Restrictions on Transactional Data using Access Control Engine
Hi Experts,
We are looking and implemting ACE to restrict visibility on Accounts and Transactions in our business. We are using CRM2007
We have an account which is located in 2 Sales Areas, Sales Area 1 and Sales Area2.
As part of our requirement we require a user in Sales Area 1 to be able to see the account but only see Sales Area 1 transactions in the activity assignment block within the Account Details Component. (Sales Area 2 data should not be visible in any manner)
Can ACE provide me with such flexibility?
If so, what would be required to implement such a requirement?
Would ACE standard functionality provide a solution for this or would ABAP enhancements need to be made?
Thanks for your assistance,
Jonathan
Hi Robert,
Thanks for your response. However the authorisation objects will restrict accessing the details of the transaction, but it will not completely hide the transactions in the application.
The transactions will still appear on the Activity/Opportunity/Serivce Search etc. We require that they are not even visible in the search results.
Will ACE provide this functionality in particular relation to the scenario i outlined above?
Thanks,
Jonathan
Similar Messages
-
Problems using access control in sender agreement for SOAP adapter 7.1
I am trying to use Access Control Lists to restrict user access to web services/interfaces which are exposed via PI. This can be configured via the Integration Builder Directory using the u201CAssigned Usersu201D tab of both Communication Components (Business System) and Sender Agreements.
The configuration is via the above mentioned components. However, I understand that itu2019s the adapters which at runtime are responsible for actually applying these checks.
I have been having problems getting the access control to work using a setup involving a SOAP adapter of type SAP BASIS 7.10.
The symptom of the problem is that although the access control works as expected at the Business System level, any settings at the Sender Agreement level appear to have absolutely no effect whatsoever.
I have confirmed that I have no problems if I use an adapter of type SAP BASIS 7.00. However, I really need to get this working on 7.1.
I have looked on the SAP support portal but can not find any notes that relate to this.
Has anyone else had a similar problem? And have you found a fix for it?
Any suggestions would be welcome.
Edited by: Malcolm Dingle on Jun 17, 2009 1:08 PMHi Shai,
Please have a look at the following link and see if it helps you .
It deals with SOAP adapter installation and activation
Re: SOAP adapter installation and activation
Best Regards
Edited by: Prakash Bhatia on May 8, 2009 11:51 AM -
Deleting master data after loading transactional data using flat file
Dear All,
I have loaded transaction data into an infocube using a flat file . While loading DTP i have checked the option "load transactional data with out master data exists" . So transactional data is loaded even if no master data is there in BW.
While loading the flat file, I made a mistake for DIVISION Characteristic where original master data value is '04000' , but i loaded the transactional data with value '4000' .Then i later realized after seeing the data from the infocube and deleted the request. then i reloaded data with value '04000'. Till now every thing is fine.
But when I see the master data for DIVISION , i can see a new entry with value '4000'.
My question is how to delete the entry value '4000' from DIVISION. I tried deleting manually this entry from 'maintaining masterdata' , but it is not allowing me to do so .
I have also checked if any transactional data exists for that value '4000' , as i said earlier I have deleted the transactional data with that values. even tried to delete the entries from the master data table, but i donot see a option to delete entries there.
Please suggest me on this.
Regards,
VeeraHi,
Goto RSA1 right click on the Info object and select Delete Master data. This will delete the master data unused existing in the table.
If this master data is not used any where else just delete the master data completely with SID option.
If even this doesnt work you can delete the complete table entire in SE14. But this will wipe out the entire table. Be sure if you wanna do this.
Hope this helps
Akhan. -
How to use "access control - administrator" in SQL
I have a report with checkboxes to select records for delete. Non administrators can only delete a subset of the records. So for some of the records I would like to hide the checkbox if the user is not an administrator. The checkboxes are created in the select statement.
I would like to know if there is a function that I can use in SQL that will tell me if the current user is administrator or not. I'm using the access control list.
Edited by: Rene W. on Mar 10, 2011 3:46 AMJust found the apex_access_control table in my schema.
Guess I'll just use that. -
Loading transaction data using an attribute field in the BW cube
I am trying to load transaction data into BPC. All but one of my dimensions are referencing technical fields. One of my fields is referencing an attribute of a technical field. The technical field is called 0MAT_PLANT and the attribute of that field is 0PROFIT_CTR. In my mapping section of my transaction file I set the PROFIT_CTR dimension to 0MAT_PLANT__0PROFIT_CTR. The transaction file validates and processes fine but when I try to import I get the error message: 0MAT_PLANT__0PROFIT_CTR is not a valid command or column 0MAT_PLANT__0PROFIT_CTR does not exist in source
Does anyone know how to complete this successfully?
THANK YOU!
Karen B. ThibodeauHi,
If is mapped fine and still getting same errors, maybe you can try to check if the IO attribute it's checked in the options in the data package.
