CX Works

CX Works brings the most relevant leading practices to you.
It is a single portal of curated, field-tested and SAP-verified expertise for SAP Customer Experience solutions

Access Control Management - Basics of Access Control and Business Roles

4 min read

Access control management and business roles.

When you work with SAP Sales Cloud and SAP Service Cloud solution you want the ability to manage access control for all your users. 

This article will help you achieve that by giving you an overview of SAP Sales Cloud and SAP Service Cloud solution access control management features, with a focus on the basics and the business role concept.

Table of Contents

Basics of Access Control

User management, business roles, and access rights are maintained in the Administrator work center. Authorization access can be maintained individually for each business user or through business roles.

Access rights can be granted by global and/or local administrators. Business users can only be created for employees or service agents.

We highly recommend you use business roles for all access controls. Assigning access controls directly to employees is risky, more complex to maintain, and does not provide all the functionalities that are available for roles.

Access controls within SAP Sales Cloud and SAP Service Cloud solution has two levels:

  • Assignment of work center and work center views
  • Instance access restriction based on access context

This article, and all other articles linked to this topic, focus on second point – access restriction based on access context. It is very important to understand that access context is by business object. It's not changeable or extensible.

For example, if the access context for a particular object is an employee, then you cannot enhance the access context by adding additional criteria such as sales organization.

Business Roles

Business roles can be created for different access restrictions such as sales employees, administrator, manager, and others. Also, they can be maintained for business roles. For example, a business role for a sales manager, with an access restriction to their territory.

The business role is assigned to a business user. Multiple business roles can be assigned to one business user. The business role must have an active status. In our example, the business user will inherit the access control of both roles (Example: Role1: read; Role2: read&write –> Business User has read&write access)

Changes made to the business role trigger an update for all assigned users. You can have various access capabilities within a single role

Business roles are a central part of your security strategy and can be the key to all access. Many capabilities can be linked to business roles.

The graphic above shows the most common links associated to business roles. Of course, additional capabilities will follow by linking reports, code list restrictions, page layouts, work center assignments, and access and field restrictions to the business role which will allow the business role to become the key driver to all access permissions for your business users.


This article introduced you to the SAP Sales Cloud and SAP Service Cloud solution access control management features with a focus on its basics and business role concept.

The article below will guide you through the access control management feature by providing you with in-depth information on access restrictions with a focus on access context:

*Access Control Management - Access Restrictions and Access Context