Session ID: AGS206
User Access via the Access Control Engine (ACE) in mySAP CRM
© SAP AG 2005, SAP TechEd ’05 / AGS206 / 2
Contributing Speaker(s)
Larry Justice, Platinum Technical Consultant, SAP America
Learning Objectives
As a result of this workshop, you will be able to:
- Understand an overview of ACE functionality
- Understand the underlying architecture for ACE
- Have a better understanding of developing with ACE, both from the developer's perspective and from a security perspective
- Have a better understanding of the impact that implementing ACE has on user access management in CRM 4.0

Agenda
Section A: Overview
Section B: Architecture
Section C: Development / Security
Section D: Summary
Channel Management
Diagram: Brand Owner (Channel Manager) and the partner companies Partner 1 and Partner 2 with the portal roles Partner Manager and Partner Employee; example users Miller, Jones, Smith, Gold and Silver; the layers shown are Portal Role, Company, User and Object, with Objects 1 to 6 reached through actions.
Relations in the Business
Typical relations of business objects to a partner company organization
Relation to Assign Access Rights
The relation “MyCompaniesLeads”
The Actor (Org-Element) in the Relation
Use Cases in the Channel Management
Partner Employee can create, read, edit, and analyze accounts within his partner company. He can also read and edit (but not delete) accounts assigned by Channel Manager
Partner Manager Channel Commerce creates, reads, edits, deletes, and analyzes partner-specific condition records
Partner Manager and Partner Employees are only allowed to see their accounts (Relation: "is account of" / "has accounts")
Partner Manager has read access to leads where his organization is the Sales Partner of this lead
Use Cases in the Channel Management
Partner Manager has full access (create, read, edit, delete, analyze) to opportunities created by himself or an employee of the own company
Channel Manager has only access to read, edit and analyze an order (not to create or delete) for all orders of all partners
View own organization's customer orders only; no further restrictions
View, edit, etc. own organization's catalog (i.e. catalog with subscribed products) only
Product Subscription & Lead Time maintenance: Partner Manager – Channel Commerce only
Limitations to the Use Cases
Covered by existing authority concept: the create action is not possible for ACE
Future releases:
- Integration of BW and ACE for analysis requirements is a point for future releases
- Additional actions like "negotiate" or "dispatch" are planned for future releases
- Validating rights for a creation or dispatch process is planned for a future release
Rule Administration
Administration of rules:
- Actor type is the type of the organization element in the relation between user and business object
- GetActorsFromUser calculates the Actors for every user assigned to that right
- GetActorsFromObject calculates the Actors for every object returned by GetObjectsByFilter

Rule table:
Relation ID (Rule ID) | Actor Type      | Object Type | GetActorsFromUser     | GetActorsFromObject   | GetObjectsByFilter
MyLeads               | Contact         | Lead        | UserSContacts         | LeadSPartnerContacts  | *
MyCompaniesLeads      | Partner Company | Lead        | UserSPartnerCompanies | LeadSPartnerCompanies | German Leads
Rights Administration
Administration of rights:
- In most cases user groups are based on roles (portal roles)
- Rules describe the relation between user and objects
- Actions are the combination of the single actions of read, write and delete
After changes in the rights tables the administrator has to activate the changes with an activation tool

Rights table:
Right | User Group        | Object Type | Rule             | Action
R314  | All Partner Roles | Lead        | MyCompaniesLeads | Read
R315  | Partner Manager   | Lead        | MyCompaniesLeads | Change
R316  | All Partner Roles | Lead        | MyLeads          | Full
Definition of Rights Access Control List
Rule (Scenario) interface
To develop a rule, the scenario owner has to develop three interfaces:
- Determine actors from user
- Determine actors from business object
- Determine lists of objects in the focus of the rule
The Channel Management team has to be involved with the development of the rules for their use cases
Application Interface
For application integration SAP provides three kinds of interfaces:
Runtime interfaces:
- Single object check
- Multiple objects check
- Get access control list for some objects
Management interface:
- Inform ACE about new objects (call synchronously if possible)
- Inform ACE about changed objects
Authority mode interface:
- Informs about states of the ACE

Section B: Architecture
Architecture Overview
Architecture:
- Instance-based authorization
- Building subset of users
- Building subset of objects
- Using business relations to calculate authorization
Processes:
- Database cache
- User context calculation
- Activating rights
- Session cache and authorization check
- Object creation
- Object changes
Authorizations in Channel Management
Basis Authorizations
- Based on authorization objects
- Reaches down to transaction, field, and field value level
Dynamic Authorizations
- Framework to determine user-dependent access rights on object level
- Application can check access rights for actions on business objects
Diagram: in the basis authorization concept a User holds a Role made up of SAP Authorizations (object class, authorization object, authorization, authorization fields such as display or change); in the dynamic authorization concept Portal Role A is assigned to User 1 and User 2, who belong to Company 1 and Company 2 and perform actions on Objects 1 to 3.
Building Subset of Users
Diagram: ACE User Groups Gr1 and Gr2 are built from the roles known by ACE (R1 and R2); roles R1 to R4 are assigned to users 1 to 6 (example: user "5" has roles "R3" and "R4"). Users whose roles are not known to ACE are not under ACE control.
Building Subset of Objects
Diagram: ACE Object Filters F1 to F4 each return a subset of the objects (Lead 01 to Lead 12). Objects returned by an object filter are under ACE control; the remaining objects are not.
User- and Object-Context
User-context: the function GetActorFromUser() calculates the user-context. Examples for types in the user-context: Companies, Org-Unit, Position, Sales Area
We call these types "Actor-Type" and the values in the user context "Actor"
Object-context: the function GetActorFromObject() calculates the object-context. Examples for values in the object-context: Companies, Org-Unit
User- and Object-Context II
Diagram: the ACE User Groups (Gr1 and Gr2, built from roles R1 to R3 of users 1 to 4) and the ACE Object Filters (F1 to F4 over the leads) meet in the User-Object-Context: a business function calculates the user context and the object context and matches them on the Actor (here Leads 01, 03, 04, 05, 06, 07 and 10 are in scope).
Definition of Rule
Parts of a Rule:
1. User Context: GetActorFromUser()
2. Actor Type
3. Object Context: GetActorFromObject()
4. Object Type
5. Filter: GetObjectByFilter()

Rule table:
Rule ID          | Actor Type      | Object Type | GetActorsFromUser     | GetActorsFromObject   | GetObjectsByFilter
MyLeads          | Contact         | Lead        | UserSContacts         | LeadSPartnerContacts  | *
MyCompaniesLeads | Partner Company | Lead        | UserSPartnerCompanies | LeadSPartnerCompanies | German Leads
Definition of Right
Parts of a Right:
1. User Group
2. Rule
3. Action: what kind of action a user can do with his objects
4. (Not "Object Type"; this makes administration easy)

Rights table:
Right | User Group        | Object Type | Rule             | Action
R314  | All Partner Roles | Lead        | MyCompaniesLeads | Read
R315  | Partner Manager   | Lead        | MyCompaniesLeads | Change
R316  | All Partner Roles | Lead        | MyLeads          | Full
Results
No new roles for authorization necessary
Add new rights without code modification in the business object code
Customer code used as an add-on
Use of business relations makes the coding of rules very easy
Definition of actor types is a very important task when using ACE in a project
Runtime Cache
Calculate every rule for every authorization check? Good performance can be achieved by pre-calculating (caching) rule results
Structure of the database cache (additional memory caches exist):
- User Context: User, ACE Group ID
- ACE Group: ACE Group ID, Right ID, Actor
- Access Control List: Business Object ID, ACE Group ID, Action
One ACE Group is referenced by many User Context entries and by many Access Control List entries
Processes working with this data:
- First authorization check: User Context
- Activating rights: ACL (User Context)
- Authorization check
- Creating objects: ACL
- Changing objects: ACL

Section C: Development / Security
Overview of Authorizations and ACE
Diagram: authorization concepts on the CRM / R/3 side (Access Control Engine, Authorization Objects, Implicit Authorizations, Other concepts) next to the portal side (EP: Portal Role, SSO, Authentication, Portal Content, Application); the identities involved are the Portal User, the CRM User and the CRM Business Partner.
First Authorization Check (User Context)
The first steps are:
1. Is the ACE inactive? (CUSTOM)
2. Is this query a "Friendly Call"?
3. Is the action to be checked supported by the ACE?
4. Is the object type to be checked relevant for the ACE?
5. Is the user an active ACE user?
Now ACE starts working with:
- Is the user cached? (App-Server)
- Has the user context expired? (customizable; default value = 16 hours)
- Determining the active status
Remark: App-server cache and database cache are the same
User Context Cache
Calculating the new user context:
1. Get all Roles of the user
2. Get all ACE-User-Groups of the user
3. Get all Rights for the user
4. List all different "GetActorFromUser()" functions
5. Calculate all different Actors
6. Create all new ACE-Group entries ((Right-ID, Actor) pairs)
7. Change entries in the User-Context-Table
Create App-Server-Cache for user context
Remark: Start and end time of a right is only used in the user context, not in the ACL. If a user's roles change, the administrator has to refresh the user context manually
Activation of Rights and User-Groups
The first step of activating is to copy the design-time data into the corresponding runtime tables
Changing ACE configuration has no influence on the runtime until they are activated
You find the list of active rights and user groups by using the deactivation value-help
Activating Rights (ACL- Calculation)
Two separate steps:
1. Get all objects, using the filter
2. Calculate all ACL entries in small parallel processes
Process flow:
- Retrieve all objects to be activated
- Insert objects into the work table, block by block
- Read N blocks of 100 objects at most
- For each of the N blocks, in parallel: enqueue objects in this block and proceed with activation; update information on the success/failure as well as reporting data; commit the work in this LUW and dequeue objects in the block
- Create reporting data
Runtime Authorization Check
Some processes call the ACE authorization check very often for the same object
There is a runtime cache for checked ACE entries. This cache is a session cache; the runtime store is only for objects created in the same session
Diagram components: the check entry points CHECK_SINGLE_OBJECT_GUID / CHECK_MULTIPLE_OBJECTS_GUID, the Runtime-Store (CL_ACE_RUNTIME_STORE), the UserObjects-Cache (CL_ACE_USER_OBJECTS_CACHE) and the DB table XX_ACL (e.g. read from ACL)
Runtime Changes of Business Objects
All business objects under ACE control send change and create notifications to ACE
There are two different calls from the business object to ACE: HandleNewObjects() and HandleChangedObjects()
Two different calls are necessary because of the different processes
Creating New Object
During the creation process, the following happens:
- Write full access in the session runtime store
- Write the temporary ACL entry (full control for the creator) in the DB
- Start a background process to calculate the new ACL entries
In the background process:
- List all "Filters" for this object
- Calculate all used "GetActorFromObject()" functions using the "Filter"
- Calculate all actors for this object
- Write all new ACE-Group entries
- Write all new ACL entries
- Remove the temporary ACL entry
Remark: the creator can directly access his created object(s)
Change Object
During the change process, the following happens:
- Start a background process to calculate the changes of ACL entries
In the background process:
- List all "Filters" for this object
- Calculate all used "GetActorFromObject()" functions using the "Filter"
- Calculate all actors for this object
- Write all new ACE-Group entries
- Calculate the delta of ACL entries
- Write all new ACL entries
- Remove all unused ACL entries
Remark: if only right-independent attributes are changed, there is no write access to the DB
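The two background processes just described (HandleNewObjects and HandleChangedObjects), as an added Python illustration written for this page; it is not SAP code. The ACL is modelled as a set of (object, ACE group, action) tuples, the rule filter and the GetActorsFromObject function are constructed stand-ins attached to the right ids R314 and R315 from the rule slides, and TEMP_CREATOR is an assumed name for the temporary full-control entry.

```python
"""ACL maintenance on object create/change, modelled after the ACE background
processes described on the slides.  Illustration code, not SAP's implementation.

Constructed data: a right is a dict with the rule's filter and actors-from-object
function plus the right's action; right ids R314/R315 are the slide's, the rest
is made up for the example."""
from dataclasses import dataclass, field

TEMP_GROUP = "TEMP_CREATOR"   # assumed id for the temporary "full control for the creator" entry


@dataclass
class AceStore:
    acl: set = field(default_factory=set)             # (object_id, ace_group_id, action)
    ace_groups: dict = field(default_factory=dict)    # (right_id, actor) -> ace_group_id
    session_store: set = field(default_factory=set)   # objects created in this session (full access)

    def group_id(self, right_id, actor):
        """'Write all new ACE-Group entries': one group id per (right, actor) pair."""
        return self.ace_groups.setdefault((right_id, actor), f"G{len(self.ace_groups) + 1}")


def target_entries(store, obj_id, obj, rights):
    """Core of the background process: for every filter the object passes, run the
    rule's GetActorsFromObject stand-in and derive the ACL entries the object needs."""
    entries = set()
    for right in rights:
        if not right["filter"](obj):                      # "List all Filters for this object"
            continue
        for actor in right["actors_from_object"](obj):    # "Calculate all actors for this object"
            entries.add((obj_id, store.group_id(right["right_id"], actor), right["action"]))
    return entries


def handle_new_object(store, obj_id, obj, rights):
    store.session_store.add(obj_id)                       # full access in the session runtime store
    temp = (obj_id, TEMP_GROUP, "Full")                   # temporary ACL entry for the creator
    store.acl.add(temp)
    # background process (run inline here): write the real entries, then drop the temporary one
    store.acl |= target_entries(store, obj_id, obj, rights)
    store.acl.discard(temp)


def handle_changed_object(store, obj_id, obj, rights):
    """Returns True if the ACL had to be written, False if only right-independent
    attributes changed (the slide's 'no write access to the DB' case)."""
    current = {e for e in store.acl if e[0] == obj_id}
    wanted = target_entries(store, obj_id, obj, rights)
    added, removed = wanted - current, current - wanted   # "Calculate the delta of ACL entries"
    if not added and not removed:
        return False
    store.acl -= removed                                  # "Remove all unused ACL entries"
    store.acl |= added                                    # "Write all new ACL entries"
    return True


# Constructed rule/right records: filter + actors-from-object per right
SAMPLE_RIGHTS = [
    {"right_id": "R314", "action": "Read",
     "filter": lambda o: o["type"] == "Lead",
     "actors_from_object": lambda o: {o["partner_company"]}},
    {"right_id": "R315", "action": "Change",
     "filter": lambda o: o["type"] == "Lead" and o["country"] == "DE",
     "actors_from_object": lambda o: {o["partner_company"]}},
]


def demo():
    """Create a lead, change a right-independent attribute, then reassign its partner company."""
    store = AceStore()
    lead = {"type": "Lead", "partner_company": "PARTNER_A", "country": "DE"}
    handle_new_object(store, "LEAD01", lead, SAMPLE_RIGHTS)
    after_create = set(store.acl)
    wrote_desc = handle_changed_object(store, "LEAD01", dict(lead, description="updated"), SAMPLE_RIGHTS)
    wrote_move = handle_changed_object(store, "LEAD01", dict(lead, partner_company="PARTNER_B"), SAMPLE_RIGHTS)
    return store, after_create, wrote_desc, wrote_move


if __name__ == "__main__":
    s, created, w1, w2 = demo()
    print("after create:", sorted(created))
    print("description change wrote ACL:", w1, "| company change wrote ACL:", w2)
    print("final ACL:", sorted(s.acl))
```

The description change leaves the ACL untouched, while the reassignment to another partner company removes the old entries and writes new ones, which is exactly the delta the slide's background process computes.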
Dynamic Authorizations – Example 1
Megan (User A, manager with a partner company) wants to see the leads assigned to her company
Diagram: hierarchical structure of the partner organization, and the business objects
Dynamic Authorizations – Example
Rules to determine access for the lead:
1a. Check which contact person the lead is associated with
1b. Look up the primary partner company for the contact person
2a. Retrieve the contact person for user Megan
2b. Look up the primary partner company for the contact person
3. Compare the partner companies; if identical, show the lead to Megan
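The rule and right definitions from the Architecture section, the database cache structure (user context, ACE group, ACL) and Megan's example above, worked through in an added Python model. This is illustration code written for this page, not SAP's ACE implementation; the master data, the user and partner names, and the group identifiers are constructed, while the rule name MyCompaniesLeads, the rights R314/R315 and the filter "German Leads" are taken from the slides.

```python
"""Toy model of the ACE data flow: rules + rights -> user context -> ACL -> check.
Illustration code for this page, not SAP's ACE implementation.

Constructed sample data: two partner companies, contact persons that portal users
represent, and leads associated with contact persons.  Rule/right names follow
the slides (MyCompaniesLeads, R314, R315); everything else is made up."""
from dataclasses import dataclass
from typing import Callable

# user -> contact person (business partner) the portal user represents
USER_CONTACT = {"MEGAN": "CP_MEGAN", "TOM": "CP_TOM"}
# contact person -> primary partner company ("is contact person for")
CONTACT_COMPANY = {"CP_MEGAN": "PARTNER_A", "CP_TOM": "PARTNER_B", "CP_LEE": "PARTNER_A"}
# lead -> (contact person the lead is associated with, country)
LEADS = {"LEAD01": ("CP_LEE", "DE"), "LEAD02": ("CP_TOM", "DE"), "LEAD03": ("CP_MEGAN", "US")}
# roles per user, and ACE user groups defined on roles ("Building Subset of Users")
USER_ROLES = {"MEGAN": {"PARTNER_MANAGER"}, "TOM": {"PARTNER_EMPLOYEE"}}
GROUP_ROLES = {"ALL_PARTNER_ROLES": {"PARTNER_MANAGER", "PARTNER_EMPLOYEE"},
               "PARTNER_MANAGER": {"PARTNER_MANAGER"}}


@dataclass(frozen=True)
class Rule:                       # the five parts of a rule from the slide
    rule_id: str
    actor_type: str
    object_type: str
    get_actors_from_user: Callable[[str], set]
    get_actors_from_object: Callable[[str], set]
    get_objects_by_filter: Callable[[], set]


@dataclass(frozen=True)
class Right:                      # user group + rule + action, as in the rights table
    right_id: str
    user_group: str
    object_type: str
    rule_id: str
    action: str


def company_of_user(user):
    """Rules 2a/2b of the example: user -> contact person -> primary partner company."""
    cp = USER_CONTACT.get(user)
    return {CONTACT_COMPANY[cp]} if cp in CONTACT_COMPANY else set()


def company_of_lead(lead_id):
    """Rules 1a/1b of the example: lead -> contact person -> primary partner company."""
    cp, _country = LEADS[lead_id]
    return {CONTACT_COMPANY[cp]} if cp in CONTACT_COMPANY else set()


def german_leads():
    """Object filter 'German Leads': only these leads are under the rule at all."""
    return {lid for lid, (_cp, country) in LEADS.items() if country == "DE"}


RULES = {"MyCompaniesLeads": Rule("MyCompaniesLeads", "Partner Company", "Lead",
                                  company_of_user, company_of_lead, german_leads)}
RIGHTS = [Right("R314", "ALL_PARTNER_ROLES", "Lead", "MyCompaniesLeads", "Read"),
          Right("R315", "PARTNER_MANAGER", "Lead", "MyCompaniesLeads", "Change")]


def user_groups(user):
    """A user is in every ACE user group that contains one of his roles."""
    roles = USER_ROLES.get(user, set())
    return {g for g, group_roles in GROUP_ROLES.items() if roles & group_roles}


def user_context(user):
    """User Context Cache: the (Right-ID, Actor) pairs, i.e. the user's ACE groups."""
    groups = user_groups(user)
    return {(r.right_id, actor) for r in RIGHTS if r.user_group in groups
            for actor in RULES[r.rule_id].get_actors_from_user(user)}


def acl():
    """Rights activation: ACL entries (Business Object ID, Right-ID, Actor, Action).
    The (Right-ID, Actor) pair stands in for the ACE Group ID of the database cache."""
    entries = set()
    for r in RIGHTS:
        rule = RULES[r.rule_id]
        for obj in rule.get_objects_by_filter():              # subset of objects under the rule
            for actor in rule.get_actors_from_object(obj):    # object context
                entries.add((obj, r.right_id, actor, r.action))
    return entries


def check(user, obj, action):
    """Single object check: access only if some ACL entry for the object carries an
    ACE group that is also in the user's context.  No matching rule -> no access."""
    ctx = user_context(user)
    return any(o == obj and act == action and (r, a) in ctx for (o, r, a, act) in acl())


if __name__ == "__main__":
    for who, lead in [("MEGAN", "LEAD01"), ("MEGAN", "LEAD02"), ("MEGAN", "LEAD03"), ("TOM", "LEAD02")]:
        print(who, lead, "read:", check(who, lead, "Read"), "change:", check(who, lead, "Change"))
```

Megan reaches LEAD01 because the lead's contact person and her own contact person resolve to the same partner company (rule 3), but not LEAD02 (another company) and not LEAD03, which the "German Leads" filter keeps outside the rule altogether even though it belongs to her own company.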
Dynamic Authorizations – Example Cont’d.
Diagram: Portal Roles Manager and Employee; Sales Areas 1520/99/40, 1010/99/32 and 1600/99/34; Users Maier, Schmitt and Müller; Object Elektro-Heinz (customer)
Rights table:
Right | User Group | Object Type | Rule                 | Action
R007  | Manager    | Customer    | MySalesAreasCustomes | Full
R008  | Employee   | Customer    | MySalesAreasCustomes | Read
Dynamic Authorizations – Example Cont’d.
Portal role consists of the applications a user is able to work with: no application available in the role means no access at all
User is assigned to a portal role: different portal roles enable different authorization on role level
Application itself consists of "implicit" authorization: e.g. Sales Order Management does not include Opportunity Management
Application supports authorization checks via ACE: the application (resp. the assigned CRM object) supports ACE checks, the current user is activated for ACE checks, and the corresponding ACE rule is activated
Application/CRM offers authorization checks via Basis Authorization: the authorization object is available, the application does checks on authorization objects, and the user is assigned to the authorization objects
Dynamic Authorizations – Example Cont’d.
Different levels and possibilities of authorizations: top-down view
To implement an authorization matrix, as proposed, there are several possibilities and dependencies which have to be taken into account. First of all, there is the portal role definition. If the authorization matrix does not have a mark for a specific role-application combination, this particular application should not be part of the role definition at all. Therefore the user assigned to this role does not have the application available and therefore no authorization at all
Dynamic Authorizations – Example Cont’d.
Different levels and possibilities of authorizations: top-down view
The next level is to use a specific BSP application view to implement "functional" authorizations on UI level, e.g. remove a create button to restrict this capability for a specific role. A role-specific application may also be used in combination with underlying authorization concepts to implement an "ideal solution". This means, for example, if you only have read access to a certain object without the right to create new ones, but there is a create button available, this button can be completely removed by defining a corresponding BSP application view
Dynamic Authorizations – Example Cont’d.
Different levels and possibilities of authorizations: top-down view
Now ACE comes into play, if activated and if necessary for a specific business process. Authorizations implemented via ACE using rules (which) and rights (how) define which documents a user (assigned to a certain role) may see and how these documents may be accessed. Currently implemented and available actions are write, read, and delete. ACE sits on top of basis authorization
Dynamic Authorizations – Example Cont’d.
Different levels and possibilities of authorizations: top-down view
Last, but not least, the basis authorization can be used to define "overall" authorizations in the system. Here authorization objects assigned to users/user groups define what access is allowed
The role itself represents the center of all authorization, and it is used at each "level" (portal role definition, BSP application view, ACE, and basis authorization) as a kind of anchor in the authorization model/matrix
Comments about Basis Authorizations
Basis authorization and ACE: basis authorization may be used best to define basis authorizations, e.g. a whole role should only have read access to a certain transaction or application. This should be implemented using basis authorization objects assigned to a role/user group (even if it could be accomplished via ACE)
By doing as much of the restriction as possible in the backend using basis authorizations for the affected roles, the development work using ACE is simplified
Comments about Basis Authorizations
Basis authorization and ACE:
- If a certain role should only have access to a specific range of documents, e.g. only for a particular channel partner (<=> sales partner), then the ACE should be used, implementing corresponding rules (which documents should be visible) and rights (how documents are accessible)
- In this case it is necessary to clearly define which characteristics (partner functions; relations; etc.) are used to determine the rule process (actors from user; actors from object)
- To come to such a clear technical definition, a list of business rules describing the business requirement in a matrix is extremely helpful
- A combination of both, basis and ACE, can be used, but from a business perspective it can increase user administration costs (duplicated effort; potential confusion of access modes used in complex roles; etc.)
ACE Right Definition Process Detail cont’d.
Example of External Matrix
Rights/Roles matrix (columns, in order: Partner Manager | Lead Manager | Sales Manager | Portal Administrator (web support center))
Partner Management Rights
- Partner Profile Management: R/M/D/E | R | R | R/M/D/E
- Account Management: R/M | R | R/M/D | R/M/D/E
- User Management: R/M/D/E
Sales Cycle
- Activities: R/M/D | R/M/D | R/M/D | R/M/D
- Leads: R | R/M/D | R
- Opportunities: R/M/D | R/M/D/E
- Orders (B2B-Shop): R/M/D | R/M/D/E
Legend: R = Read only, M = Maintain, D = Delete, E = Execute (reports, search)
ACE Right Definition Process Detail
Steps for coming from an authorization matrix to ACE-based authorizations (access control on document level):
1. Authorization matrix generated by business department
2. Translation of authorization matrix into ACE-related building blocks
3. Customizing and implementation of ACE building blocks: overview, (preliminary) activation for testing, testing
4. Results of final ACE rights activation: overview, testing
5. Runtime monitoring of ACE authorizations: overview, testing
ACE Right Definition Process Detail
Now let's look at the actual screen shots involved in setting up ACE functionality.
This involves both developers and security resources working together.
The first part of the process involves a developer resource doing the configuration.
1. Log on to CRM Development Instance
2. Execute /nspro
3. Select "SAP Reference IMG"
4. Select Customer Relationship Management
5. Next select Basic Functions
6. Now select Access Control Engine
7. Next select User Groups
8. Click on Assign Users to User Groups
Setting Up Rules for ID’s/Roles for ACE
Finally, we are in the proper part of the IMG, so:
The first step in the process is to assign the 'role' or 'user' IDs to a user group. In this situation, we are going to tie a user ID to a specific group. If you are going to assign it to a 'group' of people, you would assign the backend 'Z' BASIS security role instead, as shown in the following screen shot
But in this case, we are going to assign the CRD_SARF2 user to the SAP_CRM_PARTNER_EMP group and set the user group child type to 'U User', since this is a user ID.
Unfortunately, there is currently no search for the 'User Group Child' field; you have to know the ID or the BASIS role you wish to attach.
Once this is completed, we have to decide which rules we wish to activate. For this case, we are going to make it so a CP can maintain, edit, change and display BPs. If this is the first time ACE is being used, you must enter the developer's tool to activate the necessary groups and rules. For this scenario I have activated the following groups and IDs.
SAP_CRM_PARTNER_EMP User Group is Activated
Rules which have been activated
LEAD_CHP_CP_EMP
a) PARTNER EMPLOYEE: CONTACTPERS. CHANGE
b) Account (ACCOUNTCRM)
c) Partner employee (SAP_CRM_PARTNER_EMP)
d) Grants the partner employee, as contact person with the relationship type "is contact person for" and the portal role Partner Employee, access (read and write authorization (ACT_GRP_CHANGE)) to all end customer business activities. Here, the business partner must be a contact person, who in turn has the relationship "is contact person for" a business partner who has the relationship "is end customer of" his or her own company
LEAD_CHP_ENDCUST_EMP
a) PARTNER EMPLOYEE: END CUSTOMER CHANGE
b) Account (ACCOUNTCRM)
c) Partner employee (SAP_CRM_PARTNER_EMP)
d) Grants the partner employee, as contact person with the relationship type "is contact person for" and the portal role "Partner Employee", access (read- and write authorization (ACT_GRP_CHANGE)) to his or her own company’s end customers. The business partner must have the relationship "is end customer of" his or her own company
LEAD_CHP_PROSP_EMP
a) PARTNER EMPLOYEE: PROSPECT CHANGE
b) Account (ACCOUNTCRM)
c) Partner employee (SAP_CRM_PARTNER_EMP)
d) Grants the partner employee, as contact person with the relationship type "is contact person for" and the portal role "Partner Employee", access (read and write authorization (ACT_GRP_CHANGE)) to all of the user's company's prospects. The "Prospect" must be in an "is end customer of" relationship to the "Company" that the current partner employee is a contact person of, or the "Prospect" is the "Company" itself; in that case the current user also has access ("to own company as prospect"; this is only of interest if the lead is used as a quotation for the channel partner itself).
CHP_CONSUMER_EMP
a) PARTNER EMPLOYEE: CONSUMERS DISPLAY
b) Account (ACCOUNTCRM)
c) Partner employee (SAP_CRM_PARTNER_EMP)
d) Grants the partner employee, as contact person with the relationship type "is contact person for" and portal role Partner Employee, access (read authorization (ACT_GRP_READ)) to all consumers. The business partner must exist in the business partner role "Consumer".
Working with the Business Package
The security team will be involved in this activity
Once you have activated the rights, let us create/modify the Business Package (BP) associated with the test user ID and then assign them an organization. Open up the BP associated with the user ID. (Note: if you are assigning ACE rules to a specific 'role', you must maintain the Role in the Role area of the following screen shot.)
In the BP you have open, maintain a 'Contact Person' as well as the 'internet user' role of the partner
Once this is done, assign the user to the organization that he represents when he logs in. For example, if I am an employee at Ace Apple's, then I would assign myself as a contact person at Ace.
Create Ace Apple’s BP and Associate crd_Sarf2 to it
Activating User Group SAP_CRM_PARTNER_EMP
Back in the ACE Administration Tool:
Select the user group to activate (here it is the SAP_CRM_Partner_EMP)
Once this is completed successfully, then you will notice all of the condition ‘traffic lights’ will be green as seen on the next slide.
Rights Have Been Activated
Final Step
Back in the administration tool, the last thing to do is to refresh the user (note: if you use roles you do not have to do this). Once this is done, everything should be active for the test ID
Schematic View of what has been set up
Section D: Summary
Summary
ACE functionality is based on Rules, Rights and Roles in the portal and the backend system
It is important for the developer team and security to work together during the initial configuration of ACE functionality
Wherever possible, use the capabilities of the basis authorizations in the backend system to simplify the development and use of ACE functionality
It is very important to have an overall naming convention for the portal roles, the ACE user groups, and the backend user roles BEFORE implementing ACE
Final Comments
When ACE is activated initially, there is no access to any documents for an activated user as long as there is no ACE rule to grant access!
ACE cannot "extend" authorizations granted by Basis Authorizations, but only refine them
- Extend: if the basis authorization object does not grant access "at all", then no ACE rule can change this
- Refine: if the basis authorization object does allow "change", but the ACE rule(s) do not, the user is not able to change the object(s). So ACE can act as an additional filter of allowed access.
ACE can be used if authorization per "object", based on "object" attributes, is required for different user groups
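The "refine, never extend" relationship above, together with the five pre-checks and the 16-hour user-context expiry from the First Authorization Check slides, as an added Python illustration written for this page (not SAP code). The AceState contents, the user and object names, and the treatment of a "Friendly Call" as a flag that bypasses ACE are constructed assumptions; the slide names that step without defining it.

```python
"""Runtime authorization check: the five pre-checks, the cached user context with
its 16-hour default expiry, and the combination with basis authorization in which
ACE may refine but never extend.  Illustration code for this page, not SAP's.

Constructed: the AceState contents, user/object names, and the treatment of a
"friendly call" as a flag that bypasses ACE (the slide names the step only)."""
from datetime import datetime, timedelta

CONTEXT_TTL = timedelta(hours=16)        # slide: customizable, default value 16 hours


class AceState:
    def __init__(self, active=True):
        self.active = active
        self.supported_actions = {"Read", "Change", "Delete"}   # create is not an ACE action
        self.relevant_object_types = {"Lead", "Account"}
        self.active_users = {"MEGAN"}                            # users activated for ACE
        self.acl = set()                  # (object_id, right_id, actor, action)
        self._context_cache = {}          # user -> (calculated_at, {(right_id, actor)})

    def user_context(self, user, now, compute):
        """Return (context, cache_hit); recalculates once the cached context has expired."""
        cached = self._context_cache.get(user)
        if cached and now - cached[0] < CONTEXT_TTL:
            return cached[1], True
        ctx = compute(user)
        self._context_cache[user] = (now, ctx)
        return ctx, False


def ace_decision(state, user, obj, obj_type, action, now, compute_ctx, friendly_call=False):
    """None means 'ACE does not apply here' (steps 1-5 of the first check);
    otherwise the ACL answer for this user, object and action."""
    if not state.active:                              # 1. Is the ACE inactive?
        return None
    if friendly_call:                                 # 2. Friendly call (assumed: bypasses ACE)
        return None
    if action not in state.supported_actions:         # 3. Action supported by ACE?
        return None
    if obj_type not in state.relevant_object_types:   # 4. Object type relevant for ACE?
        return None
    if user not in state.active_users:                # 5. Is the user an active ACE user?
        return None
    ctx, _hit = state.user_context(user, now, compute_ctx)
    return any(o == obj and (r, a) in ctx and act == action
               for (o, r, a, act) in state.acl)


def effective_access(basis_allows, ace_result):
    """Basis authorization decides first; ACE can only narrow a basis 'yes'."""
    if not basis_allows:
        return False                    # extend: no ACE rule can open what basis denies
    if ace_result is None:
        return True                     # ACE not applicable: the basis result stands
    return ace_result                   # refine: ACE acts as an additional filter


def demo():
    """Constructed scenario: one ACL entry granting Megan change access to LEAD01."""
    state = AceState()
    state.acl = {("LEAD01", "R315", "PARTNER_A", "Change")}
    t0 = datetime(2005, 9, 1, 8, 0)
    compute = lambda user: {("R315", "PARTNER_A")} if user == "MEGAN" else set()
    res = {}
    res["refine_ok"] = effective_access(True, ace_decision(state, "MEGAN", "LEAD01", "Lead", "Change", t0, compute))
    res["refine_denied"] = effective_access(True, ace_decision(state, "MEGAN", "LEAD02", "Lead", "Change", t0, compute))
    res["no_extend"] = effective_access(False, ace_decision(state, "MEGAN", "LEAD01", "Lead", "Change", t0, compute))
    res["create_basis_only"] = effective_access(True, ace_decision(state, "MEGAN", "LEAD01", "Lead", "Create", t0, compute))
    res["inactive_user"] = effective_access(True, ace_decision(state, "TOM", "LEAD01", "Lead", "Change", t0, compute))
    _, res["cache_hit"] = state.user_context("MEGAN", t0 + timedelta(hours=1), compute)
    _, res["cache_expired_hit"] = state.user_context("MEGAN", t0 + timedelta(hours=17), compute)
    return res


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A basis denial ends the check before ACE is consulted, a basis grant can still be narrowed by a missing ACL entry, and the actions and users ACE does not cover fall through to the basis result unchanged.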
Further Information
Public Web: www.sap.com
SAP Developer Network: www.sdn.sap.com
NetWeaver Developer's Guide: www.sdn.sap.com/sdn/developersguide.sdn
SAP Customer Services Network: www.sap.com/services/
Related SAP Education Training Opportunities: http://www.sap.com/education/
Questions?
Copyright 2005 SAP AG. All Rights Reserved
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
Development section content contributed by Matthew Parker, SAP America