CX Works

Special Access Control Topics - Restriction Rule Workforce

Restriction Rule Workforce

Understand how the restriction rule "Workforce" works and how to use it in your implementation.

The restriction rule "Workforce" is available for the following access contexts:

  • 1015 - Customer Quote, Sales Order, Lead, Opportunity, Contact, Account
  • 1016 - Business Activity (E-mail, Appointment, Visit, Phone Calls, Tasks)

This restriction rule considers the employee "supervises/works for" (BUR026) relationships for access control.

This allows for an additional hierarchical relationship structure between employees independent of the organizational model and organizational management assignments.

Please note that the relationship, by default, is delivered inactive and needs to be activated (General Business Partners -> Relationships).

The restriction rule needs to be set up in the business role for the relevant work center views (access context 1015 and/or 1016).

Example Scenario

Below is an example of how this specific rule works.

Let's consider a scenario with two employees, Knut Hansen and Mini Gross. A relationship between them is in place in the system.

Sales representative Knut Hansen supervises Mini Gross. The reverse relationship, where Mini Gross works for Knut Hansen, also exists. This can be verified in the employee record for Mini Gross.

Additionally, you also know that Mini Gross supervises another employee, Stefan Sued.

For the new relationship assignment to be reflected in the actual access control setting during runtime, the role assigned to Knut Hansen needs to be updated. You can trigger the update through the following path: Administration → Business Role → Assigned Users → Update User.

If you don't want to trigger the update manually, you can wait for the background job that runs daily (at midnight) to automatically update the users' relationships.

Once the users have been updated with the new relationships, you can immediately check that the access restriction has been changed.

Now, Knut Hansen is able to see all accounts where both Stefan Sued and Mini Gross are assigned in the account team.

As you can see, Knut Hansen can also access the accounts of Stefan Sued even if Stefan does not work directly for Knut.

This means that the resulting relationship hierarchy is also being considered.
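The effect of the hierarchy on access can be modelled outside the system when reviewing who gains visibility through indirect reports. The following is an added example, not SAP code and not part of the original article: it is a simplified model in which the account names, the fourth employee, the function names and the assumption that an employee also sees accounts where they are on the team themselves are all constructed for illustration.

```python
from collections import deque

# Constructed sample data mirroring the article's scenario (supervisor -> direct reports).
SUPERVISES = {
    "Knut Hansen": {"Mini Gross"},
    "Mini Gross": {"Stefan Sued"},
}

# Constructed account teams; the account names and "Other Employee" are hypothetical.
ACCOUNT_TEAMS = {
    "Account A": {"Mini Gross"},
    "Account B": {"Stefan Sued"},
    "Account C": {"Knut Hansen"},
    "Account D": {"Other Employee"},
}

def workforce(employee, supervises=SUPERVISES):
    """Return every employee reachable through 'supervises' edges, direct or indirect."""
    seen = set()
    queue = deque([employee])
    while queue:
        current = queue.popleft()
        for report in supervises.get(current, ()):
            # The 'seen' check also stops the walk on cyclic relationships.
            if report not in seen and report != employee:
                seen.add(report)
                queue.append(report)
    return seen

def visible_accounts(employee, supervises=SUPERVISES, teams=ACCOUNT_TEAMS):
    """Accounts whose team contains the employee or anyone in their workforce."""
    allowed = workforce(employee, supervises) | {employee}  # including self is an assumption
    return {name for name, team in teams.items() if team & allowed}

def access_gained_by_hierarchy(employee, supervises=SUPERVISES, teams=ACCOUNT_TEAMS):
    """Accounts reachable only via indirect reports: the part to check in an access review."""
    direct = supervises.get(employee, set()) | {employee}
    direct_only = {name for name, team in teams.items() if team & direct}
    return visible_accounts(employee, supervises, teams) - direct_only

if __name__ == "__main__":
    for person in ("Knut Hansen", "Mini Gross", "Stefan Sued"):
        print(person, sorted(visible_accounts(person)))
    print("Indirect only:", sorted(access_gained_by_hierarchy("Knut Hansen")))
```

Running the same calculation over an export of the real relationships before activating the rule shows which supervisors would pick up access through indirect reports.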


This article introduced you to the additional restriction rule "Workforce" and how you can use it to manage access control in your solution. Now, it's your turn to try it out!