       CONSTRUCTOR                      CL_CRM_REPORT_QUESTION========CP
   FUNCTION     CRM_BSP_OIC_1O_SEARCH_FROM_RF    SAPLCRM_BSP_OIC_1O_SEARCH
