Contents

1 Introduction .........................................................................................2 2 Association: Assignment of Authorization Templates to the Business Template ................................................................................3
2.1 Create an Association Between Your Business Template and the ACL Template ............................................................................................... 4 2.2 Create an Association Between Your Business Template and the OTS Template ............................................................................................... 7 2.3 Create an Association Between Your Business Template and the CRM_ORD_LP Template............................................................................ 10 2.4 Create an Association Between Your Business Template and the CRM_ORD_OP Template ........................................................................... 12 2.5 Create an Association Between Your Business Template and the CRM_ORD_TE Template............................................................................ 14

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template ........................................................................17
3.1 General Remarks.................................................................................. 17 3.2 Examples .............................................................................................. 19
3.2.1 CRM_ORD_LP_<object>: CRM_ORD_LP_LEAD................................................... 20 3.2.2 CRM_ORD_OE_<object>: CRM_ORD_OE_LEAD ................................................. 21 3.2.3 CRM_ORD_PR_<object>: CRM_ORD_PR_LEAD.................................................. 23 3.2.4 CRM_ORD_TE_<object>: CRM_ORD_TE_LEAD .................................................. 24 3.2.5 CRM_ORD_OP_<object>: CRM_ORD_OP_LEAD ................................................. 26

4 Define Dynamic Checks: Path-Based Authorization Objects.......28

4.1 General remarks:.................................................................................. 28 4.2 Examples .............................................................................................. 29
4.2.1 CRM_<object>_ORD_LP_DIS_CHANNEL: CRM_LEAD_ORD_LP_DIS_CHANNEL .......................................................................... 30 4.2.2 CRM_<object>_ORD_LP_DIV_ORG: CRM_LEAD_ORD_LP_DIV_ORG................ 31 4.2.3 CRM_<object>_ORD_LP_SALES_ORG: CRM_LEAD_ORD_LP_SALES_ORG..... 33 4.2.4 CRM_<object>_ORD_LP_SERVICE_ORG: CRM_LEAD_ORD_LP_SERVICE_ORG ......................................................................... 34 4.2.5 CRM_<object>_ORD_LP_SLS_GROUP: CRM_LEAD_ORD_LP_SLS_GROUP .... 35 4.2.6 CRM_<object>_ORD_LP_SLS_OFFICE: CRM_LEAD_ORD_LP_SLS_OFFICE .... 37 4.2.7 CRM_<object>_ORD_TE: CRM_LEAD_ORD_TE .................................................. 38 4.2.8 CRM_<object>_ORD_OP: CRM_LEAD_ORD_OP ................................................. 39

5 Logical Conjunction..........................................................................42 6 Examples ...........................................................................................43

6.1 ABAP Authority .................................................................................... 43 6.2 Path-Oriented Authority....................................................................... 44

1 Introduction

1 Introduction
In enterprise search, you have to model the authorization using a path description that runs between the business object (BO) and the user.

To do so, go through the following steps: 1. Association: Connect the relevant BO Node to nodes of the authorization templates for dynamic authorization checks. Precondition for this step: Dynamic authorization checks have to be made persistent by authorization templates (see Authorization Templates [page 3]). 2. Define static authority checks: Connect the static standard authority objects to relevant BO nodes (enterprise search determines the values of the corresponding static authority objects, and checks whether the current user has the static rights to access the BO the values can be used in combination with step 3). Every static authority check is identified by its own check ID. 3. Define dynamic checks: Connect the BO to the user (USER-MAPPING Authority Template) using a path description. Every path description is identified by its own check ID. Logical conjunction: The result for the whole authorization model is a logical expression of the relevant check IDs with the combination of AND, OR, NOT, and brackets. For a description of the authority objects, see ABAP Authority [page 43] and Path-Oriented Authority [page 44]. The following sections describe steps for your one order object.

