VC_ACE_RIGHTS - Create Rights

This documentation is copyright by SAP AG.

Creating Work Packages and Assigning Objects to a Work Package

A work package is an organizational unit of the Access Control Engine (ACE), which combines user groups and enables them for one or several object types.

The superobject type assignment ensures that users of the user group(s) are only active ACE users of the respective superobject types and their subobjects. For information about active ACE users, see chapter Active ACE Users in this document.

  • Create a work package
  • Assign the superobject type to a work package

Create User Groups and Assign Members to a User Group

You can create user groups and assign users to them either as single users, or as members of a role, or as members of another user group. The aim is to give users authorizations for objects.

User groups are assigned to work packages.

Note:

Because a user group can be assigned to one work package only, assigning user groups to other user groups may result in non-unique package assignments. For example, group G1 is assigned to package P1. Additionally, group G1 is assigned to group G2, which in turn is assigned to package P2. The relationship of the user group to package P1 is therefore not valid, because the user group is also assigned to package P2 through the assignment to group G2. As a result, user group G1 is not assigned uniquely.

    P2    P1
    |     |
    G2    |
     \   /
      G1

You can perform this validity check of user groups by using the activity Activate/Deactivate Work Packages and Rights.
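The G1/G2 case from the note, as an added example: a Python model written for this page, not SAP code and not the ACE data model. The dictionaries `package_of` and `member_of`, the function names, and the groups G3 and G4 are assumptions made for illustration. The sketch resolves nested group assignments and reports every user group that reaches more than one work package.

```python
# Illustrative model only; the names and data structures are assumptions,
# not SAP's implementation of the ACE validity check.

def effective_packages(group, package_of, member_of):
    """Return every work package a user group reaches, either directly or
    through the groups it has been added to as a type-G element."""
    packages, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:              # guards against cyclic group nesting
            continue
        seen.add(g)
        if g in package_of:        # direct assignment (at most one per group)
            packages.add(package_of[g])
        stack.extend(member_of.get(g, ()))
    return packages


def non_unique_groups(package_of, member_of):
    """Map each group with more than one effective package to those packages."""
    groups = set(package_of) | set(member_of)
    for parents in member_of.values():
        groups |= set(parents)
    result = {}
    for g in sorted(groups):
        reached = effective_packages(g, package_of, member_of)
        if len(reached) > 1:
            result[g] = sorted(reached)
    return result


# Constructed sample data mirroring the note: G1 -> P1, G1 in G2, G2 -> P2.
# G3 and G4 are added here to show that cyclic nesting does not loop forever.
PACKAGE_OF = {"G1": "P1", "G2": "P2", "G3": "P3"}
MEMBER_OF = {"G1": {"G2"}, "G3": {"G4"}, "G4": {"G3"}}

if __name__ == "__main__":
    for group, pkgs in non_unique_groups(PACKAGE_OF, MEMBER_OF).items():
        print(f"{group}: not uniquely assigned, reaches {', '.join(pkgs)}")
```
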

  • Create a user group and assign it to a work package
  • Then assign the users to the user group. You can select from the following ACE User Group Element Types when assigning User Group Elements to User Group IDs:
      • U = User: If you select User, enter the User that was created in transaction SU01 in the field User Group Element.
      • G = User group: If you select User Group, enter an ACE user group in the field User Group Element.
      • R = Role: If you select Role, enter the Role that was created in the transaction PFCG in the field User Group Element.

Active ACE Users

Definition

A user is an active ACE user if he or she is a member of an activated ACE user group.

ACE user groups are activated by activating the ACE work packages to which they are assigned. As superobject types are assigned to the ACE work packages and therefore also to the related user groups, an ACE user can be active for specific object types. Conversely, a user can also be inactive for specific object types, if he or she is not assigned to them via ACE user groups and ACE work packages.

Description of the Authorization Check

During every authorization query to the ACE, the system checks whether the user for whom the authorization query is performed is an active ACE user for the transferred object type. If the user is an active ACE user, the authorization query continues. If not, the check is cancelled and the ACE permits the access. The ACE therefore restricts only active ACE users: for a user who is not active for the transferred object type, the ACE check does not deny access.

Create Rights

Rights are used to link objects with users and actions. When you activate rights by using the activity Activate/Deactivate Work Packages and Rights, authorization data is calculated and stored in database tables.

You use a right to make the connection between a rule, which provides the objects as well as the actors, and the users, who are stored in the right via the user group. The right also defines the possible actions that the user can execute with the objects of the rule.

Furthermore, you can specify a validity period for the rights and hence control them chronologically.

Prerequisites:

You have already created the following objects:

  • Rules
  • User groups
  • Action groups
