Access Control Engine Functional Documentation Confidential Page 1 Goodyear Pte Ltd IC Case Access Control Engine Functional Document Author: CRM Consultant Huai Ying, Tan
Access Control Engine Functional Documentation
Confidential Page 1
Goodyear Pte Ltd IC Case Access Control Engine
Functional Document
Author: CRM Consultant Huai Ying, Tan
Access Control Engine Functional Documentation
Confidential Page 2
Pre-Live Version History:
Issue Date Author Details of Change Pages affected
0.1 07/04/2010 Huai Ying First Draft
Post-Live Version History:
Issue Date Author Details of Change Pages affected
Authorization & Quality Review:
Name Job Title Signature and Date
Workstream Team Leader
Document References
No. Document Location
1 Business Blueprint - IC \\163.243.220.175\share\CRM_Project_Docs\Blueprint\SAP-CRM-IC-BusinessBlueprint-Signoff.doc
2 ACE For IC Business Partner \\\163.243.220.175\share\CRM_Project_Docs\Functional Spec\ACE\Phase 1B - IC\ACE For IC Business Partner.pdf
Access Control Engine Functional Documentation
Confidential Page 3
Contents
1. Access Control Engine ............................................................................................................. 4 1.1 Purpose ........................................................................................................................... 4 1.2 Functional Requirements (Business Scenario & Requirements) .................................... 4
2. Solution Design ....................................................................................................................... 5 2.1 Business Process Model .................................................................................................. 5
3. ACE Customizing ..................................................................................................................... 7 3.1. General Parameter Settings ............................................................................................ 7 3.2. Rules Customizing ........................................................................................................... 7 3.2.1. Actor Type Customizing .............................................................................................. 7 3.2.2. Actor From Object Customizing .................................................................................. 8 3.2.3. Object By Filter Customizing ....................................................................................... 8 3.2.4. Actor For User Customizing ........................................................................................ 9 3.2.5. Rule Customizing ......................................................................................................... 9 3.3. Rights Customizing .......................................................................................................... 9 3.3.1. Create Work Package ................................................................................................ 10 3.3.2. Create User Group .................................................................................................... 10 3.3.3. Create Rights ............................................................................................................. 10 3.4. ACE Event Background Job ........................................................................................... 11
4. ACE Maintenance .................................................................................................................. 12 4.1. Activate/Deactivate ACE ............................................................................................... 12 4.2. Analyze Design Data...................................................................................................... 13 4.3. Simulating Runtime Result ............................................................................................ 14 4.4. Update User or Object .................................................................................................. 16 4.4.1. Update User Context ................................................................................................ 16 4.4.2. Update Object Context ............................................................................................. 17
5. ACE Enhancement ................................................................................................................. 17 5.1. DDIC Objects ................................................................................................................. 17 5.1.1. Data Elements ........................................................................................................... 18 5.1.2. Database Tables ........................................................................................................ 18 5.2. Class ZCL_CRM_ACERULE_EMP_NAME ........................................................................ 19 5.2.1. Method IF_CRM_ACE_ACTORS_FROM_USER ~ GET_ACTORS_FROM_USER .......... 19 5.3. Class ZCL_CRM_CMG_EMP_SR ..................................................................................... 19 5.3.1. Method IF_CRM_ACE_OBJECTS_BY_FILTER ~ GET_OBJECTS_BY_FILTER ................ 19 5.3.2. Method IF_CRM_ACE_ACTORS_FROM_USER ~ GET_ACTORS_FROM_OBJECTS ..... 21
6. Appendix ............................................................................................................................... 24
Access Control Engine Functional Documentation
Confidential Page 4
1. Access Control Engine
1.1 Purpose The document defines the Goodyear Interaction Center (IC) Agent or Service Professional
searching for Case by employee responsible or Processor. This document collates both
functional requirements and technical requirements. No separate document will be created.