2 Association: Assignment of Authorization Templates to the Business Template

2 Association: Assignment of Authorization Templates to the Business Template

Authorization templates for one order are already created in the enterprise search: CRM_ORD_LP CRM_ORD_OP CRM_ORD_TE CRM_ACE2_OO_ACL CRM_ACE2_OO_UCT CRM_ACE_USER_OTS OO Authority Object Own Orgunits OO Authority Object Own Documents OO Authority Object Own Territories OO (one-order) ACE access control list OO (one-order) ACE user-contexts ACE users with their active object types

For path-based authorization checks, you have to assign the authorization templates to the relevant business nodes. For more information on this association, see Path-Oriented Authority [page 44]. This association is the entry point for the authority path to the user. In the following table you can see the necessary association of a one order object (opportunity).
One Order Node Authority Template CRM_ACE 2_OO_AC L CRM_ACE _OTS

Association CRM_OPP_ ACL

Field

Node CRM_ACE2 _OO_ACL USER

Field OBJECT_G UID CRM_OBJE CT_TYPE

Fixed Value

BTORDER CRM_OPP_ OTS CRM_OPP_ ORD_LP_DI S_CHANNE L CRM_OPP_ ORD_LP_DI V_ORG CRM_OPP_ ORD_LP_S ALES_ORG CRM_OPP_ ORD_LP_S ERVICE_OR G CRM_OPP_ ORD_LP_SL S_GROUP CRM_OPP_ ORD_LP_SL S_OFFICE CRM_OPP_ ORD_TE CRM_OPP_ ORD_OP

GUID

ONEORDER

BTORGSET

DIS_CHANN EL

CRM_ORD _LP CRM_ORD _LP CRM_ORD _LP

DIS_CHANN EL

DIS_CHANN EL

BTORGSET

DIVISION SALES_OR G

DIV_ORG SALES_OR G

DIVISION SALES_OR G

BTORGSET

BTORGSET

SERVICE_O RG SALES_GR OUP SALES_OFF ICE PATH_ID BP_PARTN ER_GUID

CRM_ORD _LP CRM_ORD _LP CRM_ORD _LP CRM_ORD _TE CRM_ORD _OP

SERVICE_O RG SLS_GROU P SLS_OFFIC E ORD_TE CRMT_ES_ ORD_USER

SERVICE_O RG SALES_GR OUP SALES_OFF ICE PATH_ID PARTNER_ GUID

BTORGSET

BTORGSET BTPARTNE RATTR BTPARTNE R

2 Association: Assignment of Authorization Templates to the Business Template

2.1 Create an Association Between Your Business Template and the ACL Template
1. Select the relevant business template. 2. Choose Edit and go to step 5. 3. Define the structure using the Next pushbutton. 4. Select the node that includes the GUID of your object. Normally, this is the root node.

5. Choose Create Association. An empty row and a selection screen appear.

6. Select the required ACL table and the node of this ACL table. The selected node is included in the structure.

2 Association: Assignment of Authorization Templates to the Business Template

7. Enter an association ID CRM_<Object>_ACL (CRM_LEAD_ACL) and press ENTER.

8. To maintain the foreign key relation, choose the Create pushbutton. An empty row appears. 9. Select the relevant fields via value help.

2 Association: Assignment of Authorization Templates to the Business Template

10. Select your GUID field.

11. Select OBJECT_GUID.

2 Association: Assignment of Authorization Templates to the Business Template

12. Save your changes.

2.2 Create an Association Between Your Business Template and the OTS Template
1. Select the node that includes the GUID of your object. Normally, this is the root node.

2. Choose Create Association. An empty row and a selection screen appear.

2 Association: Assignment of Authorization Templates to the Business Template

3. Select CRM_ACE_USER_OTS and the relevant node. The selected node is included in the structure.

4. Enter an association ID CRM_<Object>_OTS (CRM_LEAD_OTS) and press ENTER.

2 Association: Assignment of Authorization Templates to the Business Template

5. Maintain the foreign key relation using the value help.

6. Select CRM_OBJECT_TYPE. 7. In the Value column, maintain the ACE super type of your business template. You can get the relevant information in the table CRM_ACE_OTYPES.

2 Association: Assignment of Authorization Templates to the Business Template

8. Save your changes.

2.3 Create an Association Between Your Business Template and the CRM_ORD_LP Template
1. Select the node BTORGSET.

2. Choose Create Association. An empty row and a selection screen appear.

10

2 Association: Assignment of Authorization Templates to the Business Template

3. Select the template CRM_ORD_LP and the node DIS_CHANNEL. The selected node is included in the structure. The foreign key relation is filled automatically.

