
Hello all, in this blog I want to explain to you what CRM ACE is, what it can do, what the concept is and how you can implement it.

Introduction


Large and complex (international) CRM installations all face the same problem: how do we show the users only the data that they need to see? We don’t mean authorizations related to functionality, but related to business content. Imagine you run a big business and have a million customers worldwide. Then a sales rep responsible for a group of customers in Belgium should not see any customers from Asia in his search results. Or a sales rep with responsibility for a certain branch should not be bothered with customers of other branches. Furthermore, if the structure of the sales organisation changes, you don’t want to end up changing all kinds of authorization profiles.

To solve these issues, SAP came up with a pretty nice solution in CRM for the PCUI: CRM-ACE. This stands for Access Control Engine and is a framework to calculate user-dependent access rights at object level. It originates from Channel Management but works in all PCUI functionalities. Unfortunately it doesn’t work in other environments like IC Webclient or via the SAP GUI (but I created a development request for this….).

When I started looking into ACE a while ago there was very little documentation and information on this topic. There is some information in the IMG and a very basic SAP tutor file but posts in SDN Forums asking for info got almost no reply. As usual I found out how it works myself by debugging and tracing….and therefore I thought it would be a good idea to share it with you.

Difference with ‘normal’ authorizations


What is the real difference with the ‘normal’ authorization concept we are all familiar with? In this traditional concept you have to specify all values in the role, e.g. the sales organisation from which the user is allowed to see data. If you have 30 sales organisations you need 30 roles. These are static authorizations. In ACE you can specify in one role that all users who have this role can see customers for the sales area to which they are linked. So with 30 sales organisations you only need one role. If a sales rep moves from one organisation to another you don’t even need to change his authorizations. These are dynamic authorizations.

The concept of ACE

The basic element in the concept of ACE is the actor. To explain it in the simplest way: the actor is the linking and filtering element between the user and the object. The actor determines whether the user should see the object or not. As an example, look at the following picture, which explains the scenario in which a user is only allowed to see business partners where he is in the sales team. The user is linked to an employee and these employees are stored in the sales teams of the business partners.

image

From the user’s perspective you can determine the employee ID which is in the sales team. From the business partner’s perspective you can also see who is in its sales team. If both of them match, the user can see the object. If you understand the concept of the actor, you already understand 75% of ACE.

How the actor is determined from both perspectives is stored in a rule. Three methods are defined there: how to determine the actors from the user, how to determine the actors for an object, and a method to specify which objects to take into account in the first place. This is shown in the following picture:

image

An ACE rule is a combination of a role and an action (read, write, delete). These rules you can assign to ACE user groups which you can link to individual users or in most cases to dummy ‘normal’ authorization roles which you can assign in the user master.

The nice thing about the concept of ACE is that when you activate it, it fills the ACE tables with data so that later, during runtime, it can determine very fast who is allowed to see which data objects. Basically it determines beforehand, for all users and for all objects, what their actors are and stores this in tables. During runtime it knows your user, so it can quickly read your actors and then read all objects which have the same actor. If a new object is created after the activation, it automatically determines the actors in the background and updates the corresponding tables. Really nice!

Technical view

And now the interesting technical stuff: the place where you can customize all of the above is in the IMG under CRM\Basic Functions\ACE. Most things there speak for themselves and the documentation is reasonably good.

If you create a new ACE right you have to implement a new class (copy from an existing class in the range CL_CRM_ACERULE*). The class contains 5 methods:

1.     GET_ACTORS_FROM_USER: this method receives the userid in the field im_usr_name and determines the actors for this user which should be put in table ex_actor_id_table. Code samples will be below in this blog.

2.     GET_OBJECTS_BY_FILTER: this method determines which objects to take into account and puts their GUIDs in table ex_object_guid_table

3.     CHECK_OBJECTS_BY_FILTER: this method receives the table from the GET_OBJECTS_BY_FILTER method and here you can add additional filtering

4.     GET_ACTORS_FROM_OBJECTS: this method receives the internal table of method CHECK_OBJECTS_BY_FILTER and for all these object GUIDS it determines the actors at once. It puts these in the itab et_actor_ids.

5.     GET_ACTORS_FROM_OBJECT: this method is called when there is a new object created after the activation; e.g. when you create a new prospect this method calculates its actors. It gets as input the object GUID in field im_object_guid and gives its actors in table ex_actor_id_table

So methods 1-4 are used during the activation of ACE and the last one is used when new objects are created. At the end of this blog you will find some code samples.

The relevant tables involved are the following (where XX can be BP for business partners, OO for ‘one order’ objects which can be activities, orders, opportunities and leads, and PR for products; these are the three objects for which SAP delivers tables)

1.     CRM_ACE_XX_GRP: in this table all possible actors are stored (e.g. all employee numbers or all sales areas) with their ACE_GROUP_ID, which is the GUID linked to this actor.

2.     CRM_ACE_XX_UCT: in this table all users with all their ACE_GROUP_Ids (=all their actors) are stored

3.     CRM_ACE_XX_ACL: here all object Ids with their actors (in the form of the ACE_GROUP_Ids) are stored.

From these tables you can easily see how ACE internally works: it knows your users, then reads in the user context table (UCT) your acegroup Ids, and then in the access control list table (ACL) it reads directly all objects you are allowed to see. It works as easy as that.
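The lookup described above, modelled as an added Python example (not SAP code and not part of the original post). The class `AceModel`, its callbacks and the sample users and business partners are constructed for illustration; only the roles of the three tables and the rule method names come from the text.

```python
import uuid
from collections import defaultdict


class AceModel:
    """Toy model of the three ACE runtime tables (not SAP code)."""

    def __init__(self, actors_from_user, actors_from_object):
        # Callbacks stand in for GET_ACTORS_FROM_USER / GET_ACTORS_FROM_OBJECT.
        self.actors_from_user = actors_from_user
        self.actors_from_object = actors_from_object
        self.grp = {}                # actor -> ACE_GROUP_ID          (CRM_ACE_XX_GRP)
        self.uct = defaultdict(set)  # user -> set of ACE_GROUP_IDs   (CRM_ACE_XX_UCT)
        self.acl = defaultdict(set)  # object -> set of ACE_GROUP_IDs (CRM_ACE_XX_ACL)

    def _group_id(self, actor):
        # One GUID per distinct actor value; both sides resolve through it.
        return self.grp.setdefault(actor, uuid.uuid4().hex)

    def activate(self, users, objects):
        """Precompute the actors of all users and all objects (activation)."""
        self.grp.clear()
        self.uct.clear()
        self.acl.clear()
        for user in users:
            for actor in self.actors_from_user(user):
                self.uct[user].add(self._group_id(actor))
        for obj in objects:
            self.object_saved(obj)

    def object_saved(self, obj):
        """Recalculate one object's actors after it is created or changed."""
        self.acl[obj] = {self._group_id(a) for a in self.actors_from_object(obj)}

    def visible_objects(self, user):
        """Runtime lookup: user -> group IDs (UCT) -> objects (ACL)."""
        groups = self.uct.get(user, set())
        return sorted(o for o, g in self.acl.items() if g & groups)


def demo():
    # Constructed sample data: user -> employee, business partner -> sales team.
    user_employee = {"JANSEN": "E100", "TANAKA": "E200", "TEMP01": None}
    sales_team = {
        "BP-BE-01": {"E100"},
        "BP-BE-02": {"E100", "E300"},
        "BP-JP-01": {"E200"},
    }

    def actors_from_user(user):
        emp = user_employee.get(user)
        return [emp] if emp else []  # no employee: no actors, so nothing is visible

    def actors_from_object(bp):
        return sales_team.get(bp, set())

    ace = AceModel(actors_from_user, actors_from_object)
    ace.activate(user_employee, sales_team)
    result = {
        "jansen": ace.visible_objects("JANSEN"),
        "tanaka": ace.visible_objects("TANAKA"),
        "no_employee": ace.visible_objects("TEMP01"),
        "unknown_user": ace.visible_objects("GHOST"),
    }

    # Object created after activation: only that object is recalculated.
    sales_team["BP-JP-02"] = {"E200"}
    ace.object_saved("BP-JP-02")
    result["tanaka_after_create"] = ace.visible_objects("TANAKA")

    # Sales team changed on an existing object: the old actor loses access.
    sales_team["BP-BE-02"] = {"E300"}
    ace.object_saved("BP-BE-02")
    result["jansen_after_change"] = ace.visible_objects("JANSEN")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In this model a user without any entry in the user context table sees nothing, which is the behaviour to verify first when a result list is unexpectedly empty or unexpectedly complete.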

Performance


Does ACE boost the performance of your system? Given the logic of the tables above, it should. Unfortunately, however, the answer is no, or maybe just a very little. When you search for business partners, in the background it still retrieves all business partners, and only at a later stage does it limit the result list according to the ACE rules. So from that point on the result list is smaller, but the first search has already spoiled the response time. But maybe in future releases SAP will improve the logic of searching in the PCUI so it first reads the ACE tables, and then the other tables. In most SAP systems this will be quicker, depending on how the employees are mapped to the business partners.

Code samples of the methods


And last but not least…..the code samples. In this example I implemented class ZCL_CRM_ACERULE_RELATION which does the following: it allows users to see only business partners with which they have a relation. For example, they are defined as employee responsible, or as account manager.

As I’m not a real programmer (actually I’m a functional consultant however somehow I often end up programming too) there might be some room for improvement. I’m open for your suggestions!

GET_OBJECTS_BY_FILTER


This method retrieves all business partners which are organisations and all contact persons which are linked to a BP (because if you see a BP, you also want to see its CPs!)

METHOD IF_CRM_ACE_OBJECTS_BY_FILTER~GET_OBJECTS_BY_FILTER .

  DATA: ls_ace_object_key TYPE crms_ace_object_guid,
        ls_bsp_seareq_account TYPE crmt_bsp_seareq_account,
        lt_partner_key TYPE bup_partner_guid_t,
        ls_partner_key TYPE bupa_partner_guid,
        ls_control TYPE crmt_bsp_search_control,
        lt_crmm_but_lnk0011 TYPE TABLE OF crmm_but_lnk0011,
        ls_crmm_but_lnk0011 TYPE crmm_but_lnk0011,
        lt_bu_partner_guid TYPE bu_partner_guid,
        lt_crmt_bsp_sales_area_bp_t TYPE crmt_bsp_sales_area_bp_t,
        ls_crmt_bsp_sales_area_bp_t TYPE crmt_bsp_sales_area_bp.

  DATA: lv_partner TYPE bu_partner_guid,
        lv_ace_guid TYPE crms_ace_object_guid.

*- Select all organisations
  SELECT partner_guid
    INTO lv_partner
    FROM but000 WHERE type = '2'.

    MOVE lv_partner TO lv_ace_guid-object_guid.
    APPEND lv_ace_guid TO ex_object_guid_table.
  ENDSELECT.

*- Get all CPs which are linked to a BP
  SELECT b~partner_guid
    INTO lv_partner
    FROM but051 AS a INNER JOIN but000 AS b ON b~partner = a~partner2.

    MOVE lv_partner TO lv_ace_guid-object_guid.
    APPEND lv_ace_guid TO ex_object_guid_table.

  ENDSELECT.

ENDMETHOD.

CHECK_OBJECTS_BY_FILTER

This method doesn’t do any additional filtering; it just moves the content of one itab to another.

method IF_CRM_ACE_OBJECTS_BY_FILTER~CHECK_OBJECTS_BY_FILTER .

  data: ls_object_guid type crms_ace_object_guid,
        lt_partnerroles type table of BAPIBUS1006_ROLES,
        lt_return type table of BAPIRET2.

  loop at im_object_guid_table into ls_object_guid.
*    CALL FUNCTION 'BUPA_ROLES_GET'
*     EXPORTING
*       IV_PARTNER            =
*       IV_PARTNER_GUID       =  ls_object_guid-object_guid
*     TABLES
*       ET_PARTNERROLES       =  lt_partnerroles
*       ET_RETURN             =  lt_return.
*
**check if the partner has the role 'Consumer'.
*    If lt_return is initial.
*      read table lt_partnerroles with key partnerrole = 'BUP003'
*                                transporting no fields.
*      if sy-subrc eq 0.
        append ls_object_guid to ex_object_guid_table.
*      endif.
*    endif.
  endloop.

endmethod.

GET_ACTORS_FROM_USER


This method retrieves BPs to which the user is linked.

METHOD if_crm_ace_actors_from_user~get_actors_from_user .

*- This method gets the users and determines the BP which is linked as relation to an activity or business partner

  DATA: l_iv_partner_guid TYPE bu_partner_guid,
        l_bp_nr TYPE bu_partner,
        ls_actor_id TYPE crms_ace_actor_id.

  CLEAR: l_iv_partner_guid, ex_actor_id_table.
  REFRESH: ex_actor_id_table.

*- First determine the BP of the user
  CALL FUNCTION 'BP_CENTRALPERSON_GET'
    EXPORTING
      iv_username         = im_usr_name
    IMPORTING
      ev_bu_partner_guid  = l_iv_partner_guid
    EXCEPTIONS
      no_central_person   = 1
      no_business_partner = 2
      no_id               = 3
      OTHERS              = 4.
  IF sy-subrc <> 0.
* MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
*         WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
  ENDIF.

*- Get the partner number as actor
  SELECT SINGLE partner FROM but000 INTO l_bp_nr WHERE partner_guid = l_iv_partner_guid.

*-  ex_actor_id_table-IM_USR_NAME = im_usr_name.
  SHIFT l_bp_nr LEFT DELETING LEADING '0'.
  MOVE l_bp_nr TO ls_actor_id-actor_id.
  APPEND ls_actor_id TO ex_actor_id_table.

  SORT ex_actor_id_table.
  DELETE ADJACENT DUPLICATES FROM ex_actor_id_table.

ENDMETHOD.

TYPE crms_ace_object_guid.

  CONSTANTS : abap_false TYPE c VALUE ' '.

* in advantage of the multi function module the query for the
* channel partner must only called one time

  LOOP AT it_object_guids ASSIGNING -object_guid TO ls_actor_ids-object_guid.

*   get the ref kind.
    CALL FUNCTION 'CRM_ORDER_GET_OBJECT_TYPE'
      EXPORTING
        iv_ref_guid = lv_order_guid
      IMPORTING
        ev_ref_kind = lv_ref_kind.

    MOVE lv_order_guid TO lv_bapi_order_guid.
    APPEND lv_bapi_order_guid TO lt_bapi_order_guid.

*- Get the activity details
    CALL FUNCTION 'BAPI_BUSPROCESSND_GETDETAILMUL'
      TABLES
        guid    = lt_bapi_order_guid
        header  = lt_header_dis
        partner = lt_partner_dis
        status  = lt_status_dis
        return  = lt_ret2.

*- In table lt_partner_dis are the partners
    LOOP AT lt_partner_dis INTO ls_partner_dis.

      CLEAR ls_object_actors.
      l_bp_no = ls_partner_dis-partner_no.

*- Put leading zeros in front of BP nr
      CLEAR l_string.
      l_string = STRLEN( l_bp_no ).
      WHILE l_string NE 10.
        CONCATENATE '0' l_bp_no INTO l_bp_no.
        l_string = STRLEN( l_bp_no ).
      ENDWHILE.

*- Check if the relation has a linked user; if not, don't store it
      CLEAR l_username.
      SELECT SINGLE partner_guid INTO l_partner_guid2
                   FROM but000 WHERE partner = l_bp_no.

      CALL FUNCTION 'BP_CENTRALPERSON_GET'
       EXPORTING
*             IV_PERSON_ID              =
         iv_bu_partner_guid        = l_partner_guid2
*             IV_EMPLOYEE_ID            =
*             IV_USERNAME               =
       IMPORTING
*             EV_PERSON_ID              =
*             EV_BU_PARTNER_GUID        =
         ev_username               = l_username
*             ET_EMPLOYEE_ID            =
*             EV_NAME                   =
       EXCEPTIONS
         no_central_person         = 1
         no_business_partner       = 2
         no_id                     = 3
         OTHERS                    = 4
                .
      IF sy-subrc <> 0.
        CHECK 1 = 2.
      ENDIF.

*- If no linked user, don't bother saving it
      CHECK NOT l_username IS INITIAL.

      ls_object_actors-object_guid = lv_order_guid.

      CLEAR l_string.
      l_string = STRLEN( l_bp_no ).
      WHILE l_string NE 10.
        CONCATENATE '0' l_bp_no INTO l_bp_no.
        l_string = STRLEN( l_bp_no ).
      ENDWHILE.

      APPEND l_bp_no TO lt_actors_for_object.

*- If the partner is the activity partner, save this for the next processing block
      IF ls_partner_dis-ref_partner_fct = '00000009'.
        l_activity_partner = ls_partner_dis-partner_no.
      ENDIF.

    ENDLOOP.

    IF NOT l_activity_partner IS INITIAL.

*- Also append the partners of the business partner of the activity
*- Select all relationships of this BP with a BP with a userid linked
      SELECT partner2 INTO l_partner2
               FROM but050 WHERE partner1 = l_activity_partner.

*- Check if the relation has a linked user
        CLEAR l_username.
        SELECT SINGLE partner_guid INTO l_partner_guid2
                     FROM but000 WHERE partner = l_partner2.

        CALL FUNCTION 'BP_CENTRALPERSON_GET'
         EXPORTING
*             IV_PERSON_ID              =
           iv_bu_partner_guid        = l_partner_guid2
*             IV_EMPLOYEE_ID            =
*             IV_USERNAME               =
         IMPORTING
*             EV_PERSON_ID              =
*             EV_BU_PARTNER_GUID        =
           ev_username               = l_username
*             ET_EMPLOYEE_ID            =
*             EV_NAME                   =
         EXCEPTIONS
           no_central_person         = 1
           no_business_partner       = 2
           no_id                     = 3
           OTHERS                    = 4
                  .

        IF sy-subrc  TYPE crm_ace_object_guid.

  CONSTANTS : abap_false TYPE c VALUE ' '.

* in advantage of the multi function module the query for the
* channel partner must only called one time

  assign im_object_guid to  TO ls_actor_ids-object_guid.

*   get the ref kind.
    CALL FUNCTION 'CRM_ORDER_GET_OBJECT_TYPE'
      EXPORTING
        iv_ref_guid = lv_order_guid
      IMPORTING
        ev_ref_kind = lv_ref_kind.

    MOVE lv_order_guid TO lv_bapi_order_guid.
    APPEND lv_bapi_order_guid TO lt_bapi_order_guid.

    CALL FUNCTION 'BAPI_BUSPROCESSND_GETDETAILMUL'
      TABLES
        guid    = lt_bapi_order_guid
        header  = lt_header_dis
        partner = lt_partner_dis
        status  = lt_status_dis
        return  = lt_ret2.

*- In table lt_partner_dis are the partners
    LOOP AT lt_partner_dis INTO ls_partner_dis.

      l_bp_no = ls_partner_dis-partner_no.
      ls_object_actors-object_guid = lv_order_guid.
      append l_bp_no TO lt_actors_for_object.
      ls_object_actors-actors = lt_actors_for_object.

    ENDLOOP.

    ex_actor_id_table = lt_actors_for_object.

endmethod.


47 Comments


  1. Senthil Rathinasamy
    Wonderful conceptual presentation. I also appreciate your presentation as to the concept and the code sample separately.
    Though, you mentioned they are ‘samples’, I was wondering if my doubt is appropriate, yet quoting here.
    In your sample code “GET_ACTORS_FROM_USERS”,  in the last 5 lines, you are appending the ex_actor_id_table with l_bp_no(the actual BP partner id). I guess that table has to have guids. I may be wrong..Pls clarify if you could.

    Thanks

    (0) 
    1. Boris Dingenouts Post author
      Hi Senthil,

      The code ‘samples’ are really live in a customers system. The code which is in the methods is not filling the CRM_ACE* tables directly; they are just filling internal tables. In a later stage (by standard SAP coding) the actors are converted into GUIDs and these are written into the tables. The mapping between the actor and the GUID can be found in the CRM_ACE_XX_GRP tables where XX is the object type (BP, OO or PR).

      I hope this answers your question.

      Best regards,

      Boris Dingenouts

      (0) 
      1. Rahul Sharma

        Hello Boris,

        I am new to ACE and went through your very helpful blog and was able to configure ace with help of my technical consultant. But I am not getting the desired output with the same.

        Our scenario is that we want to restrict the user access to the customer data, lead and opportunity based on sales organisation. However after the configuration of the ACE the user is only able to see the customer data created by him, but other users are able to see all the data including the one created by user who is assigned in ACE. Moreover no restrictions are active in lead (it may be because we have not configured yet)

        This is first time I am trying to work on ACE and my technical consultant also does not have a great idea about the same. We followed some post on the web with code and everything. But still the result is not appearing.

        One of the reasons I could identify is that at the time of creation of account the user EMP id is not getting updated automatically and when we try to do this manually we get an error message BP does not exist. I checked the user id in PPOMA_CRM and it is assigned properly to the Org structure. Then we deactivated ACE and logged in with the same user ID and created a new account and employee id was getting automatically pulled from Org Struct.

        I would greatly appreciate your help if you could give me some idea of what we may be doing wrong.

        Thanks & Regards

        (0) 
  2. Alexander Schuchman
    Within CRM(5.0), there is Trade Promotion Management.  Two years ago, my colgate evaluated using ACE to control our very complex security requirements, basically ACE is exactly what we wanted/needed.  However after multiple conference calls with SAP Germany Product Managers for ACE, it was decided that since ACE is not being called/checked by all the various applications within TPM(Marketing Calendar, Marketing Planner, Account Planner) that it would be more difficult to use ACE than custom write our own BADIs.
    I’ve never really heard of anyone using ACE, therefore your post is very interesting.  Wanted to see what your thoughts were on ACE and TPM.
    Thanks.
    -Alex
    (0) 
    1. Boris Dingenouts Post author
      Hello Alex,

      We use ACE in the PCUI environment. I’m aware of the fact that ACE is not implemented in the IC Webclient and also not in the online sales transactions via the GUI. For the IC Webclient I’m planning to make a development request to SAP as I was unpleasantly surprised when I found out it was not working there. As I have no experience with TPM I don’t know the implementation status of ACE there.

      I really believe that ACE is a very strong concept and its possibilities are almost unlimited as you can define in the methods your own coding. Therefore I truly hope that SAP will implement ACE in all parts of CRM like in TPM,  but also in the coming Unified User Interface. Maybe a development request will help for future releases?

      Best regards,

      Boris Dingenouts

      (0) 
  3. Thomas Hettenhausen
    Hello Boris,

    based on your code here I tried to implement ACE as well, but this time I wanted to use the Sales Org as the actor. This means that I determined the sales orgs that BPs are related to on one hand, and on the other hand I did the same for the users.

    When I activate the ACE it first looks fine, tables are filled, and searching for Accounts only returns those I expected.

    The problem now is that when I search for contact persons the system tells me that there is no relation between the found CP and the BP (stating the correct IDs in the error message) and then not listing anything in the result list.

    While debugging I found that this happens in the MAC CL_BSP_BP_COP_ACCMOD in function read, where the code

    READ TABLE lt_object_keys INTO ls_object_keys WITH TABLE KEY table

    produces a sy-subrc of 4, and therefore executes

    DELETE lt_relation_numbers INDEX lv_tabix.

    This means that all relations are deleted from the relations table. The problem is that in the debugger I cannot see what value the variable “table” has, and I currently see no way around this.

    I first thought that adding GUIDs for relationships would help, but now I would rather first know why this is happening at all.

    Do you have any idea regarding this?

    Regards
    Thomas

    (0) 
    1. Thomas Hettenhausen
      Well, my mistake in this case was that I used the classic debugger, which didn’t show the whole line, unfortunately…
      Now I figured that what happens is that the system compares the GUIDs it finds with all the GUIDs in a table called gt_uoc, which unfortunately does only hold the GUID for the BP I search for, not the contact persons. This table gt_uoc is from a class User Objects Cache Class, CL_CRM_ACE_USER_OBJECTS_CACHE. I somehow have the feeling that this is some kind of global cache, but I do not know how to clear this cache.

      Did you come across this cache as well in your work?

      Thomas

      (0) 
      1. Boris Dingenouts Post author
        Hello Thomas,

        It could very well be that for performance reasons things are cached; I did not come across this yet. However I sometimes do find some things which seem not to be correct; de- and reactivating the ACE rule always fixes this problem. Probably then this cache is cleared.

        We are also regularly rebuilding the ACE tables; we plan to do this every weekend.

        Best regards,

        Boris Dingenouts

        (0) 
  4. Glenn Michaels
    I’m a functional CRM configurator with lite abap.
    I was successful in ACE setting up a partner employee assigning rights to Partner Employee Maintain Opportunity.  We created a Partner Employee user id with role SAP_PCC_PARTNEREMPLOYEE.   When this id logs into the portal or CRM online the only opportunities found are those documents where he is defined as a BP = 00000090     Employee Resp. at Ch. Partner.  This all looks great.

    My question is can I use ACE to allow the user to see all documents associated with a sales Office (sales office in the org model on the document in CRM) even if he is not a BP on that document???

    The reason being we are using ISA and if we switch to channel management we need to not lose the history (plus we scenario X, so the CRM documents are locked from updates) plus our external reps come & go and a new rep needs to see history of their territory.  (we would use channel management for sales orders & opportunities).

    I’m having a hard time finding if the 00000090 Employee Resp. at Ch. Partner is required on the documents / BP’s you want to give authorization  to.

    Thanks,
    Glenn

    (0) 
    1. Boris Dingenouts Post author
      Dear Glenn,

      If I understand your issue well you want to authorise your channel partner employee to view all orders of a certain sales office.

      This is very well possible. Therefore there are two things that should be in place:
      1. your orders must have the sales office somewhere
      2. there must exist a link between a channel partner employee and the sales office (e.g. the channel partner employee is linked to a channel partner which is linked to a sales office)

      The actor in this case is the sales office. You must define a rule which determines the sales offices of the orders (the actors for object method) and the sales office(s) linked to the channel employee (the actors for user method).

      This will require some (relatively easy) ABAP programming and some customizing in ACE.

      ACE is very well suited to handle these kind of cases.

      Best regards,

      Boris Dingenouts

      (0) 
      1. Glenn Michaels
        You understand correctly, and we do have those relationships established.  Thanks very much for letting me know some lite abap is required so I don’t go crazy trying to configure something.

        Thanks!

        (0) 
  5. Andy FROEMMEL
    Hello Boris,

    thanks a lot for the detailed description. This will help other customers/partners to understand this scenario better.

    Best regards,

    Andy Froemmel

    (0) 
  6. Catherine Xinos
    Boris,

       Thanks for writing this.  I’m trying to put it all together though.  We want to use the sales office as the actor.  So I created a new class by copying an existing one as you said.  For the time being, I just wanted to follow the flow of the logic that used in your examples.  My question is where do these Methods get called from?  Do you have any step by step instructions for the configuration part of this?  Incorporating the new class/methods?

    Thank You,
    Cathy

    (0) 
    1. Boris Dingenouts Post author
      Hello Cathy,

      The methods in the blog get called in two cases:
      1. when you activate ACE via the trx. CRM_ACE_ADM. Then the runtime tables get built up and these methods are called

      2. the method GET_ACTORS_FOR_OBJECT gets called every time an object gets created or changed. This makes sure that after the initial activation also all changes are properly reflected in these tables.

      If you want a more detailed step-by-step instruction: in the CRM Expert Magazine edition of this month (May) I wrote an article which has a step-by-step instruction on how to configure ACE. I’m sure you will find this very useful.

      Best regards,

      Boris

      (0) 
  7. Bernard F Greene
    Boris,
    Thanks for posting this blog. There is little info on ACE anywhere. We were looking into ACE to limit the BP’s based on role. However, I wanted to test your code first to fully understand how it works. I have created the class and all other associated objects, but when I pull up the Accounts PCUI app, I get no results. I also noticed that table CRM_ACE_BP_ACL is empty as well. Should this table be populated?

    Thanks for your help,
    BG

    (0) 
    1. Boris Dingenouts Post author
      Hello Bernard,

      If the CRM_ACE_BP_ACL table is empty this means ACE is not set up correctly. Did you activate ACE properly via the CRM_ACE_ADM trx? Do you see in the last tab there that there were objects processed?

      You can test your methods in trx SE24 and using the test button. There you can test if it finds any actors linked to your users and if it finds actors linked to the BPs. You need to input a BP GUID there and in your case it should return its role as an actor.

      Best regards,

      Boris

      (0) 
      1. Bernard F Greene
        Thank you very much for your help Boris. I was not aware that I could test in SE24 (as I am not a programmer either). Everything appears to be working now, except that when I deactivate and activate the rule, I get the proper entries in tables CRM_ACE_BP_GRP and CRM_ACE_BP_ACL. However, when I refresh the objects ACL from CRM_ACE_ADM, I get wrong entries in both the tables. Deactivating and activating again restores the correct values. Might this be a cache issue, or possibly a bug?

        Thanks,
        Bernard

        (0) 
        1. Boris Dingenouts Post author
          Hello Bernard,

          It is a very strange effect that activating a rule gives a proper result while refreshing the objects ACL does not. Can you maybe check if the refreshing of the objects ACL gives a timeout? I’ve seen that refreshing the object ACL starts as a background job which starts a dialog job which can time out.

          Best regards,

          Boris

          (0) 
    2. Andy Pats
      Hi Bernard,
      I too have a similar requirement to restrict BPs (Accounts) based on role. Could you please share with me (email: andyspats@gmail.com) your knowledge on this particular scenario and how you managed it? I also request that you send me the code you implemented to accomplish this requirement along with the customizing steps.

      Many thanks in advance,

      Regards,
      Andy (andyspats@gmail.com)

      (0) 
  8. Andy Pats
    Excellent presentation. Can you also please send the configuration steps and other documentation which you did for this work, starting from creating usergroup, rule etc..

    Thx & Rgds,
    Andy

    (0) 
  9. Andy Pats
    Hi Boris,
    I am testing a standard scenario, the ‘CONTACT’ rule, wherein the object context is blank when I activate it but the user context has a record (the BP with which my user is associated). When I debugged it from the class (SE24) I got some entries in AFO (Actors from Objects class). Where could the problem be?

    Another finding I noticed was that in SM50 (Process Overview) I could see that the status for the background process (BGD) was ‘on HOLD’ and the reason was ‘SLEEP’ for report ‘CRM_ACE_DISPATCHER’.

    As I find you as an expert in ‘ACE’, could you also please pass me on your article which has come up in CRM EXPERT(to andyspats@gmail.com)

    Thanks in advance…..
    Regards,
    Andy

    (0) 
  10. Andy Pats
    Hi Boris,
    We resolved the object context being blank issue, as it was happening because the background processor, which schedules a background job when we activate the rights, was in inactive (sleep) mode.

    Current scenario is, when two BPs are connected with relationship ‘Is contact Person For’, when a user is connected to this BP, he should not be allowed to edit BPs who are contacts. Any thoughts on this?

    Regards,
    Andy
    (email:andyspats@gmail.com)

    (0) 
    1. Boris Dingenouts Post author
      Hello Andy,

      I’m not sure if I understand your scenario correctly. Normally there is a BP which has contact persons which are linked via the relationship ‘has contactperson’. Do you want that they cannot edit contact persons?

      Best regards,

      Boris

      (0) 
      1. Andy Pats
        Hi Boris,
        The scenario is like this:
        BP ‘A’ is in relation to BP ‘B’ via relationship ‘has contact person’. A user who is attached to BP ‘A’, when he logs in, should not be able to edit all BPs maintained as contact persons for BP ‘A’ (including BP ‘B’ in this case!). But again, this we need to implement with ACE on BRAND OWNERs’ side (not with channel partners!).

        Please brainstorm with some logic to handle this.

        Best Regards,
        Andy

        (0) 
  12. Hello Boris,

    Your way of approach over the ACE was very excellent!! Basically I am working in the area of Authorization and now we want to implement this ACE for some of the channel management roles in PCUI.

    Actually I am new to this SAP world; luckily I found your blog when I was trying to do some research on this topic and it is really helpful to me. I need your support for the step-by-step configuration for implementing the ACE.

    So can you please provide me the document to my mail id (manikya_kalyan@hotmail.com)

    (0) 
    1. Boris Dingenouts Post author
      Hi Manikya,

      I get this question often, but I have no better document than what is described here in the weblog. With the help of this you should be able to implement ACE.

      I’m working now on an ACE implementation in CRM 5.0 and ACE has been changed quite a lot from the customizing perspective. If the summer stays bad as it is here in the Netherlands I will make a blog about ACE in 5.0 as well….

      Best regards,

      Boris

      (0) 
  13. Glenn Michaels
    What happened to CRM_ACE_DEV & CRM_ACE_ADM in 5.0?  Please don’t tell me I have to use the rule modeler.  I just want to keep the sales office logic we enhanced in 4.0 in our 5.0 upgrade.

    I see table CRM_ACE_USERS, but how do I activate & de-activate users?

    (0) 
    1. Boris Dingenouts Post author
      Hello Glenn,

      The customizing transactions and some tables are from 5.0 onwards a bit different. You find all of them in the customizing tree: CRM->Basic Functions->Access Control engine. The main transaction for enhancements is now the ‘Create Rules’ node.

      The activation transaction is now called ACE_ACTIVATION.

      Just a matter of getting used to the new transactions, I hardly can remember how it was in 4.0 😉

      Best regards,

      Boris

      (0) 
  14. fiel calleja
    Hello, Boris.
    First, let me say that your blog about ACE is an impressive document.
    I just have a simple question for you.
    We are installing SAP CRM 5.0 and we are wondering whether we can use ACE on the SAP GUI interface or not (we suspect that it is not possible).
    Thank you in advance
    (0) 
  15. Rohan M
    Hi Boris,

    I have configured and implemented Access Control Engine as per Ravi’s blog and used Boris’s code. Everything went fine; I have activated “Usergroups”, and it is activated.

    But when I tried to activate ACE “RIGHTS” using the same Tx Code: ACE_ACTIVATION, it says “Activation of right: ZACC_RIGHT is already in process” but it’s not getting activated.

    Can you please guide me to resolve the problem.

    Thanks & Regards

    Rohan

    (0) 
  16. Remko Buijink
    Dear Boris,

    This blog is still very helpful in 2009 for implementing ACE. It helped a lot!

    I have a specific question from a customer about using ACE. They are going to implement ACE and have the following specification. If you do not have a relation with the BP you are allowed to view the account information, contact information (employees of the account), and relationships.

    But you are not allowed to see any transactions, attachments of the account and the Fact sheet. Can these kinds of requirements be met with ACE? And will it involve a lot of ACE rules?

    best Regards

    (0) 
  17. Curtis Fincher
    Great blog,

    Does the use of ACE require installation and use of Enterprise Portal?

    Can some different options be suggested on this, even though they may be limited since these are external users hitting a system.

    Regards,

    curtis

    (0) 
  18. Bharat Kalagara
    Hi Boris,

    Thanks for posting this blog. Could you please clarify my questions below.
    What is the process of deactivating the ACE rights? Will it start any background job? I tried to deactivate it from the tcode “CRM_ACTIVATION”(Deactivation end date is appearing as blank.). I observed that a background process(SM50) is running for a long time and nothing is happening.

    Please clarify how CRM ACE works once the initial activation is completed. What will happen if we ignore the OBF(Objects By Filter) method and write the code only in AFO(Actors From Objects) and AFU(Actors From User) methods?

    Regards,
    Bharat.

    (0) 
    1. Satender Yadav

      Hi Bharat,

      1. If you want to deactivate ACE, you can disable by going in SPRO>>CRM>>Basic functions>>Access Control Engine>>Maintain General Parameters>>ACE_IS_INACTIVE – X.

      It will disable ACE.

      If you want to individually disable rights, you can do through txn ACE_ACTIVATION. Select a right and deactivate.

      2. If you don’t write anything in OBF, it will filter in all object of that Actor type (e.g. if ACCOUNTCRM is actor it will filter in all prospects/sold to/contacts etc). You can put a filter there, if you want.

      Hope it will help.

      Thanks,

      Satender

      (0) 
  19. ROBIN FRANKLIN
    Hi Boris,
    Thanks for your excellent post on ACE implementation. A few clarifications on ACE would help me to go ahead and implement this.
    I have a scenario where a Sales Employee should see only the Sales area data (Sales Org+Dis Channel+DIV) which he belongs to, when creating an Account (Business partner). Would ACE help in this scenario?

    Thanks in Advance.,
    Robin Franklin

    (0) 