1.2 Functional Requirements (Business Scenario & Requirements) A Customer Transactional Table at Section 5.1 will be created to store user name of IC Agent
and higher level users such as IC Manager who are allowed to view all transaction data
responsible by the agent. Thus, users at high level in the table could see all cases created by
lower level users.
Access Control Engine Functional Documentation
Confidential Page 5
2. Solution Design
2.1 Business Process Model Access Control Engine (ACE) Concept involves an Actor which represents the relationship
between User and Object. Cases can only be accessed by the employee responsible or higher
level user in the table. Therefore, IC Agent / Service Professional are the Actor, Case is the
Object and Goodyear Employee is the user.
ACE filtering process requires three technical enhancements as below:
Actor for User filters Goodyear employee and Business Partners he responsible for.
Actor from Object filters Case based on employee responsible or processor.
Object by Filter filters Goodyear cases
Figure 1: ACE concept for IC Cases filtering
Actor From Object
Object By Filter
Actor For User
Employee
Employee
Responsible/
Processor (Actor)
Cases (Object)
User
Access Control Engine Functional Documentation
Confidential Page 6
During creation for Case, IC Agent / Service Professional can be partner functions as
Responsible or Processor. Table below shows the partner functions of each case type.
Table 1: Table of ACE filtering criteria
Business Transaction
Partner Function Description
Example
ZC_1 GY_General Information
Responsible IC Agent/Service Professional who is responsible for the Case
ZC_2 GY_Product Details
Responsible IC Agent/Service Professional who is responsible for the Case
ZC_3 GY_Order Related
Responsible IC Agent/Service Professional who is responsible for the Case
ZC_4 GY_Retailer GDBF
Responsible IC Agent/Service Professional who is responsible for the Case
ZC_5 GY_University
Responsible IC Agent/Service Professional who is responsible for the Case
ZC_6 GY_Complaint
Responsible IC Agent/Service Professional who is responsible for the Case
ZC_7 GY_Tire Adjustment
Responsible IC Agent/Service Professional who is responsible for the Case
Processor IC Agent/Service Professional who will process the Case
ZC_8 GY_New Retailer Alliance
Responsible IC Agent/Service Professional who is responsible for the Case
Access Control Engine Functional Documentation
Confidential Page 7
3. ACE Customizing
3.1. General Parameter Settings Path: SPRO CRM Basic Functions Access Control Engine Maintain General
Parameters
Table 2: Table of ACE Parameter Settings
Parameter
Parameter Value
Description
ACE_IS_INACTIVE Mark „X‟ to deactivate ACE Leave blank to activate ACE
ACE_NOC_EXPIRATION_SECONDS 0 New Objects Cache are deleted at 0 second
3.2. Rules Customizing Path: SPRO CRM Basic Functions Access Control Engine Rules Create Rules
3.2.1. Actor Type Customizing Actor Type, ZBUSINESS_PARTNER represents the relation type between user and business
object.
Figure 2: Screenshot of Actor Type
Access Control Engine Functional Documentation
Confidential Page 8
3.2.2. Actor From Object Customizing Actor From Object (AFO), ZEMPRESP_FROM_CASE determines the responsible person from
CASEMANAGEMENTCRM.
Figure 3: Screenshot of AFO
3.2.3. Object By Filter Customizing Object by Filter (OBF), ZCASE determines the all Goodyear cases.
Figure 4: Screenshot of OBF
Access Control Engine Functional Documentation
Confidential Page 9
3.2.4. Actor For User Customizing Actor For User (AFU), ZEMP_RESP_USER determines the employee responsible relationship
of a user.
Figure 5: Screenshot of AFU
3.2.5. Rule Customizing Rule, ZCASE_RESPONSIBLE is the combination of Actor Type, AFU, AFO and OBF for ACE
filtering.
S Figure 6: Screenshot of ACE Rule
3.3. Rights Customizing ACE Rights consist of Work Package and User Group.
Work package is an organizational unit of the ACE, which combines user groups and
enables them for one or several object types.
