Skip to Content

Some facts about UIU_COMP authorization object in SAP CRM.

Many of the SAP CRM consultant who are working on SAP CRM authorization must have come across UIU_COMP  authorization object. This object is the major differentiator between SAP CRM and SAP ERP. SAP CRM WEBUI make use of external services of the type UIU_COMP. The visibility of the work centre, logical links, creates, edit, etc in WEBUI pages depends on it. While creating PFCG Role (automatically/ manually) UIU_COMP authorizes UIU component on the base of Component name, inbound plug and component window.

The diagram below shows the relation between Authorization , Business Role and WEBUI.

The Role Menu in PFCG Role shows the list of all the work centre, logical links (which are UIU_COMP links) assigned to a specific business role link generated

Any deletion of any of the links in the role menu will cause deletion of the links in the WEBUI even if the changes are not made in the business role. For example if I delete UIU_COMP_BP_HIER_MainWindow_CREATE from the role menu, the same will be deleted in the authorization objects . And it will be not visible in the WEBUI too even if the same is maintained in the Business role.

You must be Logged on to comment or reply to a post.
  • Hi Neha,

         This information is perfect. This is a great document. I do have a question on the role change/maintenance process. So, we have a business requirement to make a inbound link visible on one of our workcenter menu's. Since that was a custom enhancement and was not generated during our initial role build, the UIU_COMP info is not in the role. Like we usually do, i wanted to add the UIU_COMP to the appropriate external service via SU24, but i am having trouble finding the appropriate external service. Is there a best practice to handle these type of role changes ? i know i can run the CRMD_UI_ROLE_PREPARE and re import and re generate but that will make me go through each auth object to make sure that no other value get affected. Can you help 🙂

    • Hello Jegadesh,

      Sorry for replying late. In such scenario where you do not want to regenerate. You can go other way round. Just add the UIU comp with all the 3 parameters ( COMP_NAME, COMP_PLUG and COMP_WIN) directly into the authorization tab. The link will be available in WEBUI even if it is not there in the role menu.

      Let me know if it helps!

      • I kind of figured out a clean way to do this. Activate the auth trace on via RZ11 parameter tcode. Then with one of our Super role (Non Production role), execute the new service. The auth trace will activate this UIU_COMP within the SU22 and SU24. Once complete, turn the trace off (so that your DB does not blowup 🙂 ). Then maintain the appropriate values on the SU24 for the service, then goto role menu which requires this new service, and add it to the menu (Like how you do for transaction, but instead of tcode, we are adding external service). Now the appropriate auth object will be populated in the authorizations list. Cleaner way, standard role maintenance, less headache 🙂 . If required, i can probably create a document and share!!



  • Hello Neha,

    Nice and easy document to understand the basics in CRM-Sec for new starters in CRM.

    I have one requirement: Whenever i search Accounts in marketing role , i am getting all countries accounts, how could i restrict to the only for particular country. my org unit is from DE.(Germany), but i could see all countries account information in web ui. Please suggest how to achieve this.Can this be done via BADI:BADI_CRM_BP_UIU_AUTHORITY ??


    Ramesh Badam