cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Access Control Engine ACE not working as desired

Go to solution
Former Member

on ‎12-16-2008 2:41 PM

0 Kudos

Hello Experts,

I am dealing with an issue concerning Access Control Engine.

After configuring as written in the blog I have a problem with starting the SM37 job.

The functionality seems to work because the search hits are reduced to zero.

Because the job ACE_DISPATCHER was not created the tables aren't filled.

Any suggestion on getting the job available.

Regards.

Ab

Edited by: Ab Diko on Dec 18, 2008 9:25 AM

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

h_duengelhoef
Advisor
Advisor
‎12-22-2008 2:33 PM
0 Kudos

Hi Ab,

may be I should be more precise. I fear that your select on BUT000 is slow and WRONG. You may check the class CL_CRM_ACERULE_ENDCUSTOMER that shows how to do an ACE rule based on a relationship type (even if it is a different one than yours).

Hermann

Show replies
Show replies
Former Member
‎12-22-2008 2:46 PM
0 Kudos

Hello Hermann,

Thanks again, we will check your comment after we have the functionality working. Must say that we building it slightly different then in the blog. We want the check to be on sales org for BP's.

After we got the functionality working we will make the adjustments, but still the question about the empty tables is there.

Thank you very much.

Former Member
‎12-23-2008 7:21 AM
0 Kudos

Hello, Ab!

After job runned go to tcode ACE_RUNTIME, and check data for your superobject type and rule.

Best regards,

Artur Litvinov.

Former Member
‎12-23-2008 10:35 AM
0 Kudos

Hello Artur,

When we call the TC the right actors are found but the tables aren't filled.

This is what I don't understand.

Thanks for your post!

Ab

Answers (3)

Answers (3)

h_duengelhoef
Advisor
Advisor
‎12-23-2008 10:22 AM
0 Kudos

Hi Ab,

sounds like your ACE implementation class do not return the correct actors. You may debug your implementation in SE24 passing in the BP GUID resp. an authorized user id to see if the correct actors are returned. And again I would recommend to check the above mentioned SAP implementation on how ACE implementations are done in general.

Hermann

Show replies
Show replies
Former Member
‎12-23-2008 10:29 AM
0 Kudos

Hi Hermann,

The actors are correctly pulled when we try se24. The ACE_RUNTIME does returns values al though the tables aren't filled.

Thanks for your remark.

Regards, Ab

Former Member
‎12-23-2008 10:38 AM
0 Kudos

In ACE_RUNTIME you can see the result of ACE inplementation, I mean that you can see which users can see which objects. So here you can see if your ACE methods works fine. If there is no data you must check your methods, job and all ACE parameters. If in this table you can see data so ACE works fine, and it is not necessarily that all ACE tables must be filled.

Best regards,

Artur Litvinov.

Former Member
‎12-23-2008 11:01 AM
0 Kudos

Hi Artur,

Your remarks are very helpful. I now get search hits in my UI.

We are getting somewhere! We get the hits for the testuser that is part of the user group but other users get zero hits in the object types. These users should not be affected by the ACE.

Do you know why?

Thanks for you help so far, regards.

Bram

Former Member
‎12-24-2008 9:18 AM
0 Kudos

Sorry, Ab, but I cannot understand you. Can you specify you issue as fully as it possible?

Best regards,

Artur Litvinov.

Former Member
‎12-24-2008 9:48 AM
0 Kudos

Hello Artur,

Thanks for the reply.

What I am trying to say is when the parameter ACE_IS_INACTIVE is set all users will get no more search hits on the UI. So not only the test user but all users.

Isn't the ACE functionality only active for the users in the User Group?

Regards, Ab

Former Member
‎12-24-2008 9:51 AM
0 Kudos

If ACE is active users from user groups will see only objects you allow them to see in your rights. Other users will see all objects.

Best regards,

Artur Litvinov.

Former Member
‎12-24-2008 10:13 AM
0 Kudos

Hi Artur,

Unfortunately this is not the case at our side. I have posted a message at SAP for this prob.

Hope they will come with a solution.

Thanks Ab

Former Member
‎12-24-2008 10:15 AM
0 Kudos

OK, please inform us when your issue will be solved.

Best regards,

Artur Litvinov.

Former Member
‎12-18-2008 12:29 PM
0 Kudos

Hello!

Go to IMG - CRM - Basic Functions - ACE - Prerequisites and do all the necessary steps. When you create ACE_DISPATCHER in Parameter field enter you client.

Best regards,

Artur Litvinov.

Show replies
Show replies
Former Member
‎12-22-2008 2:27 PM
0 Kudos

Hi Artur,

Your direction really helped me on my way. I should read better.

Since you are familiar with the topic maybe you can help me further.

After the right is activated and the job has run the tables (CRM_ACE_BP_GRP and others) still are empty. Since we are struggling for some time with all sorts of auth issues I am quite sure the ACE will meet our requirements.

Hope you can give the solution.

h_duengelhoef
Advisor
Advisor
‎12-18-2008 10:08 AM
0 Kudos

Hi Ab,

I started reading your web log. I stopped when I saw that you select the complete BUT000 table. This is a no no for performance reasons.

SAP ships some ACE rules that control access to business partners by relationship type similar to your scenario. Some SAP rules use the relationship type "is end customer of". This info should be sufficient to find them.

The coding used there may help you on your implementation.

Hope that helps

Hermann

Show replies
Show replies
Former Member
‎12-22-2008 2:22 PM
0 Kudos

Hi Hermann,

Thanks for your reply. This is something I will keep in mind when we are in the testing and my perfomance gets really slow. For now I am trying to get the functionality working. And this is unfortunately not the case.

Thanks

Ask a Question