Access Control Engine Functional Documentation
Confidential Page 10
User Group consists of user assignment either as single users, or as members of a role,
or as members of another user group.
Both assists ACE to identify which user is ACE active and rules selected.
Path: SPRO CRM Basic Functions Access Control Engine Create Right
3.3.1. Create Work Package
Reuse the existing Work Package. Refer to Document References table for Document “ACE For
IC Business Partner” at page 2. Assign Object Type “CASEMANAGEMENTCRM”.
Table 3: OE Work Package
Work Package ID Work Package Description Object Type Assignment
ZGY_NON_OECU_WP Work Package for OE Customer CASEMANAGEMENTCRM
3.3.2. Create User Group Existing PFCG Role ZGY_CRM_BASIC_IC will be used. Refer to Document References table
for Document “ACE For IC Business Partner” at page 2.
3.3.3. Create Rights ACE Rule, User Group and Action group are assigned to ACE Right, ZOE_ONEORDER. Action
group determines the access given to the user.
ACT_GRP_FULL grant full access to user for Read, Write and Delete.
ACT_GRP_CHANGE grant the Read and Write access.
ACT_GRP_READ grant the Read access only.
Access Control Engine Functional Documentation
Confidential Page 11
Figure 7: Screenshots of ACE Right
3.4. ACE Event Background Job ACE calculates and saves the authorization data through a dispatcher job that is started by
activating rights and the creating/modifying objects by user. During dispatcher runtime, the
worklist can be filled by other activation- or creation/modification processes. Background jobs
are started until the worklists have been completely processed. The dispatcher then shuts down
with a delay while worklists are checked for new objects, and, if necessary, new background
jobs are started.
Table 4: ACE Event Background Job Attributes
JOB Name Attributes
Transaction Code SM36/SM37
Job Name ACE_DISPATCHER
ABAP Program CRM_ACE_DISPATCHER
Event ID SAP_CRM_ACE_DISPATCHER_REQUEST
Parameter 300 (Client System Number)
Periodic Jobs X
Access Control Engine Functional Documentation
Confidential Page 12
4. ACE Maintenance
4.1. Activate/Deactivate ACE ACE can only be active if user group in a work package and the right are activated. If ACE were
to be permanently stopped, Right must be deactivated before Work Package is deactivated.
Changes on existing ACE Rule or ACE User Groups require reactivation on Work Package in
order to take effect.
Path: SPRO CRM Basic Functions Access Control Engine Activate/Deactivate Work Packages and Rights
Figure 8: Screenshot of Active User Group in Work Package
Figure 9: Screenshot of Active Right
Access Control Engine Functional Documentation
Confidential Page 13
Activating an ACE User Group and Right will trigger ACE rule to calculate the accessible object.
It is required to be manually triggered if:
- new ACE rule is added;
- existing ACE rule is amended;
- user table in section 5.1 is updated.
Any Failed Object can be sent to Update Tool for recalculation.
Figure 10: Screenshot of Monitoring Object
4.2. Analyze Design Data ACE Design Report is used to show all objects for a right, user group, or object type defined in
section 0 in a tree structure. ACE Administrator could use the Design Report to add/remove new
ACE user via PFCG role or perform the changes on ACE Rules and Rights.
