MENU

CX Works

CX Works brings the most relevant leading practices to you.
It is a single portal of curated, field-tested and SAP-verified expertise for SAP Customer Experience solutions

SAP CX Expert Recommendations
Service solutions
Access Control Management
Special Access Control Topics
Special Access Control Topics – Inherit Account Access to Transactional Business Documents
+
 Go to my bookmarks
Navigation
Article Tags
Security Service solutions Sales solutions Expert Recommendations
Last Updated: Apr 30, 2021
Copy Article URL

Special Access Control Topics – Inherit Account Access to Transactional Business Documents

4 min read

Inherit Account Access to Transactional Business Documents

In this article, you will learn some additional restriction rules that address the case where a user needs access to business documents, related to a customer, without necessarily being assigned to the involved parties.

Table of Contents

Overview

Some additional features, for access restriction and access control,  were introduced with the 1702 and 1704 releases.

In this article, you will learn some additional restriction rules addressing the following use case:

  • A user needs access to business documents (opportunities, quotes, and more) and/or activities which are related to a customer. The user is assigned to either a territory team or an account team. To access the transaction related to the account, the user must not be assigned to the involved party to the business document.

New Restriction Rules

To support this use case, new restriction rules were added for transactions, such as leads, opportunities, or quotes (access context 1015).  Activities, such as appointments or tasks (access context 1016), were added as well.

  • New Restriction Rules for Access Context 1015:
    • 11 – Employee, Accounts (Account Team)
    • 12 – Employee, Accounts (Account and Territory Team)



  • New Restriction Rules for Access Context 1016:
    •   9 – Employee, Accounts (Account Team)
    • 10 – Employee, Accounts (Account and Territory Team)


These restriction rules grant access to an activity or a sales quote just because the business document is assigned to the same customer as the user.

There are different ways to assign an employee (which is related to a user) to an account. This can be done either through territory assignment, account team assignment or both.

The different access contexts consider the following assignment:

  • New Restriction Rules for Access Context 1015:
    • 11 – Employee, Accounts (Account Team) grants access to a business document for access context 1015 if the user is assigned as an account team member. 
    • 12 – Employee, Accounts (Account and Territory Team) grants access to a business document for access context 1015 if the user is assigned as a team member or a territory team member.
  • New Restriction Rules for Access Context 1016:
    •   9 – Employee, Accounts (Account Team) grants access to a business document for access context 1016 if the user is assigned as an account team member.
    • 10 – Employee, Accounts (Account and Territory Team) grants access to a business document for access context 1016 if the user is assigned as a team member or a territory team member.

Please note, the access context 1015 is also relevant for accounts or contacts. Therefore, it is theoretically possible to assign the restriction rules 11 or 12 to the Customer or Contact work center views. However, doing so does not make sense. This is because the main purpose of the restriction rules 11 and 12 is to control the access to a business transaction based on the access to the account. Therefore, use the restriction rules 11 and 12 for the transactional documents for the access context 1015 only.

The access determination based on the customer assignment, as defined in restriction rule 11 and 12, is carried out during runtime.

Therefore, to not jeopardize the response time, especially for a large set of accounts related to a user, the calculation of the access rights for these restriction rules has been restricted to a maximum of 1000 accounts per user. In total, it can be 2000 accounts if you use the account team and territory team assignments in parallel. If the user exceeds the assignment through a territory team or an account team of 1000 customers, you will need to find a different approach to grant access for business documents. If the number of account assignments per user is exceeded, the system will not grant any access to that user.


Conclusion

This article introduced you to the feature that helps users to access business documents related to a customer without necessarily being assigned to the involved parties.

Now, it is your turn to extend your user access.

To access all our community or out of the box product documentation, please check out our List of Online Resources.
Authentication required

Links to pages requiring login with SAP ID

Indicated by icon

You're going to be redirected to a page that requires login with SAP ID, do you want to proceed?

You are now leaving CX Works

Links to information published on other SAP sites

Indicated by icon

You are leaving CX Works and entering another SAP-hosted site.

Links to information published on non-SAP sites

Indicated by icon

You are entering a site that is not hosted by SAP. By using such links, you agree to the following:

  • The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
  • SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.
Overlay