SAP CRM Access Control Engine Overview

 

The intended audience of this document is SAP functional consultants and project managers who are involved in implementing the SAP Access Control Engine (ACE).

 

It serves as a guideline document for implementing the SAP Access Control Engine. The white paper is an outcome of the exploration I did during my implementation of the SAP Access Control Engine.


1. Introduction

 

SAP CRM ACE (Access Control Engine) controls which users see which business objects; business objects can be Customers, Products and One Order objects (quotes, contracts, activities, etc.). ACE also controls whether the users are authorized to read, edit or delete those business objects. The Access Control Engine grants dynamic access at object level based on the user.

The ACE Right combines all of this information: it defines which kinds of business objects are checked for which kinds of users, and which permissions those users have on a business object.

 

An ACE Right consists of:

• Work Package
• Object Type
• ACE Rule
• ACE User Group
• Action Group

 

• Work Package

A Work Package is used to activate User Groups and ACE Rights.

 

• Object Type

The Super Object Type and the Object Type describe what kind of business object is checked via ACE.

  o Super Object Type: ONE ORDER
  o Object Type: SALESCONTRACTCRM or SALESORDERCRM

 

• ACE Rule

ACE Rules are used to limit access to business objects. They are executed after the standard authorization checks, which are done via authorization objects. This means that access to the business objects must first be allowed in PFCG roles; the ACE Rules then narrow the results.

ACE only checks the read, write and delete activities. ACE cannot be used for the create activity; a PFCG role must be used for that validation.

 

The actual check on a business object is described within the ACE Rule. An ACE Rule consists of four parts:

  o Actor Type: describes the criterion on which a user and an object are matched.
  o Actors from User (AFU): returns all actors that are found from the user's perspective.
  o Actors from Object (AFO): returns all actors that are found from the business object's perspective.
  o Objects by Filter (OBF): filters the business objects so that only valid objects are used for the actor calculation.

 

• ACE User Group

The ACE User Group defines which kinds of users are checked with which ACE Rule. To achieve this, a PFCG role is created and assigned to an ACE User Group in customizing. Any user assigned to that PFCG role is automatically under ACE control.

Example: external users of a Distributor.

 

• Action Group

The Action Group defines the permissions a user has on a certain business object.

Example: Read, Write or Delete.


1.1 Example for ACE: Access Only to Own End Customers

 

Distributor users are only allowed to display their own end customers.

The ACE Rule is built up in the following way:

Actor: Channel Partner (the user's own Distributor Company)

Objects by Filter: filter for BP Role = Customer

Actors from User: check whether the Business Partner of the user has the relationship "has Contact Person" to the Actor (Distributor Company)

Actors from Object: check whether the BP with BP Role "Customer" has the relationship "is End Customer of" to the same Distributor Company
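The four-part rule structure (Actor Type, AFU, AFO, OBF) and the own-end-customer example above, modelled in Python as an added illustration. This is not ACE's own ABAP code: the business partner IDs, the master data and the PFCG flag are constructed for the example, and only the relationship names and BP roles come from the rule described on this page.

```python
from dataclasses import dataclass, field


@dataclass
class BusinessPartner:
    """A CRM business partner: BP roles plus relationships (type -> related BP IDs)."""
    bp_id: str
    roles: set
    relationships: dict = field(default_factory=dict)


# Constructed sample master data (illustrative): two distributor companies,
# one contact person each, and customers assigned to one or both distributors.
BPS = {
    "DIST_A": BusinessPartner("DIST_A", {"Channel Partner"}),
    "DIST_B": BusinessPartner("DIST_B", {"Channel Partner"}),
    "USER_A": BusinessPartner("USER_A", {"Contact Person"},
                              {"has Contact Person": {"DIST_A"}}),
    "USER_B": BusinessPartner("USER_B", {"Contact Person"},
                              {"has Contact Person": {"DIST_B"}}),
    "CUST_1": BusinessPartner("CUST_1", {"Customer"},
                              {"is End Customer of": {"DIST_A"}}),
    "CUST_2": BusinessPartner("CUST_2", {"Customer"},
                              {"is End Customer of": {"DIST_B"}}),
    "CUST_3": BusinessPartner("CUST_3", {"Customer"},
                              {"is End Customer of": {"DIST_A", "DIST_B"}}),
    # Not in role Customer: the OBF filter excludes it from this rule entirely.
    "PROSPECT": BusinessPartner("PROSPECT", {"Prospect"},
                                {"is End Customer of": {"DIST_A"}}),
}


def objects_by_filter(bps):
    """OBF: only business partners in BP role Customer fall under this rule."""
    return {bp_id for bp_id, bp in bps.items() if "Customer" in bp.roles}


def actors_from_user(user_bp_id, bps):
    """AFU: distributor companies the user's BP has the 'has Contact Person' link to."""
    return set(bps[user_bp_id].relationships.get("has Contact Person", ()))


def actors_from_object(obj_id, bps):
    """AFO: distributor companies the customer BP 'is End Customer of'."""
    return set(bps[obj_id].relationships.get("is End Customer of", ()))


def accessible_objects(user_bp_id, bps=BPS):
    """Objects this right grants: the user's actors and the object's actors intersect."""
    user_actors = actors_from_user(user_bp_id, bps)
    return sorted(obj for obj in objects_by_filter(bps)
                  if user_actors & actors_from_object(obj, bps))


def can_read(user_bp_id, obj_id, pfcg_grants_read, bps=BPS):
    """PFCG is checked first; ACE only narrows what the PFCG role already allows."""
    return pfcg_grants_read and obj_id in accessible_objects(user_bp_id, bps)
```

USER_A is a contact person of DIST_A and therefore sees only CUST_1 and CUST_3; CUST_2 belongs to DIST_B only, and nothing is visible at all when the PFCG role does not grant read access.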


The following graphic shows the relationships and BP roles that need to be checked for this ACE Rule:


1.2 Customizing

 

Navigation path:

SPRO --> Customer Relationship Management --> Basic Functions --> Access Control Engine --> Create Rights

Define the Work Package and assign the Object Type to it.

Define the User Group and assign the Work Package ID to the User Group ID.

Assign the dummy PFCG role to the User Group ID. This dummy PFCG role is the one that must be assigned to the users.

Define the Right ID and assign the Object Type, Rule ID, User Group and Action Group ID.


Define the Rule ID and assign the Actor Type ID and the AFU, AFO and OBF classes.

Navigation path:

SPRO --> Customer Relationship Management --> Basic Functions --> Access Control Engine --> Rules --> Create Rules

 

Define the AFU Class ID.

Define the AFO Class ID.

ACE class with its different methods.

ACE general parameter maintenance.

Navigation path: SPRO --> Customer Relationship Management --> Basic Functions --> Access Control Engine --> Maintain General Parameters

 

1.3 ACE Activation Steps

 

1. Go to transaction code ACE_ACTIVATION.

2. Select the Work Package and double-click on it.

3. Go to the Rights tab and select all rights.

4. Deactivate the selected rights.

5. Go to the User Group tab.

6. Deactivate all user groups.

7. Validate all user groups.

8. Activate all user groups.

9. Go to the Rights tab and select all rights.

10. Validate the selected rights.

11. Activate the selected rights.

12. Check the Monitoring tab.

 

1.4 Important Transaction Codes

 

ACE_RUNTIME: using this transaction it is possible to test the ACE Rules.

ACE_UPDATE: using this transaction the user context can be generated for new users.

2. Conclusion

 

With SAP CRM ACE it is possible to grant dynamic access at object level based on the user. In general, SAP CRM ACE is implemented in the distribution business to restrict distributors to accessing only their own data.
