CX Works

CX Works brings the most relevant leading practices to you.
It is a single portal of curated, field-tested and SAP-verified expertise for SAP Customer Experience solutions

Access Control Management – Restriction Rules

7 min read

How to Manage Restriction Rules for Access Control Management.

Learn how to use restriction rules to restrict access for your users and lower the maintenance effort by reducing the use of specific user rules.

Table of Contents

Restriction Rules Fundamentals

Restriction rules are defined to handle access restriction for specific users.

For example, let's say that you created a role for sales representatives.

This role provides access to the work center views of Account, Contacts, Opportunity and Sales Quote. 

Now, you want to assign this role to all of your global sales representatives in the different organizations. Choose the restriction rule Assigned Territories and Employees (for Managers). The system will automatically provide access restriction to the accounts where a user is assigned in the account team or in the territory team. It is unnecessary to create a role for each individual territory since the system automatically generates an access restriction for the user.

User Experience Based on Restrictions

Now, the question you might be asking yourself is, how does the system actually translate the access restrictions for the individual business users?

The sections below will provide you with a clear answer.

Sales Representative - Employee

Starting from the example above, consider the following scenario where Nils Watt is your sales representative.

Nils is a sales representative with the following features:

  • He is assigned to the corporate organizational unit of the company.
  • He is a member of the territory “Germany” which has further sub-territories assigned.
  • He is assigned the role of “BFT DE SALES ASSISTANT”.

For the Accounts work center view, select the access restriction rule “Assigned Territories and Employees (for Managers)”.

The below images show access rights for the account work center view of the business user, Nils Watt. These access rights were automatically generated.

Nils is assigned as an employee (and not as a manager) to his organizational unit. He is granted access to those accounts and contacts where he is a member of the account team.  He does not have access to other account team members accounts.

As Nils is also assigned to the territory "Germany", he has access to all accounts which are assigned to this territory. In addition, he has access to all the accounts assigned to its sub-territories.

Nils’ access is a combination of the following:

  • The employee part of his access context (In other words, the Accounts where he is directly assigned as an account team member.) 
  • The territory part of his access context (In other words, the Accounts which are assigned to a territory (and sub-territory) he is a member of.)

The restriction rule on the role which is assigned to Nils’ user has dynamically generated access rights. Dynamically means, that a change of his territory assignment, will lead to a change of his territory related access rights.

Please note, that there are some situations where the access for users of a role must explicitly be updated. For example, when the sales area of the employee has changed. 

In those cases, it is sufficient to enter the relevant role (click on assigned Users and then Update Users). This action will trigger a background job which will set the access rights of the assigned users according to their current territory or sales area assignment.

Your users can also manually trigger the above action in case the access control does not provide the expected access results.

Sales Representative - Manager

In our next example, consider the following scenario where Bodo Mann is your sales manager.

Bodo is the manager of the BFT Company Inc. organization with the following characteristics:

  • He is assigned to the same role of “BFT DE SALES ASSISTANT” as his employee, Nils.
  • He is not assigned to any territory.

As a manager, he has access to all accounts where employees from his own organizational unit and sub-units are assigned to the account team.

Note: The organizational unit must be flagged as a sales unit (functional unit sales) to be effective in the access restrictions.

In this case, does he also have access to an account where his employees have access because he is a member of the territory team of the account but not a member of the account team?

The answer is no.

The employee part of the access context only considers the organizational assignment of the employees of the manager.


When setting up a role, it is recommended to use access restriction rules rather than defining specific rules.

This might not always be possible for all use cases. However, using restriction rules can reduce the number of different business roles. This is because the same role can be used for users from different organizations and territories. Therefore, maintenance and administration efforts on handling the roles can be reduced.

The restriction rule can be maintained in the “Access Restriction” in the individual work center view. It is dependent on the access context of the work center view/Business Object.
In the image above, you can see the available restriction rules for the access context 1015 – Employee or Territory or Sales Data. Other work center views/Business Objects, which are assigned to different access contexts, will provide a different set of restriction rules.

The restriction rules that can be selected are delimited by the application and cannot be changed or extended for a specific customer.

For additional information on the restriction rules setup, please go to Restriction Rules.

Legend for the linked document:

  • User: User only is added, even for managers.
  • Empl.: Similar to the user rule. The only difference is that if the employee selected is a manager, then the organizational units of the manager need to be considered. This means that the user acquires access for all employees in his/her units. For both managers and employees, the individual user is also added.
  • Workforce: Access based on the employees supervised by the user in the relationship hierarchy.
  • Org: Organizational units of the user are added. The function of the units is derived from the access context.
  • Territory: Territories of the user.
  • Partner: Only meaningful for users that are partner contacts. The partner of the partner contact.
  • SalesArea: The sales areas maintained in the employee’s master data.
  • Sorg+Dist: The sales organization combined with all distribution channels in the system.


This article introduced you to the restriction rules functionality. 

Now, you know how to enforce access restriction in your system without creating many user roles.