Process Flow of Authorization Check in Business Transactions
Business transaction processing in SAP CRM is protected by an authorization check based on alternatives, so that only authorized users can create, change, display, or delete a transaction.
The authorization check follows a specific sequence, that is, the check runs through several levels. This means that the authorization can be granted at each level, and therefore no check is necessary in the subsequent levels. If, for example, an employee is entered in a document as the employee responsible, he is allowed to process this document regardless of whether further checks would lead to a positive or negative result.
The authorization concept in the CRM business transaction has the following characteristics:
· Role-related protection:
Users have access to already existing business transaction documents, regardless of all other authorization checks, if they have been entered as a partner in these documents. This can be, for example, a user-defined partner function; the user does not have to have the “Employee Responsible” partner function.
You can control the type and scope of the permitted activity (for example, creating or changing documents) for each partner function and partner function category.
See also: Partner Processing
· Sales area/Assignment in the organization model:
Users have access to business transactions which are or were already created in or above a certain level in the organization model, regardless of all other authorization checks. If need be, users can only execute specific activities.
· Business transaction category:
Users can only create transactions if they have authorization for the corresponding business transaction category (for example, activity - CRM_ACT, opportunity - CRM_OPP).
· Business transaction type:
Users only have access to business transaction documents if they have authorization for the corresponding business transaction type. If need be, users can only execute specific activities.
· Sales area
· Payment card processing:
Only authorized users are able to see the payment card number.
Users for whom an authorization check is to be executed must be assigned in the organization model.
So that other functions, such as partner determination, can be executed, SAP recommends that you assign to the position an employee to whom a user is assigned in the business partner record.
See also: Organizational Management in the CRM System
The authorization check is run according to the following procedure:

1. Your own documents (authorization object CRM_ORD_OP)
The system checks whether the user takes on a specific partner function for the activity executed in the relevant document, for example, whether he is the employee responsible. Furthermore, the system checks whether the user has the authorization to change, display or delete a transaction. If the result of this check is positive, no further checks take place at transaction level.
2. Visibility in the organization model (authorization object CRM_ORD_LP)
If the user is not authorized in the first step of the check, the second check is carried out. This check enables the employee to control the access to specific organizational units via his position, depending on his assignment. This authorization object defines which documents can be processed by the user in the individual organizational levels, and which activities he can carry out here. If the user is authorized for the chosen activity (create, change, display, delete) and the relevant organization level, no further checks are carried out.

When maintaining the authorization field CHECK_LEV, choose only the organizational unit at the highest level of the units to be checked. If relevance to a specific sales organization is checked during the authorization check, the organizational units beneath it are also checked automatically. You therefore do not have to choose the lower-level organizational unit (sales office) as well; doing so would cause considerable deterioration in performance.
You can find further information under Check on Visibility in the Organization Model.
3. Combination of several authorization objects
If the first two checks were not successful, this combination of different authorization objects is checked. All the checks must be successful before the user is authorized to process the required transaction. This means the user only receives the authorization to process if he is authorized to:
· Process the leading business transaction category in the corresponding transaction type
· Process the corresponding transaction type
· Process in the corresponding sales area
i. Authorization objects CRM_ACT, CRM_OPP, CRM_SAO, CRM_SEO, CRM_CO_SE, CRM_CON_SE, CRM_LEAD, CRM_CMP, CRM_CO_SA, CRM_CO_SC
Using these authorization objects, the system checks which business transactions the user is allowed to process, and whether he is allowed to carry out the functions create, display or delete in these transactions. The relevant authorization object is checked, depending on the activity executed:
· Activities: CRM_ACT
· Opportunities: CRM_OPP
· Sales transactions: CRM_SAO
· Service transactions: CRM_SEO
· Service contract: CRM_CO_SE
· Service confirmation: CRM_CON_SE
· Lead: CRM_LEAD
· Complaints: CRM_CMP
· Financing contract: CRM_CO_SA
· Sales contract: CRM_CO_SC
ii. Authorization object CRM_ORD_PR
Using this authorization object, the system defines which action the user is allowed to execute for each business transaction type.
iii. Authorization object CRM_ORD_OE
Using this authorization object, the system defines in which sales area or in which service organization the user is allowed to process the CRM business transaction, and which activities he can carry out here.
If the user is not authorized in the third step of the check, he will not be able to process the document in the required way. He will receive a system message that names the corresponding authorization object and refers to the missing authorization.
· When you select the transaction you wish to create, only the transaction types for the business transaction categories for which you have authorization are displayed. For example, if you only have authorization to create opportunities and sales transactions, only the transaction types for the Opportunity and Sales business transaction categories are displayed.
· Function keys Create/Change and Delete: The system only displays the keys that you are allowed to use. If, for example, you are only authorized to display, the key Display/Change is not active.
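The three-level sequence described above, modelled as an added Python example (not SAP code and not part of the original page), returning the object that granted access or the first object that failed. The data model, the unit names, the transaction type ZOPP, the sales area AREA_1 and the reduction of level 2 to an upward walk of the organization tree are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Leading category -> authorization object (subset of the list in step 3).
CATEGORY_OBJECT = {"activity": "CRM_ACT", "opportunity": "CRM_OPP",
                   "sales": "CRM_SAO", "service": "CRM_SEO", "lead": "CRM_LEAD"}

@dataclass
class User:  # hypothetical model: each set holds (value, activity) pairs
    name: str
    own_doc: set = field(default_factory=set)     # CRM_ORD_OP: partner function
    org_level: set = field(default_factory=set)   # CRM_ORD_LP: org unit
    category: set = field(default_factory=set)    # CRM_ACT, CRM_OPP, ...: object
    tx_type: set = field(default_factory=set)     # CRM_ORD_PR: transaction type
    sales_area: set = field(default_factory=set)  # CRM_ORD_OE: sales area

@dataclass
class Document:
    category: str
    tx_type: str
    sales_area: str
    org_unit: str
    partners: dict  # user name -> partner function

def ancestors(unit, parent_of):  # the unit itself, then every unit above it
    while unit is not None:
        yield unit
        unit = parent_of.get(unit)

def check(user, doc, activity, parent_of):
    """Return (allowed, granting object or first object that failed)."""
    # Level 1: the user is a partner in the document with a permitted function.
    function = doc.partners.get(user.name)
    if function and (function, activity) in user.own_doc:
        return True, "CRM_ORD_OP"
    # Level 2 (assumed model): the document sits at or below an authorized unit.
    for unit in ancestors(doc.org_unit, parent_of):
        if (unit, activity) in user.org_level:
            return True, "CRM_ORD_LP"
    # Level 3: category AND transaction type AND sales area must all pass.
    cat_obj = CATEGORY_OBJECT[doc.category]
    for obj, ok in ((cat_obj, (cat_obj, activity) in user.category),
                    ("CRM_ORD_PR", (doc.tx_type, activity) in user.tx_type),
                    ("CRM_ORD_OE", (doc.sales_area, activity) in user.sales_area)):
        if not ok:
            return False, obj  # named in the system message
    return True, "combination"

# Constructed sample data: a sales office below a sales organization.
PARENT_OF = {"OFFICE_A": "SALES_ORG_1", "SALES_ORG_1": None}
DOC = Document("opportunity", "ZOPP", "AREA_1", "OFFICE_A", {"alice": "EMPLOYEE_RESPONSIBLE"})
```

With this data, `check(User("alice", own_doc={("EMPLOYEE_RESPONSIBLE", "change")}), DOC, "change", PARENT_OF)` returns `(True, "CRM_ORD_OP")` although alice holds no category, transaction type or sales area authorization, which is the case to look for when reviewing why a user could process a document.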