Documente Academic
Documente Profesional
Documente Cultură
S I E B E L S Y S T E M S , I N C .
Access Control
Upgrade and
Migration Guide for
Siebel 7
Revision History:
Date Author Description
7/ 01/2001 B. Garrett Reynolds, Original creation
Senior Configuration
Specialists – Expert
Services
2
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Table of Contents
REVISION HISTORY:.........................................................................................................................2
INTRODUCTION.................................................................................................................................4
UPGRADE ISSUES.............................................................................................................................19
ASSIGNMENT MANAGER...............................................................................................................32
TERMINOLOGY ...............................................................................................................................33
APPENDIX A ......................................................................................................................................34
3
12/21/01 Siebel Systems, Inc. Confidential and subject to change
About this document
The purpose of this document is to provide customers with guidance and direction on the best practices for
upgrading-migrating to 7 specifically around the implementation of Access Control. This document
provides background on Access Group, a new access control mechanism implemented in Siebel 7, and
outlines steps to deploying Access Group access into Siebel eBusiness applications (customer and
employee facing applications). It assumes that the reader is familiar with Siebel application architecture.
It is intended to help Siebel professionals understand Access Group access control mechanism so that they
can properly design and implement proper Access Control designs. This document is intended for
internal and external personnel who are directly involved in the implementation and design of Siebel
eBusiness applications specifically around the Access Control technologies (customer system
administrators, knowledge management experts, Siebel Sales Consulting, Product Marketing, and
Technical Services)
Introduction
Deploying Siebel eBusiness applications over the web channel allows external users, such as customers
and channel partners, with varying access levels, to directly access data and application functionality.
This introduces a new set of data and content access dynamics that our current mechanisms for visibility
are not created for. These dynamics include:
• An exponential increase in the amount of content (Master Data like Products, and Customer Data
like Opportunity) that will be distributed via the Siebel application.
• An exponential increase in the number of users and entities that will access the data and added
complexity of relationships between users (partners, competitors, browsers, customers).
• Significant increase of complexity in access control policies (one data item and group of data
items can be accessed by one or many users and groups, but not by all; and vice versa).
Siebel customers require Siebel eBusiness applications (customer and employee facing applications) to
provide a framework for safely delivering content and application functionality over the web channel and
web client for enterprise applications, but are running into the following limitations with the current 6.x
solution:
• The current model for visibility control cannot be administered for either large numbers of users
with varying access levels or large numbers of content items.
• The current model for visibility does not provide the level of control required to protect partner
data and still maintain a single view of the customer.
Access Group Access Control Mechanism is one solution to these business problems faced by customers,
with the following benefits:
• Data organizing mechanism provided – data access control at the Category and Catalog level
− Extends the Category and Catalog concept; offers capability to organize master data into
hierarchical structure (7), using catalogs and categories. Customer data will be added to the
Access Group functionality in future releases.
− Significantly simplifies the work for system admin:
− Huge amount of data is easier to access and administer in a hierarchical structure;
4
12/21/01 Siebel Systems, Inc. Confidential and subject to change
− Only need to add a new data item into a Category and access control is effective
• Access Group provided as a mechanism for grouping Positions, Orgs, Accounts, Business Units,
and User Lists, each of which contains 1 or many persons
− Significantly simplifies the work for system admin for large number of user
administration – only need to add a new person into a party entity, and access control is
effective
• High flexibility allows for any arbitrary association between Categories and Access Groups
− Good at handling complicated and multiple Access Control rules and policies
Today, many customers have deployed Siebel 6.X products, many of who have deployed Multi Org
functionality to various business objects. For new customers that are in the process of planning for access
control deployment, they need to carefully analyze their Access Control requirements and how Access
Group and Multi Org fit in to this picture. For those customers who have already Multi Org’ed certain
data objects, they need to rethink about the access control in the context of Access Group. This document
is intended to provide guidelines for the customer’s access control planning process.
For a detailed description of Access Group and Multi Org please refer to the Access Control
Documentation.
Responsibilities
Responsibility Access controls access to data at the level of views and screens. In reality, business
enterprises are often organized around functions – engineering, marketing, sales, business development,
finance, etc. Employees inside of these enterprises typically fall into one or multiple of these functions. An
employee belonging to one function may not want to, or shouldn’t be allowed to access data that belong to
another organization. Example: As a marketing manager, one shouldn’t see the sensitive corporate
financial data; as an engineer, one may not want to see all the marketing materials at all. Responsibility
Access is designed in this context to control access according to business functions. This option is
relatively easy to implement, but lack of granularity in data control is a major drawback
Positions
Position Access controls access to data at the level of individual data items, and applies only to Customer
Data (objects like Opportunities, Contacts, Accounts, etc.), not to Master Data (objects like Products,
Literature, etc.). Position Access works in two different contexts – hierarchical and team based.
