Access Rights for Roles

You want to:

  • Guarantee access rights

  • Manage a set of users or groups within their assigned area of responsibility

  • Block access to business objects for other parts of the organization

The administration tool lets you guarantee access rights for subsets of users to assigned objects.

As the administrator, you use the relationships between the business objects and users in order to enable individual roles and user groups to access the objects.

Using the levels of read access, change access, and full access, the administrator can define the access rights for every role and every relationship. Full access includes reading, writing, and deleting as possible actions; change access includes reading and writing.

The table shows the administration interface for defining access rights. A right is the assignment of relationships to groups of roles and users, and the definition of actions for this assignment.

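| Right | User Group        | Object Type | Rule ID                     | Action Group |
|-------|-------------------|-------------|-----------------------------|--------------|
| R314  | All partner roles | Lead        | TransactionCreatedByPartner | Read         |
| R315  | Partner managers  | Lead        | TransactionCreatedByPartner | Change       |
| R316  | All partner roles | Lead        | LeadCreatedByMySelf         | Full         |
| R317  | All partner roles | Opportunity | TransactionCreatedByPartner | Full         |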

The entries in the table have the following meanings:

  • "All partner roles" is a group of roles that includes all partner roles (partner managers, partner employees, partner administrators, ...)

  • LeadCreatedByMySelf is the relationship: Lead – Business Partner: Contact – User.

  • TransactionCreatedByPartner is the relationship:

    • Business transaction – Business partner: Contact – Business partner: Company

      and

    • Business partner: Company – Business partner: Contact – User

The relationships in the rights are relative to the users in the role. This means, for example, if user Miller is the partner manager and contact for the company SAMPLECO, then access right R315 allows user Miller to change all business transactions for SAMPLECO. All business transactions with relationships to contacts for other partner companies have no relationship to the company SAMPLECO, so Miller has no access to these business transactions.
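The following sketch is an added example, not SAP ACE code or its API: it models the four rights from the table and resolves the two relationships relative to the user, as in the Miller/SAMPLECO case. The function names, the users, contacts and objects other than Miller and SAMPLECO, and the choice to union the actions of all matching rights are assumptions made for illustration.

```python
# Added illustration: constructed model of the rights table, not SAP ACE code.
ACTION_GROUPS = {"Read": {"read"}, "Change": {"read", "write"},
                 "Full": {"read", "write", "delete"}}
ROLE_GROUPS = {
    "All partner roles": {"partner manager", "partner employee", "partner administrator"},
    "Partner managers": {"partner manager"},
}
RIGHTS = [  # (right, user group, object type, rule ID, action group)
    ("R314", "All partner roles", "Lead", "TransactionCreatedByPartner", "Read"),
    ("R315", "Partner managers", "Lead", "TransactionCreatedByPartner", "Change"),
    ("R316", "All partner roles", "Lead", "LeadCreatedByMySelf", "Full"),
    ("R317", "All partner roles", "Opportunity", "TransactionCreatedByPartner", "Full"),
]
# Constructed sample data (only Miller and SAMPLECO come from the page).
CONTACT_COMPANY = {"C_MILLER": "SAMPLECO", "C_JONES": "SAMPLECO", "C_SMITH": "OTHERCO"}
USERS = {"MILLER": ("C_MILLER", "partner manager"),   # user -> (contact, role)
         "JONES": ("C_JONES", "partner employee")}
OBJECTS = {"LEAD-1": ("Lead", "C_JONES"),             # object -> (type, creating contact)
           "LEAD-2": ("Lead", "C_SMITH"),
           "OPP-1": ("Opportunity", "C_MILLER")}

def created_by_myself(user_contact, obj_contact):
    # Lead - Business Partner: Contact - User
    return obj_contact == user_contact

def created_by_partner(user_contact, obj_contact):
    # Transaction - Contact - Company, and Company - Contact - User
    company = CONTACT_COMPANY.get(obj_contact)
    return company is not None and company == CONTACT_COMPANY.get(user_contact)

RULES = {"LeadCreatedByMySelf": created_by_myself,
         "TransactionCreatedByPartner": created_by_partner}

def allowed_actions(user, obj_id):
    """Union of actions from every matching right; no match means no access."""
    if user not in USERS or obj_id not in OBJECTS:
        return set()
    user_contact, role = USERS[user]
    obj_type, obj_contact = OBJECTS[obj_id]
    actions = set()
    for _right, group, rtype, rule, action_group in RIGHTS:
        if (role in ROLE_GROUPS[group] and rtype == obj_type
                and RULES[rule](user_contact, obj_contact)):
            actions |= ACTION_GROUPS[action_group]
    return actions

def visible_objects(user, obj_type):
    """Runtime filter: objects of the given type that the user may read."""
    return sorted(o for o, (t, _) in OBJECTS.items()
                  if t == obj_type and "read" in allowed_actions(user, o))
```

In this model Miller can read and change LEAD-1, which a SAMPLECO contact created, but cannot delete it, because only R316 grants full access to a lead and it requires that the user created the lead.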

Access Control at Runtime

ACE provides consistent implementation of access control for the most important SAP Customer Relationship Management (SAP CRM) business objects.

Example

A user is logged on and starts a product selection. SAP CRM checks the user’s access rights to products and provides only the products for which the user does not have any read restrictions.