4. Enter an association ID CRM_<object>_ORD_LP_DIS_CHANNEL (CRM_LEAD_ORD_LP_DIS_CHANNEL) and press ENTER. 5. Repeat step 4 with the following association IDs: CRM_<object>_ORD_LP_DIV_ORG CRM_<object>_ORD_LP_SALES_ORG CRM_<object>_ORD_LP_SERVICE_ORG CRM_<object>_ORD_LP_SLS_GROUP CRM_<object>_ORD_LP_SLS_OFFICE After the maintenance you will see the following associations:

11

2 Association: Assignment of Authorization Templates to the Business Template

6. Save your changes.

2.4 Create an Association Between Your Business Template and the CRM_ORD_OP Template
1. Select the node BTPARTNER.

2. Choose Create Association. An empty row and a selection screen appear.

3. Select the template CRM_ORD_OP and the node CRMT_ES_ORD_USER. The selected node is included in the structure.

12

2 Association: Assignment of Authorization Templates to the Business Template

4. Enter an association ID CRM_<Object>_ORD_OP (CRM_LEAD_ORD_OP) and press ENTER. 5. Maintain the foreign key relations using the value help.

6. Select BP_PARTNER_GUID. 7. Maintain the second key field using the value help.

13

2 Association: Assignment of Authorization Templates to the Business Template

8. Select PARTNER_GUID.

9. Save your changes.

2.5 Create an Association Between Your Business Template and the CRM_ORD_TE Template
1. Select the node BTPARTNERATTR.

14

2 Association: Assignment of Authorization Templates to the Business Template

2. Choose Create Association. An empty row and a selection screen appear.

3. Select the template CRM_ORD_TE and the node ORD_TE. The selected node is included in the structure. The foreign key relation is filled automatically.

4. Enter an association ID CRM_<Object>_ORD_TE (CRM_LEAD_ORD_TE) and press ENTER.

15

2 Association: Assignment of Authorization Templates to the Business Template

5. Save your changes.

16

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template
For the ABAP authority checks, use the authority objects and their check IDs. For a list of the authority objects and their check IDs, see ABAP Authority [page 43].

3.1 General Remarks

1. Since the check ID has to be unique, replace _OPP with the identifier of your object (_LEAD). 2. To maintain the ABAP authority object, select the root node BTORDER and choose the tabs Authorization and ABAP Auth. Objects.

3. For the first check ID CRM_<Object>, use the authority object related to your business object type, instead of CRM_OPP. You can find the related authority object in the function module CRM_ORDER_CHECK_AUTH_BUS_OBJCT. 4. Choose the Import pushbutton.

17

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

5. Enter your authorization object and choose Import. 6. Close the window. Now you can use the authorization object. 7. Choose the Add pushbutton for every check ID. An empty row appears. 8. Fill the columns Check-ID and Check-ID Description. 9. Select the ABAP authority object name using value help. The selected authorization object appears in the row. In the right-hand screen area Details: Fields of Authorization Object <>, the fields of the authorization object appear.

Now maintain the relevant fixed values for a field, or select the path and the field that are relevant for the check. If a field can be ignored, you do not have to do anything.

18

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

10. To maintain the path, select the relevant field and choose Select Path. A selection screen with all nodes appears. 11. Select the relevant node. In the second screen area, the fields of the selected node appear. 12. Select the relevant field. The selected path and field are displayed. 13. Save your changes.

3.2 Examples
In the following sections, you can find the steps for the following check IDs: CRM_ORD_LD_<object> CRM_ORD_OE_<object> CRM_ORD_PR_<object> CRM_ORD_TE_<object> CRM_ORD_OP_<object>