Path: SPRO CRM Basic Functions Access Control Engine Create and Analyze Design Data
Access Control Engine Functional Documentation
Confidential Page 14
Figure 11: Screenshot of ACE Design Report based on User Group
4.3. Simulating Runtime Result ACE Rules and Rights have been created can be simulated via ACE Runtime Report to ensure that result works as expected. Report provides several filters to allow ACE Administrator perform a detailed simulation and testing. Any wrong result such as incorrect Object or User appears in simulation result can be sent to Update Tool which system will be triggered to recalculate the object and user followed by updating ACE tables. Path: SPRO CRM Basic Functions Access Control Engine Analyze Runtime Data
Access Control Engine Functional Documentation
Confidential Page 15
Figure 12: Screenshot of ACE Simulation Report and Filters
Figure 13: Screenshot of ACE Simulation Result
Access Control Engine Functional Documentation
Confidential Page 16
4.4. Update User or Object Performing User/Object Update triggers the system to calculate users and objects which meet the rule defined in section 3.2 and 3.3. Users and Objects are stored in list of ACE related tables for easy access. Hence, performing this update step will recalculate the user/object in the ACE tables. Path: SPRO CRM Basic Functions Access Control Engine Update User- and Object Context
4.4.1. Update User Context
ACE Update User context is required to if a user is newly assigned to the PFCG role and should
be an ACE active user. Removing a user from PFCG role in Section 4.2 requires ACE
Administrator to perform additional step to update User Context to deactivate the particular user
from ACE Active user list.
Figure 14: Screenshot of ACE Active User List based on Role
Access Control Engine Functional Documentation
Confidential Page 17
4.4.2. Update Object Context
ACE Update Object context is required if system is returning the object which does not meet the
rule. ACE Administrator should update the particular object in order to trigger the system on
recalculating the object and updating to ACE tables.
5. ACE Enhancement
During Rule creation, each rule requires an ACE class in order to perform the search filtering Criteria and mapping of User and Object via Actor from a customer table.
5.1. DDIC Objects Transactional Table is created to maintain user name in sequence from lower level (User Level 3) to higher level (User Level 0) as shown in Figure below. For example: User at Level 0 is allowed to view and process all the cases created by all the levels: Level 1, Level 2 and Level 3. However, for user at Level 3, he is only able to search for his own case. He is not able to search or view the cases created by other person.
Figure 15: Screenshot of ACE Active User List based on Role
In this section, all the necessary information to create a Transactional Database is shown in table format.
Access Control Engine Functional Documentation
Confidential Page 18
5.1.1. Data Elements
Data Element is declared for user name which will be used in Database table. Table 5: Data Elements
Name Domain Data Type No. Characters
ZUNAME3 ZUNAME3 CHAR 12
ZUNAME2 ZUNAME2 CHAR 12
ZUNAME1 ZUNAME1 CHAR 12
ZUNAME0 ZUNAME0 CHAR 12
5.1.2. Database Tables
Table below shows the Database Maintenance and the Field Name.
Table 6: Database Table Maintenance
Table Maintenance Value
Delivery Class A
Data Class APPL0
Size Category 0
Function Group ZGY_ACE
Maintenance Screen type One Step
Table 7: Database Fields
Table Name ZGY_ACE_IC_ORG
Field Name Key Initial Data Element
MANDT X X MANDT
ZUNAME3 X X ZUNAME3
ZUNAME2 X X ZUNAME2
ZUNAME1 X X ZUNAME1
ZUNAME0 X X ZUNAME0
Access Control Engine Functional Documentation
Confidential Page 19
5.2. Class ZCL_CRM_ACERULE_EMP_NAME
5.2.1. Method IF_CRM_ACE_ACTORS_FROM_USER ~ GET_ACTORS_FROM_USER
This method collects the login user to the actor list.
METHOD IF_CRM_ACE_ACTORS_FROM_USER~GET_ACTORS_FROM_USER .
APPEND im_usr_name TO ex_actor_id_table.
ENDMETHOD.
5.3. Class ZCL_CRM_CMG_EMP_SR
5.3.1. Method IF_CRM_ACE_OBJECTS_BY_FILTER ~ GET_OBJECTS_BY_FILTER
This method collects the Business Partners (Actor) from Case.
METHOD if_crm_ace_objects_by_filter~get_objects_by_filter.
CALL FUNCTION 'ZGY_ACE_CASE_SR'
CHANGING
ex_object_guid_table = ex_object_guid_table.
