Skip to Content

Many of the SAP CRM consultant who are working on SAP CRM authorization must have come across UIU_COMP  authorization object. This object is the major differentiator between SAP CRM and SAP ERP. SAP CRM WEBUI make use of external services of the type UIU_COMP. The visibility of the work centre, logical links, creates, edit, etc in WEBUI pages depends on it. While creating PFCG Role (automatically/ manually) UIU_COMP authorizes UIU component on the base of Component name, inbound plug and component window.

The diagram below shows the relation between Authorization , Business Role and WEBUI.

The Role Menu in PFCG Role shows the list of all the work centre, logical links (which are UIU_COMP links) assigned to a specific business role link generated

Any deletion of any of the links in the role menu will cause deletion of the links in the WEBUI even if the changes are not made in the business role. For example if I delete UIU_COMP_BP_HIER_MainWindow_CREATE from the role menu, the same will be deleted in the authorization objects . And it will be not visible in the WEBUI too even if the same is maintained in the Business role.

To report this post you need to login first.

27 Comments

You must be Logged on to comment or reply to a post.

  1. jegadesh karthikeyan

    Hi Neha,

         This information is perfect. This is a great document. I do have a question on the role change/maintenance process. So, we have a business requirement to make a inbound link visible on one of our workcenter menu’s. Since that was a custom enhancement and was not generated during our initial role build, the UIU_COMP info is not in the role. Like we usually do, i wanted to add the UIU_COMP to the appropriate external service via SU24, but i am having trouble finding the appropriate external service. Is there a best practice to handle these type of role changes ? i know i can run the CRMD_UI_ROLE_PREPARE and re import and re generate but that will make me go through each auth object to make sure that no other value get affected. Can you help πŸ™‚

    (0) 
    1. Neha Gupta Post author

      Hello Jegadesh,

      Sorry for replying late. In such scenario where you do not want to regenerate. You can go other way round. Just add the UIU comp with all the 3 parameters ( COMP_NAME, COMP_PLUG and COMP_WIN) directly into the authorization tab. The link will be available in WEBUI even if it is not there in the role menu.

      Let me know if it helps!

      (0) 
      1. jegadesh karthikeyan

        I kind of figured out a clean way to do this. Activate the auth trace on via RZ11 parameter tcode. Then with one of our Super role (Non Production role), execute the new service. The auth trace will activate this UIU_COMP within the SU22 and SU24. Once complete, turn the trace off (so that your DB does not blowup πŸ™‚ ). Then maintain the appropriate values on the SU24 for the service, then goto role menu which requires this new service, and add it to the menu (Like how you do for transaction, but instead of tcode, we are adding external service). Now the appropriate auth object will be populated in the authorizations list. Cleaner way, standard role maintenance, less headache πŸ™‚ . If required, i can probably create a document and share!!

        Cheers

        Jega

        (0) 
  2. Ram Badam

    Hello Neha,

    Nice and easy document to understand the basics in CRM-Sec for new starters in CRM.

    I have one requirement: Whenever i search Accounts in marketing role , i am getting all countries accounts, how could i restrict to the only for particular country. my org unit is from DE.(Germany), but i could see all countries account information in web ui. Please suggest how to achieve this.Can this be done via BADI:BADI_CRM_BP_UIU_AUTHORITY ??

    Regards,

    Ramesh Badam

    (0) 
      1. Ram Badam

        Hi Neha,

        Any idea?? without ACE and Territory Management??? πŸ˜› … I mean to say how to achieve this by using only Auth objects and BADI??

        Regards,

        Ramesh Badam

        (0) 
        1. Faisal PC

          Hi Ram,

          Yes. You can do this by implementing BADI BADI_CRM_BUPA_IL_SEARCH. Here you can check the result obtained and then the org unit of the user. You can filter the result with the org unit country. However, put proper restrictions as this will affect all account searches.

          Thanks,

          Faisal

          (0) 

Leave a Reply