User Access via the Access Control Engine (ACE) in mySAP CRM
Contributing Speaker(s) Larry Justice
Platinum Technical Consultant, SAP America
© SAP AG 2005, SAP TechEd ’05 / AGS206 / 2
As a result of this workshop, you will be able to:
- Understand an overview of ACE functionality
- Understand the underlying architecture for ACE
- Have a better understanding of developing with ACE, both from the developer's perspective and from a security perspective
- Have a better understanding of the impact that implementing ACE has on user access management in CRM 4.0
Agenda
Section A: Overview
Section B: Architecture
Section C: Development / Security
Section D: Summary
Channel Management
[Figure: brand owner (Channel Manager) and partner companies (Partner 1, Partner 2, tiers Gold and Silver) with Partner Manager and Partner Employee portal roles; users (Miller, Jones, Smith) perform actions on business objects 1 to 6.]
Relations in the Business
[Figure: typical relations of business objects to a partner company organization.]
Relation to Assign Access Rights
[Figure: the relation "MyCompaniesLeads".]
The Actor (Org-Element) in the Relation
Use Cases in the Channel Management
- Partner Employee can create, read, edit, and analyze accounts within his partner company. He can also read and edit (but not delete) accounts assigned by the Channel Manager.
- Partner Manager Channel Commerce creates, reads, edits, deletes, and analyzes partner-specific condition records.
- Partner Manager and Partner Employees are only allowed to see their accounts (Relation: "is account of" / "has accounts").
- Partner Manager has read access to leads where his organization is the Sales Partner of this lead.
Use Cases in the Channel Management (cont'd)
- Partner Manager has full access (create, read, edit, delete, analyze) to opportunities created by himself or an employee of the own company.
- Channel Manager has only access to read, edit and analyze an order (not to create or delete) for all orders of all partners.
- View own organization's customer orders only; no further restrictions.
- View, edit, etc. own organization's catalog (i.e. catalog with subscribed products) only.
- Product Subscription & Lead Time maintenance: Partner Manager – Channel Commerce only.
Limitations to the Use Cases
- The create action is not possible for ACE; creation is covered by the existing authority concept (there is no object instance to evaluate before it exists).
- Integration of BW and ACE (analysis requirements) is a point for future releases.
- Additional actions like "negotiate" or "dispatch" are planned for future releases.
- Validating rights for a creation or dispatch process is planned for a future release.
Rule Administration
Administration of rules:
- Actor type is the type of the organization element in the relation between user and business object.
- GetActorsFromUser calculates the Actors for every user assigned to that right.
- GetActorsFromObject calculates the Actors for every object returned by GetObjectsByFilter.

Rule ID          | Actor Type      | Object Type | GetActorsFromUser     | GetActorsFromObject   | GetObjectsByFilter
MyLeads          | Contact         | Lead        | UserSContacts         | LeadSPartnerContacts  | *
MyCompaniesLeads | Partner Company | Lead        | UserSPartnerCompanies | LeadSPartnerCompanies | German Leads
Rights Administration
Administration of rights:
- In most cases user groups are based on roles (portal roles).
- Rules describe the relation between user and objects.
- Actions are the combination of the single actions read, write and delete.

Right | User Group        | Object Type | Rule             | Action
R314  | All Partner Roles | Lead        | MyCompaniesLeads | Read
R315  | Partner Manager   | Lead        | MyCompaniesLeads | Change
R316  | All Partner Roles | Lead        | MyLeads          | Full

After some changes in the rights tables the administrator has to activate the changes with an activation tool.
Definition of Rights
[Figure: the Access Control List derived from the rights.]
Rule (Scenario) Interface
To develop a rule, the scenario owner has to develop three interfaces:
- Determine actors from user
- Determine actors from business object
- Determine lists of objects in the focus of the rule
The Channel Management team has to be involved with the development of the rules for their use cases.
Application Interface
For application integration SAP provides three kinds of interfaces:
- Runtime interfaces: single object check; multiple objects check; get access control list for some objects
- Management interface: inform ACE about new objects (call synchronously if possible); inform ACE about changed objects
- Authority mode interface: informs about states of the ACE
Section B: Architecture
Architecture Overview
Architecture:
- Instance-based authorization
- Building subset of users
- Building subset of objects
- Using business relations to calculate authorization
Processes:
- Database cache
- User context calculation
- Activating rights
- Session cache and authorization check
- Object creation
- Object changes
Authorizations in Channel Management
Basis Authorizations:
- Based on authorization objects
- Reach down to transaction, field, and field value level
- SAP basis authorization concept: User -> Role -> object class -> authorization object -> authorization -> authorization fields (ex. display, change)
Dynamic Authorizations:
- Framework to determine user-dependent access rights on object level
- Application can check access rights for actions on business objects
[Figure: Portal Role A; User 1 and User 2 perform actions on Object 1 and Object 2 (Company 1) and Object 3 (Company 2).]
Building Subset of Users
- ACE User Groups (Gr1, Gr2) are built from the roles known by ACE (R1, R2).
- Roles are assigned to users; a user is under ACE control only through a role known to an ACE user group.
- Example: User 5 has roles R3 and R4, which no ACE user group knows, so User 5 is not under ACE control.
[Figure: users 1 to 6 with roles R1 to R4; Gr1 <- R1, Gr2 <- R2.]
Building Subset of Objects
- Objects returned by an ACE object filter (F1 to F4) are under ACE control.
- Objects not returned by any filter are not under ACE control.
[Figure: Leads 01 to 12 and object filters F1 to F4; leads matched by no filter are outside ACE control.]
User- and Object-Context
User context:
- The functions GetActorFromUser() calculate the user context.
- Examples for types in the user context: Companies, Org-Unit, Position, Sales Area.
- We call these types "Actor Type" and the values in the user context "Actor".
Object context:
- The function GetActorFromObject() calculates the object context.
- Examples for values in the object context: Companies, Org-Unit.
User- and Object-Context II
[Figure: ACE user groups Gr1/Gr2 reached via roles R1/R2 from users; the business functions that calculate the user/object context map users and the leads returned by filters F1 to F4 to actors.]
Definition of Rule
Parts of a Rule:
1. Actor Type
2. Object Type
3. User Context: GetActorFromUser()
4. Object Context: GetActorFromObject()
5. Filter: GetObjectByFilter()

Rule ID          | Actor Type      | Object Type | GetActorsFromUser     | GetActorsFromObject   | GetObjectsByFilter
MyLeads          | Contact         | Lead        | UserSContacts         | LeadSPartnerContacts  | *
MyCompaniesLeads | Partner Company | Lead        | UserSPartnerCompanies | LeadSPartnerCompanies | German Leads
Definition of Right
Parts of a Right:
1. User Group
2. Rule
3. Action: what kind of action a user can do with his objects
4. (Not "Object Type"; this keeps administration easy)

Right | User Group        | Object Type | Rule             | Action
R314  | All Partner Roles | Lead        | MyCompaniesLeads | Read
R315  | Partner Manager   | Lead        | MyCompaniesLeads | Change
R316  | All Partner Roles | Lead        | MyLeads          | Full
Results
- No new roles for authorization necessary
- Add new rights without code modification in the business object code
- Customer code used as an add-on
- Use of business relations makes the coding of rules very easy
- Definition of actor types is a very important task when using ACE in a project
Runtime Cache
Calculate every rule at every authorization check? Good performance is achieved instead by pre-calculating (caching) rule results.
Structure of the database cache:
- User Context: (ACE Group ID, User)
- ACE Group: (ACE Group ID, Actor, Right ID); one ACE group has many user context entries and many ACL entries
- Access Control List: (ACE Group ID, Business Object ID, Action)
Additional memory caches exist.
There are processes working with this data:
- First authorization check
- Activating rights
- Creating objects
- Changing objects
[Figure: the authorization check reads the user context and the ACL.]
Section C: Development / Security
Overview of Authorizations and ACE
[Figure: SSO authentication; Portal User -> Portal Role -> Portal Content Authorization -> EP Application; CRM User -> Implicit Authorizations -> Access Control Engine -> other concepts (CRM Business Partner, Authorization Objects); CRM and R/3 backends.]
First Authorization Check (User Context)
The first steps are:
1. Is the ACE inactive? (CUSTOM)
2. Is this query a "Friendly Call"?
3. Is the action to be checked supported by the ACE?
4. Is the object type to be checked relevant for the ACE?
5. Is the user an active ACE user?
Now ACE starts working with:
- Is the user cached? (App-Server)
- Has the user context expired? (customizable, default value = 16 hours)
- Determining the active status
Remark: App-server cache and database cache are the same.
User Context Cache
Calculating the new user context:
1. Get all Roles of the user
2. Get all ACE-User-Groups of the user
3. Get all Rights for the user
4. List all different "GetActorFromUser()" functions
5. Calculate all different Actors
6. Create all new ACE-Group entries ((Right-ID, Actor) pairs)
7. Change entries in the User-Context table; create the App-Server cache for the user context
Remark: Start and end time of a right are only used in the user context, not in the ACL.
If a user's roles change, the administrator has to refresh the user context manually.
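The data flow of the Runtime Cache, First Authorization Check and User Context Cache slides above, as an added stand-alone Python model. It is not SAP code and does not reproduce the ABAP classes or tables named on the slides: a rule carries the three scenario interfaces, a right binds a user group to a rule and an action level, the user context is the set of (Right-ID, Actor) pairs, activation expands the rights over the filtered objects into ACL entries, and the runtime check walks the pre-steps before it consults the ACL. The users, roles, contact persons, companies and leads are constructed; the cumulative meaning of the action levels Read/Change/Full and the role names PARTNER_EMP/PARTNER_MGR are assumptions.

```python
"""Stand-alone model of the ACE data flow: rules, rights, user context,
ACL precalculation and the runtime check. Added example, not SAP code;
every user, role, contact person, company and lead below is constructed."""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

# Constructed business relations: a user is a contact person of a partner
# company; a lead's sales partner is a contact person (cf. "MyCompaniesLeads").
USER_ROLES = {"megan": {"PARTNER_MGR"}, "jones": {"PARTNER_EMP"},
              "smith": {"PARTNER_EMP"}, "backoffice": {"CRM_INTERNAL"}}
USER_CONTACT = {"megan": "cp_megan", "jones": "cp_jones", "smith": "cp_smith"}
CONTACT_COMPANY = {"cp_megan": "partner_a", "cp_jones": "partner_a",
                   "cp_smith": "partner_b"}
LEADS = {"lead01": ("cp_megan", "DE"), "lead02": ("cp_jones", "DE"),
         "lead03": ("cp_smith", "DE"), "lead04": ("cp_smith", "US")}
# Roles known to ACE, grouped into ACE user groups (role names are assumptions).
GROUP_ROLES = {"All Partner Roles": {"PARTNER_EMP", "PARTNER_MGR"},
               "Partner Manager": {"PARTNER_MGR"}}
# Assumption: an action level is a cumulative set of the single actions.
ACTION_SETS = {"Read": {"read"}, "Change": {"read", "write"},
               "Full": {"read", "write", "delete"}}

@dataclass(frozen=True)
class Rule:
    """The three interfaces a scenario owner implements for a rule."""
    rule_id: str
    actor_type: str
    get_actors_from_user: Callable[[str], Set[str]]
    get_actors_from_object: Callable[[str], Set[str]]
    get_objects_by_filter: Callable[[], Set[str]]

@dataclass(frozen=True)
class Right:
    right_id: str
    user_group: str
    rule_id: str
    action: str          # Read / Change / Full, as on the Rights slide

def users_contacts(user): return {USER_CONTACT[user]} if user in USER_CONTACT else set()
def users_partner_companies(user): return {CONTACT_COMPANY[c] for c in users_contacts(user)}
def leads_partner_contacts(lead): return {LEADS[lead][0]}
def leads_partner_companies(lead): return {CONTACT_COMPANY[c] for c in leads_partner_contacts(lead)}
def all_leads(): return set(LEADS)
def german_leads(): return {lead for lead, (_, ctry) in LEADS.items() if ctry == "DE"}

RULES = {r.rule_id: r for r in (
    Rule("MyLeads", "Contact", users_contacts, leads_partner_contacts, all_leads),
    Rule("MyCompaniesLeads", "Partner Company", users_partner_companies,
         leads_partner_companies, german_leads))}
RIGHTS = (Right("R314", "All Partner Roles", "MyCompaniesLeads", "Read"),
          Right("R315", "Partner Manager", "MyCompaniesLeads", "Change"),
          Right("R316", "All Partner Roles", "MyLeads", "Full"))
AceGroup = Tuple[str, str]   # (Right-ID, Actor) pair, the ACE group id

def ace_user_groups(user: str) -> Set[str]:
    """Steps 1-2 of 'User Context Cache': a user is under ACE control only
    through a role that an ACE user group knows."""
    roles = USER_ROLES.get(user, set())
    return {g for g, rs in GROUP_ROLES.items() if roles & rs}

def user_context(user: str) -> Set[AceGroup]:
    """Steps 3-6: rights of the groups, their GetActorsFromUser, (Right-ID, Actor) pairs."""
    ctx = set()
    for right in RIGHTS:
        if right.user_group in ace_user_groups(user):
            for actor in RULES[right.rule_id].get_actors_from_user(user):
                ctx.add((right.right_id, actor))
    return ctx

def activate_rights() -> Set[Tuple[AceGroup, str, str]]:
    """ACL calculation at activation: one (ACE group, object, single action)
    entry per object the rule's filter returns and per actor of that object."""
    acl = set()
    for right in RIGHTS:
        rule = RULES[right.rule_id]
        for obj in rule.get_objects_by_filter():
            for actor in rule.get_actors_from_object(obj):
                for single in ACTION_SETS[right.action]:
                    acl.add(((right.right_id, actor), obj, single))
    return acl

def ace_check(user, obj, action, acl, *, ace_active=True, friendly_call=False) -> Optional[bool]:
    """Runtime check. None means ACE makes no statement (a pre-step of
    'First Authorization Check' stopped it); otherwise the ACL decides."""
    if not ace_active or friendly_call:
        return None
    if action not in {"read", "write", "delete"}:   # action not supported by ACE
        return None
    if obj not in LEADS:                            # object type not relevant for ACE
        return None
    if not ace_user_groups(user):                   # not an active ACE user
        return None
    return any((group, obj, action) in acl for group in user_context(user))

def authorized(user, obj, action, acl, basis_allows=True) -> bool:
    """ACE sits on top of the basis authorization: it refines but never extends."""
    decision = ace_check(user, obj, action, acl)
    return basis_allows and (decision is None or decision)
```

With these constructed relations, megan (Partner Manager of partner_a) can read and change the German lead02 of her colleague jones through R314/R315, but cannot delete it, because only the lead's own contact person holds R316; the non-German lead04 never enters the MyCompaniesLeads ACL, so only its contact person smith reaches it via MyLeads. A user without any ACE-known role gets `None` from `ace_check`, and `authorized` then falls back to the basis decision alone, while a basis denial is never overridden by an ACL hit.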
Activation of Rights and User-Groups
- The first step of activating is to copy the design-time data into the corresponding runtime tables.
- Changing the ACE configuration has no influence on the runtime until the changes are activated.
- You find the list of active rights and user groups by using the deactivation value help.
Activating Rights (ACL Calculation)
Two separate steps:
1. Get all objects, using the filter
2. Calculate all ACL entries in small parallel processes
Processing:
- Retrieve all objects to be activated
- Insert objects into the work table, block by block
- Create reporting data
- Read N blocks of 100 objects at most; for each block, in its own process:
  - Enqueue objects in this block and proceed with activation
  - Update information on the success/failure as well as reporting data
  - Commit the work in this LUW and dequeue objects in the block
Runtime Authorization Check
- Some processes call the ACE authorization check very often for the same object.
- There is a runtime cache for checked ACE entries. This cache is a session cache.
- The runtime store is only for objects created in the same session.
[Figure: CHECK_SINGLE_OBJECT_GUID / CHECK_MULTIPLE_OBJECTS_GUID, UserObjectsCache (CL_ACE_USER_OBJECTS_CACHE), RuntimeStore (CL_ACE_RUNTIME_STORE), DB table XX_ACL (e.g. read from ACL).]
Runtime Changes of Business Objects
- All business objects under ACE control send change and create notifications to ACE.
- There are two different calls from the business object to ACE: HandleNewObjects() and HandleChangedObjects().
- Two different calls are necessary because of the different processes behind them.
Creating New Object
During the creation process the following happens:
- Write full access in the session runtime store
- Write the temporary ACL entry (full control for the creator) in the DB
- Start a background process to calculate the new ACL entries
In the background process:
- List all "Filter" for this object
- Calculate all used "GetActorFromObject()" functions using the "Filter"
- Calculate all actors for this object
- Write all new ACE-Group entries
- Write all new ACL entries
- Remove the temporary ACL entry
Remark: The creator can directly access his created object(s). Until the background process removes it, that access comes from the temporary entry and the session store, not from the rights that apply to the finished object.
Change Object
During the change process the following happens:
- Start a background process to calculate the changes of ACL entries
In the background process:
- List all "Filter" for this object
- Calculate all used "GetActorFromObject()" functions using the "Filter"
- Calculate all actors for this object
- Write all new ACE-Group entries
- Calculate the delta of ACL entries
- Write all new ACL entries
- Remove all unused ACL entries
Remark: If only right-independent attributes are changed, there is no write access to the DB. Until the background process has written the delta, the ACL still reflects the object's previous attributes.
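The creation and change processes of the two preceding slides as an added Python model. It is not SAP code: HandleNewObjects()/HandleChangedObjects(), CL_ACE_RUNTIME_STORE and the real table layout are not reproduced. It shows the session runtime store, the temporary full-control ACL entry for the creator that the "background" recalculation replaces, and the delta write on change that leaves the DB untouched when only right-independent attributes changed. The leads, contact persons, companies and the two rights are constructed; modelling the creator's temporary entry as the ACE group ("TEMP", creator) is an assumption.

```python
"""Model of ACL maintenance on object creation and change. Added example,
not SAP code; the lead data, relations and rights below are constructed."""
from typing import Dict, Set, Tuple

AceGroup = Tuple[str, str]              # (Right-ID, Actor)
AclEntry = Tuple[AceGroup, str, str]    # (ACE group, object id, single action)
ALL_ACTIONS = ("read", "write", "delete")

# Constructed lead data, mutable because the change process edits it.
LEADS: Dict[str, Dict[str, str]] = {"lead01": {"contact": "cp_megan", "country": "DE"}}
CONTACT_COMPANY = {"cp_megan": "partner_a", "cp_smith": "partner_b"}
ACTIONS = {"Change": {"read", "write"}, "Full": {"read", "write", "delete"}}
# Right-ID -> (action level, object filter, GetActorsFromObject); constructed.
RIGHTS = {
    "R315": ("Change", lambda o: LEADS[o]["country"] == "DE",
             lambda o: {CONTACT_COMPANY[LEADS[o]["contact"]]}),
    "R316": ("Full", lambda o: True, lambda o: {LEADS[o]["contact"]}),
}

class AceStore:
    def __init__(self) -> None:
        self.acl: Set[AclEntry] = set()             # stands in for the DB ACL table
        self.ace_groups: Set[AceGroup] = set()      # stands in for the ACE group table
        self.session: Dict[Tuple[str, str], Set[str]] = {}  # session runtime store
        self.db_writes = 0                          # ACL rows inserted or deleted

    def _calculate(self, obj: str) -> Set[AclEntry]:
        """Background step: list the filters that match the object, run the
        GetActorsFromObject functions they use, expand to ACL entries."""
        entries = set()
        for right_id, (level, obj_filter, actors_fn) in RIGHTS.items():
            if obj_filter(obj):
                for actor in actors_fn(obj):
                    for single in ACTIONS[level]:
                        entries.add(((right_id, actor), obj, single))
        return entries

    def handle_new_object(self, obj: str, creator: str, attrs: Dict[str, str]) -> Set[AclEntry]:
        LEADS[obj] = dict(attrs)
        # 1. full access in the session runtime store for the creator
        self.session[(creator, obj)] = set(ALL_ACTIONS)
        # 2. temporary ACL entry: full control for the creator (group ("TEMP", creator) is an assumption)
        temp = {(("TEMP", creator), obj, a) for a in ALL_ACTIONS}
        self.acl |= temp
        self.db_writes += len(temp)
        # 3. "background" process: real entries in, temporary entry out
        new = self._calculate(obj)
        self.ace_groups |= {group for group, _, _ in new}
        self.acl |= new
        self.acl -= temp
        self.db_writes += len(new) + len(temp)
        return new

    def handle_changed_object(self, obj: str, attrs: Dict[str, str]) -> Tuple[int, int]:
        """Recalculate and write only the delta; returns (added, removed) row counts."""
        LEADS[obj].update(attrs)
        old = {e for e in self.acl if e[1] == obj}
        new = self._calculate(obj)
        self.ace_groups |= {group for group, _, _ in new}
        added, removed = new - old, old - new
        self.acl |= added
        self.acl -= removed
        self.db_writes += len(added) + len(removed)   # zero for right-independent changes
        return len(added), len(removed)

    def check(self, user: str, user_groups: Set[AceGroup], obj: str, action: str) -> bool:
        """Session runtime store first (objects created in this session), then the ACL."""
        if action in self.session.get((user, obj), set()):
            return True
        return any((group, obj, action) in self.acl for group in user_groups)
```

Creating lead02 with contact person cp_megan in country DE yields five ACL rows (R315 for partner_a with read/write, R316 for cp_megan with read/write/delete) and leaves no "TEMP" row behind; the creator jones keeps access through the session store even though no right names him. A description change writes nothing, moving the contact to cp_smith swaps all five rows, and moving the country to US drops only the two R315 rows because the German-leads filter no longer matches.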
Dynamic Authorizations – Example 1
Megan (User A, manager with a partner company) wants to see the leads assigned to her company.
[Figure: business objects and the hierarchical structure of the partner organization.]
Dynamic Authorizations – Example
Rules to determine access for the lead:
- Rule 1a: Check which contact person the lead is associated with
- Rule 1b: Look up the primary partner company for that contact person
- Rule 2a: Retrieve the contact person for user Megan
- Rule 2b: Look up the primary partner company for that contact person
- Rule 3: Compare the partner companies; if identical, show the lead to Megan
Dynamic Authorizations – Example Cont'd.
[Figure: portal role Manager (user Maier, sales area 1600/99/34) and portal role Employee (users Schmitt and Müller, sales areas 1010/99/32 and 1520/99/40); customer object ElektroHeinz; user, sales area and object connected through the rule.]

Right | User Group | Object Type | Rule                  | Action
R007  | Manager    | Customer    | MySalesAreasCustomes  | Full
R008  | Employee   | Customer    | MySalesAreasCustomes  | Read
Dynamic Authorizations – Example Cont'd.
- User is assigned to a portal role. A portal role consists of the applications the user is able to work with: no application available in the role means no access at all. Different portal roles enable different authorization on role level.
- The application itself carries "implicit" authorization, e.g. Sales Order Management does not include Opportunity Management.
- Application supports authorization checks via ACE: the application (resp. the assigned CRM object) supports ACE checks, the current user is activated for ACE checks, and the corresponding ACE rule is activated.
- Application/CRM offers authorization checks via Basis Authorization: the authorization object is available, the application does checks on authorization objects, and the user is assigned to the authorization objects.
Dynamic Authorizations – Example Cont'd.
Different levels and possibilities of authorizations: top-down view
To implement an authorization matrix, there are several possibilities and dependencies which have to be taken into account. First of all, there is the portal role definition. If the authorization matrix does not have a mark for a specific role/application combination, this particular application should not be part of the role definition at all. The user assigned to this role then does not have the application available and therefore no authorization at all.
Dynamic Authorizations – Example Cont'd.
Different levels and possibilities of authorizations: top-down view
The next level is to use a specific BSP application view to implement "functional" authorizations on UI level, e.g. remove a create button to restrict this capability for a specific role. A role-specific application may also be used in combination with the underlying authorization concepts to implement an "ideal solution". This means, for example, if you only have read access to a certain object without the right to create new ones, but there is a create button available, this button can be completely removed by defining a corresponding BSP application view. Removing the button is a usability measure, not an enforcement point: the object- and action-level decision still has to come from ACE or the basis authorization underneath, which is why the view is combined with them.
Dynamic Authorizations – Example Cont'd.
Different levels and possibilities of authorizations: top-down view
Now ACE comes into play, if activated and if necessary for a specific business process. Authorizations implemented via ACE using rules (which) and rights (how) define which documents a user (assigned to a certain role) may see and how these documents may be accessed. Currently implemented and available actions are read, write, and delete. ACE sits on top of the basis authorization.
Dynamic Authorizations – Example Cont'd.
Different levels and possibilities of authorizations: top-down view
Last, but not least, the basis authorization can be used to define "overall" authorizations in the system. Here authorization objects assigned to users/user groups define what access is allowed. The role itself represents the center of all authorization, and it is used at each "level" (portal role definition, BSP application view, ACE, and basis authorization) as a kind of anchor in the authorization model/matrix.
Comments about Basis Authorizations
Basis authorization and ACE: basis authorization is best used to define basis authorizations, e.g. a whole role should only have read access to a certain transaction or application. This should be implemented using basis authorization objects assigned to a role/user group (even if it could be accomplished via ACE). By doing as much of the restriction as possible in the backend using basis authorizations for the affected roles, the development work using ACE is simplified.
Comments about Basis Authorizations
Basis authorization and ACE: if a certain role should only have access to a specific range of documents, e.g. only for a particular channel partner (<=> sales partner), then ACE should be used, implementing corresponding rules (which documents should be visible) and rights (how documents are accessible). In this case it is necessary to clearly define which characteristics (partner functions, relations, etc.) are used to determine the rule process (actors from user, actors from object). To come to such a clear technical definition, a list of business rules describing the business requirement in a matrix is extremely helpful. A combination of both, basis and ACE, can be used, but from a business perspective it can increase user administration costs (duplicated effort, potential confusion of access modes used in complex roles, etc.).
ACE Right Definition Process Detail cont'd.
Example of External Matrix (Rights/Roles)
Roles (columns): Partner Manager, Lead Manager, Sales Manager, Portal Administrator (web support center)
Applications (rows): Partner Management, Partner Profile Management, Account Management, User Management, Sales Cycle, Activities, Leads, Opportunities, Orders (B2B-Shop)
[Table: access level per role/application combination, with values R, R/M, R/M/D and R/M/D/E; the individual cell assignments are not legible in the slide text.]
Legend: R = Read only, M = Maintain, D = Delete, E = Execute (reports, search)
ACE Right Definition Process Detail
Steps for coming from an authorization matrix to ACE-based access control on document level:
1. Authorization matrix generated by the business department
2. Translation of the authorization matrix into ACE-related building blocks
3. Customizing and implementation of the ACE building blocks (Overview)
4. (Preliminary) activation for testing (Testing)
5. Results of the final ACE rights activation (Overview, Testing)
6. Runtime monitoring of ACE authorizations (Overview, Testing)
ACE Right Definition Process Detail
Now let's look at the actual screen shots involved in setting up ACE functionality. This involves both developers and security resources working together. The first part of the process involves a developer resource to do the configuration part.
IMG path to the ACE user group assignment (screen shots):
1. Log on to the CRM Development Instance
2. Execute /nspro
3. Select "SAP Reference IMG"
4. Select Customer Relationship Management
5. Next select Basic Functions
6. Now select Access Control Engine
7. Next select User Groups
8. Click on Assign Users to User Groups
Setting Up Rules for IDs/Roles for ACE
Finally, we are in the proper part of the IMG, so: the first step in the process is to assign the 'role' or 'user' IDs to an ID or role. In this situation, we are going to tie a user ID to a specific role. If you are going to assign it to a 'group' of people, you would assign the backend 'Z' BASIS security role as shown in the following screen shot.
Setting Up Rules for IDs/Roles for ACE (screen shot)
Setting Up Rules for IDs/Roles for ACE
But in this case, we are going to assign the CRD_SARF2 user to the SAP_CRM_PARTNER_EMP group and assign the user group child type as 'U User' since this is a user ID.
Setting Up Rules for IDs/Roles for ACE
Unfortunately, currently there is no search for the 'User Group Child' functionality; you have to know the ID or the BASIS role you wish to attach. Once this is completed, we have to decide what rules we wish to activate. If this is the first time ACE is being used, you must enter the developer's tool to activate the necessary groups and rules. For this case, we are going to make it so a CP can maintain, display, change and edit BPs. For this scenario I have activated the following groups and IDs.
SAP_CRM_PARTNER_EMP User Group is Activated (screen shot)
Rules which have been activated
LEAD_CHP_CP_EMP
a) PARTNER EMPLOYEE: CONTACTPERS. CHANGE
b) Account (ACCOUNTCRM)
c) Partner employee (SAP_CRM_PARTNER_EMP)
d) Grants the partner employee, as contact person with the relationship type "is contact person for" and the portal role Partner Employee, access (read and write authorization (ACT_GRP_CHANGE)) to all end customer business activities. Here, the business partner must be a contact person, who in turn has the relationship "is contact person for" a business partner who has the relationship "is end customer of" his or her own company.

LEAD_CHP_ENDCUST_EMP
a) PARTNER EMPLOYEE: END CUSTOMER CHANGE
b) Account (ACCOUNTCRM)
c) Partner employee (SAP_CRM_PARTNER_EMP)
d) Grants the partner employee, as contact person with the relationship type "is contact person for" and the portal role "Partner Employee", access (read and write authorization (ACT_GRP_CHANGE)) to his or her own company's end customers. The business partner must have the relationship "is end customer of" his or her own company.

LEAD_CHP_PROSP_EMP
a) PARTNER EMPLOYEE: PROSPECT CHANGE
b) Account (ACCOUNTCRM)
c) Partner employee (SAP_CRM_PARTNER_EMP)
d) Grants the partner employee, as contact person with the relationship type "is contact person for" and the portal role "Partner Employee", access (read and write authorization (ACT_GRP_CHANGE)) to all of the user's company's prospects. The "Prospect" must be in an "is end customer of" relationship to the "Company" that the current partner employee is a contact person of. Or the "Prospect" is the "Company" itself; then the current user also has access ("to own company as prospect"; this is only of interest if the lead is used as a quotation for the channel partner itself).

CHP_CONSUMER_EMP
a) PARTNER EMPLOYEE: CONSUMERS DISPLAY
b) Account (ACCOUNTCRM)
c) Partner employee (SAP_CRM_PARTNER_EMP)
d) Grants the partner employee, as contact person with the relationship type "is contact person for" and the portal role Partner Employee, access (read authorization (ACT_GRP_READ)) to all consumers. The business partner must exist in the business partner role "Consumer".
Working with the Business Package
The security team will be involved in this activity. Once you have activated the rights, let us create/modify the Business Package (BP) associated with the test user ID and then assign them an organization. (Note: if you are assigning ACE rules to a specific 'role' you must maintain the Role in the Role area of the following screen shot.) Open up the BP associated with the user ID. In the BP you have open, maintain a 'Contact Person' as well as the 'internet user' role of the partner. Once this is done, assign the user to the organization that he represents when he logs in. For example, if I am an employee at Ace Apple's then I would assign myself as a contact person at Ace.
Working with the Business Package (screen shot)
Create Ace Apple's BP and Associate crd_Sarf2 to it (screen shot)
Activating User Group SAP_CRM_PARTNER_EMP
Back in the ACE Administration Tool: select the user group to activate (here it is SAP_CRM_PARTNER_EMP). Once this is completed successfully, you will notice all of the condition 'traffic lights' are green, as seen on the next slide.
Activating User Group SAP_CRM_PARTNER_EMP (screen shot)
Rights Have Been Activated (screen shot)
Final Step
Back to the administration tool, and the last thing needed is to refresh the user (note: if you use roles you do not have to do this). Once this is done, everything should be active for the test ID.
Schematic View of what has been set up (figure)
Section D: Summary
Summary
- ACE functionality is based on Rules, Rights and Roles in the portal and the backend system.
- It is important for the developer team and security to work together during the initial configuration of ACE functionality.
- Wherever possible use the capabilities of the basis authorizations in the backend system to simplify the development and use of ACE functionality.
- It is very important to have an overall naming convention for the portal roles, the ACE user groups, and backend user roles BEFORE implementing ACE.
Final Comments
- When ACE is activated initially, there is no access to any documents for an activated user as long as there is no ACE rule to grant access!
- ACE cannot "extend" authorizations granted by Basis Authorizations, it can only refine them.
  - Extend: if the basis authorization object does not grant access at all, then no ACE rule can change this.
  - Refine: if the basis authorization object does allow "change" but the ACE rule(s) do not, the user is not able to change the object(s). So ACE acts as an additional filter on the access that basis authorizations already allow.
- ACE can be used if authorization per "object", based on "object" attributes, is required for different user groups.
Further Information
- Public Web: www.sap.com
- SAP Developer Network: www.sdn.sap.com
- NetWeaver Developer's Guide: www.sdn.sap.com/sdn/developersguide.sdn
- SAP Customer Services Network: www.sap.com/services/
- Related SAP Education Training Opportunities: http://www.sap.com/education/
Questions? Q&A
Feedback
Please complete your session evaluation. Be courteous: deposit your trash, and do not take the handouts for the following session. Thank You!