Authorization check when searching CRM business transactions
The process flow of the authorization check in business transactions is also followed when searching. The authorization check is executed against each authorization object in the structured order.
The next authorization object is checked only if the user is not authorized for the upper-level object.
Detailed information can be found in Process Flow of the Authorization Check in Business Transactions.
During search, the authorization check can be switched off for better performance. There are two ways to switch it off:
- Implement method CRM_RFW_MODIFY_QUERY of BADI CRM_ORDER_AUTH_CHECK. Setting the parameter EV_EXECUTE_STANDARD to blank in the implementation skips the standard process flow of the authorization check. It is also possible to add the customer's own authorization check logic here.
- It can also be controlled by parameter settings. To switch off the authorization check for a single user, use user parameter CRM_RF_PERFORMANCE with value A in SU3; to switch off the entire authorization check for all user groups, use parameter SETTINGS_REPORTING_FRAMEWORK in table SMOFPARSFA with value A. (SAP Note 615670 explains the parameters in more detail.)
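A review check for the two parameter switches described above, as an added example that is not part of the original page or of SAP's code: it reads constructed CSV exports of the user parameter table (USR05) and of SMOFPARSFA and reports where value A switches the search authorization check off. The export format and the SMOFPARSFA column names PARNAME/PARVAL1 are assumptions to adjust to your own export; the BADI route is not covered.

```python
import csv
import io

USER_PARAM = "CRM_RF_PERFORMANCE"              # user parameter named on this page (SU3)
GLOBAL_PARAM = "SETTINGS_REPORTING_FRAMEWORK"  # SMOFPARSFA parameter named on this page
OFF_VALUE = "A"                                # value the page gives for "check switched off"

# Constructed sample exports. USR05 columns are BNAME/PARID/PARVA; the
# SMOFPARSFA column names PARNAME/PARVAL1 are assumptions for this example.
USR05_CSV = """BNAME,PARID,PARVA
JDOE,CRM_RF_PERFORMANCE,A
ASMITH,CRM_RF_PERFORMANCE,
BKING,CRM_RF_PERFORMANCE, A
JDOE,BUK,1000
"""
SMOFPARSFA_CSV = """PARNAME,PARVAL1
SETTINGS_REPORTING_FRAMEWORK,
OTHER_PARAM,A
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def users_with_check_off(usr05_text):
    """Users whose own parameter switches off the search authorization check."""
    return sorted({r["BNAME"].strip() for r in _rows(usr05_text)
                   if r["PARID"].strip() == USER_PARAM
                   and (r["PARVA"] or "").strip() == OFF_VALUE})

def global_check_off(smofparsfa_text):
    """True if the system-wide parameter switches the check off for all users."""
    return any(r["PARNAME"].strip() == GLOBAL_PARAM
               and (r["PARVAL1"] or "").strip() == OFF_VALUE
               for r in _rows(smofparsfa_text))

def audit(usr05_text, smofparsfa_text):
    """Return findings as (scope, subject, parameter) tuples, global first."""
    findings = []
    if global_check_off(smofparsfa_text):
        findings.append(("ALL_USERS", "*", GLOBAL_PARAM))
    findings += [("SINGLE_USER", u, USER_PARAM)
                 for u in users_with_check_off(usr05_text)]
    return findings

if __name__ == "__main__":
    for scope, subject, param in audit(USR05_CSV, SMOFPARSFA_CSV):
        print(f"{scope}: {subject} has {param}={OFF_VALUE} (search authorization check off)")
```

Each finding is a place where search results are no longer filtered by the standard authorization flow, so it should map to a documented performance decision.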
Sometimes the authorization check during search does not work as expected. Some hints for troubleshooting:
- Check the authorization check settings in the user's PFCG profile. Are they configured correctly?
- Is the authorization check switched off by BADI implementation or the parameters?
- Debug the search process. A good starting point is a breakpoint in FM CRM_BSP_OIC_1O_SEARCH_FROM_RF.
Detailed technical information that might be helpful for debugging:
- The parameters are checked in class CL_CRM_REPORT_QUESTION, method CONSTRUCTOR, line 98; the parameter value is passed to gv_acc_settings.
IF gv_acc_settings <> gc_report_mode-old AND
gv_acc_settings <> gc_report_mode-single AND
gv_acc_settings <> gc_report_mode-dynamic_without_auth.
- The BADI CRM_ORDER_AUTH_CHECK implementation is checked in FM CRM_REPORT_RF_CHECK_AUTHORITY, line 286:
IF gv_auth_badi IS BOUND.
CALL METHOD gv_auth_badi->crm_rfw_modify_query
iv_user = iv_user
iv_type = iv_type
iv_only_check_partner_2nd = iv_only_check_partner_2nd
ev_can_not_used_partner_2nd = ov_can_not_used_partner_2nd
ev_execute_standard = lv_execute_standard
lt_query = lt_query
OTHERS = 0.
* in case no standard modification should be done => exit
IF lv_execute_standard IS INITIAL.
- The authorization settings for each authorization object in the user's PFCG role are built up as search criteria in FM CRM_REPORT_RF_CHECK_AUTHORITY. The actual search is performed in class CL_CRM_REPORT_ACC_DYNAMIC, method DATABASE_ACCESS. The parameter IT_WHERE contains all the search criteria. Are the search criteria for the authorization check set correctly?
- Call stack:
  Event Type  Event                          Program
  FUNCTION    CRM_REPORT_RF_CHECK_AUTHORITY  SAPLCRM_REPORT_CHECK_AUTHORITY
  METHOD      CONSTRUCTOR                    CL_CRM_REPORT_QUESTION========CP
  FUNCTION    CRM_BSP_OIC_1O_SEARCH_FROM_RF  SAPLCRM_BSP_OIC_1O_SEARCH