Skip to Content
Author's profile photo Former Member

Authorizations for Substitution Function

Use Case:

It is possible to set other Business Partners as your substitute  and also set yourself as the substitute for any other Business Partner in ITSM. To be able the following authorizing objects have to be assigned properly. Read which of them are doing what.

The Incident Management CRM WebClient UI (as of ST710 SP09) contain UIs for users to maintain substitution relationships.



    1. Users must have B_BUPR_BZT 01 (add) and 06 (delete) authorization to add and remove substitutes

    (for both “Who Substitute for Me” and “Whom I Substitute”).

    2. Users must additionally have B_BUPA_RLT 02 (change) authorization maintain the “for Whom I Substitute”


The system performs the additional B_BUPA_RLT 02 check because the “for Whom I Substitute” relationship may allow users to access messages to which they are not assigned. (In other words, it is fine to allow a user to actively choose a substitute, because that user is explicitly granting the substitute access to the user’s messages. However customers may wish to restrict users from actively choosing to substitute for other users, because the users being substituted are not actively asked if they wish to share their messages with the prospective substitute.)

We should also note that the substitution function does not bypass any of the standard CRM authorization checks: even if a user is entered as a substitute for a second user, the system will allow the first user to only access messages for which the first user is directly authorized. The system will not allow the first user to access messages for which only the second user is authorized. As such, there is no transfer of authorization through the substitution function.

Organizational restrictions:

The system also restricts the selection of business partners which users may choose to substitute/be substituted by. Key users* ( with authorization object : SM_SDK_ACT=  ‘ empty’) may only choose other business partners of their organization. This is particularly necessary in VAR scenarios where users are not allowed to see any other users or data outside their own organization.

This can be overridden with AGS_WORK_CUSTOM entry IM_BP_SEARCH_RESTRICT_DISABLE = X.

* It is possible to distinguish between Key Users and Processors with an activated (default) BADI AI_SDK_KEY_USER_CHECK. Find a detailed documentation

in SPRO – SAP Solution Manager – Capabilities – ITSM – General Settings – Distinguish Work Center for End user and Processor

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Artem Zhegalin
      Artem Zhegalin

      Nice info, David.

      Thank you for sharing it.

      I have one general question: is it possible to restrict substitution separately for each transaction type?

      Use case: Let's imagine that we have a Change Manager who can also create incidents. He wants to have 2 substitutors: one for incidents (reply, confirm) and the other for change request approval (validation). If he will just enter 2 BPs in substitution block - both of them will have access to all transaction types where Change Manager is mentioned as a party involved.



      Author's profile photo David Birkenbach
      David Birkenbach


      Mariana just uploaded the documents in SCN.

      The answer is : That is currently not part of standard customization.

      Regards David

      Author's profile photo Artem Zhegalin
      Artem Zhegalin

      Sorry, David.

      Thank you for your reply.