Welcome to the blog series on access control management.  The series discusses access control and business roles.  It provides typical examples of roles and access management.  The following are the blogs in this series:

  1. Basics of access control and business roles – this blog
  2. Access Control Management: Access restrictions explained  – Access Context
  3. Access Control Management: Access restrictions explained  – Restriction Rules
  4. Access Control Management Example: Global versus local admin
  5. Access Control Management Example: Access forwarding
  6. How to analyse access control issues
  7. Special Access Control Topics

Basics of access control and business roles

User management, business roles and access rights are maintained in the Administrator work center. Authorizations can be maintained individually per business user or through business roles. Access rights can be granted by global and/or local administrators. Business users can only be created for employees or service agents. It is highly recommended to use business roles for all access controls. Assigning access rights directly to employees carries a higher risk, is much more complex to maintain, and does not provide all the functionality that is available for roles.

Access control within SAP Cloud for Customer has two levels:

  1. Assignment of work center and work center views
  2. Instance access restriction based on access context

This entire blog series focuses on point 2 – access restriction based on access context. It is very important to understand that the access context is defined per business object. It is not changeable or extensible.
For example, if the access context for a particular object is employee, then you cannot enhance the access context by adding additional criteria such as sales organization. Access context is explained in more detail in the following blog.

Business roles can be created for different access restrictions such as sales employees, administrator, manager etc.  Access restrictions can also be maintained for business roles.   An example would be a business role for sales manager, with an access restriction to their territory.

The business role is assigned to a business user, and it must be in status active. Multiple business roles can be assigned to one business user. In that case the business user inherits the access control of all assigned roles (Example: Role1: read; Role2: read&write –> Business User has read&write access).
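The role-union behaviour described above has an audit consequence: a read-only role restricts nothing once a read&write role is assigned to the same user. The following sketch is an added example, not SAP code and not an SAP export format. The role IDs, view names, status values and user IDs are constructed, and skipping non-active roles is an assumption based on the "status active" requirement.

```python
# Access levels ordered from least to most permissive.
LEVELS = {"none": 0, "read": 1, "read&write": 2}

# Constructed sample data (hypothetical role IDs, views and users).
ROLES = {
    "SALES_REP": {"status": "active",
                  "views": {"Accounts": "read&write", "Opportunities": "read&write"}},
    "SALES_AUDITOR": {"status": "active",
                      "views": {"Accounts": "read", "Opportunities": "read", "Reports": "read"}},
    "LEGACY_ADMIN": {"status": "in preparation",
                     "views": {"Business Users": "read&write"}},
}
ASSIGNMENTS = {
    "USER01": ["SALES_AUDITOR"],
    "USER02": ["SALES_REP", "SALES_AUDITOR"],
    "USER03": ["SALES_AUDITOR", "LEGACY_ADMIN"],
}

def active_roles(user, roles=ROLES, assignments=ASSIGNMENTS):
    """Yield (role_id, role) for the user's roles that are in status active."""
    for role_id in assignments.get(user, []):
        if roles[role_id]["status"] == "active":  # assumption: others grant nothing
            yield role_id, roles[role_id]

def effective_access(user, roles=ROLES, assignments=ASSIGNMENTS):
    """Return {view: (level, granting_role)}: the most permissive level wins."""
    result = {}
    for role_id, role in active_roles(user, roles, assignments):
        for view, level in role["views"].items():
            current = result.get(view)
            if current is None or LEVELS[level] > LEVELS[current[0]]:
                result[view] = (level, role_id)
    return result

def overridden_restrictions(user, roles=ROLES, assignments=ASSIGNMENTS):
    """List (view, weaker_role, its_level, effective_level) where a more
    restrictive role is outvoted by another role of the same user."""
    eff = effective_access(user, roles, assignments)
    findings = []
    for role_id, role in active_roles(user, roles, assignments):
        for view, level in role["views"].items():
            if LEVELS[level] < LEVELS[eff[view][0]]:
                findings.append((view, role_id, level, eff[view][0]))
    return sorted(findings)

if __name__ == "__main__":
    for user in sorted(ASSIGNMENTS):
        print(user, effective_access(user), overridden_restrictions(user))
```

Findings from `overridden_restrictions` are the role combinations worth reviewing before assignment, since the weaker role's intent is not enforced for that user.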

Changes to the business role trigger an update for all assigned users. Within a single role you can have various access capabilities.

Business roles are a central part of your security strategy; they can be key for all access. Many capabilities can be linked to business roles.

Roles.JPG

The preceding graphic shows the most common linkages to the business roles (additional capabilities will follow).  By linking reports, code list restrictions, page layouts, work center assignments, and access and field restrictions to the business role, the business role becomes the key driver to all access permissions for your business users.

The next blog describes access restrictions in more detail.

13 Comments

  1. Wendy Cushley

    Excellent Blog, thank you.

    I am looking for the ‘Recommended Roles’ normally found in the C4C Application ‘Help Centre’, can you help please?

    As I understand, the C4C Help Centre content (normally found in the application) has been removed, pending work on CMS which will be launched later this year?  Have I missed communication on this?

    Where is the content?

    There was useful information on there, including ‘Recommended Roles’; where can I find this now?

    SAP Support refer me back to “SAP Cloud for Customer User Guide”  :-/

    Regards Wendy

    (0) 
    1. Bernd Fleddermann Post author

      Hi Wendy,

      the recommended roles are documented in the C4C admin guide you can reach in any case in the help portal (help.sap.com –> SAP Cloud For Customer –> Administrator Guide). I expect this information to be included in the help center search with the next with 1602

      Kind regards

      Bernd

      (0) 
      1. Wendy Cushley

        Thank you, look forward to the new Help Centre Search 😉

        I can export business roles, however cannot find if it is possible to download/export restrictions for Business Roles (similar to attached)…can you help with this?

        Regards Wendy

        Role Restrictions.png

        (0) 
        1. Bernd Fleddermann Post author

          Hi Wendy,

          there is a report available “Authorizations assigned in Business Roles”. Running this report in XLS will at least provide you the  basis to copy paste the details into the migration template for the roles.

          (0) 
    2. Sailaja Naga Rachiraju

      Hello Wendy,

      You can also use the search feature in the ‘Help Center’ within the application.  Please search for ‘Recommended Business Roles and Work Centers’.

      Best regards,

      Sailaja

      (0) 
      1. Wendy Cushley

        Thank you Sailaja, does this work for you? 

        As I understand, the Application Help Center has been deactivated before the upgrade (in preparation for improvements).   I also understand it should be back with 1602.

        Testing 1602, in test tenant, it does not appear to be back yet.

        Regards Wendy

        (0) 
    1. Bernd Fleddermann Post author

      The access context is fixed and is coming with its structures from standard development. The customer individual adaptation of the access context is not possible.
      Kind regards
      Bernd

      (0) 
