one order es 70
Contents
1 Introduction
2 Association: Assignment of Authorization Templates to the Business Template
  2.1 Create an Association Between Your Business Template and the ACL Template
  2.2 Create an Association Between Your Business Template and the OTS Template
  2.3 Create an Association Between Your Business Template and the CRM_ORD_LP Template
  2.4 Create an Association Between Your Business Template and the CRM_ORD_OP Template
  2.5 Create an Association Between Your Business Template and the CRM_ORD_TE Template
3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template
  3.1 General Remarks
  3.2 Examples
    3.2.1 CRM_ORD_LP_<object>: CRM_ORD_LP_LEAD
    3.2.2 CRM_ORD_OE_<object>: CRM_ORD_OE_LEAD
    3.2.3 CRM_ORD_PR_<object>: CRM_ORD_PR_LEAD
    3.2.4 CRM_ORD_TE_<object>: CRM_ORD_TE_LEAD
    3.2.5 CRM_ORD_OP_<object>: CRM_ORD_OP_LEAD
4 Define Dynamic Checks: Path-Based Authorization Objects
  4.1 General Remarks
  4.2 Examples
    4.2.1 CRM_<object>_ORD_LP_DIS_CHANNEL: CRM_LEAD_ORD_LP_DIS_CHANNEL
    4.2.2 CRM_<object>_ORD_LP_DIV_ORG: CRM_LEAD_ORD_LP_DIV_ORG
    4.2.3 CRM_<object>_ORD_LP_SALES_ORG: CRM_LEAD_ORD_LP_SALES_ORG
    4.2.4 CRM_<object>_ORD_LP_SERVICE_ORG: CRM_LEAD_ORD_LP_SERVICE_ORG
    4.2.5 CRM_<object>_ORD_LP_SLS_GROUP: CRM_LEAD_ORD_LP_SLS_GROUP
    4.2.6 CRM_<object>_ORD_LP_SLS_OFFICE: CRM_LEAD_ORD_LP_SLS_OFFICE
    4.2.7 CRM_<object>_ORD_TE: CRM_LEAD_ORD_TE
    4.2.8 CRM_<object>_ORD_OP: CRM_LEAD_ORD_OP
5 Logical Conjunction
6 Examples
  6.1 ABAP Authority
  6.2 Path-Oriented Authority
1 Introduction
In enterprise search, you have to model the authorization using a path description that runs between the business object (BO) and the user.
To do so, go through the following steps:
1. Association: Connect the relevant BO node to nodes of the authorization templates for dynamic authorization checks.
Precondition for this step: Dynamic authorization checks have to be made persistent by authorization templates (see Authorization Templates [page 3]).
2. Define static authority checks: Connect the static standard authority objects to relevant BO nodes (enterprise search determines the values of the corresponding static authority objects, and checks whether the current user has the static rights to access the BO – the values can be used in combination with step 3). Every static authority check is identified by its own check ID.
3. Define dynamic checks: Connect the BO to the user (USER-MAPPING Authority Template) using a path description. Every path description is identified by its own check ID.
Logical conjunction: The result for the whole authorization model is a logical expression of the relevant check IDs with the combination of AND, OR, NOT, and brackets.
For a description of the authority objects, see ABAP Authority [page 43] and Path-Oriented Authority [page 44].
The following sections describe steps for your one order object.
2 Association: Assignment of Authorization Templates to the Business Template
Authorization templates for one order are already created in the enterprise search:
CRM_ORD_LP OO Authority Object Own Orgunits
CRM_ORD_OP OO Authority Object Own Documents
CRM_ORD_TE OO Authority Object Own Territories
CRM_ACE2_OO_ACL OO (one-order) ACE access control list
CRM_ACE2_OO_UCT OO (one-order) ACE user-contexts
CRM_ACE_USER_OTS ACE users with their active object types
For path-based authorization checks, you have to assign the authorization templates to the relevant business nodes. For more information on this association, see Path-Oriented Authority [page 44]. This association is the entry point for the authority path to the user.
In the following table you can see the necessary association of a one order object (opportunity).
Association | One Order Node | Field | Authority Template | Node | Field | Fixed Value
CRM_OPP_ACL | BTORDER | GUID | CRM_ACE2_OO_ACL | CRM_ACE2_OO_ACL | OBJECT_GUID |
CRM_OPP_OTS | | | CRM_ACE_OTS | USER | CRM_OBJECT_TYPE | ONEORDER
CRM_OPP_ORD_LP_DIS_CHANNEL | BTORGSET | DIS_CHANNEL | CRM_ORD_LP | DIS_CHANNEL | DIS_CHANNEL |
CRM_OPP_ORD_LP_DIV_ORG | BTORGSET | DIVISION | CRM_ORD_LP | DIV_ORG | DIVISION |
CRM_OPP_ORD_LP_SALES_ORG | BTORGSET | SALES_ORG | CRM_ORD_LP | SALES_ORG | SALES_ORG |
CRM_OPP_ORD_LP_SERVICE_ORG | BTORGSET | SERVICE_ORG | CRM_ORD_LP | SERVICE_ORG | SERVICE_ORG |
CRM_OPP_ORD_LP_SLS_GROUP | BTORGSET | SALES_GROUP | CRM_ORD_LP | SLS_GROUP | SALES_GROUP |
CRM_OPP_ORD_LP_SLS_OFFICE | BTORGSET | SALES_OFFICE | CRM_ORD_LP | SLS_OFFICE | SALES_OFFICE |
CRM_OPP_ORD_TE | BTPARTNERATTR | PATH_ID | CRM_ORD_TE | ORD_TE | PATH_ID |
CRM_OPP_ORD_OP | BTPARTNER | BP_PARTNER_GUID | CRM_ORD_OP | CRMT_ES_ORD_USER | PARTNER_GUID |
2.1 Create an Association Between Your Business Template and the ACL Template
1. Select the relevant business template.
2. Choose Edit and go to step 5.
3. Define the structure using the Next pushbutton.
4. Select the node that includes the GUID of your object. Normally, this is the root node.
5. Choose Create Association. An empty row and a selection screen appear.
6. Select the required ACL table and the node of this ACL table. The selected node is included in the structure.
7. Enter an association ID CRM_<Object>_ACL (CRM_LEAD_ACL) and press ENTER.
8. To maintain the foreign key relation, choose the Create pushbutton. An empty row appears.
9. Select the relevant fields via value help.
10. Select your GUID field.
11. Select OBJECT_GUID.
12. Save your changes.
2.2 Create an Association Between Your Business Template and the OTS Template
1. Select the node that includes the GUID of your object. Normally, this is the root node.
2. Choose Create Association. An empty row and a selection screen appear.
3. Select CRM_ACE_USER_OTS and the relevant node. The selected node is included in the structure.
4. Enter an association ID CRM_<Object>_OTS (CRM_LEAD_OTS) and press ENTER.
5. Maintain the foreign key relation using the value help.
6. Select CRM_OBJECT_TYPE.
7. In the Value column, maintain the ACE super type of your business template. You can get the relevant information in the table CRM_ACE_OTYPES.
8. Save your changes.
2.3 Create an Association Between Your Business Template and the CRM_ORD_LP Template
1. Select the node BTORGSET.
2. Choose Create Association. An empty row and a selection screen appear.
3. Select the template CRM_ORD_LP and the node DIS_CHANNEL. The selected node is included in the structure. The foreign key relation is filled automatically.
4. Enter an association ID CRM_<object>_ORD_LP_DIS_CHANNEL (CRM_LEAD_ORD_LP_DIS_CHANNEL) and press ENTER.
5. Repeat step 4 with the following association IDs:
CRM_<object>_ORD_LP_DIV_ORG
CRM_<object>_ORD_LP_SALES_ORG
CRM_<object>_ORD_LP_SERVICE_ORG
CRM_<object>_ORD_LP_SLS_GROUP
CRM_<object>_ORD_LP_SLS_OFFICE
After the maintenance you will see the following associations:
6. Save your changes.
2.4 Create an Association Between Your Business Template and the CRM_ORD_OP Template
1. Select the node BTPARTNER.
2. Choose Create Association. An empty row and a selection screen appear.
3. Select the template CRM_ORD_OP and the node CRMT_ES_ORD_USER. The selected node is included in the structure.
4. Enter an association ID CRM_<Object>_ORD_OP (CRM_LEAD_ORD_OP) and press ENTER.
5. Maintain the foreign key relations using the value help.
6. Select BP_PARTNER_GUID.
7. Maintain the second key field using the value help.
8. Select PARTNER_GUID.
9. Save your changes.
2.5 Create an Association Between Your Business Template and the CRM_ORD_TE Template
1. Select the node BTPARTNERATTR.
2. Choose Create Association. An empty row and a selection screen appear.
3. Select the template CRM_ORD_TE and the node ORD_TE. The selected node is included in the structure. The foreign key relation is filled automatically.
4. Enter an association ID CRM_<Object>_ORD_TE (CRM_LEAD_ORD_TE) and press ENTER.
5. Save your changes.
3 Define Static Authority Checks: ABAP Authorization Objects in the Business Template
For the ABAP authority checks, use the authority objects and their check IDs. For a list of the authority objects and their check IDs, see ABAP Authority [page 43].
3.1 General Remarks
1. Since the check ID has to be unique, replace _OPP with the identifier of your object (_LEAD).
2. To maintain the ABAP authority object, select the root node BTORDER and choose the tabs Authorization and ABAP Auth. Objects.
3. For the first check ID CRM_<Object>, use the authority object related to your business object type, instead of CRM_OPP.
You can find the related authority object in the function module CRM_ORDER_CHECK_AUTH_BUS_OBJCT.
4. Choose the Import pushbutton.
5. Enter your authorization object and choose Import.
6. Close the window.
Now you can use the authorization object.
7. Choose the Add pushbutton for every check ID. An empty row appears.
8. Fill the columns Check-ID and Check-ID Description.
9. Select the ABAP authority object name using value help. The selected authorization object appears in the row. In the right-hand screen area Details: Fields of Authorization Object <…>, the fields of the authorization object appear.
Now maintain the relevant fixed values for a field, or select the path and the field that are relevant for the check. If a field can be ignored, you do not have to do anything.
10. To maintain the path, select the relevant field and choose Select Path. A selection screen with all nodes appears.
11. Select the relevant node. In the second screen area, the fields of the selected node appear.
12. Select the relevant field. The selected path and field are displayed.
13. Save your changes.
3.2 Examples
In the following sections, you can find the steps for the following check IDs:
CRM_ORD_LP_<object>
CRM_ORD_OE_<object>
CRM_ORD_PR_<object>
CRM_ORD_TE_<object>
CRM_ORD_OP_<object>
3.2.1 CRM_ORD_LP_<object>: CRM_ORD_LP_LEAD
3.2.2 CRM_ORD_OE_<object>: CRM_ORD_OE_LEAD
3.2.3 CRM_ORD_PR_<object>: CRM_ORD_PR_LEAD
3.2.4 CRM_ORD_TE_<object>: CRM_ORD_TE_LEAD
3.2.5 CRM_ORD_OP_<object>: CRM_ORD_OP_LEAD
4 Define Dynamic Checks: Path-Based Authorization Objects
For the path-oriented authority object checks, use the authority objects and their check IDs. For a list of the authority objects and their check IDs, see Path-Oriented Authority [page 44]. In the following table you can see the necessary check IDs.
Check ID Description
CRM_OO_ACL Check ACE Rules One Order
CRM_OO_OTS Check ACE is active for One Order
CRM_OPP_ORD_LP_DIS_CHANNEL Check own Distr. Channel
CRM_OPP_ORD_LP_DIV_ORG Check own Division
CRM_OPP_ORD_LP_SALES_ORG Check own Sales Org
CRM_OPP_ORD_LP_SERVICE_ORG Check own Service Org
CRM_OPP_ORD_LP_SLS_GROUP Check own Sales Group
CRM_OPP_ORD_LP_SLS_OFFICE Check own Sales Office
CRM_OPP_ORD_TE Check own Territories
CRM_OPP_ORD_OP Check own Documents
4.1 General Remarks
The check IDs CRM_OO_ACL and CRM_OO_OTS are generic and can be used for every one order object. Other check IDs have to be unique, so replace _OPP_ with the identifier of your object (_LEAD_).
When checking your own orgunits using the IDs CRM_<object>_ORD*, check which ones you really need in your business template.
1. To maintain the path-oriented authority object, select the root node BTORDER and choose the tabs Authorization and Auth. Objects.
2. Choose the Add pushbutton for every check ID. An empty row appears.
3. For the first two check IDs (CRM_OO_ACL and CRM_OO_OTS), fill the column Check-ID. The rest are filled automatically.
4. For the other check IDs, fill the columns Check-ID and Check-ID Description.
5. Choose Select Path. A selection screen with all relations appears.
6. Select the relevant template node and association.
7. Select the node USER_MAPPING.USER_MAPPING at the end. In the second screen area of the selection screen, the fields of the node appear.
8. Select the field USER_ID. The path and selected field are included in the current row.
9. Save your changes.
4.2 Examples
In the following sections, you can find examples for creating path-oriented authority checks.
4.2.1 CRM_<object>_ORD_LP_DIS_CHANNEL: CRM_LEAD_ORD_LP_DIS_CHANNEL
Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.
4.2.2 CRM_<object>_ORD_LP_DIV_ORG: CRM_LEAD_ORD_LP_DIV_ORG
Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.
4.2.3 CRM_<object>_ORD_LP_SALES_ORG: CRM_LEAD_ORD_LP_SALES_ORG
Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.
4.2.4 CRM_<object>_ORD_LP_SERVICE_ORG: CRM_LEAD_ORD_LP_SERVICE_ORG
Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.
4.2.5 CRM_<object>_ORD_LP_SLS_GROUP: CRM_LEAD_ORD_LP_SLS_GROUP
Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.
4.2.6 CRM_<object>_ORD_LP_SLS_OFFICE: CRM_LEAD_ORD_LP_SLS_OFFICE
Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.
4.2.7 CRM_<object>_ORD_TE: CRM_LEAD_ORD_TE
Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.
4.2.8 CRM_<object>_ORD_OP: CRM_LEAD_ORD_OP
Select USER_MAPPING.USER_MAPPING. In the Details area, select the USER_ID field.
5 Logical Conjunction
To maintain the logical conjunction for the authority check, you can use the following logical conjunction as a template:
( ( CRM_LEAD & CRM_ORD_PR_LEAD & CRM_ORD_OE_LEAD ) | ( CRM_ORD_TE_LEAD & CRM_LEAD_ORD_TE ) | ( CRM_ORD_LP_LEAD & ( CRM_LEAD_ORD_LP_SALES_ORG | CRM_LEAD_ORD_LP_SERVICE_ORG | CRM_LEAD_ORD_LP_SLS_OFFICE | CRM_LEAD_ORD_LP_SLS_GROUP | CRM_LEAD_ORD_LP_DIV_ORG | CRM_LEAD_ORD_LP_DIS_CHANNEL ) ) | ( CRM_ORD_OP_LEAD & CRM_LEAD_ORD_OP ) ) & ( CRM_OO_ACL | ( -CRM_OO_OTS ) )
Replace _LEAD_ with the identifier of your one order object.
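To see what the template above grants for a given set of passed checks, the following added example (not part of the original document and not SAP code) parses the expression and evaluates it. It assumes that & is AND, | is OR, - is NOT, and that the conventional precedence (NOT, then AND, then OR) applies where brackets do not decide; the function names are hypothetical.

```python
import re

# Section 5 template from the page, whitespace normalized.
TEMPLATE = (
    "( ( CRM_LEAD & CRM_ORD_PR_LEAD & CRM_ORD_OE_LEAD ) | ( CRM_ORD_TE_LEAD & CRM_LEAD_ORD_TE )"
    " | ( CRM_ORD_LP_LEAD & ( CRM_LEAD_ORD_LP_SALES_ORG | CRM_LEAD_ORD_LP_SERVICE_ORG"
    " | CRM_LEAD_ORD_LP_SLS_OFFICE | CRM_LEAD_ORD_LP_SLS_GROUP | CRM_LEAD_ORD_LP_DIV_ORG"
    " | CRM_LEAD_ORD_LP_DIS_CHANNEL ) ) | ( CRM_ORD_OP_LEAD & CRM_LEAD_ORD_OP ) )"
    " & ( CRM_OO_ACL | ( -CRM_OO_OTS ) )"
)

def parse(expr):
    """Nested tuples from &, |, -, brackets (assumed precedence: - then & then |)."""
    toks = re.findall(r"[()&|-]|\w+", expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError("unexpected character in expression")
    pos = 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def atom():
        tok = take() if peek() else None
        if tok == "(":
            node = binary("|")
            if peek() != ")":
                raise ValueError("missing ')'")
            take()
            return node
        if tok == "-":
            return ("-", atom())
        if tok is None or tok in (")", "&", "|"):
            raise ValueError("check ID expected")
        return ("id", tok)
    def binary(op):
        sub = (lambda: binary("&")) if op == "|" else atom
        node = sub()
        while peek() == op:
            take()
            node = (op, node, sub())
        return node
    tree = binary("|")
    if peek() is not None:
        raise ValueError("unbalanced or trailing input")
    return tree

def evaluate(node, passed):
    """True if the expression holds for the set of check IDs the user passed."""
    op, *args = node
    if op == "id":
        return args[0] in passed
    vals = [evaluate(a, passed) for a in args]
    return not vals[0] if op == "-" else all(vals) if op == "&" else any(vals)

def check_ids(node):
    """Every check ID the expression references (to compare with the defined ones)."""
    return {node[1]} if node[0] == "id" else set().union(*map(check_ids, node[1:]))
```

With only CRM_ORD_OP_LEAD and CRM_LEAD_ORD_OP passed, evaluate(parse(TEMPLATE), ...) returns True; adding CRM_OO_OTS without CRM_OO_ACL turns the result to False, because the final bracket then fails. Comparing check_ids(parse(expr)) with the check IDs maintained on the Authorization tabs catches IDs that a literal search for _LEAD_ leaves unchanged, such as CRM_ORD_PR_LEAD.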
6 Examples
6.1 ABAP Authority
Foreign Key Relation
Check ID | Description | ABAP Authority Object | Field | Node | Field | Fixed Value | Object-Specific / General One Order
CRM_OPP | Object Type | CRM_OPP | ACTVT | | | 45 | X
CRM_ORD_LP_OPP | Process Types of own Orgunits | CRM_ORD_LP | ACTVT | | | 02;03 | X
 | | | CHECK_LEV | | | |
 | | | PR_TYPE | BTADMINH | PROCESS_TYPE | |
CRM_ORD_OE_OPP | Static Orgunits | CRM_ORD_OE | ACTVT | | | 02;03 | X
 | | | DIS_CHANNE | BTOrgSet | DIS_CHANNEL | |
 | | | SALES_GROU | BTOrgSet | SALES_GROUP | |
 | | | SALES_OFFI | BTOrgSet | SALES_OFFICE | |
 | | | SALES_ORG | BTOrgSet | SALES_ORG | |
 | | | SERVICE_OR | BTOrgSet | SERVICE_ORG | |
CRM_ORD_PR_OPP | Static Process Types | CRM_ORD_PR | PR_TYPE | BTADMINH | PROCESS_TYPE | | X
CRM_ORD_TE_OPP | Process Types of own Territories | CRM_ORD_TE | PR_TYPE | BTADMINH | PROCESS_TYPE | | X
 | | | TERR_ASSGN | | | |
CRM_ORD_OP_OPP | Partner functions of own documents | CRM_ORD_OP | PARTN_FCTT | BTPartner | PARTNER_PFT | | X
 | | | PARTN_FCT | BTPartner | PARTNER_FCT | |
6.2 Path-Oriented Authority
Foreign Key Relation
Check ID | Path Authority Object | Node | Field | BOL | Field | Fixed Value | Object-Specific / General One Order
CRM_OO_ACL | CRM_ACE2_OO_ACL | ACE_ACL | OBJECT_GUID | BTADMINH | GUID | | X
CRM_OO_OTS | CRM_ACE_OTS | USER | CRM_OBJECT_TYPE | | | ONEORDER | X
CRM_OPP_ORD_LP_DIS_CHANNEL | CRM_ORD_LP | DIS_CHANNEL | DIS_CHANNEL | BTORGSET | DIS_CHANNEL | | X
CRM_OPP_ORD_LP_DIV_ORG | CRM_ORD_LP | DIV_ORG | DIVISION | BTORGSET | DIVISION | | X
CRM_OPP_ORD_LP_SALES_ORG | CRM_ORD_LP | SLS_GROUP | SALES_GROUP | BTORGSET | SALES_GROUP | | X
CRM_OPP_ORD_LP_SERVICE_ORG | CRM_ORD_LP | SLS_OFFICE | SALES_OFFICE | BTORGSET | SALES_OFFICE | | X
CRM_OPP_ORD_LP_SLS_GROUP | CRM_ORD_LP | SALES_ORG | SALES_ORG | BTORGSET | SALES_ORG | | X
CRM_OPP_ORD_LP_SLS_OFFICE | CRM_ORD_LP | SERVICE_ORG | SERVICE_ORG | BTORGSET | SERVICE_ORG | | X
CRM_OPP_ORD_TE | CRM_ORD_TE | ORD_TE | PATH_ID | BTPartnerAttr | PATH_ID | | X
CRM_OPP_ORD_OP | CRM_ORD_USER | CRMT_ES_ORD_USER | PARTNER_GUID | PTPARTNER | BP_PARTNER_GUID | | X