Skip to Content

In my Configuration & Implementation of CRM Access Control Engine (ACE)-Part 1 blog, I had listed down the configuration steps required for the business scenario discussed. In this blog we will go through the implementation of the ABAP class for Access Control.

Let me revist our Business scenario: 

Business Scenario:  Any particular account and its Contacts can be displayed/edited/deleted by the employee who has created that account and the other employees who are related to that Account with the relationship type “Is the Responsible Colleague Of”. 

As per our requirement: 

  • Objects: All the Business Partners who are Persons as well as Organizations.
  • Actors: Responsible Employee of any Business Partner or an employee who has created the BP. 

We need to implement the following interfaces in the ABAP class ZCL_ACERULE_ACCOUNT… 

IF_CRM_ACE_OBJECTS_BY_FILTER~GET_OBJECTS_BY_FILTER 

This method fetches all the objects to which ACE right is applicable. Objects applicable to our ACE rule are all the Business Partners. So, get the entire Business Partners from BUT000 and append them to the exporting internal table of this method.

 

  

 

IF_CRM_ACE_ACTORS_FROM_USER~GET_ACTORS_FROM_USER 

This method calculates the Actors to every user assigned to our ACE right. Actors are employees as said before. So get the employee for each user and append them to the exporting internal table.

 

  

 

IF_CRM_ACE_ACTORS_FROM_OBJECT~GET_ACTORS_FROM_OBJECTS 

This method is very important in an ABAPer’s point of view as it has maximum amount of coding 😉 

This method queries actors according to a specified list of objects. (Mass data method) 

SAP recommends us to implement this (mass data) method instead of single object versions, such as method GET_ACTORS_FROM_OBJECT.  

It has the following parameters: 

1. ‘IT_OBJECT_GUIDS’: Importing, type CRMT_ACE_OBJECT_GUID

This has all the objects (GUID of BP) whose actors are to be determined.

2. ‘ET_ACTOR_IDS’: Exporting, type CRMT_ACE_OBJECT_ACTORS

All the determined actors are appended to this internal table. 

3. ‘ET_FAILED_OBJECTS’: Exporting, type CRMT_ACE_OBJECT_GUID

All the failed objects, say objects to which actors couldn’t be determined will be appended to this internal table. Please refer to the implementation code below, it is self explanatory. 

 

 

 

We will not be implementing the method GET_ACTORS_FROM_OBJECT hence forth. 

We also have another method  IF_CRM_ACE_OBJECTS_BY_FILTER~CHECK_OBJECTS_BY_FILTER in which additional filtering can be performed.

 

 

 

Have a look at the parameters of the custom method GET_RESP_EMP and also its implementation part.

 

 

Then have a look at the Public Local Type Definitions created:

 

  

 

Then we need to activate our Work Package and Rights. First activate you User Group from the User Groups tab and then activate your right from the Rights tab. Related screen shots are attached below:  

 

 

 

Once the right has been activated you can check out a job runs which can be checked in your SM37 TA and the runtime tables are filled in with the authorization data. After the job finishes, you can check out one of the runtime tables CRM_ACE2_BP_ACL filled in with authorization data.

 

 

 

     

 

Now, check out the TA ACE_RUNTIME which will show the runtime data. One can check out the accounts a particular user can access. One can also check out who ever is allowed to access a particular account.  

Filter Selection To call the report, select at least one superobject type.If you have selected a superobject type, you can refine your search by additional criteria and display the list. 

 

 

 

One can also use the TA “ACE_UPDATE” to update the user context as well as the Object Context. My next blog would deal with this aspect.

Also, I would like to thank my Project Lead @Cognizant, Gautam Mandal who was the driving force behind this implementation.

I hope that this blog series would be very helpful to ABAP technical consultants while imlementation of Access Control Engine. 

Hope this blog serves its purpose!

To report this post you need to login first.

16 Comments

You must be Logged on to comment or reply to a post.

  1. Johan Van Zijl
    This is an excellent introduction to ACE and explains the concepts well.

    However, be careful when implementing the code provided as is.