5
12/21/01 Siebel Systems, Inc. Confidential and subject to change
This option offers much more granularity in data control than Responsibility Access, but is limited in the
following aspects:
1. Lack of Data organizing mechanism: all data access control is at the record level – Admin nightmare
when having to manage a huge amount of data (however, because of the nature of Customer Data
(which Position Access handles) – small in number, this fortunately wouldn’t be too bad.
2. Sales and Contact Teams are not re-usable: for each data record a system admin needs to build from
ground a new team – Very Poor Scalability means administration nightmare when dealing with huge
amount of data.
3. One record can only have one Sales and Contact Team – Cannot handle complicated and multiple
Access Control policies.
Organization (Multi-Org)
Like Position Access, Organization Access controls access to data at the level of individual data items. In
the real world, access to data often depends on which (physical) organization one belongs. Example:
Siebel sales consultants work closely with many Siebel Partner organizations such as ABC and XYZ to
deploy Siebel products. ABC should be able to see certain data that they are work on, but they should
never be allowed to see what XYZ is working on, like what price XYZ charges its client. Organization
Access is created in this context to control access along the lines of organizations.
In Siebel 2001, Organizations can be placed into a hierarchy. This differs from Siebel 2000, where
Organizations were flat and could not have parents. There is also a new Sub-Org view mode, which
displays customer data for the user's Organization and any Organizations below it in the Organization
hierarchy.
Complex organizations benefit from having the ability to place their internal Organizations into a
hierarchy and provide a view to some users which shows data down the hierarchy. The eChannel
application also benefits from this enhancement because some of our customers who deal with large,
complex Business Partners structure them into Organization hierarchies with HQ, Regional Branches,
local branches, and so on. Providing a view for the regional manager to see data associated to his branch
and all of those below is a great enhancement.
6
12/21/01 Siebel Systems, Inc. Confidential and subject to change
• Service Request
• Service Agreement
• Asset
• Employee
• Position
• Division
*Multi-Org Enabled in 7
This option offers much flexibility for data access control at the organization level and meets the business
requirement in reality, but its usability is limited due to the following constraints:
1. Lack of Data organizing mechanism: all data access control is at the record level – Admin nightmare
when having to manage a huge amount of data
2. Creating Organizations is not flexible: Organizations have specific meaning and are typically not
appropriate for ad hoc groups; creating Organizations is complicated: have to create positions, etc. for
Org-based visibility to take effect.
3. Prior versions of Siebel did not provide for a hierarchical inheritance feature in Multi-Org, for
example,, the hierarchical structure between different organizations is not considered in Organization
Access. The Siebel 7 product release introduces Sub-Org visibility which provides the hierarchical
inheritance that previous Siebel versions lacked. But Multi-Org still does not handle complicated
Access Control Rules.
Access Group
Access Group Access Control Mechanism offers new features to address maintenance and visibility issues
of large, complex customers.
The Access Group Hierarchy is a new feature that allows an Administrator to set up groups and assign
people to them indirectly through Positions, Organizations, Accounts, Households, and User Lists. A
person cannot be directly associated to an Access Group. The groups can be organized into a hierarchy.
A new mechanism is introduced in Siebel 7 that allows visibility to data through being a member of an
Access Group. This Access Control mechanism is only available for Master data in 7.0, which are things
like Products, Literature, Price Lists, Auction Items, Courses, and Decision Issues. These objects
typically have large set of records that is relatively static.
Why Another Visibility Mechanism? Some companies have millions of records in the Product or
Literature tables. On the other side, there could be a huge amount of people and Organizations to relate to
this data. A large, complex customer like XYZ has over 50,000 employees, over 100,000 Partners, and
potentially millions of contacts targeted to use their Siebel applications.
There are more complexities that can be introduced into the equation. A partner can have a different level
of access like Silver, Gold, and Platinum, which allows them a broader access to data. Or one may want
to grant different levels of access to employees within a Partner Organization, depending on profile data
for instance.
One of the major benefits to having Access Groups is that it’s easier to maintain access to content. The
traditional Access Control mechanisms required an Administrator or Assignment Manager to touch each
7
12/21/01 Siebel Systems, Inc. Confidential and subject to change
and every record in order to relate each instance to a person or Organization. This is why a new Access
Control mechanism is introduced.
