
Access Control Engine Functional Documentation

Goodyear Pte Ltd IC Business Transaction Access Control Engine Functional Document

Author: CRM Consultant Huai Ying, Tan

Confidential

Pre-Live Version History:

| Issue | Date | Author | Details of Change | Pages affected |
|---|---|---|---|---|
| 0.1 | 05/04/2010 | Huai Ying | First Draft | |

Post-Live Version History:

| Issue | Date | Author | Details of Change | Pages affected |
|---|---|---|---|---|

Authorization & Quality Review:


Name Job Title Workstream Team Leader Signature and Date

Document References
| No. | Document | Location |
|---|---|---|
| 1 | Business Blueprint - IC | \\163.243.220.175\share\CRM_Project_Docs\Blueprint\SAP-CRM-IC-BusinessBlueprintSignoff.doc |
| 2 | ACE For IC Business Partner | \\\163.243.220.175\share\CRM_Project_Docs\Functional Spec\ACE\Phase 1B - IC\ACE For IC Business Partner.pdf |


Contents
1. Access Control Engine
   1.1 Purpose
   1.2 Functional Requirements (Business Scenario & Requirements)
2. Solution Design
   2.1 Business Process Model
3. ACE Customizing
   3.1. General Parameter Settings
   3.2. Rules Customizing
      3.2.1. Actor Type Customizing
      3.2.2. Actor From Object Customizing
      3.2.3. Object By Filter Customizing
      3.2.4. Actor For User Customizing
      3.2.5. Rule Customizing
   3.3. Rights Customizing
      3.3.1. Create Work Package
      3.3.2. Create User Group
      3.3.3. Create Rights
   3.4. ACE Event Background Job
4. ACE Maintenance
   4.1. Activate/Deactivate ACE
   4.2. Analyze Design Data
   4.3. Simulating Runtime Result
   4.4. Update User or Object
      4.4.1. Update User Context
      4.4.2. Update Object Context
5. ACE Enhancement
   5.1. DDIC Objects
      5.1.1. Data Elements
      5.1.2. Database Tables
   5.2. Class ZCL_CRM_ACERULE_EMP_NAME
      5.2.1. Method IF_CRM_ACE_ACTORS_FROM_USER ~ GET_ACTORS_FROM_USER
   5.3. Class ZCL_CRM_ACERULE_1O_NON_OE_SR
      5.3.1. Method IF_CRM_ACE_OBJECTS_BY_FILTER ~ CHECK_OBJECTS_BY_FILTER
      5.3.2. Method IF_CRM_ACE_OBJECTS_BY_FILTER ~ GET_OBJECTS_BY_FILTER
      5.3.3. Method IF_CRM_ACE_ACTORS_FROM_USER ~ GET_ACTORS_FROM_OBJECTS
6. Appendix


1. Access Control Engine


1.1 Purpose

This document defines how a Goodyear Interaction Center (IC) Agent or Service Professional searches for Business Transactions (Appointment, Task, Sales Visit and Email) by employee responsible. It collates both the functional and the technical requirements; no separate document will be created.

1.2 Functional Requirements (Business Scenario & Requirements)

A Customer Transactional Table will be created to store the user names of IC Agents and of higher-level users, such as the IC Manager, who are allowed to view all transaction data for which the agent is responsible. Users at a higher level in the table can therefore see all transactional data created by lower-level users.


2. Solution Design
2.1 Business Process Model

The Access Control Engine (ACE) concept involves an Actor, which represents the relationship between User and Object. A Business Transaction can only be accessed by the employee responsible or by a higher-level user in the table. Therefore, the IC Agent / Service Professional is the Actor, the Business Transaction is the Object and the Goodyear Employee is the User. The ACE filtering process requires three technical enhancements:
- Actor for User filters the Goodyear employee and the Business Partners he is responsible for.
- Actor from Object filters Business Transactions based on partner functions.
- Object by Filter filters Goodyear Business Transactions (Appointment/Task/Sales Visit/Email).

Figure 1: ACE concept for IC Business Transaction filtering (diagram labels: User: Employee; Actor: Employee Responsible; Object: Business Transaction; links: Actor For User, Actor From Object, Object By Filter)


When a Business Transaction is created, the IC Agent / Service Professional is assigned the partner function Owner or Employee Responsible, depending on the Transaction Type. The table below shows the partner functions of each transaction type. Business Partner of the partner function acts as

Table 1: Table of ACE filtering criteria

| Business Transaction | Partner Function Description | Partner Function | Example |
|---|---|---|---|
| ZGAP Appointment | Activity Partner | 00000009 | Distributor / Retailer / Consumer |
| | Owner | 00000022 | IC Agent / Service Professional who creates the Appointment |
| ZGTA Task | Activity Partner | 00000009 | Distributor / Retailer / Consumer |
| | Employee Responsible | 00000014 | IC Agent / Service Professional who is responsible for the Task |
| ZGSV Sales Visit | Activity Partner | 00000009 | Distributor / Retailer / Consumer |
| | Owner | 00000022 | IC Agent / Service Professional who creates the Sales Visit |
| ZGEI/ZGEO Email | Activity Partner | 00000009 | Distributor / Retailer / Consumer |
| | Owner | 00000022 | IC Agent / Service Professional who creates the Email |


3. ACE Customizing
3.1. General Parameter Settings
Path: SPRO → CRM → Basic Functions → Access Control Engine → Maintain General Parameters

Table 2: Table of ACE Parameter Settings

| Parameter | Parameter Value | Description |
|---|---|---|
| ACE_IS_INACTIVE | | Mark X to deactivate ACE. Leave blank to activate ACE. |
| ACE_NOC_EXPIRATION_SECONDS | | New Objects Cache are deleted at 0 second |

3.2. Rules Customizing


Path: SPRO → CRM → Basic Functions → Access Control Engine → Rules → Create Rules

3.2.1. Actor Type Customizing


The Actor Type ZBUSINESS_PARTNER represents the relation type between user and business object.

Figure 2: Screenshot of Actor Type


3.2.2. Actor From Object Customizing


Actor From Object (AFO), Z1O_DOC_EMPRESP determines the responsible person from ONE ORDER.

Figure 3: Screenshot of AFO

3.2.3. Object By Filter Customizing


Object by Filter (OBF), Z1O_GYDOC determines all Goodyear business transactions.

Figure 4: Screenshot of OBF


3.2.4. Actor For User Customizing


Actor For User (AFU), ZEMP_RESP_USER determines the employee responsible relationship of a user.

Figure 5: Screenshot of AFU

3.2.5. Rule Customizing


Rule, ZIC_1O_RESPONSIBLE is the combination of Actor Type, AFU, AFO and OBF for ACE filtering.

Figure 6: Screenshot of ACE Rule

3.3. Rights Customizing


ACE Rights consist of Work Package and User Group. Work package is an organizational unit of the ACE, which combines user groups and enables them for one or several object types.


User Group consists of user assignment either as single users, or as members of a role, or as members of another user group.

Both help ACE to identify which users are ACE-active and which rules are selected.

Path: SPRO → CRM → Basic Functions → Access Control Engine → Create Right

3.3.1. Create Work Package


Reuse the existing Work Package. Refer to the Document References table for the document ACE For IC Business Partner. Assign Object Type ONEORDER.

Table 3: OE Work Package

| Work Package ID | Work Package Description | Object Type Assignment |
|---|---|---|
| ZGY_NON_OECU_WP | Work Package for OE Customer | ONEORDER |

3.3.2. Create User Group


The existing PFCG Role ZGY_CRM_BASIC_IC will be used. Refer to the Document References table for the document ACE For IC Business Partner.

3.3.3. Create Rights


The ACE Rule, User Group and Action Group are assigned to the ACE Right ZOE_ONEORDER. The Action Group determines the access given to the user:
- ACT_GRP_FULL grants the user full access: Read, Write and Delete.
- ACT_GRP_CHANGE grants Read and Write access.
- ACT_GRP_READ grants Read access only.


Figure 7: Screenshots of ACE Right

3.4. ACE Event Background Job


ACE calculates and saves the authorization data through a dispatcher job that is started when rights are activated and when users create or modify objects. During dispatcher runtime, the worklist can be filled by other activation or creation/modification processes. Background jobs are started until the worklists have been completely processed. The dispatcher then shuts down with a delay while worklists are checked for new objects, and, if necessary, new background jobs are started.

Table 4: ACE Event Background Job Attributes

| JOB Name | Attributes |
|---|---|
| Transaction Code | SM36/SM37 |
| Job Name | ACE_DISPATCHER |
| ABAP Program | CRM_ACE_DISPATCHER |
| Event ID | SAP_CRM_ACE_DISPATCHER_REQUEST |
| Parameter | 300 (Client System Number) |
| Periodic Jobs | X |


4. ACE Maintenance
4.1. Activate/Deactivate ACE
ACE can only be active if the user group in a work package and the right are both activated. If ACE is to be stopped permanently, the Right must be deactivated before the Work Package is deactivated. Changes to an existing ACE Rule or to ACE User Groups require reactivation of the Work Package in order to take effect.

Path: SPRO → CRM → Basic Functions → Access Control Engine → Activate/Deactivate Work Packages and Rights

Figure 8: Screenshot of Active User Group in Work Package

Figure 9: Screenshot of Active Right


Activating an ACE User Group and Right triggers the ACE rule to calculate the accessible objects. The calculation must be triggered manually if:
- a new ACE rule is added;
- an existing ACE rule is amended;
- the user table in section 5.1 is updated.

Any Failed Object can be sent to Update Tool for recalculation.

Figure 10: Screenshot of Monitoring Object

4.2. Analyze Design Data


The ACE Design Report shows, in a tree structure, all objects for a right, user group, or object type defined in section 0. The ACE Administrator can use the Design Report to add or remove ACE users via PFCG role or to change ACE Rules and Rights.

Path: SPRO → CRM → Basic Functions → Access Control Engine → Create and Analyze Design Data


Figure 11: Screenshot of ACE Design Report based on User Group

4.3. Simulating Runtime Result


ACE Rules and Rights that have been created can be simulated via the ACE Runtime Report to ensure that the result works as expected. The report provides several filters that allow the ACE Administrator to perform detailed simulation and testing. Any wrong result, such as an incorrect Object or User appearing in the simulation result, can be sent to the Update Tool, which triggers the system to recalculate the object and user and then update the ACE tables.

Path: SPRO → CRM → Basic Functions → Access Control Engine → Analyze Runtime Data


Figure 12: Screenshot of ACE Simulation Report and Filters

Figure 13: Screenshot of ACE Simulation Result


4.4. Update User or Object


Performing a User/Object Update triggers the system to calculate the users and objects that meet the rules defined in sections 3.2 and 3.3. Users and Objects are stored in a list of ACE-related tables for easy access; performing this update step therefore recalculates the user/object in the ACE tables.

Path: SPRO → CRM → Basic Functions → Access Control Engine → Update User- and Object Context

4.4.1. Update User Context


An ACE Update User Context is required if a user is newly assigned to the PFCG role and should be an ACE-active user. Removing a user from the PFCG role in Section 4.2 requires the ACE Administrator to perform an additional step: update the User Context to deactivate that user in the ACE Active user list.

Figure 14: Screenshot of ACE Active User List based on Role


4.4.2. Update Object Context


An ACE Update Object Context is required if the system returns an object that does not meet the rule. The ACE Administrator should update that object to trigger the system to recalculate it and update the ACE tables.

5. ACE Enhancement
During Rule creation, each rule requires an ACE class in order to perform the search filtering criteria and mapping of User and Object via Actor from a customer table.

5.1. DDIC Objects


A Transactional Table is created to maintain user names in sequence from lower level (User Level 3) to higher level (User Level 0), as shown in the figure below. For example, a user at Level 0 is allowed to view and process all the transactional data created by all the levels: Level 1, Level 2 and Level 3. A user at Level 3, however, can only search for his own transactional data; he cannot search for or view the transactional data created by another person.

Figure 15: Screenshot of ACE Active User List based on Role

In this section, all the necessary information to create a Transactional Database is shown in table format.
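The visibility rule described above, modelled as an added Python example (not the project's ABAP code): it expands each responsible user to the higher-level users on their ZGY_ACE_IC_ORG rows and lists which transactions each user should see, which gives an expected result to compare with the ACE runtime simulation. User names and transaction GUIDs are constructed sample values, the level3..level0 names follow the function module later in this document, and reporting every object without an actor as failed is a simplification.

```python
from typing import NamedTuple

# Partner functions read by the Actor From Object step on this page.
ACTIVITY_PARTNER, OWNER, PROSPECT, EMP_RESP = (
    "00000009", "00000022", "00000021", "00000014")
PARTNER_FCTS = {ACTIVITY_PARTNER, OWNER, PROSPECT, EMP_RESP}


class OrgRow(NamedTuple):
    """One row of ZGY_ACE_IC_ORG: user names from level 3 up to level 0."""
    level3: str
    level2: str
    level1: str
    level0: str


class Transaction(NamedTuple):
    guid: str
    process_type: str
    partners: dict  # partner function -> user name of that partner ("" if none)


# Constructed sample hierarchy and transactions (not real data).
ORG = [
    OrgRow("AGENT_A", "LEAD_1", "MGR_1", "HEAD"),
    OrgRow("AGENT_B", "LEAD_1", "MGR_1", "HEAD"),
    OrgRow("AGENT_C", "LEAD_2", "MGR_1", "HEAD"),
]
TXNS = [
    Transaction("T1", "ZGAP", {ACTIVITY_PARTNER: "", OWNER: "AGENT_A"}),
    Transaction("T2", "ZGTA", {ACTIVITY_PARTNER: "", EMP_RESP: "AGENT_B"}),
    Transaction("T3", "ZGSV", {ACTIVITY_PARTNER: "", OWNER: "AGENT_C"}),
    Transaction("T4", "ZGEI", {OWNER: "TEMP_X"}),  # owner missing from ORG
]


def expand_actor(user, org):
    """Return the user plus every higher-level user above them.

    Levels are tried in the order 3, 2, 1, 0 and the search stops at the
    first level where the user is found. Unknown users give an empty set.
    """
    for idx in range(4):  # 0 -> level3 ... 3 -> level0
        rows = [row for row in org if row[idx] == user]
        if rows:
            actors = {user}
            for row in rows:
                actors.update(name for name in row[idx + 1:] if name)
            return actors
    return set()


def evaluate(txns, org):
    """Return (actors per transaction GUID, GUIDs left without any actor)."""
    actors_by_guid, failed = {}, []
    for txn in txns:
        actors = set()
        for fct, user in txn.partners.items():
            if fct in PARTNER_FCTS and user:
                actors |= expand_actor(user, org)
        if actors:
            actors_by_guid[txn.guid] = actors
        else:
            # Simplification: any object without an actor is listed as failed.
            failed.append(txn.guid)
    return actors_by_guid, failed


def visible_to(user, txns, org):
    """GUIDs of the transactions whose actor list contains the user."""
    actors_by_guid, _ = evaluate(txns, org)
    return sorted(g for g, actors in actors_by_guid.items() if user in actors)


if __name__ == "__main__":
    for name in ("AGENT_A", "LEAD_1", "LEAD_2", "MGR_1", "HEAD", "TEMP_X"):
        print(name, visible_to(name, TXNS, ORG))
    print("failed objects:", evaluate(TXNS, ORG)[1])
```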


5.1.1. Data Elements

A Data Element is declared for each user name field that will be used in the Database table.

Table 5: Data Elements

| Name | Domain | Data Type | No. Characters |
|---|---|---|---|
| ZUNAME3 | ZUNAME3 | CHAR | 12 |
| ZUNAME2 | ZUNAME2 | CHAR | 12 |
| ZUNAME1 | ZUNAME1 | CHAR | 12 |
| ZUNAME0 | ZUNAME0 | CHAR | 12 |

5.1.2. Database Tables

The tables below show the Database Table Maintenance settings and the Field Names.

Table 6: Database Table Maintenance

| Table Maintenance | Value |
|---|---|
| Delivery Class | A |
| Data Class | APPL0 |
| Size Category | 0 |
| Function Group | ZGY_ACE |
| Maintenance Screen type | One Step |

Table 7: Database Fields

Table Name: ZGY_ACE_IC_ORG

| Field Name | Key | Initial | Data Element |
|---|---|---|---|
| MANDT | X | X | MANDT |
| ZUNAME3 | X | X | ZUNAME3 |
| ZUNAME2 | X | X | ZUNAME2 |
| ZUNAME1 | X | X | ZUNAME1 |
| ZUNAME0 | X | X | ZUNAME0 |


5.2. Class ZCL_CRM_ACERULE_EMP_NAME


5.2.1. Method IF_CRM_ACE_ACTORS_FROM_USER ~ GET_ACTORS_FROM_USER

This method adds the logged-in user to the actor list.

METHOD IF_CRM_ACE_ACTORS_FROM_USER~GET_ACTORS_FROM_USER.
* the user is his own (only) actor
  APPEND im_usr_name TO ex_actor_id_table.
ENDMETHOD.

5.3. Class ZCL_CRM_ACERULE_1O_NON_OE_SR


5.3.1. Method IF_CRM_ACE_OBJECTS_BY_FILTER ~ CHECK_OBJECTS_BY_FILTER

This method checks the objects to which the rule applies.

METHOD IF_CRM_ACE_OBJECTS_BY_FILTER~CHECK_OBJECTS_BY_FILTER.
* every object passed in is returned unchanged
  ex_object_guid_table[] = im_object_guid_table[].
ENDMETHOD.


5.3.2. Method IF_CRM_ACE_OBJECTS_BY_FILTER ~ GET_OBJECTS_BY_FILTER

This method filters for Goodyear Transactional Data only.

METHOD if_crm_ace_objects_by_filter~get_objects_by_filter.
  CALL FUNCTION 'ZCRM_ACE_GET_ORDER_OBJECTS_CHM'
    EXPORTING
      iv_activity_request  = 'X'
      iv_tasks_request     = 'X'
      iv_opp_request       = 'X'
    IMPORTING
      ex_object_guid_table = ex_object_guid_table.
ENDMETHOD.

Function Module: ZCRM_ACE_GET_ORDER_OBJECTS_CHM
This function module filters for Goodyear Activities, Task and Opportunity.

FUNCTION zcrm_ace_get_order_objects_chm.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     REFERENCE(IV_LEAD_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_ACTIVITY_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_ORDERS_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_TASKS_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_OPP_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_BUDGETRES_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_BPO_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_BPO_FOR_CHANGE_WITH_STAT) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_FUND_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_CLAIM_REQUEST) TYPE BOOLEAN OPTIONAL
*"     REFERENCE(IV_BPO_FOR_CHANGE_WITHOUT_STAT) TYPE BOOLEAN OPTIONAL
*"  EXPORTING
*"     REFERENCE(EX_OBJECT_GUID_TABLE) TYPE CRMT_ACE_OBJECT_GUID
*"----------------------------------------------------------------------
  DATA: lt_object_guid        TYPE crmt_ace_object_guid.
  DATA: lt_object_guid_filter TYPE crmt_ace_object_guid.
  DATA: BEGIN OF wa_proc_type,
          process_type TYPE crmt_process_type,
        END OF wa_proc_type,
        lt_proc_type LIKE STANDARD TABLE OF wa_proc_type.

* create a range to select Custom Process Type
  RANGES: s_proctype FOR crmd_orderadm_h-process_type.
  s_proctype-sign   = 'I'.
  s_proctype-option = 'GE'.
  s_proctype-low    = 'Z'.
  APPEND s_proctype.

* select all lead object BUS2000108
  IF iv_lead_request NE space.
    SELECT guid FROM crmd_lead_h INTO TABLE lt_object_guid. "#EC CI_NOWHERE
    ex_object_guid_table = lt_object_guid.
  ENDIF.

* select all Activities BUS2000126
  IF iv_activity_request NE space.
    SELECT guid FROM crmd_activity_h INTO TABLE lt_object_guid "#EC CI_NOFIELD
      WHERE task NE 'X'.
*   FOR ALL ENTRIES with an empty driver table would ignore the WHERE
*   clause and return every order, so skip the filter step in that case
    IF lt_object_guid IS NOT INITIAL.
*     filter the results
      SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid_filter
        FOR ALL ENTRIES IN lt_object_guid
        WHERE guid = lt_object_guid-object_guid
          AND process_type IN s_proctype.
*     merge the results
      APPEND LINES OF lt_object_guid_filter TO ex_object_guid_table.
    ENDIF.
  ENDIF.

* select all Tasks BUS2000125
  IF iv_tasks_request NE space.
    SELECT guid FROM crmd_activity_h INTO TABLE lt_object_guid "#EC CI_NOFIELD
      WHERE task = 'X'.
    IF lt_object_guid IS NOT INITIAL.
*     filter the results
      SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid_filter
        FOR ALL ENTRIES IN lt_object_guid
        WHERE guid = lt_object_guid-object_guid
          AND process_type IN s_proctype.
*     merge the results
      APPEND LINES OF lt_object_guid_filter TO ex_object_guid_table.
    ENDIF.
  ENDIF.

* select all Orders
  IF iv_orders_request NE space.
    SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid "#EC CI_NOFIELD
      WHERE object_type = 'BUS2000115'
        AND process_type IN s_proctype.
*   merge the results
    APPEND LINES OF lt_object_guid TO ex_object_guid_table.
  ENDIF.

* select all Opportunities
  IF iv_opp_request NE space.
    SELECT guid FROM crmd_opport_h INTO TABLE lt_object_guid. "#EC CI_NOWHERE
    IF lt_object_guid IS NOT INITIAL.
      SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid_filter
        FOR ALL ENTRIES IN lt_object_guid
        WHERE guid = lt_object_guid-object_guid
          AND process_type IN s_proctype.
*     merge the results
      APPEND LINES OF lt_object_guid_filter TO ex_object_guid_table.
    ENDIF.
  ENDIF.

* select all Reservation Objects BUS2000313
  IF iv_budgetres_request NE space.
    SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid "#EC CI_NOFIELD
      WHERE object_type = 'BUS2000313'.
*   merge the results
    APPEND LINES OF lt_object_guid TO ex_object_guid_table.
  ENDIF.

* select all Budget Posting Objects BUS2000402
  IF iv_bpo_request NE space.
    SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid "#EC CI_NOFIELD
      WHERE object_type = 'BUS2000402'.
*   merge the results
    APPEND LINES OF lt_object_guid TO ex_object_guid_table.
  ENDIF.

* select all Budget Posting Objects BUS2000402 of type Transfer.
  IF iv_bpo_for_change_without_stat NE space.
*   also clear the result table so no earlier selection is appended again
    CLEAR: lt_proc_type, lt_object_guid.
    SELECT process_type FROM crmc_bpo_prctype INTO TABLE lt_proc_type
      WHERE budget_tran_type IN ('TRANSFER', 'ABTRANS').
    IF NOT lt_proc_type IS INITIAL.
      SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid "#EC CI_NOWHERE
        FOR ALL ENTRIES IN lt_proc_type
        WHERE object_type = 'BUS2000402'
          AND process_type = lt_proc_type-process_type.
    ENDIF.
*   merge the results
    APPEND LINES OF lt_object_guid TO ex_object_guid_table.
  ENDIF.

* select all Budget Posting Objects BUS2000402 of type Extension and Renewal.
  IF iv_bpo_for_change_with_stat NE space.
    CLEAR: lt_proc_type, lt_object_guid.
    SELECT process_type FROM crmc_bpo_prctype INTO TABLE lt_proc_type
      WHERE budget_tran_type IN ('EXTEND', 'RENEW').
    IF NOT lt_proc_type IS INITIAL.
      SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid "#EC CI_NOWHERE
        FOR ALL ENTRIES IN lt_proc_type
        WHERE object_type = 'BUS2000402'
          AND process_type = lt_proc_type-process_type.
    ENDIF.
*   merge the results
    APPEND LINES OF lt_object_guid TO ex_object_guid_table.
  ENDIF.

* select all Fund Objects BUS2000401
  IF iv_fund_request NE space.
    SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid "#EC CI_NOFIELD
      WHERE object_type = 'BUS2000401'.
*   merge the results
    APPEND LINES OF lt_object_guid TO ex_object_guid_table.
  ENDIF.

* select all Claims objects BUS2000311
  IF iv_claim_request NE space.
    SELECT guid FROM crmd_orderadm_h INTO TABLE lt_object_guid "#EC CI_NOFIELD
      WHERE object_type = 'BUS2000311'.
*   merge the results
    APPEND LINES OF lt_object_guid TO ex_object_guid_table.
  ENDIF.
ENDFUNCTION.


5.3.3. Method IF_CRM_ACE_ACTORS_FROM_USER ~ GET_ACTORS_FROM_OBJECTS

This method prepares the related partner functions which are needed to map Actors to Objects.

METHOD if_crm_ace_actors_from_object~get_actors_from_objects.
  CONSTANTS: lc_actity_fct   TYPE crmt_partner_fct VALUE '00000009',
             lc_owner_fct    TYPE crmt_partner_fct VALUE '00000022',
             lc_prospect_fct TYPE crmt_partner_fct VALUE '00000021',
             lc_emp_resp_fct TYPE crmt_partner_fct VALUE '00000014'.

  DATA: lt_partner_pft TYPE crmt_partner_fct_tab,
        ls_partner_pft TYPE crmt_partner_fct.

* assign partner function
  ls_partner_pft = lc_actity_fct.
  INSERT ls_partner_pft INTO TABLE lt_partner_pft.
  ls_partner_pft = lc_owner_fct.
  INSERT ls_partner_pft INTO TABLE lt_partner_pft.
  ls_partner_pft = lc_prospect_fct.
  INSERT ls_partner_pft INTO TABLE lt_partner_pft.
  ls_partner_pft = lc_emp_resp_fct.
  INSERT ls_partner_pft INTO TABLE lt_partner_pft.

  CALL FUNCTION 'ZCRM_ACE_GET_10_OWNER'
    EXPORTING
      objects         = it_object_guids
      partner_pft_tab = lt_partner_pft
    IMPORTING
      actor_ids       = et_actor_ids
      failed_objects  = et_failed_objects.
ENDMETHOD.

Function Module: ZCRM_ACE_GET_1O_OWNER
This function module looks up the partner functions of each transaction and maps them to Actors.

FUNCTION zcrm_ace_get_10_owner.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     REFERENCE(OBJECTS) TYPE CRMT_ACE_OBJECT_GUID
*"     REFERENCE(PARTNER_PFT_TAB) TYPE CRMT_PARTNER_FCT_TAB
*"  EXPORTING
*"     REFERENCE(ACTOR_IDS) TYPE CRMT_ACE_OBJECT_ACTORS
*"     REFERENCE(FAILED_OBJECTS) TYPE CRMT_ACE_OBJECT_GUID
*"----------------------------------------------------------------------
  DATA: lt_objects       TYPE crmt_inherit_guid_struc_tab,
        lt_partners      TYPE crmt_partner_external_wrkt,
        ls_object_actor  TYPE crms_ace_object_actors,
        ls_actor         TYPE crms_ace_actor_id,
        lt_actor         TYPE crmt_ace_actor_id,
        lt_uname         TYPE crmt_ace_actor_id,
        ls_failed_object TYPE crms_ace_object_guid,
        lv_user          TYPE sy-uname.

  FIELD-SYMBOLS: <fs_partner>     TYPE crmt_partner_external_wrk,
                 <fs_partner_pft> TYPE crmt_partner_fct,
                 <fs_object>      TYPE crmt_inherit_guid_struc.

  RANGES: rt_partner_pft FOR <fs_partner>-ref_partner_fct.

* build a range from the requested partner functions
  IF partner_pft_tab[] IS INITIAL.
    EXIT.
  ELSE.
    rt_partner_pft-sign   = 'I'.
    rt_partner_pft-option = 'EQ'.
    LOOP AT partner_pft_tab ASSIGNING <fs_partner_pft>.
      rt_partner_pft-low = <fs_partner_pft>.
      APPEND rt_partner_pft.
    ENDLOOP.
  ENDIF.

  lt_objects[] = objects[].

* read the partners of all objects in one call
  CALL FUNCTION 'CRM_PARTNER_READ_MULTI_OB'
    EXPORTING
      it_ref_objects  = lt_objects
    IMPORTING
      et_external_wrk = lt_partners.

  LOOP AT lt_objects ASSIGNING <fs_object>.
    CLEAR lt_actor[].
    READ TABLE lt_partners WITH KEY ref_guid = <fs_object>-guid
      BINARY SEARCH TRANSPORTING NO FIELDS.
    IF sy-subrc EQ 0.
      LOOP AT lt_partners FROM sy-tabix ASSIGNING <fs_partner>
        WHERE ref_guid        = <fs_object>-guid
          AND ref_handle      = space
          AND ref_kind        = 'A'
          AND ref_partner_fct IN rt_partner_pft.
        IF <fs_partner>-ref_guid NE <fs_object>-guid.
          EXIT.
        ENDIF.
*       read user name; clear first so that a failed lookup cannot
*       reuse the user name of the previous partner
        CLEAR lv_user.
        CALL FUNCTION 'BP_CENTRALPERSON_GET'
          EXPORTING
            iv_bu_partner_guid  = <fs_partner>-bp_partner_guid
          IMPORTING
            ev_username         = lv_user
          EXCEPTIONS
            no_central_person   = 1
            no_business_partner = 2
            no_id               = 3
            OTHERS              = 4.
        APPEND lv_user TO lt_actor.
      ENDLOOP.
      IF sy-subrc EQ 0.
        IF NOT lt_actor IS INITIAL.
          DELETE ADJACENT DUPLICATES FROM lt_actor COMPARING actor_id.
*         add the higher-level users from the organization table
          CALL FUNCTION 'ZGY_ACE_READ_ORG_USER'
            CHANGING
              ct_actor_id = lt_actor.
          IF NOT lt_actor IS INITIAL.
            CLEAR ls_object_actor.
            ls_object_actor-object_guid = <fs_object>-guid.
            ls_object_actor-actors      = lt_actor.
            APPEND ls_object_actor TO actor_ids.
          ELSE.
            CLEAR ls_failed_object.
            ls_failed_object-object_guid = <fs_object>-guid.
            APPEND ls_failed_object TO failed_objects.
          ENDIF.
        ENDIF.
      ELSE.
        CLEAR ls_failed_object.
        ls_failed_object-object_guid = <fs_object>-guid.
        APPEND ls_failed_object TO failed_objects.
      ENDIF.
    ENDIF.
  ENDLOOP.
ENDFUNCTION.


Function Module: ZGY_ACE_READ_ORG_USER
This function module reads the users who are allowed to view and process the Transactional Data.

FUNCTION zgy_ace_read_org_user.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  CHANGING
*"     REFERENCE(CT_ACTOR_ID) TYPE CRMT_ACE_ACTOR_ID OPTIONAL
*"----------------------------------------------------------------------
  DATA: ls_itab TYPE zgy_ace_ic_org,
        lt_itab TYPE TABLE OF zgy_ace_ic_org.

  DATA: ls_actor_id TYPE crms_ace_actor_id,
        lt_actor_id TYPE crmt_ace_actor_id.

  CHECK ct_actor_id IS NOT INITIAL.
  lt_actor_id = ct_actor_id.
  REFRESH: lt_itab, ct_actor_id.

  LOOP AT lt_actor_id INTO ls_actor_id.
    CLEAR ls_itab.
    REFRESH lt_itab.
    SELECT * FROM zgy_ace_ic_org INTO TABLE lt_itab
      WHERE level3 = ls_actor_id-actor_id.
    IF sy-subrc = 0.
*     convert 3rd level user name to BP guid
*     read level 2 that related to level 3 users
      CLEAR ls_itab.
      LOOP AT lt_itab INTO ls_itab.
        APPEND ls_itab-level2 TO ct_actor_id.
        APPEND ls_itab-level1 TO ct_actor_id.
        APPEND ls_itab-level0 TO ct_actor_id.
      ENDLOOP.
      APPEND ls_itab-level3 TO ct_actor_id.
    ELSE.
*     3rd level user not found
*     look up user name in 2nd level
      CLEAR ls_itab.
      REFRESH lt_itab.
      SELECT * FROM zgy_ace_ic_org INTO TABLE lt_itab
        WHERE level2 = ls_actor_id-actor_id.
      IF sy-subrc = 0.
        " append the level 1 and level 0 user names
        LOOP AT lt_itab INTO ls_itab.
          APPEND ls_itab-level1 TO ct_actor_id.
          APPEND ls_itab-level0 TO ct_actor_id.
        ENDLOOP.
        APPEND ls_itab-level2 TO ct_actor_id.
      ELSE.
*       2nd level user not found
*       look up user name in 1st level
        SELECT * FROM zgy_ace_ic_org INTO TABLE lt_itab
          WHERE level1 = ls_actor_id-actor_id.
        IF sy-subrc = 0.
          LOOP AT lt_itab INTO ls_itab.
            APPEND ls_itab-level0 TO ct_actor_id.
          ENDLOOP.
*         appended after the loop, as in the branches above: before the
*         loop ls_itab is still initial and level1 would be blank
          APPEND ls_itab-level1 TO ct_actor_id.
        ELSE.
*         1st level user not found
*         look up user name in level 0
          SELECT SINGLE * FROM zgy_ace_ic_org INTO ls_itab
            WHERE level0 = ls_actor_id-actor_id.
          IF sy-subrc = 0.
            APPEND ls_itab-level0 TO ct_actor_id.
          ENDIF.
        ENDIF.
      ENDIF.
    ENDIF.
  ENDLOOP.

* remove duplicates and blank user names
  SORT ct_actor_id BY actor_id ASCENDING.
  DELETE ADJACENT DUPLICATES FROM ct_actor_id.
  DELETE ct_actor_id WHERE actor_id = ''.
ENDFUNCTION.


6. Appendix
