SAP CRM-ACE refers to the Access Control Engine and this is a framework which is used for evaluating the user.
Dependent access rights on object level. The channel management enables it to originate the ACE; and works on the PCUI functionalities. However, if the user wants to use it with the other environment like IC Web client or through the SAP GUI then it may not function appropriately.
The Access Control Engine (ACE) in SAP Customer Relationship Management (SAP CRM) is referred to as an additional authorization concept which exists in parallel to the SAP authorization concept. The user can implement ACE independent from the SAP authorization concept, however for saving time and effort when the user creates ACE user groups, he can reuse the authorization roles (PFCG roles) which were defined in the SAP authorization concept.
While the user can utilize the SAP authorization concept for limiting the user access to transactions (like creating an order) and activities for an object type (like creating or deleting an order), ACE provides a framework which can be used by the user for controlling the user access to individual business objects and the usage of those business objects. The user can define which users get to see which business objects and if those users are authorized for reading, editing or deleting those business objects.
For example, the user must specify the role i.e. if some user wants to view the data from sales organization. The user should have 30 roles if he has 30 sales organizations. This is known as static authorizations. In ACE if the user wants to view all the customers using for the sales area to which they are linked in to, the user should clearly specify the role to all the users. Which means, if the user has 30 sales organizations he should have only one role. If the user wants to modify the sales rep from one organization to another, he is not required to modify the user authorizations, these authorizations are referred to as dynamic authorizations.
An actor is a basic element, used in the concept of ACE. This can be defined as the linking and filtering between the use and the object. The actor regulates whether the user had a better option to view the object or not.
CRM Ace Functionality
The following functions are available in ACE:
- ACE provides an administrative tool for all rights and rules which influence the access control. The administrator can typically assign these rights and rules to users and roles.
- ACE provides support by altering the changing user integration in business operations, like modifying the role or the organizational unit. The new access control for users is calculated in day-to-day operation or asynchronously (time-shifted). An administration tool supports the changes to access control, incase a reorganization affects many participants.
- ACE gives users temporary full access to new objects which have been created. The system initiates a process in the background meant for calculating the rules-based access control for these objects when the users save. The resulting user access rights provide a substitute for the temporary full access.
- The system modifies the access control for changed objects during the runtime. All of this is done by a process in the background. The new access control is quite an effective post delay.
- ACE comes in with a buffer for the previously calculated access control information. The user can utilize the buffer for checking as well as monitoring the access control during the runtime.
- The user can define the relationship between the objects and users, for instance, for organizational units, partner companies, areas, or product lines. The user can define access rights, for e.g. so that employees of a partner company can access business objects which were created in that partner company, however, cannot access business objects which were created in other partner companies.
- ACE has been designed as an add-on and can be used in various ways for taking advantage of the business knowledge available in SAP CRM. The ACE framework serves all add-ons centrally. The user can develop new add-ons for special enterprise requirements as required.