The other major benefit to categorization of data, besides the ease of administration, is that it also makes
navigation by end users through the data much easier. Another benefit is that by creating the Access
Group hierarchy, child groups have access to data down the hierarchy. This means that groups can see
data to which their parents, grandparent, and so on up the chain, have access.
Categorization of Content is another new feature. Although categorization of data was available in
prior versions, it wasn’t tied to visibility until Siebel 2001. This categorization refers only to master data
(examples being Products, Literature, Solutions, Price Lists) in Siebel 7. This feature allows an
Administrator to create classifications and associate instances of data to these categories. These can also
be set up in a hierarchy.
The benefits to categorizing data are that it simplifies Access Control administration. Also, data is more
manageable when grouped into categories. In prior versions, there was just a flat list of records like the
Product and Literature screens where a user would need to query for keywords with wildcards to try and
locate the correct record and then scroll through the list to find the exact match. The categories help
organize the data and assist in locating the correct record faster and easier than before.
Catalogs and Categories are created to represent classifications for the master data. It is up to the
customer to decide what these catalogs and categories will be. The Catalog is really just a root directory
and not used for visibility. The Categories can be arranged in a hierarchy. Then master data items are
related to the categories. Products, Literature, and any other master data can be related to the same
category. As stated before, prior versions of Siebel had the ability to categorize data into Catalogs and
Categories, but it wasn’t used for visibility. Another difference is that a Category could be related to
multiple Catalogs before. The new design for 7.0 does not allow for this and a Category can only belong
to one Catalog.
Categories are marked either public or private. If the category is Public, it is visible to everyone. If the
category is Private, Access Group visibility it is applied. The private attribute is downward overriding. If a
catalog or a parent category is marked private, all its children categories will be automatically marked as
private and cannot be changed back to public if the parent category remains private. The public attribute is
not overriding. A catalog or a parent category can be public whereas some of its children categories are
marked private. When originally marking a catalog or category private but then change it back to public,
the categories below that specific catalog and category remain private until manually change them to
public.
Categories can be associated to the Access Groups once master data has been organized into categories,
and persons to Access Groups indirectly through Position, Organization, Account, Household, and User
List associations. Having access to a category means having access to all the Master Data items contained
in the Category.
On the Access Group side, a user will have access to categories to which a parent Access Group is
related through the Access Group hierarchy. This is enabled via that denormalized Access Group
relationship that is stored in the S_PARTY_RPT_REL table.
This upward inheritance feature embedded in Access Group hierarchy is run-time enforced. In an
administrative view, when a parent Access Group is associated with a category, its children Access
Groups will not be explicitly associated with that particular category. Users cannot disassociate the
children Access Groups from the category because the association is not displayed at all. However, the
8
12/21/01 Siebel Systems, Inc. Confidential and subject to change
application will run-timely determine that a user can access that category by verifying that the user
belongs to or is a member of the child Access Group to the Access Group which is associated with the
category.
Upward inheritance in Access Group hierarchy is not an optional feature. There is no switch to turn off
the upward inheritance capability of a child Access Group.
On the data side, an Access Group may also have visibility down a category tree if the Administrator
selects to cascade the category. When cascade for a parent category is ticked, all its children directories
are visible to the Access Group associated. Although cascade is displayed in a field format, it functions as
a button because there is no “cascade” column in the data table. Un-tick cascade will not disassociate the
children categories from the Access Group. In such a case, cascade delete functionality is available if an
Administrator removes an Access Group’s from a catalog and category – by doing this, he effectively
removes this access group from all children categories.
Cascade is development-time enforced, which means the Access Group is explicitly associated with the
children categories when ticking the “Cascade” field.
Access Group Access Control offers the most flexibility for data access control and provides the following
benefits.
1. Provides Data organizing mechanism – data access control is at the Category and Catalog level
2. Significantly simplifies the work for system admin – only need to add a new piece of data into a
Category and access control is effective
3. Provides Access Group as a mechanism for grouping Positions, Orgs, and User Lists – which contains
1 or many persons
4. Significantly simplifies the work for system admin – only need to add a new person into a party
entity- access control is effective
5. High flexibility allows for any arbitrary association between Categories and Access Groups
6. Good at handling complicated and multiple Access Control Rules
Let’s look at a real-life business scenario. Assume one wants to use the level of their resellers to determine
which of the “knowledge” resources they have access to. The resellers include partner organizations and
some individual consultants that are not associated with a partner organization.