19

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

3.2.1 CRM_ORD_LP_<object>: CRM_ORD_LP_LEAD

20

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

3.2.2 CRM_ORD_OE_<object>: CRM_ORD_OE_LEAD

21

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

22

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

3.2.3 CRM_ORD_PR_<object>: CRM_ORD_PR_LEAD

23

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

3.2.4 CRM_ORD_TE_<object>: CRM_ORD_TE_LEAD

24

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

25

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

3.2.5 CRM_ORD_OP_<object>: CRM_ORD_OP_LEAD

26

3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template

27

4 Define Dynamic Checks: Path-Based Authorization Objects

4 Define Dynamic Checks: Path-Based Authorization Objects

For the path-oriented authority object checks, use the authority objects and their check IDs. For a list of the authority objects and their check IDs, see Path-Oriented Authority [page 44]. In the following table you can see the necessary check IDs. Check ID CRM_OO_ACL CRM_OO_OTS CRM_OPP_ORD_LP_DIS_CHANNEL CRM_OPP_ORD_LP_DIV_ORG CRM_OPP_ORD_LP_SALES_ORG CRM_OPP_ORD_LP_SERVICE_ORG CRM_OPP_ORD_LP_SLS_GROUP CRM_OPP_ORD_LP_SLS_OFFICE CRM_OPP_ORD_TE CRM_OPP_ORD_OP Description Check ACE Rules One Order Check ACE is active for One Order Check own Distr. Channel Check own Division Check own Sales Org Check own Service Org Check own Sales Group Check own Sales Office Check own Territories Check own Documents

4.1 General Remarks

The check IDs CRM_OO_ACL and CRM_OO_OTS are generic and can be used for every one order object. Other check IDs have to be unique, so replace _OPP_ with the identifier of your object (_LEAD_). When checking your own orgunits using the IDs CRM_<object>_ORD*, check which ones you really need in your business template. 1. To maintain the path-oriented authority object, select the root node BTORDER and choose the tabs Authorization and Auth. Objects.

28

4 Define Dynamic Checks: Path-Based Authorization Objects

2. Choose the Add pushbutton for every check ID. An empty row appears. 3. For the first two check IDs (CRM_OO_ACL and CRM_OO_OTS), fill the column Check-ID. The rest are filled automatically. 4. For the other check IDs, fill the columns Check-ID and Check-ID Description. 5. Choose Select Path. A selection screen with all relations appears. 6. Select the relevant template node and association. 7. Select the node USER_MAPPING.USER_MAPPING at the end. In the second screen area of the selection screen, the fields of the node appear. 8. Select the field USER_ID. The path and selected field are included in the current row. 9. Save your changes.

4.2 Examples
In the following sections, you can find examples for creating path-oriented authority checks.

29

4 Define Dynamic Checks: Path-Based Authorization Objects

4.2.1 CRM_<object>_ORD_LP_DIS_CHANNEL: CRM_LEAD_ORD_LP_DIS_CHANNEL

Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.

30

4 Define Dynamic Checks: Path-Based Authorization Objects

4.2.2 CRM_<object>_ORD_LP_DIV_ORG: CRM_LEAD_ORD_LP_DIV_ORG

31

4 Define Dynamic Checks: Path-Based Authorization Objects

Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.

32

4 Define Dynamic Checks: Path-Based Authorization Objects

4.2.3 CRM_<object>_ORD_LP_SALES_ORG: CRM_LEAD_ORD_LP_SALES_ORG

Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.

33

4 Define Dynamic Checks: Path-Based Authorization Objects

4.2.4 CRM_<object>_ORD_LP_SERVICE_ORG: CRM_LEAD_ORD_LP_SERVICE_ORG

34

4 Define Dynamic Checks: Path-Based Authorization Objects

Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.

4.2.5 CRM_<object>_ORD_LP_SLS_GROUP: CRM_LEAD_ORD_LP_SLS_GROUP

35

4 Define Dynamic Checks: Path-Based Authorization Objects

Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.

36

4 Define Dynamic Checks: Path-Based Authorization Objects

4.2.6 CRM_<object>_ORD_LP_SLS_OFFICE: CRM_LEAD_ORD_LP_SLS_OFFICE

Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.

37

4 Define Dynamic Checks: Path-Based Authorization Objects

4.2.7 CRM_<object>_ORD_TE: CRM_LEAD_ORD_TE

Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.

38

4 Define Dynamic Checks: Path-Based Authorization Objects

4.2.8 CRM_<object>_ORD_OP: CRM_LEAD_ORD_OP

39

4 Define Dynamic Checks: Path-Based Authorization Objects

Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.

