Pelssers Davy Pagina 1 12/11/2012

Pelssers Davy
[email protected]
Pagina 1
12/11/2012
How to restrict access to “Direct Links” or d”Direct link Groups” via
UIU_COMP?
If you logon to the CRM 7.0 system, using the standard delivered business role
“SALESPRO”, you will normally see the following direct link groups:
In the screenshot you can see that
there are 2 direct Link Groups in the
navigation bar.


Create
Recent Items
How can you find this back in Customizing?
In the SAP IMG (SPRO), use the following path:
SAP IMG >> Customer Relationship Management >> UI Framework >> Business
Roles >> Define Business Role
Pelssers Davy
[email protected]
Pagina 2
12/11/2012
Select the Business Role “SALESPRO” and open the folder “Adjust Direct Link
Groups” on the left side of the configuration screen.
You can recognize the two “Direct Link Groups”, and also see that they are marked as
‘visible’. As such they do appear when you logon with this business role SALESPRO.
Within the ‘direct link group SLS-CREATE’ you can see that the following direct
links are defined:
Again, you should notice that these direct links that are marked as ‘visible’ can be
directly accessed in the WEB UI.

One way to remove the direct link for EVERY USER having the business role
SALESPRO would be to remove the entry, or at least ‘unflag’ the entry from
being visible.
Pelssers Davy
[email protected]

Pagina 3
12/11/2012
A second way is to disallow the access based on the authorization values
maintained in the authorization object UIU_COMP.
Based on the following SQVI Query, we can directly find back all relevant details for
UIU_COMP, by simply entering the name of the Business Role, e.g. SALESPRO.
Table Name
CRMC_UI_PROFILE
CRMC_UI_NB_A_DLG
CRMC_UI_ROLE_DLG
CRMC_UI_LLINK_T
CRMC_UI_LLINK
CRMC_UI_COMP_IP
Information stored
Contains the link between Business role and Navigation
Bar Profile
Contains the link between Navigation Bar Profile and
related Direct Link groups
Link between the direct link group and the direct links
Contains the Texts of the Logical Link IDs
Contains the link between the Logical Link ID and the
Target ID
Contains the necessary data for UIU_COMP
(component/Window/Inbound Plug)
Pelssers Davy
[email protected]
Pagina 4
12/11/2012
Query selection of Input/Output fields:
Field
Business
Role
Nav. Bar
Profile
Group ID
Position
Logical
Link ID
Link Visible
in Dir. Link
Group
Link
Deleted
Language
Key
Title
Component
Name
Window
Name
Target ID
Inbound
Plug
UI Object
Type
UI Action
Table
CRMC_UI_PROFILE
Input
X
Output Tech. Name
X
PROFILE
CRMC_UI_PROFILE
X
X
CRMUI_NAVBAR
CRMC_UI_NB_A_DLG X
CRMC_UI_NB_A_DLG
CRMC_UI_ROLE_DLG X
X
X
X
GROUP_ID
POSITION
LINK_ID
CRMC_UI_ROLE_DLG X
X
VISIBLE
CRMC_UI_ROLE_DLG X
X
DELETED
CRMC_UI_LLINK_T
X
LANGUAGE
CRMC_UI_LLINK_T
CRMC_UI_COMP_IP
X
X
TITLE
COMPONENT
CRMC_UI_COMP_IP
X
WINDOW
CRMC_UI_COMP_IP
CRMC_UI_COMP_IP
X
X
TARGET_ID
INBOUND_PLUG
CRMC_UI_COMP_IP
X
OBJECT_TYPE
CRMC_UI_COMP_IP
X
OBJECT_ACTION
X
When I run the Query for the Business Role SALESPRO, I see the following results:
Pelssers Davy
[email protected]
Pagina 5
12/11/2012
Practical Example 1
As seen earlier, when you logon as a user having the Business Role SALESPRO, the
“direct link groups” and their respective “direct links” are the following:
Based on the Query I now can easily found out the technical details necessary to
restrict access to one or more of these logical links for the authorization object
UIU_COMP.
Direct Link
Group
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
Direct Link Group
ID
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
Direct Link Title
Opportunity
Quotation
Contact
Lead
Appointment
Interaction Log
E-Mail
Task
Component
Name
BT111M_OPPT
BT115QM_SLSQ
BP_CONT_MAIN
BT108M_LEA
BT110M_ACT
BT110M_ACT
BT110M_ACT
BT110M_ACT
Suppose I only want the Call Center Agent to use/create:
 Contact
 Appointments
 Interaction Logs.
Window
Name
MainWindow
MainWindow
MainWindow
MainWindow
MainWindow
MainWindow
MainWindow
MainWindow
Inbound Plug
CREATE
CREATE
CREATE
CREATE
CREATE_APPT
CREATE_CALL
CREATE_MAIL
CREATE_TASK
Pelssers Davy
[email protected]
Pagina 6
12/11/2012
In my PFCG authorization role Z_CRM_UIU_SLS_PROFESSION_A, which is made
as a copy of the standard PFCG role SAP_CRM_UIU_SLS_PROFESSIONAL; I
remove the following entries, marked in red:
Direct Link
Group
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
CREATE
Direct Link Group
ID
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
SLS-CREATE
Direct Link Title
Opportunity
Quotation
Contact
Lead
Appointment
Interaction Log
E-Mail
Task
Component
Name
BT111M_OPPT
BT115QM_SLSQ
BP_CONT_MAIN
BT108M_LEA
BT110M_ACT
BT110M_ACT
BT110M_ACT
BT110M_ACT
Window
Name
MainWindow
MainWindow
MainWindow
MainWindow
MainWindow
MainWindow
MainWindow
MainWindow
Inbound Plug
CREATE
CREATE
CREATE
CREATE
CREATE_APPT
CREATE_CALL
CREATE_MAIL
CREATE_TASK
Remark: make sure you do NOT have an authorization value having all * values, like
below. You have to ‘deactivate’ this.
Now I search for the 5 authorization value combinations that I need to remove, and
delete them.
&
&
This particular ‘value range’ I changed into two authorization values that now look
like this:
Pelssers Davy
[email protected]
Pagina 7
12/11/2012
and
Make sure that you open the ‘component name’ values; in order to see if they are
maintained here…..it can be difficult to find them back 
You will notice that removing these entries has an effect on other parts of the
Navigation. When you would press on the navigation link ‘LEADS’ in the Work
Center Sales Cycle, you jump to the SEARCH PAGE.
But on that SEARCH PAGE, you will normally also have a “NEW” button, which is
actually the ‘create’ button, if you want to create a new lead.
After pressing the Navigation Link
“leads” in the workcenter ‘Sales
Cycle’, you will jump to the search
page for Leads; where you
normally see the “NEW” button in
order to create new leads.
Pelssers Davy
[email protected]
Pagina 8
12/11/2012
After making the changes in my PFCG role Z_CRM_UIU_SLS_PROFESSION_A,
I log on with my test user that has the adjusted authorization role, and see the
following:
DIRECT LINKS:
I also check the impact in the Work Center “Sales Cycle”.
I still have my navigation link
that direct to the search page
of “Leads”, which is OK.
Pelssers Davy
[email protected]
Pagina 9
12/11/2012
Clicking on the navigation link itself, I jump to the search page and see that the
“NEW” button is still there.
Now, strictly seen, this should NOT be the case, but when I was at SAP Walldorf AG
concerning CRM 7.0 security, I was told that SAP had not yet foreseen a completely
consistent logic for all buttons.
It does work on some parts however: (see Practical Example 2)


