Configuration Settings for the Authorization
Concept 
You can assign authorization roles to users in CRM Web Channel to determine the activities and transactions they can carry out. For example, you can determine whether a B2B Web shop user can create orders, or only display them. Assigning authorization roles to users results in the system performing background checks on the users' permissions and restricting the tasks they can carry out accordingly. Users can only access menus and transactions relevant to them, and their Web-based application authorizations match their backend user authorizations.
SAP delivers a standard set of authorization roles for use in CRM Web Channel. This means all authorization values are specified and you only need to generate the user profiles. However, several authorization objects have been assigned full authorization values since they are based on customizing and master data. This means that certain functions are enabled which you may not be using in your Web shop, and the permission levels they give to users may not meet your requirements. SAP therefore recommends that you copy the standard roles, rename them, and modify them before use. This will improve security.

The authorization roles provided are for the user type SU01 only. The SU05 user concept does not support the assignment of authorizations to SU05 users or Single-Sign-On (SSO) functionality. Therefore, SAP recommends you use SU01 users to improve security. You can migrate existing SU05 users to SU01 users in Customizing for Customer Relationship Management under Web Channel → Basic Settings → Internet User → Internet User Settings. In the activities for creating B2B and B2C users you can migrate existing SU05 users to SU01 users.
If you do wish to create SU05 users you can assign the Internet user role and the service user role to the service user for the application. SU05 users are based on the anonymous service user concept, whereby the service user has full application functionality.
You copy the standard delivered roles in your SAP CRM system as follows:
1. In the SAP Easy Access Menu choose Architecture and Technology → System Administration → User Maintenance → Role Administration → Roles (Transaction PFCG).
2. Enter the standard role in the Role field and select Copy Role.
3. Specify a new name for your local role and select Copy selectively.
4. Deselect all the checkboxes in the Choose Objects dialog box and select Continue.
5. The copied role is now created and you can generate the authorization profile.
6. Select the Change role icon next to the role name. The system displays the role details.
7. On the Authorizations tab page select Change Authorization Data. The system displays the authorization objects contained in the authorization role.
8. Select the Generate icon and change the profile name if required. The system creates a profile.
Once you have created a profile you can change the authorization objects and values in the role to meet your requirements.
1. In the SAP Easy Access Menu choose Architecture and Technology → System Administration → User Maintenance → Role Administration → Roles (Transaction PFCG).
2. Enter the name of your role in the Role field and select Change Role. The system displays the role details.
3. On the Authorizations tab page select Change Authorization Data. The system displays the authorization objects contained in the authorization role.
4. Select the authorization object you wish to change and expand the view to display all the authorization values.
5. Select Change (pencil icon next to the value). The system displays a dialog box with all values for the authorization object for your selection.
6. Select the appropriate value(s) and Save your selection.
7. Regenerate the user profile as described above.
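To confirm which full or broad authorization values remain in your copied roles after these steps, you can review an export of the role authorization data. The following is an added example, not SAP-delivered code: it assumes a semicolon-delimited export with the columns AGR_NAME, OBJECT, FIELD, LOW and HIGH (for example taken from table AGR_1251), and the role names and rows in it are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real role data). Assumed column layout:
# role name, authorization object, field, value from (LOW), value to (HIGH).
SAMPLE_EXPORT = """AGR_NAME;OBJECT;FIELD;LOW;HIGH
ZCRM_WEBSHOP_B2B;S_TCODE;TCD;*;
ZCRM_WEBSHOP_B2B;S_RFC;RFC_NAME;Z_SHOP*;
ZCRM_WEBSHOP_B2B;S_RFC;RFC_TYPE;FUGR;
ZCRM_WEBSHOP_B2B;S_RFC;ACTVT;16;
ZCRM_WEBSHOP_B2C;S_RFC;RFC_NAME;*;
ZCRM_WEBSHOP_B2C;S_RFC;ACTVT;01;99
"""


def classify(low, high):
    """Return 'full', 'pattern', 'range' or None for one value row."""
    low, high = (low or "").strip(), (high or "").strip()
    if low == "*":
        return "full"       # full authorization for this field
    if "*" in low or "*" in high:
        return "pattern"    # generic value such as Z_SHOP*
    if high:
        return "range"      # from/to interval, may cover more than needed
    return None             # single explicit value


def find_broad_values(export_text, delimiter=";"):
    """Map each role to its (object, field, kind) rows that need review."""
    findings = defaultdict(list)
    reader = csv.DictReader(io.StringIO(export_text), delimiter=delimiter)
    for row in reader:
        kind = classify(row["LOW"], row["HIGH"])
        if kind:
            findings[row["AGR_NAME"]].append((row["OBJECT"], row["FIELD"], kind))
    return dict(findings)


if __name__ == "__main__":
    for role, items in find_broad_values(SAMPLE_EXPORT).items():
        print(role)
        for obj, field, kind in items:
            print(f"  {obj}/{field}: {kind}")
```

Each reported object and field is a candidate for the value change described in steps 4 to 6 above.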
For a list of the standard roles delivered by SAP for the CRM E-Commerce and Channel Management Web-based applications, see Authorization Roles in CRM Web Channel.
For information about user roles in the ACE groups, see CRM Web Channel User Management and the Access Control Engine.