
Access Rights for Roles

You want to:

  • Guarantee access rights

  • Manage a number of users or groups within their assigned area of responsibility

  • Block access to business objects for other parts of the organization

The administration tool lets you guarantee access rights for subsets of users to assigned objects.

As the administrator, you use the relationships between the business objects and users to enable individual roles and user groups to access the business objects.

Using the levels of read access, change access, and full access, the administrator can define the access rights for every role and every relationship. Full access includes reading, writing, and deleting as possible actions; change access includes reading and writing.

You define access rights in the Customizing activity Create Rights, in the dialog structure Right Definition. A right is the assignment of relationships to groups of roles and users, and the definition of actions for this assignment.

The following table lists examples of access rights:

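| Right ID | User Group        | Object Type | Rule ID                     | Action Group ID |
|----------|-------------------|-------------|-----------------------------|-----------------|
| R314     | All partner roles | Lead        | TransactionCreatedByPartner | Read            |
| R315     | Partner managers  | Lead        | TransactionCreatedByPartner | Change          |
| R316     | All partner roles | Lead        | LeadCreatedByMySelf         | Full            |
| R317     | All partner roles | Opportunity | TransactionCreatedByPartner | Full            |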

The entries in the table have the following meanings:

  • "All partner roles" is a group of roles that includes all partner roles (partner managers, partner employees, partner administrators, and so on).

  • LeadCreatedByMySelf is the relationship: Lead – Business Partner: Contact – User.

  • TransactionCreatedByPartner is the relationship:

    • Business transaction – Business partner: Contact – Business partner: Company

      and

    • Business partner: Company – Business partner: Contact – User

The relationships in the rights are relative to the users in the role. This means, for example, if user Miller is the partner manager and contact for the company SAMPLECO, then access right R315 allows user Miller to change all business transactions for SAMPLECO. All business transactions with relationships to contacts for other partner companies have no relationship to the company SAMPLECO, so Miller has no access to these business transactions.
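The following Python sketch models how the four rights in the table combine for a user such as Miller. It is an added example, not SAP code and not the ACE implementation. The class names, the role names, the simplified rule checks, and the assumption that matching rights add up (with no match meaning no access) are all illustrative.

```python
from dataclasses import dataclass

# Action groups as the page defines them: change = read + write, full adds delete.
ACTIONS = {"Read": {"read"}, "Change": {"read", "write"},
           "Full": {"read", "write", "delete"}}

# Role groups; the role names are constructed from the page's description.
GROUPS = {"All partner roles": {"partner manager", "partner employee",
                                "partner administrator"},
          "Partner managers": {"partner manager"}}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    company: str            # company this user is a contact for

@dataclass(frozen=True)
class Obj:
    obj_type: str           # "Lead" or "Opportunity"
    contact: str            # contact (user) linked to the object
    company: str            # company of that contact

# Rules are evaluated relative to the user (simplified relationship walks).
RULES = {
    "LeadCreatedByMySelf": lambda u, o: o.contact == u.name,
    "TransactionCreatedByPartner": lambda u, o: o.company == u.company,
}

# The four rights from the table: ID, user group, object type, rule, action group.
RIGHTS = [
    ("R314", "All partner roles", "Lead", "TransactionCreatedByPartner", "Read"),
    ("R315", "Partner managers", "Lead", "TransactionCreatedByPartner", "Change"),
    ("R316", "All partner roles", "Lead", "LeadCreatedByMySelf", "Full"),
    ("R317", "All partner roles", "Opportunity", "TransactionCreatedByPartner", "Full"),
]

def allowed_actions(user, obj):
    """Union of actions from every matching right (assumed); no match, no access."""
    granted = set()
    for _rid, group, obj_type, rule, action_group in RIGHTS:
        if (user.role in GROUPS[group] and obj.obj_type == obj_type
                and RULES[rule](user, obj)):
            granted |= ACTIONS[action_group]
    return granted

def visible(user, objects):
    """Runtime-style filter: keep only the objects the user may read."""
    return [o for o in objects if "read" in allowed_actions(user, o)]
```

With Miller as a partner manager for SAMPLECO, a colleague's SAMPLECO lead yields read and write, Miller's own lead yields full access, and a lead tied to another company yields nothing.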

Access Control at Runtime

The Access Control Engine (ACE) provides consistent implementation of access control for the most important business objects in SAP Customer Relationship Management (SAP CRM).

Example

A user is logged on and starts a product selection. SAP CRM checks the user’s access rights to products and provides only the products for which the user does not have any read restrictions.