§ In addition to basic product information, provide the “premier” resellers access to more sales-specific
resources: marketing FAQs, documents that provide guidance on customer decision issues, and sales
training classes.
§ In addition to product and sales resources, provide strategic resellers access to resources to help
design entire marketing campaigns: competitive briefs and training classes.
§ As the status of a reseller changes, the administration required to change the reseller’s access to data
must be minimal.
9
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Figure 1 illustrates the logical relations of Reseller Community and Reseller Resources Catalog, and how
they should be associated. Figure 2 illustrates one access control structure that solves this simple business
problem.
Product Resources
Strategic
Premier
Sales Resources
Base
Planning
Resources
Resellers Community
BASE RESELLERS
Partner 6, Partner 7, Partner 8, User List 3
PREMIER RESELLERS
Partner 3, Partner 4, Partner 5, User List 2
STRATEGIC RESELLERS
Partner 1, Partner 2, User List 1
10
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Reseller Resources Catalog
PRODUCT RESOURCES
SALES RESOURCES
PLANNING RESOURCES
This solution assumes that the resellers are stored as organizations, in which employees are associated
with positions. The consultants exist as users. That is, they have responsibilities, but not positions, and are
not associated with an organization (when they log in however, dynamically they are associated with an
organization through PROXY Employee to have a Position. For more refer to Authentication and Access
Control Administration Guide, Siebel 7, for more).
The Resellers Community is an access group hierarchy. Each node is an access group whose members are
reseller organizations and a single user list. The user list in each node contains all consultants of the
appropriate status.
The Reseller Resources catalog is constructed of categories containing data and nodes that are empty
categories to define levels in the hierarchy.
§ Construct the Reseller Resources Catalog such that the least restricted resources are visible to all.
Product resources are available to all resellers, so the PRODUCT RESOURCES node is at the top.
Categories of PLANNING RESOURCES and SALES RESOURCES are children nodes to the
PRODUCT RESOURCES node. The PLANNING RESOURCES category is child nodes to the
SALES RESOURCES category.
The following implementation procedure effectively restricts the base resellers’access to product resources
only, premier resellers’access to product resources and sales resources; and strategic resellers’access to
all resources.
1. Construct the Reseller Resources Catalog, and specify it as private, with access provided to the BASE
access group. Access to the catalog is also granted to the PREMIER and STRATEGIC RESELLERS
access groups because access group access is upward inherited.
2. Associate the BASE access group with the PRODUCT RESOURCES category. Make sure that the
cascade feature in this category is turned off. This gives all nodes in the Resellers Community access
to PRODUCT RESOURCES, but not other resources, in the Reseller Resources Catalog.
3. Associate the PREMIER access group with the SALES RESOURCES category. Make sure that the
cascade feature in this category is turned off. Now the PREMIER node and its descendant node, the
STRATEGIC RESELLER access group, have access to the SALES RESOURCES category.
4. Associate the STRATEGIC RESELLERS node with the PLANNING RESOURCES category. Now
only the STRATEGIC RESELLERS node has access to all three categories in the Reseller Resources
Catalog.
This structure meets the minimal maintenance requirement. If the status of a partner organization
changes, add the partner to the appropriate access group and delete the partner from the old access group.
If the status of a consultant changes, add the user to the appropriate user list, and delete the user from the
old user list. Re-categorized consultants and employees are granted appropriate new access as defined by
the structure.
This is only one option that one can use to implement their access control plan; there are many other
options available, specially attention however, should be paid to the aforementioned features such as
upward inheritance, downward cascade, etc.
12
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Siebel 7 Data Model
There have been several major data model changes in the Siebel 7 release. The largest data model change
was for the Party and Single Person model, which is fundamental to the entire Siebel 7 release. This new
model was not done specifically for the Access Control mechanism, but Access Control does benefit from
it. With the new model, Accounts, Organizations, Internal Divisions, Contacts, Employees, Positions, and
Households are all considered Parties and can be referenced from the same table, S_PARTY. The prior
tables that housed these data entities still exist and are still used, but they are now extension tables to the
new base table and the data is brought into the business components through an implicit join. The other
two major data model changes are also related to this new model. Employees and Contacts have been
combined into the same table (S_CONTACT) and similarly, internal and external Organization Units
have been combined into one table (S_ORG_EXT).