Regards -
Upload Of Transaction Data Using E-CATT
Dear All,
I am trying to upload purchase order Data for transaction ME21 through E-catt. But I am not able to upload multiple line item data as the Test Script allows only one item data to be uploaded because I have uploaded only one item data in my recording. So I am not able to upload multiple line item data. Can anybody help me with the steps to upload multiple line item data for ME21 transaction through E-CATT.Hi,
Did you solve this problem of uploading more than 1 line item? If you have solved, please share me your solution as Im also encountering the same problem. Thanks in advance for your help! -
Extracting transaction data using flat files in nw2004s
Hi BW Gurus,
I am trying to load the Infocube from flat file. flat file is in csv format with comma diliminator, when i am loading the datasource with the flat file. flat file is actually consist of 20 columns with column headings, 5 columns has no data it consist only headings.
When I am loading data to the datasource, it is reading only 15 columns which is having values, I tried to enter the values in the empty column and extracted to datasource still it is not uploading that values.
Please help me.
Thanking you,
RaviHi
Please check your transfer structure should match with your flat file.
Order of fields in your flat file should be in the same order as the transfer structure..
Hope it helps you...
Teja -
Problem mit dem Access Control Engine (ACE)
Hallo zusammen,
ich habe eine ACE Regel ZTerritory mit folgenden SAP-Standard auswählbaren Komponenten erstellt:
ACE-Regel:
Object Typ: ACCOUNTCRM
Aktor Type: ZTerritory (CRM-GEBIET)
AFU class ID : Z_ICM_AFU_BP (IICM: AFU FÜR GESCHÄFTSPARTNER)
AFO class ID: Z_ICM_AFO_BP_STAFFU (ICM GP: TEAM- & EINHEITEN-AFO)
OBF class ID: Z_OBF_ACCOUNT_ALL (OBJEKTFILTER FÜR ALLE ACCOUNTS)
ACE-Recht:
Object Type: ACCOUNTCRM
Regel ID: ZTerritory
Benutzergruppen ID: ZGroup (für zwei IC_AGENTS) die User werden über die PFCG-Rolle gefunden.
Action Group ID: ACT_GRP_CHANGE (lesen und bearbeiten)
Ich habe bereits in der Transaktion PFCG den erforderlichen Berechtigugsprofil erzeugt und generiert. Hier habe ich auch die für notwendigen Berechtigungen für den Geschäftspartner (Rolle) aktiviert.
Meine Testaccounts haben die Rolle: Organisation
Ebenfalls habe ich auch wie in der Voraussetzung für ACE beschrieben, über die Transaktion SM36 einen Job ACE_Dispatcher angelegt.
Nachdem ich die ACE-Rechte und Benutzergruppen aktiviert habe, konnte ich mit meinen IC Agents im WebUi keine Accounts mehr finden. Sobald ich die Benutzergruppe und das Recht deaktiviere kann ich die Accounts finden.
Hat jemand schon mit der ACE gearbeitet und gibt es noch Einstellungen die ich vornehmen muss?
*Die ACE soll hauptsächlich für die regionale Einschränkung der IC Agents dienen. Beispielweise darf der IC Agent von der Region Nord keine Geschäftspartner von Süden sehen, bearbeiten oder löschen.Die IC Agents sind bereits im Organisationsmodell zum zuständigen Bereich zugewiesen. *
Ich danke euch im Voraus für eure Antworten und Tipps.Hi, erst mal vielen Dank für deine Antwort und dein Interesse.
Unter System -> Status -> Komponentenversion steht SAP CRM ABAP 7.0.
Wenn du eine andere Version benötigst dann brauche ich die Anleitung für die Informationsuche :).
Viele Grüß -
How to transfer the transactional dat a using ale
hi to all abap gurus
i heard that we can transfer the transactional data ( like so data , po data ) using message control technique by ale technology . . can u please give all steps in message control technique with one exapmle . i searched in the forum but i did not get answer . pls points will be rewrared for good answers. if u want to give links pls give exact links .Hi ,
here is the configuration.
MESSAGE CONTROL (USING EDI / ALE)
For Purchase order (Message control using EDI and message type ORDERS) STEPS
Settings to be done in the Sending system
From NACE
Choose Application EF ( Purchase order), press on condition record
Output type NEU Purchase order / double click ;choose Purchasing output determination:Doc type/purc org/vendor . Key in the data (Purchasing doc type NB, Purc organisation 0001, Venor vendor11) execute. Key in the data (vendor vendor11, name name1, partner function - VN, Partner Vendor11,Medium 6 (EDI), time 4(send immediately), language EN).