ENDMETHOD.
Function Module: ZGY_ACE_CASE_SR
This function module filters for Goodyear Cases onyl.
FUNCTION zgy_ace_case_sr.
*"----------------------------------------------------------------------
*"*"Local Interface:
*" CHANGING
*" REFERENCE(EX_OBJECT_GUID_TABLE) TYPE CRMT_ACE_OBJECT_GUID
*" OPTIONAL
*"----------------------------------------------------------------------
DATA: BEGIN OF ty_case_type,
case_type TYPE scmgcase_type,
END OF ty_case_type.
DATA: lt_case_type LIKE STANDARD TABLE OF ty_case_type,
lt_case_guids TYPE scmg_tt_case_guid,
ls_ace_guid LIKE LINE OF ex_object_guid_table.
Access Control Engine Functional Documentation
Confidential Page 20
FIELD-SYMBOLS: <fs_guid> LIKE LINE OF lt_case_guids.
CLEAR ex_object_guid_table.
* create a range to select Custom Case Type
RANGES: s_casetype FOR scmg_t_case_attr-case_type.
s_casetype-sign = 'I'.
s_casetype-option = 'GE'.
s_casetype-low = 'Z'.
APPEND s_casetype.
* select all the case
SELECT case_guid
FROM scmg_t_case_attr
INTO TABLE lt_case_guids
WHERE case_type IN s_casetype
AND ( processor <> '' OR
responsible <> '' ).
LOOP AT lt_case_guids ASSIGNING <fs_guid>.
ls_ace_guid-object_guid = <fs_guid>.
APPEND ls_ace_guid TO ex_object_guid_table.
ENDLOOP.
ENDFUNCTION.
Access Control Engine Functional Documentation
Confidential Page 21
5.3.2. Method IF_CRM_ACE_ACTORS_FROM_USER ~ GET_ACTORS_FROM_OBJECTS
This method prepares the related partner functions which are needed to map Actors to Objects.
METHOD if_crm_ace_actors_from_object~get_actors_from_objects.
TYPES: BEGIN OF ty_case,
case_guid TYPE scmg_case_guid,
END OF ty_case.
DATA: ls_objects TYPE ty_case,
lt_objects TYPE TABLE OF ty_case.
DATA: ls_object_actor TYPE crms_ace_object_actors,
lt_case TYPE TABLE OF scmg_t_case_attr,
ls_actor TYPE crms_ace_actor_id,
lt_actor TYPE crmt_ace_actor_id,
ls_failed_object TYPE crms_ace_object_guid.
FIELD-SYMBOLS: <fs_object> TYPE crms_ace_object_guid,
<fs_case> TYPE scmg_t_case_attr.
REFRESH: lt_actor.
* convert guid 16 to guid 32
LOOP AT it_object_guids ASSIGNING <fs_object>.
ls_objects-case_guid = <fs_object>-object_guid.
APPEND ls_objects TO lt_objects.
ENDLOOP.
* read processor and person responsible of case
SELECT case_guid ext_key
processor responsible FROM scmg_t_case_attr
INTO CORRESPONDING FIELDS OF TABLE lt_case
FOR ALL ENTRIES IN lt_objects
WHERE case_guid = lt_objects-case_guid.
LOOP AT lt_case ASSIGNING <fs_case>.
REFRESH lt_actor.
IF <fs_case>-responsible IS NOT INITIAL.
APPEND <fs_case>-responsible TO lt_actor.
ENDIF.
IF <fs_case>-processor IS NOT INITIAL.
APPEND <fs_case>-processor TO lt_actor.
ENDIF.
IF NOT lt_actor IS INITIAL.
DELETE ADJACENT DUPLICATES FROM lt_actor COMPARING actor_id.
CALL FUNCTION 'ZGY_ACE_READ_ORG_USER'
Access Control Engine Functional Documentation
Confidential Page 22
CHANGING
ct_actor_id = lt_actor.
