Larry Justice
Platinum Technical Consultant, SAP America
Architecture Section B
Summary Section D
Channel Management
[Diagram: Portal Role, Company, User, Object, action; Brand Owner with Partner 1 and Partner 2; users Miller, Jones, Smith; Gold, Silver]
Partner Employee can create, read, edit, and analyze accounts within his partner company. He can also read and edit (but not delete) accounts assigned by the Channel Manager.
Partner Manager has full access (create, read, edit, delete, analyze) to opportunities created by himself or by an employee of his own company.
Future Releases
Integration of BW and ACE is a point for future releases, to cover analysis requirements
Additional actions like "negotiate" or "dispatch" are planned for future releases
Validating rights for a creation or dispatch process is planned for a future release
Administration of rules:
Actor type is the type of the organization element in the relation between user and business object
GetActorsFromUser calculates the Actors for every user assigned to that right
GetActorsFromObject calculates the Actors for every object returned by GetObjectsByFilter
Rule
Relation ID (Rule ID) | Actor Type | Object Type | GetActorsFromUser | GetActorsFromObject | GetObjectsByFilter
MyLeads | Contact | Lead | UserS Contacts | LeadSPartnerContacts | *
MyCompaniesLeads | Partner Company | Lead | UserSPartnerCompanies | LeadSPartnerCompanies | German Leads
Administration of rights
In most cases user groups are based on roles (portal roles)
Rules describe the relation between user and objects
Actions are combinations of the single actions read, write and delete
Rights
Right | User Group | Object Type | Rule | Action
R314 | All Partner Roles | Lead | MyCompaniesLeads | Read
R315 | Partner Manager | Lead | MyCompaniesLeads | Change
R316 | All Partner Roles | Lead | MyLeads | Full
Runtime interfaces:
Single object check
Multiple objects check
Get access control list for some objects
Management interface:
Inform ACE about new objects (call synchronously if possible)
Inform ACE about changed objects
Architecture Overview
Architecture:
Instance-based authorization
Building subset of users
Building subset of objects
Using business relations to calculate authorization
Processes:
Database cache
User context calculation
Activating rights
Session cache and authorization check
Object creation
Object changes
Basis Authorizations
SAP Authorizations: based on authorization objects
The Basis authorization concept reaches down to transaction, field, and field value level
[Diagram: User -> Role -> object class -> authorization object -> authorization -> authorization fields (ex. display, change)]
Dynamic Authorizations
Roles assigned to Users
Example: User "5" has Role "R3" and "R4"
[Diagram: users and the group Gr2 assigned to roles R2 and R4]
User-context
The function GetActorsFromUser() calculates the user-context
Examples for types in the user-context:
Companies
Org-Unit
Position
Sales Area
We call these types "Actor-Type"
We call the values in the user context "Actor"
Object-context
The function GetActorsFromObject() calculates the object-context
Examples for values in the object-context:
Companies
Org-Unit
Parts of a Rule: Rule ID, Actor Type, Object Type, GetActorsFromUser, GetActorsFromObject, GetObjectsByFilter (the Rule table under "Administration of rules" shows the MyLeads and MyCompaniesLeads examples)
Parts of a Right:
1. User Group
2. Rule
3. Action: what kind of action a user can do with his objects
4. (Not "Object Type"; leaving it out makes administration easy)
The Rights table (R314, R315, R316) under "Administration of rights" shows these parts.
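As an added illustration (not SAP code and not part of the slides), the following Python models how the Rule and Rights tables combine with the user-context and object-context into an instance-based check. The two rules, the rights R314 to R316, the user and lead master data, the action ranking (Full covers Change covers Read) and the match criterion (a non-empty intersection of user actors and object actors) are assumptions of this model; GetObjectsByFilter is left out.

```python
from dataclasses import dataclass
from typing import Callable
ACTION_RANK = {"Read": 1, "Change": 2, "Full": 3}  # Full = create/read/edit/delete/analyze

@dataclass(frozen=True)
class Rule:  # a row of the Rule table (Actor Type / Object Type columns omitted: all Leads here)
    get_actors_from_user: Callable[[str], set]    # GetActorsFromUser  -> user context
    get_actors_from_object: Callable[[str], set]  # GetActorsFromObject -> object context

@dataclass(frozen=True)
class Right:  # a row of the Rights table: user group (portal role) + rule + action
    user_group: str  # "All Partner Roles" matches every partner role
    rule_id: str
    action: str

# Constructed sample master data (not from the slides): two partner users, three leads.
USERS = {"miller": {"roles": {"Partner Manager"}, "contact": "C1", "company": "Gold"},
         "jones": {"roles": {"Partner Employee"}, "contact": "C2", "company": "Gold"}}
LEADS = {"L1": {"contacts": {"C1"}, "companies": {"Gold"}},    # Miller is the lead's contact
         "L2": {"contacts": {"C9"}, "companies": {"Gold"}},    # same company, other contact
         "L3": {"contacts": {"C9"}, "companies": {"Silver"}}}  # foreign company

RULES = {  # actor type Contact resp. Partner Company, object type Lead
    "MyLeads": Rule(lambda u: {USERS[u]["contact"]}, lambda o: LEADS[o]["contacts"]),
    "MyCompaniesLeads": Rule(lambda u: {USERS[u]["company"]}, lambda o: LEADS[o]["companies"]),
}
RIGHTS = {"R314": Right("All Partner Roles", "MyCompaniesLeads", "Read"),
          "R315": Right("Partner Manager", "MyCompaniesLeads", "Change"),
          "R316": Right("All Partner Roles", "MyLeads", "Full")}

def user_context(user: str) -> dict:
    """Actors per rule; ACE caches this, so it must be refreshed when the user's roles change."""
    return {rid: r.get_actors_from_user(user) for rid, r in RULES.items()}

def granted_actions(user: str, obj: str) -> set:
    """Actions of rights whose group matches a user role and whose rule actors intersect."""
    ctx, roles, actions = user_context(user), USERS[user]["roles"], set()
    for right in RIGHTS.values():
        if right.user_group == "All Partner Roles" or right.user_group in roles:
            if ctx[right.rule_id] & RULES[right.rule_id].get_actors_from_object(obj):
                actions.add(right.action)
    return actions

def check(user: str, obj: str, action: str) -> bool:
    """Single object check: is the requested action covered by a granted action?"""
    return any(ACTION_RANK[a] >= ACTION_RANK[action] for a in granted_actions(user, obj))

def acl(user: str, objs: list) -> dict:
    """Multiple objects check: strongest granted action per object, or None."""
    return {o: max(granted_actions(user, o), key=ACTION_RANK.get, default=None) for o in objs}
```

Miller gets Full on his own lead L1 via R316, only Change on the company lead L2 via R315, and nothing on the foreign lead L3; Jones, as Partner Employee, stays at Read on both company leads.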
Overview of Authorizations and ACE
[Diagram: SSO / Authentication -> Portal User, Portal Role -> Authorization EP / Portal Content -> Application / CRM User -> Implicit Authorizations, Access Control Engine, other CRM Business Partner concepts, CRM Authorization Objects (R/3)]
Remark: App-server cache and database cache are the same
Remark: Start and end-time of a right is only used in the user context, not in the ACL
If a user's roles change, the administrator has to refresh the user-context manually
The first step of activating is to copy the design-time data into the corresponding runtime tables
Changing the ACE configuration has no influence on the runtime until the changes are activated
You find the list of active rights and user groups by using the deactivation value-help
[Activation flow: Enqueue objects in this block and proceed with activation; Commit the work in this LUW and dequeue objects in the block]
All business objects under ACE control send change and create notifications to ACE
There are two different calls from the business object to ACE:
HandleNewObjects()
HandleChangedObjects()
Remark: The creator can directly access his created object(s)
Remark: If only right-independent attributes are changed, there is no write access to the DB
Business objects
[Diagram: Portal Roles Manager and Employee; users Maier, Schmitt, Müller; Sales Areas 1600/99/34, 1010/99/32, 1520/99/40; object Elektro-Heinz; steps 1a, 1b, 2a, 2b]
Rights
Right | User Group | Object Type | Rule | Action
R007 | Manager | Customer | MySalesAreasCustomes | Full
R008 | Employee | Customer | MySalesAreasCustomes | Read
The role itself represents the center of all authorization; it is used at each "level" (portal role definition, BSP application view, ACE, and basis authorization) as a kind of anchor in the authorization model/matrix.
Rights/Roles
[Matrix: Portal Roles Administrator (web support center), Partner Manager, Lead Manager, Sales Manager; row Sales Cycle / Leads: R, R/M/D, R]
Testing
Now let's look at the actual screen shots involved in setting up ACE functionality.
The first step in the process is to assign the 'role' or 'user' IDs to an ID or role. In this situation, we are going to tie a user ID to a specific role. If you are going to assign it to a 'group' of people, you would assign the backend 'Z' BASIS security role as shown in the following screen shot.
[Screen shot: roles LEAD_CHP_CP_EMP, LEAD_CHP_ENDCUST_EMP, LEAD_CHP_PROSP_EMP and CHP_CONSUMER_EMP, each with the entry b) Account (ACCOUNTCRM)]
Once this is completed successfully, you will notice that all of the condition 'traffic lights' are green, as seen on the next slide.
Summary
Public Web:
www.sap.com
SAP Developer Network: www.sdn.sap.com
NetWeaver Developer's Guide: www.sdn.sap.com/sdn/developersguide.sdn
SAP Customer Services Network: www.sap.com/services/
Q&A
Thank You !
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose
without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended
strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product
strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics,
links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited
to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use
of these materials. This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use
of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party
Web pages.