Question:
Hi, does anyone know how I can restrict certain transaction types so that different users can only see what is relevant to them?
Thanks
Answer:
Controls in CRM are not very robust, so you may not be able to do what you want. In general, CRM only controls on the start of a transaction, nothing more.
You can use ST01 with authorization trace on to determine your options.
Answer:
Has anyone applied structural authorizations to CRM activities?
Answer:
Structural authorizations apply only to HR data. If CRM accesses HR data and you have structural authorizations turned on, the structural authorizations can be used.
Answer:
Thanks John,
that was perhaps the answer, but I'd like to make sure.
We don't use HR data as such in CRM. I have the same task as the person who started this thread: I should limit access to CRM business transactions (activities, opportunities, contacts etc.) based on our organizational structure. Users in organizational branch A should not be able to see what users in branch B have created.
I planned to do this authorization based on the object CRM_ORD_LP. According to help.sap.com
http://help.sap.com/saphelp_crm40/helpdata/en/26/99973915e69238e10000000a11402f/content.htm
it should be just what I need.
However, the checks didn't work as I understood from the documentation. CRM borrows its organizational structure from HR, so I thought I'd need structural authorizations to interpret the organizational levels for authorization checks of business transactions, too. But if structural authorizations are only for personnel data, it is not the way.
How can I check the authorizations for business transactions based on the CRM organization?
Answer:
If CRM uses the HR structure and you have structural authorizations turned on, then it may work, provided the data you are trying to protect or the key to the data resides in the HR Infotypes. What happens in SAP HR is generally you have P_ORGIN turned on and then you turn on structural authorization in tcode OOAC. SAP then takes the Infotypes and checks P_ORGIN to limit the list of HR records you are authorized to see, and then further limits the records based on whether the records are in the HR structure's path (SD does this). If the CRM code adheres to this it may work, but if the code could care less where the person is, it may bypass this...
You can test it. Do note it requires IT 0105 ST 0001 to be populated with the user ID and a PD profile assigned to the user. The default PD profile for all users is "ALL" access.