
CRM Web Client Auth Problems


Version: 1.0

CRM Web UI: Analyzing Authorization Problems

History

Version Date Status (Comments)
1.0 23.12.2008 Initial Version


© 2006 SAP AG, Dietmar-Hopp-Allee 16, D-69190 Walldorf


Table of Contents

1 Introduction
2 Analyzing Authorization Issues
2.1 Setting up Authorizations Correctly
2.2 Making Exceptions Visible in the UI
2.3 Checking whether user has the PFCG profile SAP_CRM_UIU_FRAMEWORK assigned
2.4 Checking If User Has The Right PFCG Role Assigned
2.5 Analyzing Missing Authorization Objects
2.5.1 Determining Missing Authorization Object
2.5.2 Authorization Controlling Navigation
3 Appendix
3.1 Authorization Concept Overview
3.2 Determination of the Business Role at Runtime


1 Introduction

This document provides information on how to analyze and patch authorization-related problems.

Authorization problems often lead to:

• Authorization errors in the Web UI
• Missing links in the CRM Web UI

There are various reasons for those problems. The main reasons are:

• Authorizations in the PFCG Profile are not set up correctly.
• There are missing authorization objects in the PFCG Profile.

This document gives some hints on how to determine/solve issues related to missing authorization


2 Analyzing Authorization Issues

2.1 Setting up Authorizations Correctly

You may check if you have followed the procedures described in the Implementation Guide (Transaction SPRO):

CRM 2007

SAP Implementation Guide => Customer Relationship Management => UI Framework => Technical Role Definition => Define Authorization Role

CRM 7.0

SAP Customizing Implementation Guide => Customer Relationship Management => UI Framework => Business Roles => Define Authorization Role

2.2 Making Exceptions Visible in the UI

If you get errors due to missing authorizations, it can help to make exceptions visible in the Web UI. You can turn on this feature by enabling the checkpoint group BSP_WD_EXCEPTION_DISPLAY in transaction SAAB.

2.3 Checking whether user has the PFCG profile SAP_CRM_UIU_FRAMEWORK assigned

Each user using the CRM Web UI must have the PFCG Role SAP_CRM_UIU_FRAMEWORK assigned (or at least the authorizations contained in this role).

The missing authorization can lead to short dumps (see screenshot below) or errors when starting the CRM Web UI (this depends on your CRM release and SP level).

You can check if the user has the profile assigned in transaction PFCG or SU01.

The PFCG role SAP_CRM_UIU_FRAMEWORK is usually assigned automatically if you follow the standard role assignment procedure by using the report CRMD_UI_ROLE_ASSIGN.


2.4 Checking if User Has Right PFCG Role Assigned

Each Business Role usually has a corresponding PFCG role.

You can determine the PFCG role of your Business Role in the IMG customizing:

• Transaction SPRO: SAP Customizing Implementation Guide => Customer Relationship Management => UI Framework => Business Roles => Define Business Role
• Select your Business Role
• Determine the name of the PFCG role (Field: PFCG Role ID)


• Go to transaction PFCG and select the role determined in the previous step
• Make sure
  o That the authorization profile has been generated: 'Authorization' tab green
  o Users have been assigned to the role and a complete user comparison has been performed: 'User' tab green


2.5 Analyzing Missing Authorization Objects

There could be several reasons for authorization-related issues:

• The authorization object needed is available in the PFCG profile(s) assigned to the user but it has wrong authorization values maintained
• The authorization object is missing in the PFCG profile(s) assigned to the user
• Navigation is not possible due to missing authorizations in authorization object UIU_COMP

The following chapters describe how to analyze these issues.

2.5.1 Determining Missing Authorization Object

You can determine missing authorizations using the following transactions:

• SU53: This transaction shows the last failed authorization check. Unfortunately this method often fails because authorization checks are not performed at the time of the error (but, e.g., when starting the application) and the reported failed authorization check is not the one causing the problem.
• ST01: The Authorization Trace can be used to get information on all performed authorization checks. This is the preferred way to analyze authorization issues.

2.5.1.1 Analyzing Authorization Issues with ST01


• Log on to SAP GUI with a user who has authorizations to call transaction ST01
• Click on 'Filters'
• Set the filter to the user who is logged on in the web UI
• Turn the trace on using option 'Authorization check'
• Start the CRM Web UI and log on with the user who is missing some authorization
• Reproduce the problem in the web UI
• Turn the trace off
• Analyze the trace for the user who was logged on in the web UI
• Check if there are some failed authorization checks


• Write down the authorization object for which the check has failed

2.5.1.2 Checking Authorization Object in PFCG Role

You have determined the authorization object for which the authorization check has failed. The next task is to check if this authorization object is part of the PFCG role.

• Start transaction PFCG
• Open the PFCG role which is connected to the Business Role x
  o You can determine the PFCG role assigned to the Business Role you are using in transaction CRMC_UI_PROFILE
• Go to tab 'Authorizations'
• Display the authorization data


• Search for the authorization object you have found using ST01 (or SU53)
• There are two cases:
  o The authorization object exists but has wrong values assigned => Correct the value
  o The authorization object is missing. You can add the authorization object manually to the profile. (You could create an OSS message and let SAP know that there is a mandatory authorization object missing.)
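
The comparison in 2.5.1.2 can be done mechanically once the failed checks from ST01 and the role's authorization data are written down. The following Python code is an added example, not part of the original SAP document; the one-line-per-check input layout, the role contents and all sample names and values (Z_DEMO_OBJ, ZDEMO_*) are constructed for illustration. Besides the two cases above it reports a third outcome: the role already covers the check, which points back to profile generation and user comparison (2.4).

```python
# Constructed sample input: failed checks noted from the ST01 trace, one per
# line as "OBJECT FIELD=VALUE;FIELD=VALUE" (not the real ST01 output layout).
TRACE = """\
UIU_COMP COMP_NAME=ZDEMO_ACC;COMP_WIN=MainWindow;COMP_PNAME=DEFAULT
UIU_COMP COMP_NAME=ZDEMO_ORD;COMP_WIN=MainWindow;COMP_PNAME=DEFAULT
Z_DEMO_OBJ ACTVT=02
"""

# Constructed role data: object -> list of authorizations (field -> values).
ROLE = {"UIU_COMP": [
    {"COMP_NAME": ["ZDEMO_ACC"], "COMP_WIN": ["*"], "COMP_PNAME": ["*"]},
    {"COMP_NAME": ["ZDEMO_ACT*"], "COMP_WIN": ["MainWindow"], "COMP_PNAME": ["*"]},
]}

def value_allowed(value, allowed):
    """True if value equals a maintained value or matches a trailing-* prefix."""
    return any(value == a or (a.endswith("*") and value.startswith(a[:-1]))
               for a in allowed)

def parse_trace(text):
    """Yield (object, {field: value}) for each non-empty line."""
    for line in filter(None, map(str.strip, text.splitlines())):
        obj, _, rest = line.partition(" ")
        yield obj, dict(p.split("=", 1) for p in rest.split(";") if p)

def classify(obj, checked, role):
    """Map one failed check to the cases of section 2.5.1.2."""
    auths = role.get(obj)
    if not auths:
        return "OBJECT_MISSING", []        # add the object to the role
    best = None
    for auth in auths:                     # ONE authorization must cover ALL fields
        bad = [f for f, v in checked.items()
               if not value_allowed(v, auth.get(f, []))]
        if not bad:
            # Role would pass: check profile generation / user comparison (2.4)
            return "ROLE_COVERS_CHECK", []
        if best is None or len(bad) < len(best):
            best = bad
    return "WRONG_VALUES", best            # correct these field values

def analyze(trace_text, role):
    """Return (object, case, mismatching fields) for every traced check."""
    return [(obj, *classify(obj, f, role)) for obj, f in parse_trace(trace_text)]

if __name__ == "__main__":
    for row in analyze(TRACE, ROLE):
        print(row)
```

Value ranges maintained in the role are not handled; only single values and trailing-* patterns are compared.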

2.5.2 Authorization Controlling Navigation

The (cross-component) navigation in the CRM Web UI is controlled in the following way:

• It must be configured in the Business Role customizing.
• You need the appropriate authorizations for the navigation. This is controlled by the authorization object UIU_COMP.

If you have changed the Business Role customizing, you can determine the needed authorization by using the report CRMD_UI_ROLE_PREPARE and following the procedure described in the Business Roles customizing (see chapter 2.1 Setting up Authorizations Correctly).

If you are sure that you have configured the navigation correctly in the Business Role customizing, a missing authorization could be the reason for the missing navigation. The missing authorization can be determined either by running the Authorization Trace (ST01) or by using the log of the Checkpoint Group CRM_UIF_NAV_AUTH.


• Go to transaction SAAB and enter the Checkpoint Group CRM_UIF_NAV_AUTH
• Turn on the log for the user running the CRM Web UI


• The log reports failed authorization checks for navigation configured in the Business Role Customizing


3 Appendix

3.1 Authorization Concept Overview

In the CRM role concept there is a dependency between Business Roles and PFCG roles. Every Business Role usually has a corresponding PFCG Role containing all authorization objects needed to fulfill the task defined in the Business Role.

Note:

The Business Role customizing allows you to omit the PFCG Role assignment altogether or to assign the same PFCG Role to several Business Roles. These are exceptional cases and not covered in this chapter.

The following figure shows and explains the following dependencies:

• Between the PFCG Role Menu and the Business Role
• Between the User and the PFCG Role

[Figure: associations between User (Tx SU01), Org Management (Tx PPOMA), Business Role (IMG Customizing), Nav Bar Profile (IMG Customizing), PFCG Role (Tx PFCG), PFCG Profile (current authorization settings) and Role Menu (link between PFCG profile and SU24 trace); report CRMD_UI_ROLE_PREPARE writes the file containing the PFCG role menu information; report CRMD_UI_ROLE_ASSIGN]

Component Description


User: CRM uses standard User Maintenance (SU01). Authorizations are provided using PFCG Profiles/Roles assigned to the users.

Organizational Management: Users are (usually) assigned to Business Roles indirectly using the Organizational Management. If a position in the Organizational Management is assigned to a Business Role using the info type 'business role', then in turn all users are assigned to this Business Role as well.

Navigation Bar Profile: Used to define Work Centers, Logical links etc. Provides common settings used in Business Roles.

Business Role: Uses and adapts the Navigation Bar Profile (e.g. Work Centers can be turned off) to the needs of the particular business functions. There is (usually) an assignment to one PFCG role (for exceptions see PFCG Role).

Report 'CRMD_UI_ROLE_ASSIGN': Assigns PFCG Roles to the user based on user assignments in the Organizational Management (positions in the Org Management in turn are assigned to Business Roles).

PFCG Role: Contains tailored authorizations for the Business Role. The authorizations are retrieved from SU22/SU24 traces (at SAP/Customer) based on the PFCG Role Menu.
Caution: Each user must have the PFCG role SAP_CRM_UIU_FRAMEWORK assigned in addition to the business role specific PFCG role.
Usually there is a 1:1 relation between business roles and PFCG roles. There are cases where this is not suitable. It is then possible to assign the same PFCG Role to several Business Roles in the Business Role Customizing or even to omit the PFCG role.

PFCG Role Menu: Is imported in the PFCG transaction from a file created by report CRMD_UI_ROLE_PREPARE. Each Role Menu entry is linked to a SU24 trace. The menu contains all traces and in turn all the authorizations needed to run a specific Business Role.

Report CRMD_UI_ROLE_PREPARE: The report creates the Role Menu file based on the settings in the business role customizing. This information represents the link between the Business Role settings and the SU24 traces.

The next picture shows and explains the following dependencies:

• Between the PFCG Role and the SU22/24 traces
• Between the PFCG Role and the CRM Web UI based application


Component Description

PFCG Profile: Contains authorization objects needed for a particular Business Role. The profile retrieves authorization objects from the SU22/SU24 traces during profile creation. Only those traces are read which are connected to the PFCG role via the role menu.

SU22 Trace: Authorization traces delivered by SAP. The CRM User Interface uses the external trace type UIU_COMP.

SU24 Trace: Authorization traces maintained by the customer. These traces are copied from the SAP namespace (SU22) using transaction SU25.

CRM Application: Available UI functions are controlled using Business Role customizing. Authorizations are controlled by PFCG Roles.
SU22 (at SAP) and SU24 (at customer) traces are written, if they are turned on, when the application performs an authorization check.
Turning trace on/off:
TA: RZ11
auth/authorization_trace = Y : active
auth/authorization_trace = N : inactive
The more functions have been executed in the application, the better the coverage of the authorization checks in the SU22/24 trace.


3.2 Determination of the Business Role at Runtime

The Business Role is determined in the following order:

1. The role assigned using the User Parameter CRM_UI_PROFILE (in SU2)

2. The role assigned in Organizational Management (Transaction PPOMA)

3. If neither 1 nor 2 applies: The CRM Framework checks which PFCG roles are assigned to the user. It then checks if there are Business Roles assigned to these PFCG roles and uses them if there are any assigned.