40

4 Define Dynamic Checks: Path-Based Authorization Objects

41

5 Logical Conjunction

5 Logical Conjunction
To maintain the logical conjunction for the authority check, you can use the following logical conjunction as a template: ( ( CRM_LEAD & CRM_ORD_PR_LEAD & CRM_ORD_OE_LEAD ) | ( CRM_ORD_TE_LEAD & CRM_LEAD_ORD_TE ) | ( CRM_ORD_LP_LEAD & ( CRM_LEAD_ORD_LP_SALES_ORG | CRM_LEAD_ORD_LP_SERVICE_ORG | CRM_LEAD_ORD_LP_SLS_OFFICE | CRM_LEAD_ORD_LP_SLS_GROUP | CRM_LEAD_ORD_LP_DIV_ORG | CRM_LEAD_ORD_LP_DIS_CHANNEL ) ) | ( CRM_ORD_OP_LEAD & CRM_LEAD_ORD_OP ) ) & ( CRM_OO_ACL | ( CRM_OO_OTS ) ) Replace _LEAD_ with the identifier of your one order object.

42

6 Examples

6 Examples
6.1 ABAP Authority
Foreign Key Relation Check ID Description ABAP Authority Object Field Node Field Fixed value ObjectSpecific General One Order

CRM_OPP

Object Type

CRM_OPP

ACTVT

45

CRM_ORD_LP _OPP

Process Types of own Orgunits

CRM_ORD _LP

ACTVT CHECK_LE V PR_TYPE BTADMIN H PROCESS_TYPE

02;03

CRM_ORD_O E_OPP

Static Orgunits

CRM_ORD _OE

ACTVT DIS_CHANN E SALES_GR OU SALES_OFF I SALES_OR G SERVICE_O R BTOrgSet BTOrgSet BTOrgSet BTOrgSet BTOrgSet DIS_CHANNEL SALES_GROUP SALES_OFFICE SALES_ORG SERVICE_ORG

02;03

CRM_ORD_P R_OPP

Static Process Types

CRM_ORD _PR

PR_TYPE

BTADMIN H

PROCESS_TYPE

CRM_ORD_T E_OPP

Process Types of own Territories

CRM_ORD _TE

PR_TYPE

BTADMIN H

PROCESS_TYPE

TERR_ASS GN

CRM_ORD_O P_OPP

Partner functions of own documents

CRM_ORD _OP

PARTN_FC TT PARTN_FC T

BTPartner

PARTNER_PFT

BTPartner

PARTNER_FCT

43

6 Examples

6.2 Path-Oriented Authority

Foreign Key Relation Path Authority Object Fixed Value ObjectSpecific General One Order

Check ID

Node

Field

BOL

Field

CRM_OO_AC L CRM_OO_OT S CRM_OPP_O RD_LP_DIS_ CHANNEL CRM_OPP_O RD_LP_DIV_ ORG CRM_OPP_O RD_LP_SALE S_ORG CRM_OPP_O RD_LP_SERV ICE_ORG CRM_OPP_O RD_LP_SLS_ GROUP CRM_OPP_O RD_LP_SLS_ OFFICE CRM_OPP_O RD_TE CRM_OPP_O RD_OP

CRM_ACE2_O O_ACL CRM_ACE_OT S

ACE_ACL USER DIS_CHA NNEL

OBJECT_G UID CRM_OBJE CT_TYPE DIS_CHAN NEL

BTADMIN H

GUID ONEOR DER

X X

CRM_ORD_LP

BTORGS ET BTORGS ET BTORGS ET BTORGS ET BTORGS ET BTORGS ET BTPartner Attr PTPARTN ER

DIS_CHANN EL

CRM_ORD_LP

DIV_ORG SLS_GR OUP SLS_OFF ICE SALES_O RG SERVICE _ORG ORD_TE CRMT_E S_ORD_ USER

DIVISION SALES_GR OUP SALES_OF FICE SALES_OR G SERVICE_ ORG PATH_ID PARTNER_ GUID

DIVISION SALES_GRO UP SALES_OFFI CE

CRM_ORD_LP

CRM_ORD_LP

CRM_ORD_LP

SALES_ORG SERVICE_O RG PATH_ID BP_PARTNE R_GUID

CRM_ORD_LP CRM_ORD_TE CRM_ORD_US ER

X X

44