The new S_PARTY table is the primary table in the Party and Single Person model and is the base table
for all Party BusComps. It is a single entity to store organization units (both external and internal),
positions, access groups (new), user list (new), household (new), contacts, and employees. The single
party model is implemented with Siebel extension tables - S_USER, S_EMPLOYEE, S_CONTACT,
S_ORG_EXT, S_POSTN, and S_BU. Each non-person party directly or indirectly has person members –
employees, contacts. The data model was converted to the single party design, but the BusComps, view
modes, and views were kept the same as in Siebel 6.x release.
The S_PARTY_PER table contains relationships between parties such as Access Groups, Accounts and
Organizations, Positions, Households, Persons, and User Lists to support visibility. It replaces the
S_EMP_POSTN, which stored Employees and Positions relationships.
The S_PARTY_REL table contains ad-hoc, informational relationship between parties. For example,,
ABC Company’s accounting firm is Acme LLP; Joe Jones influences Mike Harris. This table replaces the
S_ORG_REL, S_CONTACT_REL, and S_PER_ORG_UNIT tables. This will not be a forced move for
7. Little (if any) relationships use this table in standard Siebel configuration for 7 (horizontal)
There are three pre-built hierarchies within Siebel 7 which are implemented via the S_PARTY_RPT_REL
table – Positional, Organizational, and Access Group. (Note that these hierarchies are 1 to many.) This is
a system table that contains denormalized party relationships. Not all party relationships are
denormalized here, only visibility hierarchy relationships. The Positional denormalization is the one to
enable Manager’s visibility. But this denormalized relationship was formally stored in
S_POSTN_RPT_REL, which this new table replaces. This table will be used if customers configure a
Sub-Org view which shows data for a users Organization and all of those Organizations below it in the
hierarchy. The Access Group hierarchy is also denormalized into this table, allowing visibility to Access
Groups above their in the hierarchy, rather than below. S_PARTY.PAR_PARTY_ID is used to create
these hierarchies, for example, Access Group-to-Access Group, Position-to-Position, and Organization-to-
Organization. These denormalized relationships enable the Manager and Sub-Organization View modes.
The new Single Party Design has made several tables obsolete. The S_EMPLOYEE table is obsolete as its
functionality was merged into the S_CONTACT table. The S_ORG_INT table is obsolete, as its
functionality has been merged into S_ORG_EXT. S_EMP_POSTN has been replaced by
S_PARTY_PER.
There are several other new tables in the data model supporting the consolidation of S_EMPLOYEE with
S_CONTACT and of S_ORG_INT with S_ORG_EXT. The S_USER table stores Siebel User
information. The S_EMP_PER stores attributes for Brand-Owner Employees and Partner Users who are
S_PARTY_CTGRY is an intersection table between the catalogs and Siebel Parties. It will be used to
control access across parties to the categories.
In addition, the catalogs and categories still maintain the hieratical relationship. With that, anyone that
have access to the parent catalog, can also access all catalogues defined under it.
14
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Shared Categories Party
Catalog
Catalog Access Business
Unit
Org
Category Category - Account
Access - Corporation
- Govt Agency
- etc.
Master Data
Person
Literature Category - Employee
Product Item - Contact
Price List
Solution
etc.
Customer Data
Org Party Relationsh
Opty Team Role
Quote - Person role
Order Owner - Employment
SrvReq Team - etc.
etc.
Contact
Team
Party
Party
User List Access Group (new) S_PARTY
Another enhancement is the ability to restrict visibility to data in child applets of Detail Views. This can
be achieved by setting the visibility mode on the Link within Tools. The benefits of this can be illustrated
in the eChannel application. If Organization visibility is set on the Account and Opportunity Link,
Partners with access to the Account>Opportunities view will only see Opportunities which belong to their
Organization.
Refer to Siebel Bookshelf for complete documentation on dock objects and visibility.
Note: To assist in migrating the columns and data to the new tables, Siebel applications will generate a
report during the upgrade that lists those fields on business components that reference columns which will
need to be moved to facilitate this process. It is important to note that Siebel applications may have added
new columns which provide functionality that in prior versions required extension columns. Customers
should analyze the new data model to see if that the new Siebel 7 standard column can be used in place of
their custom extension columns before creating all of the custom extensions from their previous
repository.
It is important to understand the difference between Multi-Org and Access Control before making any
decision of migration at all. In describing the difference, this document will use the framework
provided in the Siebel Access Group Access Control Tech Note Refer to the document for details.
Readers familiar with the basic Siebel data model and concepts of Multi Org and Access Group can
refer to the following table for a comparison between the two. For detailed introduction to these two
mechanisms please refer to the afore-mentioned Tech Note.
