Former Member

In my Configuration & Implementation of CRM Access Control Engine (ACE)-Part 1 blog, I listed the configuration steps required for the business scenario discussed. In this blog we will go through the implementation of the ABAP class for Access Control.

Let me revisit our business scenario:

Business Scenario:  Any particular account and its Contacts can be displayed/edited/deleted by the employee who has created that account and the other employees who are related to that Account with the relationship type “Is the Responsible Colleague Of”. 

As per our requirement: 

  • Objects: All the Business Partners who are Persons as well as Organizations.
  • Actors: Responsible Employee of any Business Partner or an employee who has created the BP. 

We need to implement the following interfaces in the ABAP class ZCL_ACERULE_ACCOUNT... 

IF_CRM_ACE_OBJECTS_BY_FILTER~GET_OBJECTS_BY_FILTER 

This method fetches all the objects to which the ACE right is applicable. The objects applicable to our ACE rule are all the Business Partners, so select all the Business Partners from BUT000 and append them to the exporting internal table of this method.

 

  

 

IF_CRM_ACE_ACTORS_FROM_USER~GET_ACTORS_FROM_USER 

This method determines the actors for every user assigned to our ACE right. As said before, the actors are employees, so get the employee for each user and append them to the exporting internal table.

 

  

 

IF_CRM_ACE_ACTORS_FROM_OBJECT~GET_ACTORS_FROM_OBJECTS 

This method is very important from an ABAPer’s point of view, as it has the maximum amount of coding 😉

This method queries actors according to a specified list of objects. (Mass data method)

SAP recommends implementing this (mass data) method instead of the single-object versions, such as the method GET_ACTORS_FROM_OBJECT.

It has the following parameters: 

1. 'IT_OBJECT_GUIDS': Importing, type CRMT_ACE_OBJECT_GUID

This has all the objects (GUID of BP) whose actors are to be determined.

2. 'ET_ACTOR_IDS': Exporting, type CRMT_ACE_OBJECT_ACTORS

All the determined actors are appended to this internal table. 

3. 'ET_FAILED_OBJECTS': Exporting, type CRMT_ACE_OBJECT_GUID

All the failed objects, that is, objects for which actors couldn’t be determined, are appended to this internal table. Please refer to the implementation code below; it is self-explanatory.

 

 

 

We will not be implementing the method GET_ACTORS_FROM_OBJECT henceforth.

We also have another method  IF_CRM_ACE_OBJECTS_BY_FILTER~CHECK_OBJECTS_BY_FILTER in which additional filtering can be performed.

 

 

 

Have a look at the parameters of the custom method GET_RESP_EMP and also its implementation part.

 

 

Then have a look at the Public Local Type Definitions created:

 

  

 

Then we need to activate our Work Package and Rights. First activate your User Group from the User Groups tab and then activate your right from the Rights tab. Related screenshots are attached below:

 

 

 

Once the right has been activated, a background job runs, which you can check in transaction SM37, and the runtime tables are filled with the authorization data. After the job finishes, you can check one of the runtime tables, CRM_ACE2_BP_ACL, which is now filled with authorization data.

 

 

 

     

 

Now, check out the TA ACE_RUNTIME, which shows the runtime data. One can check the accounts a particular user can access. One can also check whoever is allowed to access a particular account.

Filter Selection: To call the report, select at least one superobject type. If you have selected a superobject type, you can refine your search by additional criteria and display the list.

 

 

 

One can also use the TA "ACE_UPDATE" to update the user context as well as the object context. My next blog will deal with this aspect.

Also, I would like to thank my Project Lead @Cognizant, Gautam Mandal who was the driving force behind this implementation.

I hope that this blog series will be very helpful to ABAP technical consultants during the implementation of Access Control Engine.

Hope this blog serves its purpose!

16 Comments
Former Member
0 Kudos
Hi Ravi Kiran

Good example business scenario

Thanks
Sai
Former Member
0 Kudos
It's a good example for the people trying to implement ACE.
mary_hoyle
Discoverer
0 Kudos
I appreciate your blog.  Excellent examples and documentation. 
johan_vanzijl
Participant
0 Kudos
This is an excellent introduction to ACE and explains the concepts well.

However, be careful when implementing the code provided as is.

In method GET_RESP_EMP, a check should be done if anything was found, otherwise it will retrieve all BP's on the next select.

Also, et_failed_objects is not filled properly in GET_ACTORS_FROM_OBJECTS.
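
Added example (not part of the comment above and not the blog's original code): an ABAP sketch of the two checks the comment asks for. With `FOR ALL ENTRIES`, an empty driver table makes the `WHERE` clause ineffective, so the select returns every row and every Business Partner would end up with actors. Assumptions: `lcl_demo`, its types and method signature, the placeholder `gc_reltyp`, and the direction PARTNER1 = account, PARTNER2 = employee are all hypothetical.

```abap
REPORT zace_fae_guard_demo.
" Added example. lcl_demo, ty_*, get_resp_emp are hypothetical names; gc_reltyp is a
" placeholder for the category behind "Is the Responsible Colleague Of".
CLASS lcl_demo DEFINITION.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_actor,
             object_guid TYPE but000-partner_guid,
             employee    TYPE but000-partner,
           END OF ty_actor,
           ty_actor_tab TYPE STANDARD TABLE OF ty_actor WITH DEFAULT KEY,
           ty_guid_tab  TYPE STANDARD TABLE OF but000-partner_guid WITH DEFAULT KEY.
    CONSTANTS gc_reltyp TYPE but050-reltyp VALUE 'ZRESP'. " placeholder value
    CLASS-METHODS get_resp_emp IMPORTING it_guids  TYPE ty_guid_tab
                               EXPORTING et_actors TYPE ty_actor_tab
                                         et_failed TYPE ty_guid_tab.
ENDCLASS.
CLASS lcl_demo IMPLEMENTATION.
  METHOD get_resp_emp.
    DATA: lt_bp TYPE STANDARD TABLE OF but000, lt_rel TYPE STANDARD TABLE OF but050.
    CLEAR: et_actors, et_failed.
    " Guard 1: never run FOR ALL ENTRIES with an empty driver table.
    IF it_guids IS INITIAL. RETURN. ENDIF.
    SELECT partner partner_guid FROM but000
      INTO CORRESPONDING FIELDS OF TABLE lt_bp
      FOR ALL ENTRIES IN it_guids
      WHERE partner_guid = it_guids-table_line.
    " Guard 2: nothing found, so all objects failed; skip the next select entirely.
    IF lt_bp IS INITIAL.
      et_failed = it_guids.
      RETURN.
    ENDIF.
    SELECT partner1 partner2 FROM but050
      INTO CORRESPONDING FIELDS OF TABLE lt_rel
      FOR ALL ENTRIES IN lt_bp
      WHERE partner1 = lt_bp-partner AND reltyp = gc_reltyp
        AND date_from <= sy-datum AND date_to >= sy-datum.
    " Report every requested object: either with actors or as failed.
    LOOP AT it_guids INTO DATA(lv_guid).
      DATA(lv_before) = lines( et_actors ).
      READ TABLE lt_bp INTO DATA(ls_bp) WITH KEY partner_guid = lv_guid.
      IF sy-subrc = 0.
        LOOP AT lt_rel INTO DATA(ls_rel) WHERE partner1 = ls_bp-partner.
          APPEND VALUE #( object_guid = lv_guid employee = ls_rel-partner2 ) TO et_actors.
        ENDLOOP.
      ENDIF.
      IF lines( et_actors ) = lv_before. " no actor determined for this object
        APPEND lv_guid TO et_failed.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```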

Former Member
0 Kudos
Hello all!
When I set a breakpoint in the GET_ACTORS_FROM_OBJECTS method, it didn't stop, and when I tried to change the code there was no effect. Seems like this code didn't execute.
Why?
Former Member
0 Kudos
Hi Artur,

The ACE activation and refresh happens in background. Hence the break point is not executed from foreground. Go to SM50 select the process, go to Program/Session->Program->Debugging to debug the process.

Regards,
Ravi
mabujan
Explorer
0 Kudos
Hi Ravi,

We are having an issue with calendar appointments (Business Activity CRM) where the Object Id that is created for the event has the "Actor" field empty when checked against the runtime table. (ACE access error is triggered when accessing the object)

Active ACE users can't see those objects as they can only see the ones in their Org Unit (Actor) per design.

Do you have any idea how to resolve that?

Thanks,
Manuel
Former Member
0 Kudos
Someone suggested that I look at this blog. I think this is a good blog which illustrates the concept of ACE. But somehow I do have another opinion on ACE. We implemented ACE for a large client several years ago. Conceptually, it is good. It fulfills the real business requirement. But after the go-live, you will notice so many problems. The system is unbelievably slow. And after reading all the ACE code and architecture, you will find the problem. Basically, this is how ACE works.
For example, the user only has access to 100 customers. There are 1 million customers in total in the database. The user just wants to see all the customers he can access. So he does a search without any criteria. In this process, SAP code retrieves 1 million customers from the database and matches them one by one to the authorization entries generated by ACE. In this case, most likely what returns to the user will be a memory overflow error. We raised the question with SAP and SAP says it is by design.
So be careful with ACE. If the pool is only 100 records and you want to control it through ACE, it is fine. But if it is a big pool, you should consider something else in addition.
Former Member
0 Kudos
This is a common problem if you cannot do meaningful restrictions in OBF. This is not just an ACE problem - unrestricted selects kill performance, whether in ACE, reports or anywhere else.
Former Member
0 Kudos
Hi,

I have implemented this configuration and the methods, but the result doesn't appear (I mean the last image that contains the objects that the user is authorized to read/write/delete).
In your opinion, what is the problem?

Thank you in advance.

mll mat
Former Member
0 Kudos
Hi Ravi,


I have configured it successfully, and while implementing class ZCL_CRM_ACERULE_ACCOUNT, when I try to give the parameters their associated types, the T_GUID_TAB & T_ACTOR_TAB table types are not found. What do I need to do for this?

Thanks & Regards

Rohan
Former Member
0 Kudos
The definition of these tables is a bit later. They are defined in the public section.

Dídac
Former Member
0 Kudos

Hi,

Very good contribution for starters. I implemented ACE a couple of years ago and since then I'm sticking to it (avoiding PFCG as much as possible).

Does anybody know if ACE will be available in ECC as well?

udaykumar_kanike
Active Contributor
0 Kudos

Hi Ravi,

I am currently in this project. You have done a really good job. Can you contact me? I do have a few doubts regarding this ACE security model.

Thank you,

Uday

Former Member
0 Kudos

Hi Ravi and everyone else who is familiar with ACE,

This is such a good read! However, I'm still encountering an issue. From what I understand from this, it can only do things to Contacts that are assigned to an Account.

Can someone help me? My issue is that whenever a sales rep creates a contact, he/she is not able to search for it afterwards. Take note that the contact created is not yet assigned to an account.

thanks!

Paul

Former Member
0 Kudos

hello, ravikiran.chittum

I followed the procedure step by step. When I activate the right, the background job (ace_dispatcher) is not generated, but the table CRM_ACE2_BP_ACL is filled with data. The final result looks like this: can you help me analyze what's wrong with it? Really, thank you!
