Show TOC

Process documentationAdministration of the CRM Access Control Engine (ACE) Locate this document in the navigation structure

 

All administration of the Access Control Engine (ACE) is done in Customizing.

Process

You manage ACE in Customizing for Customer Relationship Management under   Basic Functions   Access Control Engine  .

Preparations for Implementing ACE

  • Prerequisites

    In Customizing, check the   Prerequisites   document for information about the following prerequisites for implementing ACE:

    • Authorization objects

      You require special authorization objects for ACE administration.

    • Job processing

      The system uses background processing to calculate the ACE authorization data. For this reason, you must plan a periodic job.

  • Maintain general settings

    Define the ACE parameters in Customizing under   Maintain General Parameters  . You can use these parameters to activate ACE or control ACE background processing, for example.

Create ACE Rules

One of the main elements of ACE are the rules. Among other things, rules determine the objects that ACE controls and the actors for users and objects. You enter rules and their components in Customizing under   Rules   Create Rules  . You also edit the following objects in this Customizing activity:

  • Actions

  • Action groups

  • Superobject types

  • Object types

For a detailed description of the individual elements, see the corresponding documentation.

Create ACE Rights

Another main element of ACE are the rights. Rights link components of the ACE rules with user groups and action groups. Work packages used as higher-level hierarchy nodes link multiple user groups to an organizational unit of ACE. Through unique assignment of user groups to work packages, the rights that are each assigned to a user group are also implicitly assigned to the work packages.

Define the work packages, user groups, and rights in Customizing under   Create Rights  .

For a detailed description of the individual elements, see the corresponding documentation.

Activate ACE Rights

To generate authorization data, you must activate the ACE rights. In doing so, actors are used to link the objects that were defined with rules to the users that were defined with user groups. An object and a user that share the same actor create a relationship. These relationships are stored in the ACE runtime tables and can be called up directly, with no further calculations necessary.

Activate a right in Customizing under   Activate/Deactivate Work Packages and Rights  .

For a detailed description of the activation process, see the corresponding documentation.

Other Customizing Activities

  • Create and Analyze Design Data

    You can use this Customizing activity to view the various ACE elements mentioned above, such as rights and user groups, in a tree structure, in order to analyze them. In addition, you can edit elements and create new ones.

  • Analyze Runtime Data

    This Customizing activity gives you a glimpse of the authorization data that is currently stored in the ACE runtime tables. You can filter by object type, right, user, action, or object, for example.

  • Update User- and Object Context

    You can use this activity to start the context calculation for users and objects manually. Normally, the system calculates the user context periodically and the object context when the object is changed.

    The context creates the ACE-internal links between object and users using actors.