Business Partner Master Data (create buttons for Individual Account/Groups etc)
Marketing and Campaign Management area
Practical Example 1
If we take a closed look at the Work Center Account Managent, you will see the
following second level navigation links.
If you next click on the link ‘accounts’ you should normally see 3 ‘create’ buttons,
related to business partner Master Data.
Pelssers Davy
[email protected]
Pagina 10
12/11/2012
Here you see 3 buttons to create a specific type of Business partner in the system.



Corporate Account
Individual Account
Group
Furthermore you also see that the option to create Business Partners of the above type
is possible via the Work Center Page of Account Management itself:
Possible Scenarios:
A) You have a scenario where you do not want users with a specific Business role
to ‘create’ any business partner, but only search/display them.
B) You have a scenario where you want users with a specific business role, only
be able to create ‘individual accounts’, but no corporate account or Groups.
Pelssers Davy
[email protected]
Pagina 11
12/11/2012
Step 1: Identify what the UIU_COMP values are for the ‘create’ actions.
When you press for example on the button ‘Corporate Account’, you jump to the
creation page for ‘corporate accounts’.
If you press the button F2 on this screen, you get technical details on this View.
Running the Query for ‘logical links for a Business Role’ and filtering on UI
Component, I see the following:
Pelssers Davy
[email protected]
Pagina 12
12/11/2012
Another option here is that searching directly in the customizing table
CRMC_UI_COMP_IP, which actually contains all TARGET IDs and the relevant
UIU_COMP data you need to restrict access, you can also try searching the following
way:
Input parameters:
 Object Action = D (create)
 Component : BP*
 Target ID: MD-BP*
This results in the following output:
It is now obvious that the entries in yellow colour are actually the ones you might
want to restrict access to.
Pelssers Davy
[email protected]
Pagina 13
12/11/2012
Step 2: I will now adjust my PFCG role Z_CRM_UIU_SLS_PROFESSION_A
which is a copy of the standard PFCG role
SAP_CRM_UIU_SLS_PROFESSIONAL.
In my copied role, I find back the above entry. When I deactivate it; and logon with
my test-user I now see the following:
Check 1: Account Page – CREATE Buttons
The buttons for CREATION are now ‘greyed out’, meaning I can not use them!!
>> Result is as expected!
Check 2: the Work Center Page creation options
The entries to create a corporate account, Individual account or Group also
disappeared here, which is correct!
Pelssers Davy
[email protected]
Pagina 14
12/11/2012
What I have illustrated above is actually scenario A.
I now reactivate the authorization values, but remove ‘corporate account and group’
and see the results, but should be able to create ‘individual accounts’.
So I delete the following Inbound Plugs:
CREATE_CORP
CREATE_GROUP
Check 1: Account Page – Creation Buttons
OK, as I have the ‘activated’ button again.
Check 2: Work Center Page
This is also fine as I have the additional navigation link for ‘individual account’.