Press on output types , choose NEU Purchase order, double click, Access sequence 0001(doctype/purcorg/vendor) tick mark the access to condition, go to default values (dispatch time send immediately, Transmission medium EDI, Partner function VN)
Create RFC destination from SM59 (ZNARA_ALE_EDI).
Create a port from ZNARA_ALE.
Create partner profile vendor11 under LI and not LS. PARTNER NUMBER SHOULD BE SAME AS THAT OF VENDOR SET IN THE CONDITION TYPE.
In the outbond parameters of the partner profile Vendor11 key in the data (Reciever port -> ZNARA_ALE,
Basic type ORDERS05, Message type ORDERS ) Go to the message control and key in the data (Application EF, Message type NEU, Process code ME10, Transfer immediately )
Create a purchase order from ME21 with data (Purchasing doc type NB, Purc organisation 0001, Venor vendor11). System will generate an outbond Idoc automatically which can be seen from WE02.
For Purchase order (Message control using ALE and Message type ORDERS) - STEPS
To transfer the idoc from Client 555 to 500
Settings do be done in 555.
From NACE
Choose Application EF Purchase order, press on condition record
Output type NEU Purchase order / double click ;choose Purchasing output determination:Doc type/purc org/vendor . Key in the data (Purchasing doc type NB, Purc organisation 0001, Venor vendor11) execute. Key in the data (vendor vendor11, name name1, partner function - VN, Partner Vendor11,Medium A (ALE), time 4(send immediately), language EN).
Press on output types , choose NEU Purchase order, double click, Access sequence 0001(doctype/purcorg/vendor) tick mark the access to condition, go to default values (dispatch time send immediately, Transmission medium ALE, Partner function VN)
From SALE create two logical systems and assign them to the respective clients (ZALERECV_N 500, ZALESEND_N 555).
From SM59 create RFC destination with the same name as that of the receiving logical system (ZALERECV_N).
From BD 64(distribution model), create a model view with Technical name ZNARA_PO (message type ORDERS, Sender ZALESEND_N, Receiver ZALERECV_N). Generate partner profiles. Distribute.
Note that partner profile will be generated under LS.
Settings do be done in 500.
From NACE create two logical systems and assign them to the respective clients (ZALERECV_N 500, ZALESEND_N 555).
From BD 64(distribution model), keep the cursor on Technical name ZNARA_PO. Generate partner profiles. Note that partner profile will be generated under LS. Change the process code to ORDE in the inbond parameters .
Now in client 555, Create a purchase order from ME21 with data (Purchasing doc type NB, Purc organisation 0001, Venor vendor11). System will generate an outbond Idoc automatically which can be seen from WE02. The purchase order details will be updated in 555 thru the inbond idoc.
IMP data for message control in Sales order creation.
Partner profile to be created under KU.
Outbond parameters in the partner profile (Message type ORDRSP, Basic type ORDERS02, partner profile - SP) In Message control (Application V1, Message type BA00, Process code SD10)
Notes:
Check the entries in the NAST table to see whether outbond idoc has been created successfully or not
If you have choosen collect idocs in the partner profile, use trans code BD87 to process them
Table EDP13 - Partner Profile: Outbound (technical parameters)
Table EDP21 - Partner Profile: Inbond (technical parameters)
Please reward if useful. -
Using Roles with Access Control Pages
Hi,
I was curious if someone might be able to shed some light for me on an issue. I have a matrix of users
who can read or write on different pages. So there are various roles created
Admin can write all pages
Reader can read all pages
Medium Users can read some pages and write some pages
Power User can Write most pages and read some pages
I am thinking of using access control pages but I dont want to have to enter every single user for each page.
I am wondering if I can create some sort of Roles that I can apply to access control lists. And set the role
at login time and based on that decide what data they can edit or just view?
Thanks in advance!Hi,
Have you check or try use Authorization Schemes ?
http://download.oracle.com/docs/cd/E14373_01/appdev.32/e11838/sec.htm#sthref1943
Br, Jari -
How can I use table control to enter data
Hi all,
I want to use table control to enter data, instead of using textboxes.
So that the user can enter many data at once and just click the save button at the end of the work, only one click.
How can I use the table control at this context?
Thanks.
Deniz.Hi deniz,
go through it:
/people/ravishankar.rajan/blog/2007/02/23/an-easier-way-of-displaying-and-editing-data-using-table-control
https://www.sdn.sap.com/irj/sdn/wiki?path=/display/snippets/code%2bto%2bhandle%2bmultiple%2brecords%2bin%2bbdc%2btable%2bcontrol
Regards, -
Can we use LSMW to load Transaction data
Hi.
Can we use LSMW to load transactional data.Or it is used only for Master Data.
