Pelssers Davy Pagina 1 12/11/2012
Pelssers Davy [email protected] Pagina 1 12/11/2012 How to restrict access to “Direct Links” or d”Direct link Groups” via UIU_COMP? If you logon to the CRM 7.0 system, using the standard delivered business role “SALESPRO”, you will normally see the following direct link groups: In the screenshot you can see that there are 2 direct Link Groups in the navigation bar. Create Recent Items How can you find this back in Customizing? In the SAP IMG (SPRO), use the following path: SAP IMG >> Customer Relationship Management >> UI Framework >> Business Roles >> Define Business Role Pelssers Davy [email protected] Pagina 2 12/11/2012 Select the Business Role “SALESPRO” and open the folder “Adjust Direct Link Groups” on the left side of the configuration screen. You can recognize the two “Direct Link Groups”, and also see that they are marked as ‘visible’. As such they do appear when you logon with this business role SALESPRO. Within the ‘direct link group SLS-CREATE’ you can see that the following direct links are defined: Again, you should notice that these direct links that are marked as ‘visible’ can be directly accessed in the WEB UI. One way to remove the direct link for EVERY USER having the business role SALESPRO would be to remove the entry, or at least ‘unflag’ the entry from being visible. Pelssers Davy [email protected] Pagina 3 12/11/2012 A second way is to disallow the access based on the authorization values maintained in the authorization object UIU_COMP. Based on the following SQVI Query, we can directly find back all relevant details for UIU_COMP, by simply entering the name of the Business Role, e.g. SALESPRO. Table Name CRMC_UI_PROFILE CRMC_UI_NB_A_DLG CRMC_UI_ROLE_DLG CRMC_UI_LLINK_T CRMC_UI_LLINK CRMC_UI_COMP_IP Information stored Contains the link between Business role and Navigation Bar Profile Contains the link between Navigation Bar Profile and related Direct Link groups Link between the direct link group and the direct links Contains the Texts of the Logical Link IDs Contains the link between the Logical Link ID and the Target ID Contains the necessary data for UIU_COMP (component/Window/Inbound Plug) Pelssers Davy [email protected] Pagina 4 12/11/2012 Query selection of Input/Output fields: Field Business Role Nav. Bar Profile Group ID Position Logical Link ID Link Visible in Dir. Link Group Link Deleted Language Key Title Component Name Window Name Target ID Inbound Plug UI Object Type UI Action Table CRMC_UI_PROFILE Input X Output Tech. Name X PROFILE CRMC_UI_PROFILE X X CRMUI_NAVBAR CRMC_UI_NB_A_DLG X CRMC_UI_NB_A_DLG CRMC_UI_ROLE_DLG X X X X GROUP_ID POSITION LINK_ID CRMC_UI_ROLE_DLG X X VISIBLE CRMC_UI_ROLE_DLG X X DELETED CRMC_UI_LLINK_T X LANGUAGE CRMC_UI_LLINK_T CRMC_UI_COMP_IP X X TITLE COMPONENT CRMC_UI_COMP_IP X WINDOW CRMC_UI_COMP_IP CRMC_UI_COMP_IP X X TARGET_ID INBOUND_PLUG CRMC_UI_COMP_IP X OBJECT_TYPE CRMC_UI_COMP_IP X OBJECT_ACTION X When I run the Query for the Business Role SALESPRO, I see the following results: Pelssers Davy [email protected] Pagina 5 12/11/2012 Practical Example 1 As seen earlier, when you logon as a user having the Business Role SALESPRO, the “direct link groups” and their respective “direct links” are the following: Based on the Query I now can easily found out the technical details necessary to restrict access to one or more of these logical links for the authorization object UIU_COMP. Direct Link Group CREATE CREATE CREATE CREATE CREATE CREATE CREATE CREATE Direct Link Group ID SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE Direct Link Title Opportunity Quotation Contact Lead Appointment Interaction Log E-Mail Task Component Name BT111M_OPPT BT115QM_SLSQ BP_CONT_MAIN BT108M_LEA BT110M_ACT BT110M_ACT BT110M_ACT BT110M_ACT Suppose I only want the Call Center Agent to use/create: Contact Appointments Interaction Logs. Window Name MainWindow MainWindow MainWindow MainWindow MainWindow MainWindow MainWindow MainWindow Inbound Plug CREATE CREATE CREATE CREATE CREATE_APPT CREATE_CALL CREATE_MAIL CREATE_TASK Pelssers Davy [email protected] Pagina 6 12/11/2012 In my PFCG authorization role Z_CRM_UIU_SLS_PROFESSION_A, which is made as a copy of the standard PFCG role SAP_CRM_UIU_SLS_PROFESSIONAL; I remove the following entries, marked in red: Direct Link Group CREATE CREATE CREATE CREATE CREATE CREATE CREATE CREATE Direct Link Group ID SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE SLS-CREATE Direct Link Title Opportunity Quotation Contact Lead Appointment Interaction Log E-Mail Task Component Name BT111M_OPPT BT115QM_SLSQ BP_CONT_MAIN BT108M_LEA BT110M_ACT BT110M_ACT BT110M_ACT BT110M_ACT Window Name MainWindow MainWindow MainWindow MainWindow MainWindow MainWindow MainWindow MainWindow Inbound Plug CREATE CREATE CREATE CREATE CREATE_APPT CREATE_CALL CREATE_MAIL CREATE_TASK Remark: make sure you do NOT have an authorization value having