21
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Planning and Design
It is very important for customers implementing Access Control to put the proper time and effort into
the analysis, planning, and design of their Access Control model. Proper design and implementation
of these structures is very important to the usability and functionality of the application.
The differences between the two visibility control mechanisms, Multi-Org and Access Group, was
described in the section “Multi-Org vs. Access Group”. Because of these differences, Multi Org and
Access Group are used differently in Siebel applications. This section will discuss two processes to
decide when and where to use each mechanism. These two processes are designed respectively for
customers that have deployed Multi-Org and are now in the process of migrating to Siebel 7, and
customers who have not deployed Multi-Org but are thinking of doing so or are planning
implementing Siebel 7.
The two decision processes are heavily centered on the “Data” component in access control. Before
going into the two processes however, customers should first go through the following relatively
simply exercise centered on the “Users” component in access control. Often, this exercise can help
make a quick decision as to which mechanism to use:
All Siebel applications customers either on 6.x Siebel products or ready to purchase Siebel 7 fall into
the following three categories:
§ They have deployed neither Access Group (not available until 7) nor Multi-Org
§ They have multi-org enabled selected Master Data objects (in 6.x no Customer Data objects were
multi-org enabled), or
§ Customers currently using Multi-Org who are remaining with Multi-Org and not implementing
Access Control Access Group
Start (for
Customers who
Have Deployed
Multi Org
Already)
Yes
Explanation to Figure 1:
Step 1: Is the Access Control Decision in the Context of Already Multi-Org’ed Data or on New Data
that's not Multi-Org’ed Yet? For all new access control projects (not on data already Multi-Org’ed) under
Step 2: Follow the Instruction for Customers who have not Deployed Multi Org Yet. This step is self-
explanatory.
Step 3: Is the Data Volume Large? Refer back to the description to Step 4 in flow chart 1 explanation for
more.
Step 4: Is there any Inherent Hierarchy Relationship between the Data? Refer back to the description to
Step 3 in flow chart 1 explanation for more.
Step 5.1 and 2: Building up Hierarchical Catalog and Category Data Structures; How to convert Multi-
Org and Multi-Org enabled data into Access Group and Access Group controlled data. In real life,
customers deploy Multi-Org in very different contexts, and when they plan to migrate the data to Access
Group, the Access Group hierarchies they want to build can vary wildly, depending on their specific
requirements. But no matter how differently they build their Access Group hierarchies and structure their
data, the following steps need to be performed:
• Build Access Group hierarchies – need to adapt the existing organizations into these hierarchies
• Build hierarchical data structure. When doing this bear in mind the Access Groups that have
been created earlier.
• Create the association between Access Group and Category and Catalog.
For customers considering following these steps to move Multi-Org enabled data, to be Access Group
controlled, it should be noted that it might (but not necessarily have to) be a long and hard process to
build up the catalog and category hierarchical structure of data and to build one or multiple Access Group
hierarchies. Before these data and user hierarchies are built, Multi Org still plays an important role in
controlling access to data by users.
Alternatively, the standard configuration provides some upgrade scripts which automatically migrate
Multi Org access controlled data into Access Group access controlled. Note that the purpose of the script
is only to guarantee uninterrupted upgrade and not to produce the most appropriate catalog and category
and access group structure. It is highly recommended that when (if) customers do choose to use the script,
they use it only for the transition period – between when they upgrade their system to 7 and when they
follow the above steps to build up their own catalog and category, access group structure. Please see
Appendix B for a description of the migration script algorithm.
Step 6: Is it Highly Likely that the Data Volume will grow significantly, sooner or later? This is a critical
question because although currently the data volume may not be large, it may grow over time and soon the
system administrators will run into problems associated with huge volume of data. In case where the
volume is likely to grow significantly, following the logic in Step 3, it is recommended customers to use
Access Group.
Step 7: Did the Multi-Org enable the Data for the Purpose of Data Partitioning? For a description of
“Data Partition” refer to Appendix A. When one reaches this step in the flow chart, it means that he’s not
dealing with a large amount of data, and the data is unlikely to grow in volume either. In this case, if the
data is Multi-Org’ed for the sake of data partition, which is what multi org is created for, it is
recommended that customer stick with it. If not, the general recommendation is that customers should use
Access Group to replace Multi Org, although not doing so due to limited resource is also acceptable.
