CX Works


Access Control Management - How to Analyze Access Control Issues




This article provides instructions and checks that you can perform for some of the most common access control issues in the SAP Sales Cloud and SAP Service Cloud solutions.


How to Analyze Access Control Issues easily

"Access control is not working!" This is an issue often reported to SAP. However, in most cases the system is working correctly, but the access control was not set up properly. Prior to creating an incident, read and familiarize yourself with the following topics in order to successfully set up access control on your system.

Below you will find the most frequently used check scenarios that you can use to solve access control issues on your system.

Check the system’s business role setup

The restriction rules of the business role might not be considering the current organizational assignments, territory assignments, or other types of structural data. 
In order to make sure that the business role is reflecting the current assignment status, perform the following:

  1. Access the business role from the Administrator work center
  2. Choose the function Assigned Users 
  3. Click Assigned Users, and select Update Users

This function triggers a background job, updating each user’s access rights according to the current setup and restriction rules.

Note: If you re-assign an employee to a different organization, the background job is triggered automatically.

Even so, it is recommended to run the job when you make larger structural changes, such as moving a sales unit with several employees from one sales organization to another.

Please also check the validity of the organizational unit and the employee assignment, as this often turns out to be a cause of access control issues.

The background job is also processed on a daily basis (at midnight). Hence, starting the job manually is an exceptional action for cases where the access control does not behave as you expect.

Check for user access restriction error messages

The restriction rules are applied to each individual user’s access rights. For example, depending on the territory or organizational assignment, the user receives access to an opportunity or an account assigned to that same territory.

In this instance, the user of that role must be assigned to a territory. If this is not the case, the system is not able to identify a restriction for that user, and will then indicate this with an error message.

As a result, the work center view will not even be available to the affected user, even though it is assigned in the business role.

Note: The messages can be reviewed in the business role under the assigned business user tab, or from the business user view details.

Check the current access rights for users

The restriction rules in a business role are generic access rights. These restriction rules are transformed into the access rights of each individual business user.

The business user’s access rights then control the access to a business object instance. Checking the actual access settings for the business user often explains unclear access behavior.

This check is an important exercise if the system is encountering access control issues. To perform it:

  1. Check the business object details
    1. For example, what data (such as employees, territories, organizational units) does the transaction or master data require for it to become accessible

  2. Compare the business object details with the user access rights:
    1. Navigate to Administrator -> Business Users
    2. Select the relevant user
  3. Edit -> Access Rights -> Access Restrictions. Then, select the relevant work center view.

Now you will see that the system displays the access rights by access group (for example, Employee, Territory, Sales Organization) that are relevant for that particular business user.

Managing “Homeless” Objects

In some cases, administrators (key users) may wonder why an account can be accessed by all users, even though access restrictions have been maintained for them.

The additional access may be caused by the account not having one or more of the following:

  • An account team member
  • A territory
  • Assigned sales data

This means that no access relevant data has been maintained in the business object instance (master data or business document). Therefore, the system is not able to identify any access restrictions.

In this case, the system does not restrict access to the object instance, thereby making it accessible to all users.

In order to achieve access restriction to this object instance, at least some access relevant data must be maintained. For example, an account team member or a territory assignment.

Related Views with different access rights

The Opportunity Work Center view and the Opportunity Pipeline Simulation are two different work center views. However, both grant access to the same "Opportunities" business document.

If you have access to an opportunity through one of the work center views, you will also have access to the document through the other work center view.

It may be the case that the Opportunity Pipeline Simulation has unrestricted access. This access setting will also be relevant for the Opportunity Work Center view, even if a different setting has been maintained.

In this case, the users receive the “correlation” of authorizations granted from both work center views.

Note: Confirm that both work center views are maintained with the same access restrictions.
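
The two checks above (accounts without any access-relevant data, and work center views on the same business document with different restrictions) can also be run over exported data. The following is an added example, not SAP code and not part of the original article; the field names, IDs, view labels and restriction labels are constructed and must be mapped to your own export.

```python
# Added example, not SAP code. Field names, IDs and restriction labels are
# constructed for illustration; map them to the columns of your own export.
from collections import defaultdict

# Constructed sample: accounts with their access-relevant data.
ACCOUNTS = [
    {"id": "A-1001", "team": ["E-17"], "territory": "T-NORTH", "sales_data": ["SO-10"]},
    {"id": "A-1002", "team": [], "territory": None, "sales_data": []},
    {"id": "A-1003", "team": [], "territory": "T-SOUTH", "sales_data": []},
]

# Constructed sample: business document behind each work center view.
VIEW_DOCUMENT = {
    "Opportunities": "Opportunity",
    "Opportunity Pipeline Simulation": "Opportunity",
    "Accounts": "Account",
}

# Constructed sample: restriction maintained per view in each business role.
ROLE_VIEWS = {
    "SALES_REP": {"Opportunities": "Territory",
                  "Opportunity Pipeline Simulation": "Unrestricted",
                  "Accounts": "Territory"},
    "SALES_MGR": {"Opportunities": "Sales Organization",
                  "Opportunity Pipeline Simulation": "Sales Organization"},
}

ACCESS_FIELDS = ("team", "territory", "sales_data")

def homeless_accounts(accounts):
    """IDs of accounts with no access-relevant data at all (open to all users)."""
    return [a["id"] for a in accounts if not any(a.get(f) for f in ACCESS_FIELDS)]

def mismatched_views(role_views, view_document):
    """(role, document) pairs whose views carry different restrictions."""
    findings = []
    for role, views in sorted(role_views.items()):
        by_doc = defaultdict(set)
        for view, restriction in views.items():
            by_doc[view_document[view]].add(restriction)
        findings += [(role, doc) for doc, r in sorted(by_doc.items()) if len(r) > 1]
    return findings

if __name__ == "__main__":
    print("Homeless accounts:", homeless_accounts(ACCOUNTS))
    print("Views to align:", mismatched_views(ROLE_VIEWS, VIEW_DOCUMENT))
```

Each flagged account needs at least one piece of access-relevant data maintained, and each flagged role needs the same restriction maintained on both views.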

Access Forwarding

Access Forwarding is sometimes also a reason for unexpected access behavior. For more information about this, please read the article here.


In case a user has access to more work centers/work center views and data than assigned in their role, check if that user is a delegate.

Delegates are maintained by the Administrator. In order to check or create a Delegate:

  1. Navigate to Administrator
  2. Select “Delegates” from the popup menu

Delegates get all access rights from the employee they are the substitute for. This is only limited by a validity period.


This article introduced you to the main scenarios to check when you are facing access control issues. However, this list is not exhaustive, and there may be other scenarios that you run into.

If you have encountered other scenarios, or have additional guidelines and experience to share, please leave a comment below this article. We are always looking to improve the experience, and help others to run the solution more smoothly.