IF NOT lt_actor IS INITIAL.
CLEAR ls_object_actor.
ls_object_actor-object_guid = <fs_case>-case_guid.
ls_object_actor-actors = lt_actor.
APPEND ls_object_actor TO et_actor_ids.
ELSE.
CLEAR ls_failed_object.
ls_failed_object-object_guid = <fs_case>-case_guid.
APPEND ls_failed_object TO et_failed_objects.
ENDIF.
ENDIF.
ENDLOOP.
ENDMETHOD.
Function Module: ZGY_ACE_READ_ORG_USER
This function module reads users in Section 5.1 who is allowed to view and process the case.
FUNCTION zgy_ace_read_org_user.
*"----------------------------------------------------------------------
*"*"Local Interface:
*" CHANGING
*" REFERENCE(CT_ACTOR_ID) TYPE CRMT_ACE_ACTOR_ID OPTIONAL
*"----------------------------------------------------------------------
DATA: ls_itab TYPE zgy_ace_ic_org,
lt_itab TYPE TABLE OF zgy_ace_ic_org.
DATA: ls_actor_id TYPE crms_ace_actor_id,
lt_actor_id TYPE crmt_ace_actor_id.
CHECK ct_actor_id IS NOT INITIAL.
lt_actor_id = ct_actor_id.
REFRESH: lt_itab, ct_actor_id.
LOOP AT lt_actor_id INTO ls_actor_id.
CLEAR ls_itab. REFRESH lt_itab.
SELECT * FROM zgy_ace_ic_org INTO TABLE lt_itab
WHERE level3 = ls_actor_id-
actor_id.
IF sy-subrc = 0.
* convert 3rd level user name to BP guid
* read level 2 that related to level 3 users
CLEAR ls_itab.
LOOP AT lt_itab INTO ls_itab.
Access Control Engine Functional Documentation
Confidential Page 23
APPEND ls_itab-level2 TO ct_actor_id.
APPEND ls_itab-level1 TO ct_actor_id.
APPEND ls_itab-level0 TO ct_actor_id.
ENDLOOP.
APPEND ls_itab-level3 TO ct_actor_id.
ELSE.
* 3rd level user not found
* look up user name in 2nd level
CLEAR ls_itab. REFRESH lt_itab.
SELECT * FROM zgy_ace_ic_org INTO TABLE lt_itab
WHERE level2 = ls_actor_id-actor_id.
IF sy-subrc = 0.
" append level 3 user names to itab
LOOP AT lt_itab INTO ls_itab.
APPEND ls_itab-level1 TO ct_actor_id.
APPEND ls_itab-level0 TO ct_actor_id.
ENDLOOP.
APPEND ls_itab-level2 TO ct_actor_id.
ELSE.
* 2nd level user not found
* look up user name in 1st level
SELECT * FROM zgy_ace_ic_org INTO TABLE lt_itab
WHERE level1 = ls_actor_id-actor_id.
IF sy-subrc = 0.
APPEND ls_itab-level1 TO ct_actor_id.
LOOP AT lt_itab INTO ls_itab.
APPEND ls_itab-level0 TO ct_actor_id.
ENDLOOP.
ELSE.
* 1st level user not found
* look up user name in level 0
SELECT SINGLE * FROM zgy_ace_ic_org INTO ls_itab
WHERE level0 = ls_actor_id-
actor_id.
IF sy-subrc = 0.
APPEND ls_itab-level0 TO ct_actor_id.
ENDIF.
ENDIF.
ENDIF.
ENDIF.
ENDLOOP.
SORT ct_actor_id BY actor_id ASCENDING.
DELETE ADJACENT DUPLICATES FROM ct_actor_id.
DELETE ct_actor_id WHERE actor_id = ''.
ENDFUNCTION.
Access Control Engine Functional Documentation
Confidential Page 24
6. Appendix