Step 8: Keep the Current Multi-Org Structure Unchanged. Multi Org and Access Group would co-exist in
7 and beyond. All the hard work customers have invested into building up the multi-org structure and
24
12/21/01 Siebel Systems, Inc. Confidential and subject to change
enabling Master Data is not wasted if they choose not to apply Access Group to the Multi-Org enabled
data.
25
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Customers not currently using Multi-Org who are implementing Access
Control
Start (for
Customers who
Have not
Deployed Multi
Org Yet
No
Doing it in the Near Future
Master Data (Typically Large in Volume
and have Inherent Hierarchy)
Yes Yes
Step 5: Categorize No
Data into Step 6: Categorize
hierarch(ies) Data (not
necessarily into
hierarchy)
End
Explanation to Figure 2:
Step 1: Which Data Type is one trying to Control Access to? A limitation of Access Group in 7 is
that it only applies to Master Data. One uses this step to differentiate between Customer Data and
Master Data. Note however, that it is on the plan that Customer Data will be Access Group enabled
in the next major release.
Step 2: Is one doing it Now or in the near Future (6 -12 months)? Since Access Group is not an
option for Customer Data, if the customer is planning to deploy access control to Customer Data
now, they have no choice but use Multi Org. If however, they are planning to do it in 6-12 months
from now, as observed is the case with many customers, Access Group would be applied to
Customer Data and therefore they might want to decide differently.
Step 4: Is the Data Volume Large? In the case of there being no hierarchical structure within the
data, a critical question to ask is the data volume. Huge data volume typically translates into
administration nightmare if Multi-Org is used. In the case of one major Siebel applications client for
example,, they have up to 1 million data records for a certain business object – there’s not
necessarily a strong hierarchical structure within the data. When using Multi Org to control access
to the data however, system administrators need to go through each one of the million records and
manually associate one or multiple organizations with each one of them. Further, even if some of the
records area associated with the same set of organizations, the “set of organizations” cannot be re-
used. In this case, Access Group offers a much more scalable solution than Multi Org, to be
described in Step 6.
Step 5: Categorize Data into hierarchies. This step is straight forward – when there’s hierarchical
structure within the data, one should map this hierarchy into the data structure (using categories and
catalogs) design.
Step 6: Categorize Data (not necessarily into hierarchy). Following Step 4 – if there’s no
hierarchical structure within data but the data volume is huge, one can use category and catalog to
categorize data that are common to certain business units (e.g., organizations) together. Because
Access Groups are re-usable, simply associating various Access Groups with categories will do the
access control, rather than having system administrators go through every single data record and
associate multiple organizations with each one of them.
27
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Customers currently using Multi-Org who are remaining with Multi-Org
and not implementing Access Control Access Group
Customers who have implemented Multi-Org and have decided not to implement Access Control will
have to make some adjustments to the standard Siebel 7 configuration. The visibility properties of several
objects have been changed to take advantage of the Access Group functionality. The visibility of those
objects will have to be reset to organization visibility settings for those customers that are not implanting
Access Group and are staying with the Multi-Org functionality. Business component “Popup Visibility
Type” property has been changed from Organization to catalogue visibility to support the Access Group
functionality and the applet query mode has been put in query mode.
1. Find all business components currently set with popup visibility mode of “Catalog”. A query can
easily be run in Siebel Tools to bring this list back. The following is a list from Standard Siebel
applications (more important business components are bolded):
The popup visibility mode for these business components should be changed from catalog to
organization.
Change property "Auto Query Mode" of the pick applets to NULL from “New Query” or “None”.
3. Make sure that any views with visibility applet type of “Catalog” are accurate.
• Change the [Service Solution List View (SCW)] view from catalogue visibility to
organization visibility. This view had sales rep visibility in Siebel 6, which kind of doesn't
make sense. It probably should have had Org visibility.
4. The other thing worth documenting is that there is no flat list of literature in eChannel Partner
Portal in Siebel 7. The screen and view still exist in Tools, but they are not active in the
application. If customers want to use the view they will have to make it active in Tools.
29
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Administration and Setup
Administrators will create catalogs, categories, and build the category hierarchy. Of course, the design of
these should be well thought-out. Once these are created, data items can be related to the categories.
Different types of master data can be related to the same category. A customer could create a Catalog
called ‘Software’and a category for ‘Customer Relationship Management Software’. The administrator
will associate all of the Product, Literature, Courses, and other master data items that should be related to
this category.
Administrators will also build the Access Groups and hierarchies. Of course, the design of these should
be well thought-out. User Lists can also be created and Employees and Contacts associated to them.
