
CRM Access Control Engine


The access control engine (ACE) in SAP Customer Relationship Management (SAP CRM) is an additional authorization concept that exists in parallel to the SAP authorization concept. You can implement ACE independently of the SAP authorization concept, but to save time and effort when you create ACE user groups, you can reuse the authorization roles (PFCG roles) that were defined in the SAP authorization concept.

While you can use the SAP authorization concept to limit user access to transactions (such as creating an order) and activities for an object type (such as creating or deleting an order), ACE provides a framework that you can use to control user access to individual business objects and the usage of those business objects. This means that you can define which users see which business objects, and whether those users have the authorization to read, edit, or delete those business objects.

You can see which business objects can be used in the access control engine in Customizing for Customer Relationship Management under Basic Functions → Access Control Engine → ACE-Enabled Objects.

The access control is based on a combination of rules and rights that you can adjust individually for your internal organizational structures.

Users only see the business objects to which ACE grants them access. However, users do not see the ACE functions on the screen and do not consciously notice ACE.

ACE is of interest to large organizations because it uses organizational units that mirror territory management very effectively. In other areas, the advantage lies in the versatility of the business hierarchies in including external partners in internal business.

Example

You can use ACE to define that a partner manager has read authorization and write authorization for her leads, read authorization for the leads of her colleagues, and read authorization and write authorization for all prospects of the company.


Note

When you create an object, access authorization can only be controlled with the SAP authorization concept, because ACE can only access an existing business object.



The following functions are available in ACE:

  • ACE provides an administrative tool for all rights and rules that influence access control. The administrator can assign these rights and rules to users and roles.

  • ACE supports changing user integration in business operations, such as changing the role or organizational unit. The new access control for users is calculated in day-to-day operation or asynchronously (time-shifted). If a reorganization affects a large number of participants, an administration tool supports the changes to access control.

  • ACE first gives users temporary full access to new objects that they create. When users save, the system starts a process in the background to calculate the rules-based access control for these objects. The resulting user access rights replace the temporary full access.

  • The system changes the access control for changed objects during runtime. This is done by a process in the background. The new access control is effective after a delay.

  • ACE has a buffer for previously calculated access control information. You can use the buffer to check and monitor the access control during runtime.

  • You can define the relationship between objects and users, for example, for organizational units, partner companies, areas, or product lines. You can define access rights, for example, so that employees of a partner company can access business objects that were created in that partner company, but cannot access business objects that were created in other partner companies.

  • ACE has been designed as an add-on. It can be used in many different ways to take advantage of the business knowledge available in SAP CRM. The ACE framework serves all add-ons centrally. You can develop new add-ons for special enterprise requirements as necessary.

More Information

Differences Between ACE and the SAP Authorization Concept
  • The SAP authorization concept is registry-based.

  • If there are new users or objects, you must make adjustments to the SAP authorization concept.

  • ACE is based on rules, rights, relationships, and hierarchies.

  • Once the ACE rules and rights are set up, it is not necessary to adjust these rules and rights if there are new or changed users or objects.

  • Since ACE is rules-based, it covers changed relationships and hierarchies.
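The partner-manager example and the rules-based behavior described above, as an added conceptual model in Python. It is not SAP code and does not use any ACE API: every class, function and constant name is hypothetical, the sample users and objects are constructed, and "colleague" is assumed to mean "same organizational unit".

```python
# Conceptual model of rules-based access control as this page describes it.
# All names (User, Right, RIGHTS, rule functions) are hypothetical, not SAP APIs.
from dataclasses import dataclass
from typing import Callable, FrozenSet

@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]   # user groups, e.g. built from PFCG roles
    org_unit: str

@dataclass(frozen=True)
class BusinessObject:
    obj_type: str            # "LEAD" or "PROSPECT"
    owner: str
    org_unit: str

@dataclass(frozen=True)
class Right:
    group: str
    obj_type: str
    rule: Callable[[User, BusinessObject], bool]  # user-to-object relationship
    actions: FrozenSet[str]

# Rules name relationships, never individual users or objects.
def own_object(u, o): return o.owner == u.name
def colleague_object(u, o): return o.org_unit == u.org_unit  # assumption: colleague = same org unit
def any_object(u, o): return True

RIGHTS = [  # the partner-manager example from the page
    Right("PARTNER_MANAGER", "LEAD", own_object, frozenset({"read", "write"})),
    Right("PARTNER_MANAGER", "LEAD", colleague_object, frozenset({"read"})),
    Right("PARTNER_MANAGER", "PROSPECT", any_object, frozenset({"read", "write"})),
]

def allowed_actions(user, obj, rights=RIGHTS):
    """Union of the actions of every right whose group, type and rule match."""
    granted = set()
    for r in rights:
        if r.group in user.groups and r.obj_type == obj.obj_type and r.rule(user, obj):
            granted |= r.actions
    return granted  # empty set: default deny, the object is not visible

# Constructed sample data. CARLA is added later; RIGHTS stays unchanged.
PM = frozenset({"PARTNER_MANAGER"})
ANNA, BEN, CARLA = User("anna", PM, "EMEA"), User("ben", PM, "EMEA"), User("carla", PM, "APJ")
ANNA_LEAD = BusinessObject("LEAD", "anna", "EMEA")
CARLA_LEAD = BusinessObject("LEAD", "carla", "APJ")
PROSPECT = BusinessObject("PROSPECT", "ben", "EMEA")

if __name__ == "__main__":
    for u in (ANNA, BEN, CARLA):
        print(u.name, sorted(allowed_actions(u, ANNA_LEAD)))
```

When reviewing such a rule set, check that no right grants an action by accident through the union of overlapping rules, and that a user without a matching group receives the empty set.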

Information About SAP Authorization Concept

For more information about the SAP authorization concept, see SAP Help Portal under SAP R/3 and R/3 Enterprise → SAP R/3 and R/3 Enterprise 4.70 → SAP NetWeaver Components → SAP Web Application Server → Security → Users and Roles (BC-SEC-USR) → SAP Authorization Concept.