Calling Access Control Engine (ACE) and UI Authorization Experts

Former Member

Hi Experts,

We have implemented most of the scenarios successfully in ACE, but there is one requirement for which we require some expert advice.

As per my understanding, if for object type AccountCRM, ACE is enabled for some user, everything he can see in Account/Contact search and its edit and display access will be guided by ACE.

But in our scenario, we want to give display access to employees and all organizations to all the users in the system, though ACE will be enabled for them. Is there any way by which we can keep some BP role out of ACE purview, so that it applies to all BPs except those in role Employee (and some other role if required)? If we do it through ACE, then for all the users (more than 1000) we will be putting a lot of entries in the ACE table, which doesn't look like a good idea.

Also, the second question is: is there any way by which we can restrict only edit access to any BP on the UI other than ACE? Can we use a PFCG role to remove edit access to any BP on the WebUI?

Please help me on the same. It will be highly admired.

Thanks and Regards,

Rohit Khetarpal

Accepted Solutions (1)

amarnath_kathi
Active Contributor

Hi Rohit,

Your understanding of ACE is correct. The central thread, as I see it, in the two queries you have is about using a parallel authorization schema to ACE. The basis authorizations, as far as I know, do not overwrite ACE authorizations. So I do not see how you can exclude a role from ACE purview so that you save on table entries. I mean I do not see an option of using PFCG roles for a few sets of BPs so that they are accessible even though they are not included in ACE. I guess having the entries in the ACE table is the only way for you.

ACE takes precedence as mentioned in SAP documentation quoted below -

"...if the basis authorization object does allow “change”, but ACE rule(s) does not → user is not able to change object(s). So it can act as an additional filter of allowed access..."

About your second query, I am not completely clear on your requirement. You want a different authorization scheme on Web UI and Win GUI? Please elaborate.

Amar.

Former Member

Thanks all for your responses.

Sorry for the delayed reply. We could not find any solution for taking BPs in some role out of ACE, so we had to write classes to give access to all those BPs to all the users in the system (around 15k users). Definitely it will put performance bottlenecks.

If someone can suggest an alternative approach, please let us know in detail. This is all about authorizations on Webclient based CRM 6.0 UI (and not GUI).

Will put my requirement again: We want to give access to all the BPs (business partners) in some specific role (say 'Organization') to all the ACE-enabled users. That is, if there are 10000 organizations in the system, all the users in the system (15000) should be able to use any of them in any transaction or in the BP search screen. Is this possible without writing ACE class code for them and populating 10k multiplied by 15k entries in ACE tables (or, if we take a PFCG role in the user group instead of individual users, then maybe 10k)?

Regards,

Rohit

stephenjohannes
Active Contributor

Take a look at the enhancement spot:

CRM_UIU_BP_ENHANCEMENT

In particular the BADI:

BADI_CRM_BP_UIU_AUTHORITY

Worst case scenario, you'll also have to enhance the standard search component for business partners and edit/adjust it to filter out the result set.

Do a search in this forum on BP_HEAD_SEARCH as this has been discussed before. You can also look at CRM_BUPA_IL_SEARCH to handle part of the issues.

Take care,

Stephen

Former Member

Hi Stephen,

Thanks for the prompt reply. I have already gone through those 2 BAdIs, and we are already using the search enhancement BAdI.

But, from the ACE point of view, we can do further things only if the data is first coming from the ACE tables; that is, if I am not passing Employees (Business Partner) in my coding, then they will not appear in the search result itself.

I have tried to enquire from a few senior people as well, but no one seems to have implemented ACE in any of the projects. I am really curious then how to solve this if possible, and how come such a functionality has not been implemented in most of the projects.

Please help.

Regards,

Rohit Khetarpal

monika_suchy2
Explorer

Hello Rohit,

I have implemented ACE in a CRM 5.0 and actually in a CRM 7.0. If you want to use ACE you have to be familiar with ABAP coding (there are some examples for ACE coding in the system too).

For your scenario you should have a look at the so-called universal actor.

SAP help:

To grant users of a user group access to a number of objects, the Access Control Engine (ACE) provides a special actor type. To do this, a rule is created that uses this actor type. When activating the right that uses this rule, all users of the user group and all objects of the rule are assigned to a universal actor. This gives all users of the right access to all objects of this rule.

The universal actor reduces the entries in ACE tables.

Regards,

Monika
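A small Python model, added here as an illustration and not SAP code or any poster's code, of the two points made in this thread: ACE acting as an additional filter over the basis (PFCG) authorizations, as in the SAP quote in Amar's answer, and a universal-actor right granting a whole user group access to every object a rule selects without one table row per user/object pair, as in Monika's answer. All users, BP ids, roles and the table layout are constructed for the example; the real ACE rules, actors and rights are configured in the system, not in code like this.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BusinessPartner:
    bp_id: str
    role: str  # BP role, e.g. "Organization" or "Employee"

# Basis (PFCG) side, modelled like B_BUPA_RLT: user -> {(bp_role, activity)}.
# Constructed sample data for this example.
BASIS_AUTH = {
    "alice": {("Organization", "display"), ("Organization", "change"),
              ("Employee", "display")},
    "bob": {("Organization", "display"), ("Organization", "change")},
}

# ACE side. Explicit actor rows, one per (user, object, action): this is the
# table that grows as users x objects when every pair is entered.
ACE_EXPLICIT = {("alice", "BP0001", "change")}

# Universal-actor right: (user group, object selector, actions). Every user of
# the group gets the actions on every object the rule selects, in one row.
USER_GROUPS = {"ace_users": {"alice", "bob"}}
ACE_UNIVERSAL = [("ace_users", lambda bp: bp.role == "Organization", {"display"})]

def basis_allows(user, bp, action):
    return (bp.role, action) in BASIS_AUTH.get(user, set())

def ace_allows(user, bp, action):
    if (user, bp.bp_id, action) in ACE_EXPLICIT:
        return True
    return any(user in USER_GROUPS[group] and selects(bp) and action in actions
               for group, selects, actions in ACE_UNIVERSAL)

def effective_access(user, bp, action):
    """ACE is an additional filter: basis must allow AND ACE must allow."""
    return basis_allows(user, bp, action) and ace_allows(user, bp, action)

def visible_partners(user, partners):
    """What a BP search returns for this user: only objects ACE grants."""
    return [bp.bp_id for bp in partners if effective_access(user, bp, "display")]

def ace_rows_needed(n_users, n_objects, universal_actor):
    """ACE rows to grant every user display on every object of one rule."""
    return 1 if universal_actor else n_users * n_objects

PARTNERS = [BusinessPartner("BP0001", "Organization"),
            BusinessPartner("BP0002", "Organization"),
            BusinessPartner("BP0003", "Employee")]
```

Note that bob keeps "change" on Organization in the basis authorization but ACE has no row granting it, so the effective result is no change access; likewise the Employee partner never reaches alice's search result because no ACE rule selects it, which is the behaviour Rohit describes.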

Former Member

Hi,

Thanks for the reply. I have done complete coding for ACE, so that is not a problem. We thought of looking into this universal actor concept, but somehow couldn't find it much relevant for our case.

If you have used this concept, could you please post a scenario and solution and how it helped. It would be of great use to us.

Also, as you have already implemented 2 projects in ACE, what do you generally suggest as a solution to follow: is it better to use ACE, or is it better to restrict the data access using PFCG roles, BAdIs and search enhancements, from both the development and maintenance point of view?

If someone can provide this valuable guidance, it would help us immensely in solution designing before start of the project.

Thanks and Regards,

Rohit Khetarpal

Answers (2)

Former Member

Combination of ACE and BADI.


Hi Rohit,

I have a similar requirement. I want to restrict the read, write and delete access of business partners to users of two businesses which are set up in the same CRM system.

My requirement is that users of Business One should have access to only business partners of Business One. Users of Business Two should have access to business partners of Business Two only.

Please let me know in detail how this can be achieved.

Your advice will be highly appreciated,

Thanks in Advance,

Ravi

robert_kunstelj
Active Contributor

Regarding your 2nd question...

Yes, you can restrict access to BPs via PFCG role. You can use object CRM_BPROLE to say which BP roles users can use (create, change, display or delete).

And these authorization objects are also used for authorizing users, to say which data users can maintain/view:

B_BUPA_ATT - Business Partner: Authorization Types

B_BUPA_CRI - Business Partner: BP Role Category / Differentiation Typ

B_BUPA_FDG - Business Partner: Field Groups

B_BUPA_GRP - Business Partner: Authorization Groups

B_BUPA_RLT - Business Partner: BP Roles

B_BUPR_BZT - Business Partner Relationships: Relationship Categories

B_BUPR_FDG - Business Partner Relationships: Field Groups

B_CCARD - Payment Cards

B_CLEAR - Data Cleansing

Former Member

Hi all,

be aware that some standard authorization objects do not work properly in WebUI.

We tried to implement an authorization check based on BP grouping via authorization object B_BUPA_ATT. This does not work in the Web UI, because according to SAP 'the authorization object B_BUPA_ATT isn't intended to be used in the CRM WebUI.'

There are 2 options for our scenario:

a) use ACE

b) implement authorizations in BADI_CRM_BP_UIU_AUTHORITY (check Note 1028531 for details on this)

Best regards,

Marek