all * values, like below. You have to ‘deactivate’ this. Now I search for the 5 authorization value combinations that I need to remove, and delete them. & & This particular ‘value range’ I changed into two authorization values that now look like this: Pelssers Davy [email protected] Pagina 7 12/11/2012 and Make sure that you open the ‘component name’ values; in order to see if they are maintained here…..it can be difficult to find them back You will notice that removing these entries has an effect on other parts of the Navigation. When you would press on the navigation link ‘LEADS’ in the Work Center Sales Cycle, you jump to the SEARCH PAGE. But on that SEARCH PAGE, you will normally also have a “NEW” button, which is actually the ‘create’ button, if you want to create a new lead. After pressing the Navigation Link “leads” in the workcenter ‘Sales Cycle’, you will jump to the search page for Leads; where you normally see the “NEW” button in order to create new leads. Pelssers Davy [email protected] Pagina 8 12/11/2012 After making the changes in my PFCG role Z_CRM_UIU_SLS_PROFESSION_A, I log on with my test user that has the adjusted authorization role, and see the following: DIRECT LINKS: I also check the impact in the Work Center “Sales Cycle”. I still have my navigation link that direct to the search page of “Leads”, which is OK. Pelssers Davy [email protected] Pagina 9 12/11/2012 Clicking on the navigation link itself, I jump to the search page and see that the “NEW” button is still there. Now, strictly seen, this should NOT be the case, but when I was at SAP Walldorf AG concerning CRM 7.0 security, I was told that SAP had not yet foreseen a completely consistent logic for all buttons. It does work on some parts however: (see Practical Example 2) Business Partner Master Data (create buttons for Individual Account/Groups etc) Marketing and Campaign Management area Practical Example 1 If we take a closed look at the Work Center Account Managent, you will see the following second level navigation links. If you next click on the link ‘accounts’ you should normally see 3 ‘create’ buttons, related to business partner Master Data. Pelssers Davy [email protected] Pagina 10 12/11/2012 Here you see 3 buttons to create a specific type of Business partner in the system. Corporate Account Individual Account Group Furthermore you also see that the option to create Business Partners of the above type is possible via the Work Center Page of Account Management itself: Possible Scenarios: A) You have a scenario where you do not want users with a specific Business role to ‘create’ any business partner, but only search/display them. B) You have a scenario where you want users with a specific business role, only be able to create ‘individual accounts’, but no corporate account or Groups. Pelssers Davy [email protected] Pagina 11 12/11/2012 Step 1: Identify what the UIU_COMP values are for the ‘create’ actions. When you press for example on the button ‘Corporate Account’, you jump to the creation page for ‘corporate accounts’. If you press the button F2 on this screen, you get technical details on this View. Running the Query for ‘logical links for a Business Role’ and filtering on UI Component, I see the following: Pelssers Davy [email protected] Pagina 12 12/11/2012 Another option here is that searching directly in the customizing table CRMC_UI_COMP_IP, which actually contains all TARGET IDs and the relevant UIU_COMP data you need to restrict access, you can also try searching the following way: Input parameters: Object Action = D (create) Component : BP* Target ID: MD-BP* This results in the following output: It is now obvious that the entries in yellow colour are actually the ones you might want to restrict access to. Pelssers Davy [email protected] Pagina 13 12/11/2012 Step 2: I will now adjust my PFCG role Z_CRM_UIU_SLS_PROFESSION_A which is a copy of the standard PFCG role SAP_CRM_UIU_SLS_PROFESSIONAL. In my copied role, I find back the above entry. When I deactivate it; and logon with my test-user I now see the following: Check 1: Account Page – CREATE Buttons The buttons for CREATION are now ‘greyed out’, meaning I can not use them!! >> Result is as expected! Check 2: the Work Center Page creation options The entries to create a corporate account, Individual account or Group also disappeared here, which is correct! Pelssers Davy [email protected] Pagina 14 12/11/2012 What I have illustrated above is actually scenario A. I now reactivate the authorization values, but remove ‘corporate account and group’ and see the results, but should be able to create ‘individual accounts’. So I delete the following Inbound Plugs: CREATE_CORP CREATE_GROUP Check 1: Account Page – Creation Buttons OK, as I have the ‘activated’ button again. Check 2: Work Center Page This is also fine as I have the additional navigation link for ‘individual account’.
© Copyright 2024