
CRM_CMG_ACE_IMPL - ACE Implementation for Case Management

This documentation is copyright by SAP AG.

This documentation describes a sample scenario and the steps used to create an Access Control Engine (ACE) implementation in CRM Case Management. By default, SAP delivers the runtime implementation of ACE for Case Management. You can activate or deactivate this as required. This example implements a simple scenario.

The ACE can check the access rights for the actions "read", "write" and "delete" for business objects in their entirety (not at field level) available in the CRM. The ACE rules and rights are customer-specific and should be developed by the customer. For more information on ACE functions, choose Customer Relationship Management -> Basic Functions -> Access Control Engine.

Note: Specific rules are required for ACE. If you want to create your own implementation that is different from the one delivered, define these rules and rights using the IMG activity Create Rules.

Scenario

In this scenario, the ACE authorizations are based on the CRM organizational units. The user is assigned to one or more organizational units via the organizational model created by the following activities:

Note: This scenario does not cover the actions required for these two activities. It assumes the organizational model has already been created.

The case is linked to organizational units via the Business Partner list (the main partner with partner function Responsible Group).

The scenario involves:

  • Actors, which here are organizational units,
  • User contexts, describing organizational units in the context of the user in the ACE,
  • Rules, which here are a set of methods defining how to find the actors of a user, actors of an object, and objects by a filter, in order to calculate the relation between user and business object
  • Rights, which here is the assignment of rules and actions (read, write, delete) to user groups

Additional scenario factors are as follows:

  • The ACE object is the case (the supertype is also the case).
  • The ACE actor is the organizational unit.
  • The ACE actions are Display and Modify.
  • The ACE groups are Service Manager and Service Representative.
  • Service Representatives can only display the cases of their organizational unit.
  • Service Managers can read, modify and delete the cases of their organizational unit.

Users

This scenario has the following users:

  • SERVREP1
  • SERVREP2
  • SERVMAN1

These users are each assigned to three business partners (BP Role Employee), and then the BP employees are assigned to organizational units:

  • SERVREP1 is assigned to Montreal
  • SERVREP2 is assigned to Hamburg
  • SERVMAN1 is assigned to Montreal, Vancouver, and Hamburg

Note: When creating a new organizational unit, a business partner is created only if the switch HRALX/HRAC in the table T77S0 is enabled. (See SAP Note 550055).

Implementing the Scenario

This section describes the settings made and the required steps used in the sample ACE scenario for CRM Case Management.

Creating and Defining the ACE Work Package

  1. You create a new ACE work package. In the IMG choose Customer Relationship Management -> Basic Functions -> Create Rights.
  2. Create new entries and enter the following values:
    1. Work Package ID: SAP_CRM_CMG
    2. Description: Case Management Work Package
  3. You must assign the work package to the object case. Select the work package you just created and go to Object Type Assignment for Work Packages. In the Object Type field enter CASEMANAGEMENTCRM.
  4. Define the ACE User Groups. In this implementation it is SAP_CRM_CMG. Then the User Group Entries are defined.
  5. Under User Group Definition, you create two user group IDs each with a unique description and use the newly created work package ID:
    1. User Group IDs SAP_CRM_CMG_SERV_MAN (service manager for CRM Case Management) and SAP_CRM_CMG_SERV_REP (service representative for CRM Case Management)
    2. Work package SAP_CRM_CMG
  6. For each of the user group IDs you created, you now have to assign them to their groups. You can create multiple entries to assign to the group.

    Define the User Group Entries for each user group ID you created, and define the group. In the sample implementation the user group ID is SAP_CRM_CMG_SERV_MAN, the user group element is SERVMAN1 and the user group element type is User. You can assign users, roles or groups of users.
  7. Define the ACE rights by creating a Right ID. In the sample implementation, two sets of rights are delivered, CASES_OF_MANAGER and CASES_OF_REP. They are assigned their own descriptions but are part of the same object type (CASEMANAGEMENTCRM) and have the same Rule ID (CASES).
Depending on the user groups, you can assign different rights to the different groups. In this implementation the manager group has full access rights (ACT_GRP_FULL - read, write, delete), while the service representative group has only read access (ACT_GRP_READ). You can also specify group read and write access (ACT_GRP_CHANGE).

Assigning Cases

In the sample implementation, a case type is assigned to a partner determination procedure with at least one responsible group.

You do this in the IMG activity Define Partner Determination Procedure (Customer Relationship Management -> Basic Functions -> Partner Processing). See the documentation for more information. After this is completed, the organizational unit is assigned to the case in the business partner list.

Note: In order for the organizational unit to be displayed, the ACE work package has to be activated with the activation tool. In the IMG choose Customer Relationship Management -> Basic Functions -> Access Control Engine -> Activate/Deactivate Work Packages and Rights.

Rules

This section covers the customizing of specific tables for the rules and the interface implementation required for developing the rules.

Customizing Database Tables

In order for the rules to function as needed, the following database tables are customized for the sample ACE implementation. They are all client-independent, except for the last two.

  • CRM_ACE_ACTTYP: Contains the definition for the actor type.
    • Actor Type ID: ORG_UNIT
    • Description: CRM Organizational Unit
  • CRM_ACE_ANGRP and CRM_ACE_ANGRPS: Contain the definitions for actions and action groups (read, write, delete access). You do not need to make any modifications to these tables.
  • CRM_ACE_OTYPES: Contains information on all object types available for the ACE.
    • CRM Object Type: CASEMANAGEMENTCRM
  • CRM_ACE_ST_ACC: For each super type, defines which database tables are to hold the Access Control List, the ACL group, and User Context information. Three tables have been created for Case Management and are part of the standard delivery:
    • Super Type: CASEMANAGEMENTCRM
    • ACL Table Name: CRM_ACE2_CG_ACL
    • GRP Table Name: CRM_ACE2_CG_GRP
    • UCT Table Name: CRM_ACE2_CG_UCT
  • CRM_ACE_U_GRP / CRM_ACE_U_GRPS (client-dependent): The first table contains the definitions of a single user group for each user group ID, whereas CRM_ACE_U_GRPS contains multiple user groups.

Implementing Interfaces

To develop a rule, you have to implement specific interfaces. For this sample implementation, those interfaces are:

  • IF_CRM_ACE_ACTORS_FROM_OBJECT: Ensures that the ACE framework can determine all actors of an object or of a list of objects.
    • This interface has been implemented in class CL_CRM_CMG_ACE_AFO_ORGUNIT.
    • The method GET_ACTORS_FROM_OBJECTS calls the function CRM_CMG_ACE_GET_PARTNER. For each case GUID the function returns the list of organizational units attached to the case.
  • IF_CRM_ACE_ACTORS_FROM_USER: Ensures that the ACE framework can determine all actors of a user.
    • This interface has been implemented in class CL_CRM_CMG_ACE_AFU_ORGUNIT.
    • The method GET_ACTORS_FROM_USER calls the function CRM_CMG_ACE_USER_ORGUNIT_GET. The function returns the list of organizational units attached to the user.
  • IF_CRM_ACE_OBJECTS_BY_FILTER: Ensures that the ACE framework can determine all objects according to this rule's filter.
    • This interface has been implemented in class CL_CRM_CMG_ACE_OBF_ORGUNIT.
    • The method CHECK_OBJECTS_BY_FILTER checks if there is a Main Org Unit attached to the case with the partner function Responsible Group.
    • The method GET_OBJECTS_BY_FILTER returns all cases containing a main business partner with the partner function Responsible Group.

Although each interface has a specific purpose, you can use a single class that implements all these interfaces. Unless specified otherwise, you must implement all interfaces and their corresponding methods as described here.
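The following Python sketch is an added example, not SAP code: it models how the three rule interfaces and the two rights combine into an access decision for this scenario. The case IDs and their organizational units are constructed, the function names are hypothetical stand-ins for the interface methods, and the membership of SERVREP1 and SERVREP2 in the representative group is inferred from the scenario.

```python
# Simplified model of the sample ACE scenario (illustration only, not SAP code).
ACTION_GROUPS = {
    "ACT_GRP_READ": {"read"},
    "ACT_GRP_CHANGE": {"read", "write"},
    "ACT_GRP_FULL": {"read", "write", "delete"},
}
# Right ID -> (rule ID, user group ID, action group), as in the sample rights.
RIGHTS = {
    "CASES_OF_MANAGER": ("CASES", "SAP_CRM_CMG_SERV_MAN", "ACT_GRP_FULL"),
    "CASES_OF_REP": ("CASES", "SAP_CRM_CMG_SERV_REP", "ACT_GRP_READ"),
}
USER_GROUPS = {
    "SAP_CRM_CMG_SERV_MAN": {"SERVMAN1"},
    "SAP_CRM_CMG_SERV_REP": {"SERVREP1", "SERVREP2"},  # inferred from scenario
}
USER_ORG_UNITS = {
    "SERVREP1": {"Montreal"},
    "SERVREP2": {"Hamburg"},
    "SERVMAN1": {"Montreal", "Vancouver", "Hamburg"},
}
# Constructed cases: case ID -> org units with partner function Responsible Group.
CASES = {
    "CASE-001": {"Montreal"},
    "CASE-002": {"Hamburg"},
    "CASE-003": {"Vancouver"},
    "CASE-004": set(),  # no Responsible Group partner assigned
}

def actors_from_user(user):
    """Stand-in for GET_ACTORS_FROM_USER: org units attached to the user."""
    return USER_ORG_UNITS.get(user, set())

def actors_from_object(case_id):
    """Stand-in for GET_ACTORS_FROM_OBJECTS: org units attached to the case."""
    return CASES.get(case_id, set())

def objects_by_filter():
    """Stand-in for GET_OBJECTS_BY_FILTER: cases that have a Responsible Group."""
    return {case_id for case_id, units in CASES.items() if units}

def allowed_actions(user, case_id):
    """Actions rule CASES grants the user on the case, via shared actors."""
    if case_id not in objects_by_filter():
        return set()  # case is outside the rule's filter
    if not actors_from_user(user) & actors_from_object(case_id):
        return set()  # user and case share no organizational unit
    actions = set()
    for _rule_id, group, action_group in RIGHTS.values():
        if user in USER_GROUPS[group]:
            actions |= ACTION_GROUPS[action_group]
    return actions
```

In this model a case without a Responsible Group partner (CASE-004) falls outside the rule's filter, so the rule grants nothing on it even to the manager group.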

Customizing Database Tables for Interface Classes

In order to enable the above mentioned interface classes in this implementation, the following database tables are customized.

  • CRM_ACE_AFO_CL (client-independent): Contains settings for how to find actors of an object.
    • Object Type: CASEMANAGEMENTCRM
    • Actor Type ID: ORG_UNIT
    • AFO Class ID: AFO_CMG_ORGUNIT
  • CRM_ACE_AFU_CL (client-independent): Contains settings for how to find actors of a user.
    • Actor Type ID: ORG_UNIT
    • AFU Class ID: AFU_USER_ORGUNIT
    • AFU Class: CL_CRM_CMG_ACE_AFU_ORGUNIT
    • AFO Class: CL_CRM_CMG_ACE_AFO_ORGUNIT
  • CRM_ACE_OBF_CL (client-independent): Contains settings for how to find objects using a filter.
    • Object Type: CASEMANAGEMENTCRM
    • OBF Class ID: OBF_CMG
    • OBF Class: CL_CRM_CMG_ACE_OBF_ORGUNIT
  • CRM_ACE_RULES (client-independent): Key fields are the object type being used and a rule ID.
    • Object Type: CASEMANAGEMENTCRM
    • Rule ID: Cases
  • CRM_ACE_RIGHTS (client-dependent): The key field ensures that each right (such as read and write access) has a unique ID.
  • CRM_ACE_CUSTOM (client-dependent): Contains indicators controlling the general behavior of the Access Control Engine. In general, you do not need to make any modifications to the contents of this table. Examples of these settings are:
    • switching off the ACE
    • defining the number of seconds until a user context expires





