Authorizations for Substitution Function
It is possible to set other Business Partners as your substitute and also set yourself as the substitute for any other Business Partner in ITSM. To be able the following authorizing objects have to be assigned properly. Read which of them are doing what.
The Incident Management CRM WebClient UI (as of ST710 SP09) contain UIs for users to maintain substitution relationships.
1. Users must have B_BUPR_BZT 01 (add) and 06 (delete) authorization to add and remove substitutes
(for both “Who Substitute for Me” and “Whom I Substitute”).
2. Users must additionally have B_BUPA_RLT 02 (change) authorization maintain the “for Whom I Substitute”
The system performs the additional B_BUPA_RLT 02 check because the “for Whom I Substitute” relationship may allow users to access messages to which they are not assigned. (In other words, it is fine to allow a user to actively choose a substitute, because that user is explicitly granting the substitute access to the user’s messages. However customers may wish to restrict users from actively choosing to substitute for other users, because the users being substituted are not actively asked if they wish to share their messages with the prospective substitute.)
We should also note that the substitution function does not bypass any of the standard CRM authorization checks: even if a user is entered as a substitute for a second user, the system will allow the first user to only access messages for which the first user is directly authorized. The system will not allow the first user to access messages for which only the second user is authorized. As such, there is no transfer of authorization through the substitution function.
The system also restricts the selection of business partners which users may choose to substitute/be substituted by. Key users* ( with authorization object : SM_SDK_ACT= ‘ empty’) may only choose other business partners of their organization. This is particularly necessary in VAR scenarios where users are not allowed to see any other users or data outside their own organization.
This can be overridden with AGS_WORK_CUSTOM entry IM_BP_SEARCH_RESTRICT_DISABLE = X.
* It is possible to distinguish between Key Users and Processors with an activated (default) BADI AI_SDK_KEY_USER_CHECK. Find a detailed documentation
in SPRO – SAP Solution Manager – Capabilities – ITSM – General Settings – Distinguish Work Center for End user and Processor