Setting Up Authorizations

Investigative case management (ICM) authorizations apply a combination of the standard static authorization subsystem and the newer Access Control Engine (ACE) framework.

You make the settings required for authorizations in Customizing for Customer Relationship Management under Start of the navigation path Industry-Specific Solutions Next navigation step Public Sector Investigative Case Management General Settings Authorizations End of the navigation path

For information about the standard static authorization subsystem, see Case Authorizations.

To ensure the integrity of the ICM authorization business rules, you should familiarize yourself with the ACE subsystem. For more information about ACE, see CRM Access Control Engine.

Note Note

The RESTRICTIVE _MODE parameter in Customizing for Customer Relationship Management under Start of the navigation path Basic Functions Next navigation step Access Control Engine Maintain General Parameters End of the navigation path is mandatory for ICM. The system performs a check when users assigned to the Detective business role logon. The RESTRICTIVE_MODE parameter must be activated to ensure that all users are subject to ACE.

End of the note.

Features

ICM authorizations are granted based on the following:

Step	Description	UI	More Information
Security levels	Security levels restrict access to confidential entities within ICM by establishing a threshold.	Customizing	Customer Relationship Management Industry-Specific Solutions Public Sector Investigative Case Management General Settings Authorizations Define Security Levels
Staff and units	If you are assigned to a case or lead you automatically have read and edit authorization.	CRM WebClient UI	Case or Lead overview page
Hidden attribute	Hidden cases, leads, business partners and locations can only be viewed and edited by users that are assigned to the case or lead, independent of the security level assigned to the user.	CRM WebClient UI	Case or Lead overview page

Example

The following are some examples of how standard static authorization object attributes and the Access Control Engine (ACE) framework are combined to determine ICM authorizations:

You can view all volume crime cases (for example, robberies and assaults), but you cannot view homicide cases.
You can view all persons, locations, and activities assigned to a case, but you cannot view those classified as Top Secret.
You can create relationships of a type is a close friend of, but you cannot create relationships of a type is informant to.
You can view all persons, but you cannot view their profiles.
You can view all cases, but you cannot view a particular case that involves a government official.
You can only maintain cases that are assigned to you by your supervisor.

In each of these examples ACE compares your security levels for each entity to those that have been established as authorization thresholds for each entity. The security levels are stored as standard static authorization object attributes.