Configuration & Implementation of CRM Access Control Engine (ACE)-Part 2

In my Configuration & Implementation of CRM Access Control Engine (ACE)-Part 1 blog, I had listed down the configuration steps required for the business scenario discussed. In this blog we will go through the implementation of the ABAP class for Access Control.

Let me revist our Business scenario: 

Business Scenario:  Any particular account and its Contacts can be displayed/edited/deleted by the employee who has created that account and the other employees who are related to that Account with the relationship type “Is the Responsible Colleague Of”. 

As per our requirement: 

• Objects: All the Business Partners who are Persons as well as Organizations.
• Actors: Responsible Employee of any Business Partner or an employee who has created the BP. 

We need to implement the following interfaces in the ABAP class ZCL_ACERULE_ACCOUNT… 

IF_CRM_ACE_OBJECTS_BY_FILTER~GET_OBJECTS_BY_FILTER 

This method fetches all the objects to which ACE right is applicable. Objects applicable to our ACE rule are all the Business Partners. So, get the entire Business Partners from BUT000 and append them to the exporting internal table of this method.

 method IF_CRM_ACE_OBJECTS_BY_FILTER~GET_OBJECTS_BY_FILTER.    data: lt_guids TYPE TABLE OF BU_PARTNER_GUID,         lv_guid TYPE BU_PARTNER_GUID,         ls_object_guid TYPE CRMS_ACE_OBJECT_GUID.    select PARTNER_GUID FROM but000 into table lt_guids.    loop at lt_guids into lv_guid.     ls_object_guid-OBJECT_GUID = lv_guid.     APPEND ls_object_guid to ex_object_guid_table.   endloop.  endmethod. 

IF_CRM_ACE_ACTORS_FROM_USER~GET_ACTORS_FROM_USER 

This method calculates the Actors to every user assigned to our ACE right. Actors are employees as said before. So get the employee for each user and append them to the exporting internal table.

 method IF_CRM_ACE_ACTORS_FROM_USER~GET_ACTORS_FROM_USER.    data: lv_partner_guid type BU_PARTNER_GUID,         ls_actor_id type CRMS_ACE_ACTOR_ID.    CALL FUNCTION ‘BP_CENTRALPERSON_GET’     EXPORTING       IV_USERNAME         = im_usr_name     IMPORTING       EV_BU_PARTNER_GUID  = lv_partner_guid     EXCEPTIONS       NO_CENTRAL_PERSON   = 1       NO_BUSINESS_PARTNER = 2       NO_ID               = 3       OTHERS              = 4.    if lv_partner_guid is not INITIAL.     move lv_partner_guid to ls_actor_id-ACTOR_ID.     APPEND ls_actor_id to ex_actor_id_table.     clear: lv_partner_guid, ls_actor_id.   endif.  endmethod. 

IF_CRM_ACE_ACTORS_FROM_OBJECT~GET_ACTORS_FROM_OBJECTS 

This method is very important in an ABAPer’s point of view as it has maximum amount of coding 😉 

This method queries actors according to a specified list of objects. (Mass data method) 

SAP recommends us to implement this (mass data) method instead of single object versions, such as method GET_ACTORS_FROM_OBJECT.  

It has the following parameters: 

1. ‘IT_OBJECT_GUIDS’: Importing, type CRMT_ACE_OBJECT_GUID

This has all the objects (GUID of BP) whose actors are to be determined.

2. ‘ET_ACTOR_IDS’: Exporting, type CRMT_ACE_OBJECT_ACTORS

All the determined actors are appended to this internal table. 

3. ‘ET_FAILED_OBJECTS’: Exporting, type CRMT_ACE_OBJECT_GUID

All the failed objects, say objects to which actors couldn’t be determined will be appended to this internal table. Please refer to the implementation code below, it is self explanatory. 

