Former Member

Calling Access Control Engine (ACE) and UI Authorization Experts

Hi Experts,

We have implemented most of the scenarios successfully in ACE, but there is one requirement for which we require some expert advice.

As per my understanding, if for object type AccountCRM, ACE is enabled for some user, everything he can see in Account/Contact search and its edit and display access will be guided by ACE.

But in our scenario, we want to give display access to employees and all organizations to all the users in the system, though ACE will be enabled for them. Is there any way by which we can keep some BP role out of ACE purview, so that it applies to all BPs except those in role Employee, and some other role if required? If we do it through ACE, then for all the users (more than 1000) we will be putting a lot of entries in the ACE table, which doesn't look like a good idea.

Also, the second question is: is there any way by which we can restrict only edit access to any BP on the UI other than ACE? Can we use a PFCG role to remove edit access to any BP on the WebUI?

Please help me on the same. It will be highly admired.

Thanks and Regards,

Rohit Khetarpal


3 Answers

  • Best Answer
    Posted on Jun 12, 2009 at 10:42 AM

    Hi Rohit,

    Your understanding of ACE is correct. The central thread, as I see it, in the two queries you have is about using a parallel authorization schema to ACE. The basis authorizations, as far as I know, do not overwrite ACE authorizations. So I do not see how you can exclude a role from ACE purview so that you save on table entries. I mean I do not see an option of using PFCG roles for a few sets of BPs so that they are accessible even though they are not included in ACE. I guess having the entries in the ACE table is the only way for you.

    ACE takes precedence as mentioned in SAP documentation quoted below -

    "...if the basis authorization object does allow "change", but ACE rule(s) does not, the user is not able to change object(s). So it can act as an additional filter of allowed access..."

    About your second query, I am not completely clear on your requirement. You want a different authorization scheme on Web UI and Win GUI? Please elaborate.



    • Former Member Monika Suchy


      Thanks for the reply, I have done complete coding for ACE, so that is not a problem 😊 We thought of looking into this universal actor concept, but somehow couldn't find it much relevant for our case.

      If you have used this concept, could you please post a scenario and solution and how it helped. It would be of great use to us.

      Also, as you have already implemented 2 projects in ACE, what do you generally suggest as a solution to follow: is it better to use ACE, or is it better to restrict the data access using PFCG roles, BAdIs and search enhancements, from both a development and a maintenance point of view?

      If someone can provide this valuable guidance, it would help us immensely in solution designing before start of the project.

      Thanks and Regards,

      Rohit Khetarpal

  • Posted on Jun 07, 2009 at 01:11 PM

    Regarding your 2nd question...

    Yes, you can restrict access to BPs via PFCG role. You can use object CRM_BPROLE to say which BP roles users can use (create, change, display or delete).

    And these authorization objects are also used for authorizing users, to say which data users can maintain/view:

    B_BUPA_ATT - Business Partner: Authorization Types

    B_BUPA_CRI - Business Partner: BP Role Category / Differentiation Type

    B_BUPA_FDG - Business Partner: Field Groups

    B_BUPA_GRP - Business Partner: Authorization Groups

    B_BUPA_RLT - Business Partner: BP Roles

    B_BUPR_BZT - Business Partner Relationships: Relationship Categories

    B_BUPR_FDG - Business Partner Relationships: Field Groups

    B_CCARD - Payment Cards

    B_CLEAR - Data Cleansing


    • Former Member

      Hi all,

      be aware that some standard authorization objects do not work properly in WebUI.

      We tried to implement an authorization check based on BP grouping via authorization object B_BUPA_ATT. This does not work in the Web UI, because according to SAP 'the authorization object B_BUPA_ATT isn't intended to be used in the CRM WebUI.'

      There are 2 options for our scenario:

      a) use ACE

      b) implement authorizations in BADI_CRM_BP_UIU_AUTHORITY (check Note 1028531 for details on this)

      Best regards,
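As an added illustration (not code from this thread or from SAP), the following shows how the PFCG side described in the answer above separates display from change access: a classic AUTHORITY-CHECK on B_BUPA_RLT with activity 03 (display) versus 02 (change) for one BP role, which is the kind of backend check a BAdI implementation would call, since, as the comment notes, not every standard object is evaluated in the WebUI. It assumes the object's standard fields RLTYP and ACTVT, the standard Employee role BUP003, and the data elements BU_PARTNERROLE and ACTIV_AUTH.

```abap
*&---------------------------------------------------------------------*
*& Added illustration, not from the thread: display vs. change access
*& per BP role via the PFCG authorization object B_BUPA_RLT.
*& Assumed: fields RLTYP (BP role) and ACTVT (activity) on the object.
*&---------------------------------------------------------------------*
REPORT z_bp_role_auth_demo.

CONSTANTS: gc_actvt_change  TYPE activ_auth VALUE '02',
           gc_actvt_display TYPE activ_auth VALUE '03'.

CLASS lcl_bp_role_auth DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true when the logged-on user holds the given
    " activity for the given BP role in one of their PFCG roles.
    CLASS-METHODS is_allowed
      IMPORTING iv_role           TYPE bu_partnerrole
                iv_actvt          TYPE activ_auth
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
ENDCLASS.

CLASS lcl_bp_role_auth IMPLEMENTATION.
  METHOD is_allowed.
    AUTHORITY-CHECK OBJECT 'B_BUPA_RLT'
      ID 'RLTYP' FIELD iv_role
      ID 'ACTVT' FIELD iv_actvt.
    " sy-subrc = 0 only if a PFCG role grants this role/activity pair
    rv_allowed = boolc( sy-subrc = 0 ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Assumed: BUP003 is the standard Employee BP role. A PFCG role that
  " lists BUP003 with ACTVT 03 only yields display = X, change = blank,
  " which is the "display everyone, edit nobody" split asked for above.
  DATA(lv_can_display) = lcl_bp_role_auth=>is_allowed(
                           iv_role  = 'BUP003'
                           iv_actvt = gc_actvt_display ).
  DATA(lv_can_change)  = lcl_bp_role_auth=>is_allowed(
                           iv_role  = 'BUP003'
                           iv_actvt = gc_actvt_change ).

  WRITE: / 'Display allowed:', lv_can_display,
         / 'Change allowed: ', lv_can_change.
```

The result depends entirely on the PFCG roles assigned to the user running the report; ACE, where active, still filters on top of this as the accepted answer describes.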


  • Former Member
    Posted on Sep 08, 2009 at 09:19 AM

    Combination of ACE and BADI.


    • Former Member

      HI Rohit,

      I have a similar requirement. I want to restrict the read, write & delete access of business partners to users of two businesses which are set up in the same CRM system.

      My requirement is: users of Business One should have access to only business partners of Business One. Users of Business Two should have access to business partners of Business Two only.

      Please let me know how this can be achieved in detail.

      Your advice will be highly appreciated,

      Thanks in Advance,

