Channel: SCN : All Content - SAP Cloud for Customer

Access Control Management: Access restrictions explained - Access Context

  1. Basics of access control and business roles
  2. Access Control Management: Access restrictions explained - Access Context (this blog)
  3. Access Control Management: Access restrictions explained - Restriction Rules (coming soon)
  4. Access Control Management Example: Global versus local admin (coming soon)
  5. Access Control Management Example: Access forwarding (coming soon)
  6. How to analyze access control issues (coming soon)

 

 

The previous blog mentioned that each object is controlled by the access context. This access context is a characteristic of the work center view/business object. In the following screenshot, you can see that the work center view Account has the access context 1015 – Employee or Territory or Sales Data.  

 

0200_AccessContext.png


The access context 1015 is also relevant for Opportunities, Sales Quotes and other business objects. Other business objects, such as the product, may have different access contexts assigned. The access context is a characteristic bound to the work center view/business object. It is defined by the standard setup of the business object and cannot be changed or enhanced. Hence the access control capabilities for a given business object work within the defined structure of its access context. This also implies that if no access context is defined for a work center view/business object, a distinct instance-based access control setup is not possible for that particular entity.


For custom BOs created with the SAP cloud development studio, access control can be inherited from a standard business object through an association. In addition, it is also possible to define a custom BO-specific access control context related to employees or territories.


Example for Access Context:

The work center view “Accounts” has the access context 1015 assigned (Employee or Territory or Sales Data). This implies that the access to an account can (only) be controlled based on the following criteria:


EMPLOYEES directly assigned in the account team --> I have access to all accounts where I am a member of the account team (independent of the role assigned); or my manager has access to all accounts of EMPLOYEES of the functional unit (organization) for which he is assigned as a manager.

 

0201_AccountTeam.png


TERRITORY team --> I have access to all accounts which are assigned to a territory I am a member of. Accounts assigned to territories which are sub-territories of my territory are also accessible. Please note that the work center Territories, where the territories are maintained, works with a different access context: 1010 Employee!

0202_TerritoryTeam.png


SALES DATA - This is a new capability introduced with 1508 --> I have access to all accounts which are assigned to a sales area I am eligible for. The assignment of my relevant sales areas can be maintained in the employee master independent of my actual organizational assignment.


0203_SalesData.png

0204_EmployeeSalesArea.png


Read/Write access can be restricted on Work Center View (Business Object) level. 

 

Question:


Consider the following scenario for account Widgets Inc.:

For Widgets, Inc, Violet is assigned as the owner of the account. She is the designated employee responsible. Violet’s business role provides access context to accounts by employee. Violet’s business role gives her access only to accounts that are owned by Peter.

The question is: Can Violet see the account Widgets, Inc? 


The answer is no: Violet cannot see it because access context outweighs the role employee responsible. Even though she is the employee responsible, the access restriction settings in the role assigned to her only provide access to accounts that are owned by Peter.
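
The three criteria of access context 1015 and the Violet scenario can be checked with a small model. This is an added example, not SAP code and not part of the original blog: the classes, the function names, the territory hierarchy and the users other than Violet and Peter are constructed, and the role restriction is assumed to be a plain set of employees whose accounts the business role grants.

```python
# Simplified model of access context 1015 (Employee or Territory or Sales Data).
# Not SAP code: all names and data structures here are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    name: str
    team: set                          # employees in the account team (owner included)
    territory: Optional[str] = None
    sales_area: Optional[str] = None

@dataclass
class User:
    name: str
    granted_employees: set             # employees whose accounts the business role grants
    territories: set = field(default_factory=set)
    sales_areas: set = field(default_factory=set)

# Constructed territory hierarchy: child -> parent
PARENT = {"EMEA-North": "EMEA", "EMEA-South": "EMEA", "EMEA": None}

def in_territory_tree(territory, user_territories):
    """True if territory is one of the user's territories or a sub-territory of one."""
    while territory is not None:
        if territory in user_territories:
            return True
        territory = PARENT.get(territory)
    return False

def access_reasons(user, account):
    """Return the context-1015 criteria that grant access (empty list = no access)."""
    reasons = []
    if account.team & user.granted_employees:
        reasons.append("employee")
    if in_territory_tree(account.territory, user.territories):
        reasons.append("territory")
    if account.sales_area in user.sales_areas:
        reasons.append("sales_data")
    return reasons

widgets = Account("Widgets, Inc", team={"Violet"}, territory="EMEA-North", sales_area="SA-01")

# Scenario from the post: Violet owns the account, but her role only grants Peter's accounts.
violet = User("Violet", granted_employees={"Peter"})
# Constructed contrasts: a manager whose role covers Violet, and a parent-territory member.
manager = User("Mia", granted_employees={"Mia", "Violet"})
regional = User("Raj", granted_employees={"Raj"}, territories={"EMEA"})
```

Calling `access_reasons(violet, widgets)` returns an empty list, which is a quick way to see why an owner can be locked out of her own account when the role restriction names a different employee.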



