Scenario
A user can set the user parameter CRM_UI_PROFILE to a specific business role, or even to *.
This is a security risk: the user could pick a standard SAP business role instead of the customer-configured role.
The user parameter overrules any other role assignment (via organizational management or the PFCG role);
see CRM 7.0 / PFCG Roles and Authorization Concept, page 28:
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/00515e75-f1d0-2c10-bebb-e5675f470...
Requirement
Even if the parameter is set to *, only the allowed business roles are displayed in the pick list of the logon screen.
Solution
The enhancement spot WCF_RESTRICT_ACCESS (SAP note 1566074) together with a custom authorization object is used to
restrict the business roles: the BAdI builds the white list of roles offered to the user, and the authorization object decides which roles go into it.
Implementation
1. Create authorization object ZUI_PROFIL
Create the authorization field ZUI_PROFIL in transaction SU21.
Then create the authorization object ZUI_PROFIL with the field ZUI_PROFIL. Don't forget to regenerate SAP_ALL afterwards (for example with report RSUSR406), otherwise SAP_ALL does not contain the new object.
2. Implement the enhancement spot WCF_RESTRICT_ACCESS
In the next step, implement the enhancement spot WCF_RESTRICT_ACCESS in transaction SE18: create a BAdI implementation for the spot and
add the following code to the method get_business_role_white_list.
method if_wcf_restrict_access_badi~get_business_role_white_list.
* Restrict access to the WebClient UI framework according to the
* authorization object ZUI_PROFIL (see SAP note 1566074).
  data lt_role type standard table of crmc_ui_profile.
  field-symbols <fs_role> type crmc_ui_profile.
  field-symbols <line> like line of ct_business_roles.

* Tell the framework that the white list is active
  cv_is_implemented = abap_true.

* Get all CRM WebClient UI business roles (profile type C)
  select * from crmc_ui_profile into table lt_role
    where profile_type = 'C'.

* Keep only the roles the user is authorized for via ZUI_PROFIL;
* roles failing the check are never added to the white list
  loop at lt_role assigning <fs_role>.
    authority-check object 'ZUI_PROFIL'
      id 'ZUI_PROFIL' field <fs_role>-profile.
    if sy-subrc = 0.
      append initial line to ct_business_roles assigning <line>.
      <line> = <fs_role>-profile.
    endif.
  endloop.
endmethod.
3. Apply authorization object to user
In the last step, add the new authorization object ZUI_PROFIL to the PFCG role and enter the allowed business roles as field values. Keep in mind that the value * (or a regenerated SAP_ALL) passes the authority check for every business role and therefore removes the restriction again for the users holding that role.
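To verify the PFCG maintenance without logging on as each user, the following report runs the same ZUI_PROFIL check as the BAdI for a chosen user and lists which business roles would end up in the white list. It is an added example and not part of the original article or of SAP note 1566074; the report name ZUI_PROFIL_CHECK is an assumption, everything else uses only the table and authorization object introduced above.

```abap
*&---------------------------------------------------------------------*
*& Report ZUI_PROFIL_CHECK (added example, not from the original page)
*& Shows which WebClient UI business roles a user would be offered once
*& the ZUI_PROFIL check in WCF_RESTRICT_ACCESS is active.
*&---------------------------------------------------------------------*
REPORT zui_profil_check.

* User to check; defaults to the current user
PARAMETERS: p_user TYPE syuname DEFAULT sy-uname.

TYPES: BEGIN OF ty_result,
         profile TYPE crmc_ui_profile-profile,
         allowed TYPE flag,
       END OF ty_result.

DATA: lt_role    TYPE STANDARD TABLE OF crmc_ui_profile,
      lt_result  TYPE STANDARD TABLE OF ty_result,
      ls_result  TYPE ty_result,
      lv_allowed TYPE i,
      lv_denied  TYPE i.

FIELD-SYMBOLS: <fs_role> TYPE crmc_ui_profile.

START-OF-SELECTION.

* Same selection as in the BAdI implementation: all business roles of type C
  SELECT * FROM crmc_ui_profile INTO TABLE lt_role
    WHERE profile_type = 'C'
    ORDER BY profile.

  LOOP AT lt_role ASSIGNING <fs_role>.
    CLEAR ls_result.
    ls_result-profile = <fs_role>-profile.
*   FOR USER performs the check against another user's authorizations,
*   so an administrator can test the PFCG assignment for any user
    AUTHORITY-CHECK OBJECT 'ZUI_PROFIL'
      FOR USER p_user
      ID 'ZUI_PROFIL' FIELD <fs_role>-profile.
    IF sy-subrc = 0.
      ls_result-allowed = 'X'.
      lv_allowed = lv_allowed + 1.
    ELSE.
      lv_denied = lv_denied + 1.
    ENDIF.
    APPEND ls_result TO lt_result.
  ENDLOOP.

  WRITE: / 'Business role white list for user', p_user.
  ULINE.
  LOOP AT lt_result INTO ls_result.
    IF ls_result-allowed = 'X'.
      WRITE: / ls_result-profile, 'allowed'.
    ELSE.
      WRITE: / ls_result-profile, 'denied'.
    ENDIF.
  ENDLOOP.
  ULINE.
  WRITE: / 'Allowed:', lv_allowed, 'Denied:', lv_denied.

* If nothing is denied, the user most likely holds * in ZUI_PROFIL
* (or SAP_ALL), which makes the restriction ineffective for this user
  IF lv_denied = 0 AND lv_allowed > 0.
    WRITE: / 'Warning: every role is allowed - check for * in ZUI_PROFIL'.
  ENDIF.
```

Run the report once with a user that should only see the customer roles and once with an administrator: the first run should list the standard SAP roles as denied, while the warning at the end of the second run shows where * or SAP_ALL silently reopens the pick list.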
Result
In the logon screen only the allowed roles are shown: