Show TOC

Identity Management for SAP CRM: Central Creation of UsersLocate this document in the navigation structure

Use

SAP NetWeaver Identity Management is used to automatically create and update identities with corresponding authorizations for employees in SAP Customer Relationship Management (SAP CRM). SAP NetWeaver Identity Management can be used with or without SAP ERP Human Capital Management (SAP ERP HCM).

If you are using SAP ERP HCM, employee data is sent to SAP CRM using Application Link Enabling (ALE). Corresponding identities are created automatically in SAP NetWeaver Identity Management and are subsequently assigned to the relevant employees (business partners) in SAP CRM.

If you are not using SAP ERP HCM, an administrator creates identities in SAP NetWeaver Identity Management. Based on the identity data, employees are created automatically in SAP CRM. The relevant user accounts for your employees are automatically assigned in SAP CRM.

Prerequisites

  • You have installed SAP NetWeaver Identity Management 7.1.

  • You have installed SAP CRM 7.0.

  • The PFCG roles available for business roles in SAP CRM have been loaded into SAP NetWeaver Identity Management.

  • You have assigned your users to business roles according to the procedure described in the activity in Customizing for Customer Relationship Management under Start of the navigation path  UI Framework Next navigation step Business Roles Next navigation step Overview End of the navigation path.

  • To ensure that the employee is created in SAP CRM, and to avoid the assignment of employees to nonexistent user accounts in SAP CRM, you have performed the following configuration of the ALE inbound process in SAP CRM:

    You have defined the table T77S0 in the Customizing activity Set Up Integration with Organizational Management in Customizing for Customer Relationship Management under Start of the navigation path Master Data Next navigation step Business Partner Next navigation step Integration Business Partner-Organization Management End of the navigation path. To prevent the creation of a relationship between employee and user in SAP CRM, in the group Create Relationship to User (HRALX-USRAC) in table T77S0, you have set the value to SPACE.

  • To start the identity data exchange the role SAP_CRM_BUPA_IDM_INTEGRATION is required.

Features

In SAP CRM, the combination of a user account, a business partner, and a central person is needed so that SAP CRM processes can handle users correctly. The central person is required to establish the relationship between a user account and a business partner, and is assigned to both the user account and the business partner to link them together.

The combination of a user account, a business partner, and a central person is created automatically, as in the following two cases:

  • With SAP ERP HCM

    When an administrator creates a new employee in SAP ERP HCM, the data is replicated to SAP CRM using ALE. The data that is transferred includes the complete organizational data of the employee. You can display the data in SAP CRM, but you cannot change it.

    The corresponding identity is created automatically in SAP NetWeaver Identity Management. An administrator must then assign the correct business role to this identity, so that the user has the correct authorizations to start working in the CRM WebClient UI.

    In SAP CRM, a user account, an employee, and a central person are created from the data received from SAP ERP HCM and SAP NetWeaver Identity Management, and the user account is assigned to the employee based on the matching personnel number.

    PFCG roles are required for the user account created in SAP CRM and enable the user to have access to the CRM WebClient UI. The PFCG roles available for business roles in SAP NetWeaver Identity Management must be the same as those available for the corresponding business roles in SAP CRM.

    If a business role has been assigned to the identity in SAP NetWeaver Identity Management, the correct PFCG roles required for the business role in SAP CRM are automatically determined. The PFCG roles of the business role assigned in SAP NetWeaver Identity Management are automatically assigned to the user account in SAP CRM, including the relevant authorizations.

    Example

    If an identity is assigned to the SALESPRO business role in SAP NetWeaver Identity Management, the user acquires the accompanying PFCG roles for SALESPRO in SAP CRM, along with the authorization to use this role.

    The employee created will be assigned to an organizational unit and subsequently will have address data and communication data. The employee will then get placed in organizational management.

    Changes to the employee in SAP ERP HCM or to the identity in SAP NetWeaver Identity Management (for example, the assignment of a new business role) are updated automatically in SAP CRM. This occurs through a similar process as in the initial creation, but results in changes to the existing employee or user account rather than the creation of new employees or user accounts.

  • Without SAP ERP HCM

    When an administrator creates a new identity in SAP NetWeaver Identity Management and assigns business roles to this identity, this data is sent to SAP CRM. Based on this identity data, a user account, an employee, and a central person are created in SAP CRM.

    The employee data does not include address data or communication data, but contains the following:

    • First name

    • Last name

    • Title

    • Academic title

    • Name prefix

    • Name supplement

    The user account acquires the relevant PFCG roles and authorizations by the same process as in the first use case when using SAP ERP HCM. The business role is created without using SAP ERP HCM, but the same PFCG roles are required for the user to access the CRM WebClient UI in both use cases.

    The employee is not assigned to an organizational unit. Without address data and communication data, the employee is created without any automatic assignment to organizational management, but a business role is still assigned to the user in SAP CRM.

    Changes to the employee in SAP ERP HCM or to the identity in SAP NetWeaver Identity Management (for example, the assignment of a new business role) are updated automatically in SAP CRM. This occurs through a similar process as in the initial creation, but results in changes to the existing employee or user account rather than the creation of new employees or user accounts.

To assign users to business roles, you must first assign the PFCG role to the business role in Customizing for Customer Relationship Management under Start of the navigation path UI Framework Next navigation step Business Roles Next navigation step Define Business Roles End of the navigation path. In the business role definition table, you assign the PFCG role to the business role in the field PFCG Role ID. For example, if you have a business role for managers called Z_BR_MAN with a corresponding PFCG role called Z_PFCG_MAN, in the business role definition table, you enter Z_PFCG_MAN in the field PFCG Role ID for business role Z_BR_MAN. When you create a manager user, you assign the PFCG role Z_PFCG_MAN to him or her in SAP NetWeaver IDM. SAP NetWeaver IDM creates the user with the PFCG role Z_PFCG_MAN in the SAP CRM system. If the user logs on to the CRM WebClient UI, the system detects from the PFCG role Z_PFCG_MAN that this user has business role Z_BR_MAN.

You can use the Business Add-In (BadI) CRM_BADI_FILTER_EMPLOYEE in SAP NetWeaver Identity Management to ensure that the identities are transferred to SAP CRM.

More Information

For more information, see SAP Library for SAP Customer Relationship Management on SAP Help Portal at http://help.sap.com.