    In method GET_RESP_EMP, a check should be done if anything was found, otherwise it will retrieve all BP’s on the next select.

    Also, et_failed_objects is not filled properly in GET_ACTORS_FROM_OBJECTS.

    (0) 
  2. Hello all!
    When I set breakpoint to GET_ACTORS_FROM_OBJECTS method, it didn’t stopped and when I tryed to change code there was no effect. Seems like this code didn’t execute.
    Why?
    (0) 
    1. Ravikiran Chittum Post author
      Hi Artur,

      The ACE activation and refresh happens in background. Hence the break point is not executed from foreground. Go to SM50 select the process, go to Program/Session->Program->Debugging to debug the process.

      Regards,
      Ravi

      (0) 
      1. Manuel Bujan
        Hi Ravi,

        We are having an issue with calendar appointments (Business Activity CRM) where the Object Id that is created for the event has the “Actor” field empty when checked against the runtime table. (ACE access error is triggered when accessing the object)

        Active ACE users can’t see those objects as they can only see the ones in their Org Unit (Actor) per design.

        Do you have any idea how to resolve that?

        Thanks,
        Manuel

        (0) 
  3. GENERIC Bp
    Someone suggest me to look at this blog. I think this is a good blog which illustrate the concept of ACE. But somehow I do have some other opinion on ACE. We have implement ACE for a large client several years ago. Conceptually, it is good. It fulfill the real business requirement. But after the go-live, you will notice so many problems. The system is unbelievably slow. And after reading all the ACE code and architecture. You will find the problem. Basically, how ACE work is.
    For example, the user only have access to 100 customer. There are totally 1 million customer in the database. The user just want to see all the customer he can access. So he do a search without any criteria. In this process, SAP code retrieve 1 million customer from the database, match them one by one to the authorization entries generated by ACE. In this case, most likely what return to the user will be a memory overflow error. We raise the question to SAP and SAP says it is by design.
    So be careful with ACE. If the pool is only 100 records and you want to control through ACE, it is fine. But if it is a big pool. You should consider something else in addition.
    (0) 
    1. Vijay Vijayasankar
      This is a common problem if you cannot do meaningful restrictions in OBF. This is not just an ACE problem – unrestricted selects kill performance, whether in ACE, reports or any where else
      (0) 
  4. mll Mat
    Hi,

    I have implimented this configuration and the methods but the result doesn’t appears (I mean the last image that contains the object that the user is authorized to read/write/delete).
    In your opinion what is the problem ?

    Thank you in advance.

    mll mat

    (0) 
  5. Rohan M
    Hi Ravi,

    I have configured successfully and while implementing class ZCL_CRM_ACERULE_ACCOUNT, When I try to give parameters with their associate types T_GUID_TAB & T_ACTOR_TAB table types not found. What do I need to do it for this?

    Thanks & Regards

    Rohan

    (0) 
  6. mauro b.

    Hi,

    very good contribution for starters. I implemented ACE a couple of years ago and after I’m sticking on it (avoiding PFCG as much as possible)

    Does anybody knows if ACE will be available in ECC as well?

    (0) 
  7. Uday Kumar Kanike

    Hi Ravi,

            I am currently in this project. You have done really good job. Can you contact me. I do have few doubts regarding this ACE security model.

    Thank you,

    Uday

    (0) 
  8. Paul Fuente

    Hi Ravi and everyone else who is familiar with ACE,

    This is such a good read! however, i’m still encountering an issue. From what I understand from this, is that it can only do things to Contacts that are assigned to an Account.

    Can someone help me, my issue is whenever a sales rep. creates a contact, he/she is not able to search it afterwards. Take note that the contact created is not yet assigned to an account.

    thanks!

    Paul

    (0) 
  9. rock lee

    hello, Ravikiran Chittum

         I follow the procedure step by step.When I activate the right,the background job ( ace_dispatcher )do not generate ,but the table CRM_ACE2_BP_ACL is filled with data,the final result like this: can you help me analyze what’s wrong with it.Really Thank you!

    QQ Photo20141218190626.jpg

    (0) 

Leave a Reply