Wednesday, May 18, 2011

How ACE (Access Control Engine) works

ACE (Access Control Engine) is a generic authorization mechanism in SAP CRM. In contrast to the conventional authorization in SAP CRM, ACE uses Access Control Lists instead of authorization based on an object’s attributes. Whenever an object shows up on the screen (either in a search result or in an assignment block), the system checks whether the object is in the access control list (ACL) for this user and whether the display action has been granted for that list. The same logic applies when the user wants to change the object, but then with the change action. Determination of the access control list can be user specific, role based or group based.

If, for instance, you want to grant edit access to a group of customers only to a specific group of users, that is possible with conventional authorization. But if you also want this group of users to be able to edit the contact persons of those customers, or to see the activities of those customers, that is not possible with conventional authorization. With ACE, it is.

Once ACE applies to an object for a user, that user can only view or edit it (depending on the rights granted) if the object is in the user’s access list.

Note that if a user does not have view rights, it will look as if there are no objects in the system: a search will show 0 hits, and an assignment block such as the contacts block may simply remain blank.

So, how does it work?
We have already discussed that at runtime the system checks whether the Business Partner is in the ACL, so that part is clear. But how is the ACL formed?

ACE consists of several different components:
  • Rules
    • Actor Types
    • AFO classes (Actors For Object)
    • OBF classes (Objects By Filter)
    • AFU classes (Actors For User)
  • Rights
    • Work Packages
    • User Groups
    • Action Groups
    • Rules (from the previous component)
So, Rights map the Rules to the Users and Actions.

Rules specify which objects belong to the group.
For instance, ‘All business partners with BU_GROUP <XYZ>’ could be a rule.
So could ‘All contacts of all business partners with BU_GROUP <XYZ>’.
A rule generates the list of objects that are part of the group. This list is stored in a database table whose name ends in ‘_ACL’.
At runtime, this table is consulted to see whether the object exists in the ACL (Access Control List).

ACE customizing
IMG --> CRM --> Basic Functions --> Access Control Engine

Rule Customizing
Rule Customizing consists of defining the OBF, AFO and AFU classes.
OBF stands for Objects By Filter. It determines which objects are relevant for the group, i.e. the objects the rule covers.
AFO stands for Actors For Object. It determines the actors that apply to each object the OBF class found; at runtime these actors are what the objects in the ACL are matched against.
AFU stands for Actors For User. It determines the actor IDs a user is assigned to, and creates the corresponding entries in the UCT table (the user side of the match).

Rights Customizing
Rights Customizing consists of defining the user group, and then combining the user group, the allowed actions (read, write, delete) and the rule into a “Right”.
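The whole flow described above, from the OBF and AFO classes filling the _ACL table and the AFU class filling the UCT table, through the Rights that tie a user group, an action group and a rule together, to the runtime check that makes objects a user may not see disappear from a search result, as an added runnable model in Python. This is not SAP code (the real ACE classes are ABAP); the partner data, the sales-organisation actor, the user and user-group assignments, and every class, function and table name in the block are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable

# ---- Constructed sample data (stands in for the CRM business partner tables) ----
@dataclass(frozen=True)
class BusinessPartner:
    bp_id: str
    bu_group: str    # BU_GROUP, the attribute the sample OBF filters on
    sales_org: str   # the attribute the sample AFO derives the actor from

BUSINESS_PARTNERS = [
    BusinessPartner("BP1000", "XYZ", "SO_NORTH"),
    BusinessPartner("BP1001", "XYZ", "SO_SOUTH"),
    BusinessPartner("BP2000", "ABC", "SO_NORTH"),
]
CONTACT_PARENT = {"CP5000": "BP1000", "CP5001": "BP2000"}  # contact person -> its partner
USER_SALES_ORGS = {"alice": {"SO_NORTH"}, "bob": {"SO_SOUTH"}, "carol": set()}  # AFU input
USER_GROUPS = {"alice": "KEY_ACCOUNT", "bob": "KEY_ACCOUNT", "carol": "READONLY"}

def parent_of(obj_id: str) -> BusinessPartner:
    """Resolve a partner or contact id to the business partner it hangs off."""
    bp_id = CONTACT_PARENT.get(obj_id, obj_id)
    return next(bp for bp in BUSINESS_PARTNERS if bp.bp_id == bp_id)

# ---- Rule = OBF class + AFO class (hypothetical stand-ins for the ABAP classes) ----
@dataclass(frozen=True)
class Rule:
    name: str
    obf: Callable[[], list[str]]     # Objects By Filter: ids the rule covers
    afo: Callable[[str], set[str]]   # Actors For Object: actor ids for one object

def obf_bp_by_group(group: str) -> Callable[[], list[str]]:
    """'All business partners with BU_GROUP <group>'."""
    return lambda: [bp.bp_id for bp in BUSINESS_PARTNERS if bp.bu_group == group]

def obf_contacts_of_group(group: str) -> Callable[[], list[str]]:
    """'All contacts of all business partners with BU_GROUP <group>'."""
    return lambda: [c for c in CONTACT_PARENT if parent_of(c).bu_group == group]

def afo_sales_org(obj_id: str) -> set[str]:
    """Actor of an object = sales org of its (parent) business partner."""
    return {parent_of(obj_id).sales_org}

def afu_sales_org(user: str) -> set[str]:
    """Actors For User: the sales orgs the user is assigned to."""
    return set(USER_SALES_ORGS.get(user, set()))

@dataclass(frozen=True)
class Right:                  # user group + action group + rule
    user_group: str
    actions: frozenset[str]
    rule: str

class Ace:
    """Rule run (fills the _ACL and UCT tables) plus the runtime check."""
    def __init__(self, rules: list[Rule], rights: list[Right]) -> None:
        self.rules = {r.name: r for r in rules}
        self.rights = rights
        self.acl: dict[str, set[tuple[str, str]]] = {}  # rule -> {(object_id, actor_id)}
        self.uct: dict[str, set[str]] = {}               # user -> {actor_id}

    def build_acl(self) -> None:
        for rule in self.rules.values():
            self.acl[rule.name] = {(obj, actor)
                                   for obj in rule.obf() for actor in rule.afo(obj)}

    def build_uct(self, users, afu: Callable[[str], set[str]]) -> None:
        for user in users:
            self.uct[user] = afu(user)

    def is_allowed(self, user: str, object_id: str, action: str) -> bool:
        """Some Right for the user's group grants `action` through a rule whose
        ACL holds (object, actor) for one of the user's actors; otherwise deny."""
        actors = self.uct.get(user, set())
        group = USER_GROUPS.get(user)
        for right in self.rights:
            if right.user_group != group or action not in right.actions:
                continue
            rows = self.acl.get(right.rule, set())
            if any((object_id, actor) in rows for actor in actors):
                return True
        return False

    def filter_search(self, user: str, hits: list[str]) -> list[str]:
        """A search result after ACE: objects the user may not display vanish."""
        return [h for h in hits if self.is_allowed(user, h, "DISPLAY")]

RULES = [
    Rule("BP_GROUP_XYZ", obf_bp_by_group("XYZ"), afo_sales_org),
    Rule("CONTACTS_OF_XYZ", obf_contacts_of_group("XYZ"), afo_sales_org),
]
RIGHTS = [
    Right("KEY_ACCOUNT", frozenset({"DISPLAY", "CHANGE"}), "BP_GROUP_XYZ"),
    Right("KEY_ACCOUNT", frozenset({"DISPLAY"}), "CONTACTS_OF_XYZ"),
]
ACE = Ace(RULES, RIGHTS)
ACE.build_acl()
ACE.build_uct(USER_GROUPS, afu_sales_org)
```

With this data, alice (actor SO_NORTH) can display and change BP1000 but not BP1001, whose only ACL row carries bob's actor SO_SOUTH; she can display the contact CP5000 through the second rule but not change it, because the Right for that rule carries only DISPLAY; and carol, whose user group has no Right at all, gets an empty search result, which is the "0 hits" behaviour described above. Objects that appear in no _ACL table are denied here, i.e. the model assumes ACE is active for every object it is asked about.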
To be Continued…

1 comment:

  1. This is a great post and easy to understand.
    When can we expect the next parts???