method IF_CRM_ACE_ACTORS_FROM_OBJECT~GET_ACTORS_FROM_OBJECTS.    data: ls_object_guids TYPE line of crmt_ace_object_guid,         lv_usr_created like sy-uname,         ls_actor_ids TYPE CRMS_ACE_OBJECT_ACTORS,         lv_actor_guid TYPE BU_PARTNER_GUID,         lt_actor_guids TYPE TABLE OF BU_PARTNER_GUID,         lt_get_Actors TYPE t_guid_tab,         ls_get_Actors TYPE LINE OF t_guid_tab,         lt_cp_guids TYPE t_guid_tab,         ls_failed_objects TYPE CRMS_ACE_OBJECT_GUID.    loop at it_object_guids into ls_object_guids.  *- Get all the Partners of whom the object is a CP     SELECT b~partner_guid FROM       but051 AS a INNER JOIN but000 AS b       ON ( a~partner2 = b~partner )       INTO TABLE lt_cp_guids       WHERE b~partner_guid = ls_object_guids-OBJECT_GUID.      if lt_cp_guids[] is not INITIAL. *- Object is a CP of some partners, get the actors for them       CALL METHOD ME->GET_RESP_EMP         EXPORTING           IT_OBJECT_GUIDS = lt_cp_guids         IMPORTING           ET_ACTOR_GUIDS  = lt_actor_guids.        CLEAR lt_cp_guids[].      else. *- Object is not a CP, then get its actors        MOVE ls_object_guids-OBJECT_GUID to ls_get_Actors-partner_guid.       APPEND ls_get_Actors to lt_get_Actors.       CLEAR ls_get_Actors.        CALL METHOD ME->GET_RESP_EMP         EXPORTING           IT_OBJECT_GUIDS = lt_get_Actors         IMPORTING           ET_ACTOR_GUIDS  = lt_actor_guids.        CLEAR: lt_get_Actors[].      endif. *-Assign access to the created user     select single CRUSR from but000 into lv_usr_created                                     where PARTNER_GUID = ls_object_guids-OBJECT_GUID.     if lv_usr_created is not INITIAL.       CALL FUNCTION ‘BP_CENTRALPERSON_GET’         EXPORTING           IV_USERNAME         = lv_usr_created         IMPORTING           EV_BU_PARTNER_GUID  = lv_actor_guid         EXCEPTIONS           NO_CENTRAL_PERSON   = 1           NO_BUSINESS_PARTNER = 2           NO_ID               = 3           OTHERS              = 4.       clear lv_usr_created.       if lv_actor_guid is not INITIAL.         APPEND lv_actor_guid to lt_actor_guids.         clear: lv_actor_guid.       endif.     endif. *- remove duplicate entries     SORT lt_actor_guids ASCENDING.     DELETE ADJACENT DUPLICATES FROM lt_actor_guids. *- finally append it to the exporting itab     if lt_actor_guids[] is not INITIAL.       ls_actor_ids-OBJECT_GUID = ls_object_guids-OBJECT_GUID.       ls_actor_ids-ACTORS[] = lt_actor_guids[].       append ls_actor_ids to et_actor_ids.       clear:ls_actor_ids,lt_actor_guids[].     else.       MOVE ls_actor_ids-OBJECT_GUID to ls_failed_objects-OBJECT_GUID.       APPEND ls_failed_objects to et_failed_objects.       CLEAR ls_failed_objects.     endif.   endloop. *- check for duplicates and delete them   SORT et_actor_ids ASCENDING.   DELETE ADJACENT DUPLICATES FROM et_actor_ids.  endmethod. 

We will not be implementing the method GET_ACTORS_FROM_OBJECT hence forth. 

We also have another method  IF_CRM_ACE_OBJECTS_BY_FILTER~CHECK_OBJECTS_BY_FILTER in which additional filtering can be performed.

method IF_CRM_ACE_OBJECTS_BY_FILTER~CHECK_OBJECTS_BY_FILTER.   ex_object_guid_table[] = im_object_guid_table[]. endmethod.  

Have a look at the parameters of the custom method GET_RESP_EMP and also its implementation part.

method GET_RESP_EMP. *- Gets all the actors (Employees who are related to account with the relationship type BUR011 *- BUR011 corresponds to relations “Has Responsible Colleague”   TYPES: BEGIN OF t_partner_tab,     partner TYPE bu_partner,     END OF t_partner_tab.    DATA: it_partner TYPE TABLE OF t_partner_tab.    select partner from but000 into TABLE it_partner                  FOR ALL ENTRIES IN it_object_guids                  where PARTNER_GUID = it_object_guids-PARTNER_GUID.    select but000~PARTNER_GUID FROM ( but000 INNER JOIN but050 on but000~partner = but050~partner2 )     into TABLE et_actor_guids     FOR ALL ENTRIES IN it_partner     where ( but050~partner1 = it_partner-partner and  but050~reltyp = `BUR011` ).  endmethod.

Then have a look at the Public Local Type Definitions created:

Then we need to activate our Work Package and Rights. First activate you User Group from the User Groups tab and then activate your right from the Rights tab. Related screen shots are attached below:  

Once the right has been activated you can check out a job runs which can be checked in your SM37 TA and the runtime tables are filled in with the authorization data. After the job finishes, you can check out one of the runtime tables CRM_ACE2_BP_ACL filled in with authorization data.

Now, check out the TA ACE_RUNTIME which will show the runtime data. One can check out the accounts a particular user can access. One can also check out who ever is allowed to access a particular account.  

Filter Selection To call the report, select at least one superobject type.If you have selected a superobject type, you can refine your search by additional criteria and display the list. 

One can also use the TA “ACE_UPDATE” to update the user context as well as the Object Context. My next blog would deal with this aspect.

Also, I would like to thank my Project Lead @Cognizant, Gautam Mandal who was the driving force behind this implementation.

I hope that this blog series would be very helpful to ABAP technical consultants while imlementation of Access Control Engine. 

Hope this blog serves its purpose!