Welcome to CY Consulting,

  a professional SAP Solution consulting company
  aligning with you for your better business.

Access Control Engine (ACE) for CRM Authorization

   ACE Overview

The CRM Access Control Engine (ACE) controls access to, and use of, business objects. Access control is based on a combination of rules and rights that you can adjust individually to your internal organizational structures.

ACE is practical when you want to control, at object level, which users have read, write, and/or delete access.

The user only sees the objects to which ACE grants him or her access. However, the user does not see the ACE functions on the screen and does not consciously perceive the ACE.

ACE is of interest to large organizations because it uses organizational units that mirror territory management very well. In other areas, the advantage lies in the versatility of the business hierarchies in including external partners in internal business.



The following functions are available to you in ACE:

● ACE provides an administrative tool for all rights and rules that govern access control. The administrator can assign these rights and rules to users and roles.

● ACE supports the changes in user integration in business operations, such as changing the role or organizational unit. The new access control for users is calculated in day-to-day operation or asynchronously (time-shifted). If reorganization affects a large number of participants, an administration tool supports the changes to access control.

● ACE allows control of newly created objects during runtime. The system calculates the access control for these objects asynchronously.

● The system changes the access control for updated objects during runtime. This is done by a process in the background. The new access control comes into effect with a delay.

● ACE has a buffer for previously calculated access control information. You can use the buffer to check and monitor the access control during runtime.

● You can define the relationship between objects and users, for example, for organizational units, partner companies, areas, or product lines. You can define access rights, for example, so that employees of a partner enterprise can access business objects that were created in this partner enterprise, but cannot access business objects that were created in other partner enterprises.

● The ACE has been designed as an add-on. It can be used in many different ways to take advantage of the business knowledge available in the CRM system. The ACE framework serves all add-ons centrally. You can develop new add-ons for special enterprise requirements as necessary.


   ACE General Concepts

Large and complex (international) CRM installations all face the same problem: how do we show users only the data that they need to see? We don’t mean authorizations related to functionality, but authorizations related to business content. Imagine you run a big business and have a million customers worldwide. A sales rep responsible for a group of customers in Belgium should not see any customers from Asia in his search results. Likewise, a sales rep with responsibility for a certain branch should not be bothered with customers of other branches. Furthermore, if the structure of the sales organisation changes, you don’t want to end up changing all kinds of authorization profiles.

To solve these issues, SAP came up in CRM for the PCUI with a pretty nice solution: CRM-ACE. This stands for Access Control Engine and is a framework to calculate user-dependent access rights at object level. It originates from Channel Management but works in all PCUI functionalities. ACE now works for the SAP CRM Web UI as well.

Difference with ‘normal’ authorizations
What is the real difference with the ‘normal’ authorization concept we are all familiar with? In this traditional concept you have to specify all values in the role, e.g. the sales organisation whose data the user is allowed to see. If you have 30 sales organisations you need 30 roles. These are static authorizations. In ACE you can specify in one role that all users who have this role can see customers for the sales area to which they are linked. So with 30 sales organisations you only need one role. If a sales rep moves from one organisation to another you don’t even need to change his authorizations. These are dynamic authorizations.

The concept of ACE
The basic element in the concept of ACE is the actor. Put most simply, the actor is the linking and filtering element between the user and the object. The actor determines whether the user should see the object or not. As an example, look at the following picture, which explains the scenario in which a user is only allowed to see business partners where he is in the sales team. The user is linked to an employee, and these employees are stored in the sales teams of the business partners.


From the user’s perspective you can determine the employee ID which is in the sales team. From the business partner’s perspective you can likewise see who is in its sales team. If both of them match, the user can see the object. If you understand the concept of the actor, you already understand 75% of ACE.

How the actor is determined from both perspectives is stored in a rule. Three methods are defined here: how to determine the actors from the user, how to determine the actors for an object, and a method to specify which objects to take into account in the first place. This is shown in the following picture:


An ACE rule is a combination of a role and an action (read, write, delete). You can assign these rules to ACE user groups, which you can link to individual users or, in most cases, to dummy ‘normal’ authorization roles which you can assign in the user master.

The nice thing about the concept of ACE is that when you activate it, it fills the ACE tables with data, so that later, during runtime, it can determine very quickly who is allowed to see which data objects. Basically, it determines beforehand, for all users and for all objects, what their actors are and stores this in tables. During runtime it knows your user, so it can quickly read your actors and then read all objects which have the same actor. If a new object is created after the activation, it automatically determines the actors in the background and updates the corresponding tables. Really nice!
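The actor matching and precalculation described above can be sketched as a small model. This is an added example, not SAP code: the class names, method names, user IDs and business partner IDs are hypothetical and the sample data is constructed; it assumes one rule (sales team membership) granted for the read action to one user group.

```python
from collections import defaultdict

# Constructed sample data: user -> employee, business partner -> sales team.
EMPLOYEE_OF = {"ANNA": "E1", "BEN": "E2"}
SALES_TEAM = {"BP_BE_01": {"E1"}, "BP_BE_02": {"E1", "E2"}, "BP_ASIA_01": {"E2"}}

class SalesTeamRule:
    """A rule bundles the three determination methods (hypothetical names)."""
    def objects_in_scope(self):           # which objects the rule considers
        return list(SALES_TEAM)
    def actors_from_user(self, user):     # user -> linked employee id
        return {EMPLOYEE_OF[user]} if user in EMPLOYEE_OF else set()
    def actors_from_object(self, bp):     # business partner -> sales team
        return set(SALES_TEAM.get(bp, ()))

class Engine:
    def __init__(self, rule, actions, group_members):
        self.rule, self.actions = rule, set(actions)
        self.members = set(group_members)  # users in the user group
        self.user_actors = {}              # user -> actors, filled at activation
        self.object_actors = {}            # object -> actors
        self.by_actor = defaultdict(set)   # actor -> objects, for fast lookup

    def activate(self):
        """Precompute actors for every group member and every object in scope."""
        self.user_actors = {u: self.rule.actors_from_user(u) for u in self.members}
        for obj in self.rule.objects_in_scope():
            self.recalculate_object(obj)

    def recalculate_object(self, obj):
        """Background step for a new or changed object: refresh its actor rows."""
        for actor in self.object_actors.get(obj, set()):
            self.by_actor[actor].discard(obj)
        self.object_actors[obj] = self.rule.actors_from_object(obj)
        for actor in self.object_actors[obj]:
            self.by_actor[actor].add(obj)

    def visible_objects(self, user, action="read"):
        """Runtime check: objects sharing at least one actor with the user."""
        if action not in self.actions:
            return set()
        found = set()
        for actor in self.user_actors.get(user, set()):
            found |= self.by_actor[actor]
        return found
```

Changing `SALES_TEAM` without calling `recalculate_object` leaves the earlier answer in place, which models the delay the overview mentions for updated objects and is worth monitoring when access is being withdrawn.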

We have been skilled and experienced in CRM ACE since SAP CRM 4.0. Please feel free to contact us for help and more information about authorization for complicated business and large-organization scenarios.

Last Updated: 2009
