Activity level
Authorization check
A separate programme - a separate permission. What sounds simple requires a few steps to be learned. Do you want to implement your own permission checks in your own development or extend standard applications with your own permission checks? When implementing customer-specific permissions, a lot needs to be considered. In this tip, we focus on the technical implementation of the authorisation check implementation.
Giving permissions to specific functions that are called in SAP CRM through external services requires some preliminary work. Users working in SAP CRM use the SAP CRM Web Client to invoke CRM capabilities. For this to work smoothly, you must assign a CRM business role to the user, which provides all the CRM functionality necessary for the user. If the role should only allow access to certain external services, regardless of the customising (or only to the external services specified in the customising), it becomes a little trickier. All clickable elements in the SAP CRM Web Client, such as area start pages or logical links, are represented by CRM UI components. These UI components are, technically speaking, BSP applications. By clicking on such a component, the user gains access to certain CRM functions. These UI components are represented in the roles as external services. You must explicitly allow access to these UI components through PFCG roles, similar to the permissions for access to specific transactions.
Use SAP_NEW correctly
When the auth/authorisation_trace parameter is turned on, external services are written to the USOBHASH table and permission checks are logged in the USOB_AUTHVALTRC table. You can now use the contents of this table to apply the checked objects and values from the trace to the suggestion values in the transaction SU24. Because it is a dynamic profile parameter, it is reset when the application server is launched. Now open the transaction SU24 and you will find your own UIK component as an external service. Double-clicking on this service will tell you that no suggestion values have been maintained there. You can apply these suggested values from the USOB_AUTHVALTRC table. Here you should at least maintain the UIU_COMP authorization object so that this information is loaded into the PFCG role as soon as you include the external service in your role menu.
Once the programme implementation and documentation have been completed, a functional test will always follow. A corresponding eligibility test should not be forgotten. The permission test must include both a positive and a negative permission test.
Secure your go-live additionally with "Shortcut for SAP systems". You can assign necessary SAP authorizations quickly and easily directly in the system.
SAP FI has direct interfaces to other modules, such as HR or SD.
Set a specific acronym or character to indicate whether your role has critical accesses so that separate assignment or approval rules can be observed for such roles.