Persons will also be associated to Positions, Accounts, and Organizations. Then Positions, Accounts,
Organizations, Households, and User Lists can be associated to the Access Groups.
Refer to the “Authentication and Access Control Administration Guide” for complete documentation on
administration procedures.
Note however, using Catalogs and Categories to build up a Data Hierarchy is SEPARATE from Access
Group Access – it is a way to organize data, and applying Access Group is just one way to manipulate the
organized data, and Access Group Access happens to only apply to Categorized data for 7.
Create the categories and catalogs, access groups, and hierarchies based on individual category and
catalog and access groups in a test environment once the Access Control strategy and design have been
created. The design should be thoroughly tested to make sure that the access control policies work in the
way that they are intended.
Content Management's publish features will be used to move the Access Control model including
catalogs, categories, groups from one environment to another – test to staging or test to production.
Content Center (aka content management) supports publishing data from one environment to another
based on EAI. It is much more that simply changing a status flag, which has specific limitations included
inability to update or delete an in process piece of content without affecting the application.
The basic idea is I build content (e.g. InfoCenter catalog or product catalog) in a staging environment and
test it. When I am happy with it, I publish it to my live environment, which makes all the necessary
31
12/21/01 Siebel Systems, Inc. Confidential and subject to change
Assignment Manager
Assignment Manager SQL has been converted to use new single party tables. So joins to S_PARTY and
it queries from new tables (e.g. S_EMP_PER vs. S_EMPLOYEE). The admin UI is now enabled for
HTML thin client, but the functionality is still the same. The Assignment Manager Algorithm for Siebel
7 is same as Siebel 6.x
Assignment Manager does not support Access Groups in 7, because Access Groups only work with master
data and do not work with transactional data. They are planning to enable it for the next major release.
When this is done, Assignment Manager will be able to assign items to Access Groups.
Term Definition
Access Control Refers to all mechanisms to control visibility within Siebel eBusiness
applications
Party Single entity to store Account, Contact, Organization, Division, Employee,
Group and Position (one table, with several extension tables to store entity-
specific columns)
Access Group Mechanism to bundle Party entities
Category Used to organize data into a hierarchical structure
Catalog Highest level of category
Master Data Data that is relatively static (for example, Products, Literature,Solution and
FAQ, Resolution, Decision Issue, Training, Auction Item, Asset)
Customer Data Data that is typically dynamic, transactional (for example, Accounts,
Contacts, Activities, Service Requests, Opportunities)
User List Contains Siebel Persons as its members
They are created on an ad hoc basis, not restricted to organizations the
persons belong to or the positions they hold
This section discusses “Hierarchical structure” within data and access controlling data for the purpose of
“Data Partition.”
• “Hierarchical Data”: often, some inherent hierarchical structure exists within certain data type.
Example: IBM has hundreds of thousands of products. All IBM products can be divided into
hardware products and software products; software products can be further segmented into
mainframe software, web software, etc. Within web software, there’s the IBM Websphere
application server, IBM Secureway directory, IBM eCommerce application products, etc. Within
IBM Secureway directory, there’s directory server and directory SDK. Within the directory
server, there are different versions and for different languages. As walking through this series of
description, it is essentially navigating through a hierarchical structure.
Because of the hierarchical structure existing within the data, when it comes to access control, users need
to have a mechanism that considers the hierarchy nature of the data – for example,, users can control the
visibility to different branches and at different levels, and carries certain inheritance rules (such as – if I
have access to a parent level, than I can see all the children levels, etc.)
• “Data Partition”: many times, there’s no or hardly strong hierarchical structure within data.
Example: Siebel System, Inc. has many customers across a lot of industries. Every customer in
and of itself is an account and a separate entity, for example,, users do not often see one account
as being the “parent” account of another. In many cases, there’s not a strong hierarchical
structure amongst accounts. Note however, a very important nature of this type of data is that
there’s a need to “partition” the data. Following the example: for Siebel sales representatives
working on different accounts, representative A working on account A should see Account B’s
information to avoid conflict of interest; the same applies to representative B working on Account
B, who shouldn’t be allowed to see Account A’s information.
From an access control perspective, this is to say, there’s a need to “partition” data into different sections
– certain data are intended for certain eyes while others for other eyes. That is what is called “data
partition”. Bear in mind that there is no hierarchical structure among the data.
• “Hierarchical” type of data and “Data Partition” apply to both Customer Data and Master Data;
often, however, users have observed from our customer deployment, that Master Data tends to be
more “Hierarchical” and Customer Data more “Data Partition”.