Skip to Content
author's profile photo Former Member
Former Member

Authorization Object CRM Order - Allowed Organ. Units

Hi experts,

I am using "Authorization Object CRM Order - Allowed Organ. Units" but it doesn't have any effect. Even I fill-in all its fields by * values the user can see only its own opportunities.

I have a set of auth objects in my role:

CRM@BRF: Authorization for Term

Authorization Object CRM Order - Visibility in Org. Model

Authorization Object CRM Order - Allowed Organ. Units

Authorization Object CRM Order - Own Documents

Authorization Object CRM Order - Credit Card Processing

Authorization Object CRM Order - Business Transaction Type

Authorization Object CRM Order - Bus. Obj. Rebate Agreement

Authorization Object CRM Order - Business Object Sales Order

Each object has full authorization (* in all fields).

I have no BADI's and any other custom code implemented.

Is there any caches?

Does "Own Documents" auth object have a higher priority then "Allowed org units"?

Thanks in advance

Add a comment
10|10000 characters needed characters exceeded

Related questions

2 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Nov 22, 2007 at 01:24 PM

    Yes,

    Its a long chain of priorities on objects in CRMD_ORDER.

    Pls see link

    http://help.sap.com/saphelp_crm50/helpdata/en/5b/e4f53911cac83ce10000000a114084/frameset.htm

    In case u miss the link, following is IMP text.

    The authorization check is run according to the following procedure:

    1. Your own documents (authorization object CRM_ORD_OP)

    The system checks whether the user takes on a specific partner function for the activity executed in the relevant document, for example, whether he is the employee responsible. Furthermore, the system checks whether the user has the authorization to change, display or delete a transaction. If the result of this check is positive, no further checks take place at transaction level.

    2. Visibility in the organization model (authorization object CRM_ORD_LP)

    If the user is not authorized in the first step of the check, the second check is carried out. This check enables the employee to control the access to specific organizational units via his position, depending on his assignment. This authorization object defines which documents can be processed by the user in the individual organizational levels, and which activities he can carry out here. If the user is authorized for the chosen activity (create, change, display, delete) and the relevant organization level, no further checks are carried out.

    Note

    When maintaining the authorization field CHECK_LEV, you should only choose the organizational unit at the highest level of the units to be checked. If, during the authorization check, the relevance to a specific sales organization is checked, the organizational units beneath this are also automatically checked. This means that you do not have to choose the (lower-level) organizational unit sales office. This would cause considerable deterioration in performance.

    You can find further information under Check on Visibility in the Organization Model.

    3. Combination of several authorization objects

    If the first two checks were not successful, this combination of different authorization objects is checked. All the checks must be successful before the user is authorized to process the required transaction. This means the user only receives the authorization to process if he is authorized to:

    ¡ Process the leading business transaction category in the corresponding transaction type

    ¡ Process the corresponding transaction type

    ¡ Process in the corresponding sales area

    i. a) Authorization objects CRM_ACT, CRM_OPP, CRM_SAO, CRM_SEO, CRM_CO_SE, CRM_CON_SE, CRM_LEAD, CRM_CMP, CRM_CO_SA, CRM_CO_SC

    Using these authorization objects, the system checks which business transactions the user is allowed to process, and whether he is allowed to carry out the functions create, display or delete in these transactions. The relevant authorization object is checked, depending on the activity executed:

    · Activities: CRM_ACT

    · Opportunities: CRM_OPP

    · Sales transactions: CRM_SAO

    · Service transactions: CRM_SEO

    · Service contract: CRM_CO_SE

    · Service confirmation: CRM_CON_SE

    · Lead: CRM_LEAD

    · Complaints: CRM_CMP

    · Financing contract: CRM_CO_SA

    · Sales contract: CRM_CO_SC

    ii. Authorization object CRM_ORD_PR

    Using this authorization object, the system defines which action the user is allowed to execute for each business transaction type.

    iii. Authorization object CRM_ORD_OE

    Using this authorization object, the system defines in which sales area or in which service organization the user is allowed to process the CRM business transaction, and which activities he can carry out here.

    If the user is not authorized in the third step of the check, he will not be able to process the document in the required way. He will receive a system message which contains the corresponding authorization object and refers to the lacking authorization.

    POINT Welcome.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Nov 22, 2007 at 02:51 PM

    Hi,

    Try to use /nsu53 transaction just after you fail to open a sales order.

    It will give you the details of what objects are missing in your profile.

    Regards.

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member

      Just one Remark....Did you do a "User Comparison" after adjusting the role?

      since if you changed the role, but did no user comparison in the profile generator, the changes are not active fot those users....

      Next, could you indicate if you are working via the SAPGUI or via the portal.

      If using the portal, it can be someone has activated ACE (access control engine)...

      Next you should understand the process flow for authorization checks in business transactions...The logic has a certain following order,....and starts with the check on Object CRM_ORD_OP (own documents)...and continues with the other objects CRM_ORD_LP and so on..

      If the first authorization check is passed succesful,than the other checks are no longer verified... Only in case a negative result is found after an authorization check ...the next object will be checked..

      kind regards

      Davy

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.