With Best Regards
MamathaHi,
you can do upload of transactional data using,
Standard Programs,
Batch Input Recording,
BAPI method,
IDoc,
best regards,
Thangesh -
Creating SOD matrix with the help of Access control default ruleset
I am creating the SOD matrix for the existing roles of CRM and HR modules. As I am the security consultant therefore does not have the functional knowledge about the conflicts for CRM and HR transactions. My question is can I use the function/actions/risks conflicts provided with the Access control 5.3 default ruleset. We are not using Access control for these systems, so I want to know whether I can take the help of AC 5.3 default risks to create the SOD matrix based on it.
For e.g, like H001 default HR risk, I would make sure not to assign PA30(maintain HR data) with the PA03/PA04(maintain personal control record) as this will result in the providing conflict "Modify payroll master data and then process payroll".
Once I have the SOD list based upon AC 5.3, I can consult the Business approver/auditor to verify and modify as per the business requirement.
Maybe I am thinking the wrong way, please provide your inputs so I can work on it. Any help appreciated.
Thanks,
Sanjay DesaiThe most important thing to keep in mind is that you need to build a rule set that reflects the customers real business risk!
What you build there will influence the way the customer will be able to continue work, assign access and perform control activities. The input HAS to come from the business!
You can use the SAP standard risk definitions as a starting point for discussions, and the HR functions are an excellent building block to identify the transactions and necessary authorization objects that allow users to perform the actions.
But the real challenge is to identify the risks as perceived/accepted by the business!
Frank. -
Is there a "best practice" for transaction data conversions from a legacy system into R/3? I am in a project where I have to create a strategy for SCM transaction data (PO's, Inventory, Vendor Invoices, and so on). I would like to know the pros and cons of migrating a PO in their various stages (Open, G/R but not yet invoiced, Partial G/R). Basically a strategy to propose to my client regarding their SCM transaction data.
Thanks for your help!!!!hi,
For uploading the GLs :-->
Use FB50 entry Dr GL a/c Credit Data migration a/c or controlling a/c
For uploading the Vendor balances : -->
Use FB60 entry Dr Data migration a/c or controlling a/c and credit Vendor a/c (individually)
For uploading the Customers balances :-->
Use FB70 entry Dr Customers a/c (individually) Cr Data migration a/c or controlling a/c
For uploading the Assets-->
AS91 -> for uploading assets in AA
OSAV --> for uploading assets in GL entry Dr Asset (invidiually) Cr Data Migration account or controlling account
You can use LSMW for uploading all these things
After uploading all, your data migration account will become zero.
For posting the transactional data use LSMW for relevant TCODES
Radha -
An access control proxy in front of my JSP pages
Hi All,
I want to protect the access to my jsp pages. If for example the user types in his browser www.abc.com/page1.jsp, I want to capture that request and pass it to an access control engine. If the user is authorized then he should get that page if not he should be directed to another page.
any answers will be appreciated ... I'm using tomcat 5.5.For example the user types in his browser www.abc.com/page1.jsp, I want to capture that request and pass it to an access control engine. If the user is authorized then he should get that page if not he should be directed to another page.
Focus a bit on your design: Ask yourself how will the whole world accessing the page can be identified?
It is via machine to machine authentication and handshake or user authentication and authorisation?
Machine to machine will happen on a VPN infrastracture where specified connections are directed to a host port else the other, or user authentication and authorisation where user login to determine which bit of yourr page he has access to, then using MVC framework you can say hang-on! base on your credential you're authorised to use this page instead.
Note if no one is identifying him/herself on your system before having access to the required resource then your design aim sounds excuse me to say abit difficult to achieve. Again from the look at things you're trying to achieve this using acccess router, please if that is the case then think otherwise because it is not possible,
Edited by: bidox on Mar 29, 2008 9:25 AM
Maybe you are looking for
-
hi all:- i have an error when i run a simple form this return an error in oc4j configuration when i run the form , it open the explorer(firefox) for one second and close and return the following error in oc4j:- 09/09/13 11:37:04 FormsServlet init():
-
How to connect Nintendo Wii to WRT54G (Wireless Router)
Does anyone know how to find the "password or key" for my secure wireless router? The Wii game is asking for "password or key" to access my wireless network and I do not know what it is. Thanks, TWolfe
-
Save Not Applicable(NA) as response to hundreds of required numeric fields
We have to save Not-Applicable as a possible response to hundreds of required fields on a data entry form for numeric/statistical values on fund performance. The intent is to query/perform data analysis on fund performance trends after the initial da
-
Need Help on tcUserOpsIntf API
Hello Friends.. Hello Friends I am new to OIM and I need help on tcUserOpsIntf API. What is this API and specially for what purpose it is used, If i want to know more about it then where I will get help on this API. Please know me. Thanks and Regards
-
Tips on Implementing Row Level Security
Dear All,I am currently trying to implement row level security in Hyperion Intelligent version 8.2. The user guide is straight forward on explaining the steps. However, when I tried it, the row level security does not filter the information at all ev