Skip to Content
Author's profile photo Bernd Fleddermann

Access Control Management: Basics of access control and business roles

Welcome to the blog series on access control management in SAP Hybris Cloud for Customer (C4C). The series discusses various access control topics in C4C. The goal of this blog series is to provide a complete overview on the access control concept and capabilities in C4C and to let you know on how it works in detail.

Here are the blogs of that series:

  1. Basics of access control and business roles (this blog)
  2. Access Control Management: Access restrictions explained  – Access Context
  3. Access Control Management: Access restrictions explained  – Restriction Rules
  4. Access Control Management Example: Global versus local admin
  5. Access Control Management Example: Access forwarding
  6. How to analyze access control issues
  7. How to analyze access control issues – Check User’s Authorization
  8. Special Access Control Topics

Basics of access control and business roles

User management, business roles and access rights are maintained in the Administrator work center.  Authorization access can be maintained individually per business user or with the use of business roles. Access rights can be granted by global and/or local administrators.  Business users can only be created for employees or service agents.    It is highly recommended to use business roles for all access controls.  Assigning access controls directly to employees is a higher risk and much more complex to maintain and it does not provide all functionality which is available for roles.



Access controls within SAP Cloud for Customer has two levels:


  1. Assignment of work center and work center views
  2. Instance access restriction based on access context


This entire blog series focused on point 2 – access restriction based on access context. It is very important to understand that access context is by business object.  It is not changeable or extensible.
For example, if the access context for a particular object is employee, then you cannot enhance the access context by adding additional criteria such as sales organization. Access context is explained in more detail in the following blog.



Business roles can be created for different access restrictions such as sales employees, administrator, manager etc.  Access restrictions can also be maintained for business roles.   An example would be a business role for sales manager, with an access restriction to their territory.

The business role is assigned to business user.  Multiple business roles can be assigned to one business user.  The business role must be in status active. In this case the business user will inherit the access control of both roles (Example: Role1: read; Role2: read&write –> Business User has read&write access)

Changes of the business role trigger an update for all assigned users.  Within a single role you can have various access capabilities.

Business roles are a central part of your security strategy, they can be key for all access.  Many capabilities can be linked to business roles.





The preceding graphic shows the most common linkages to the business roles (additional capabilities will follow).  By linking reports, code list restrictions, page layouts, work center assignments, and access and field restrictions to the business role, the business role becomes the key driver to all access permissions for your business users.


The next blog descriptions access restrictions in more detail.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Ginger Gatling
      Ginger Gatling

      Great blog - thanks!!

      Author's profile photo Matthew Parmenter
      Matthew Parmenter

      Good one Bernd

      Author's profile photo Chandan Bankar
      Chandan Bankar

      Thanks for the great knowledge shared in these series 🙂

      Author's profile photo Krishnendu Laha
      Krishnendu Laha

      Hello Bernd,

      Nice and interesting blog! is it the similar technique of ACE (Access Control Engine) which we have in SAP CRM? Please let me know.



      Author's profile photo Bernd Fleddermann
      Bernd Fleddermann
      Blog Post Author

      Hi Laha,

      no, the access control approach for Cloud for Customer is specific to the cloud platform C4C is build on.


      Author's profile photo Former Member
      Former Member

      Excellent Blog, thank you.

      I am looking for the 'Recommended Roles' normally found in the C4C Application 'Help Centre', can you help please?

      As I understand, the C4C Help Centre content (normally found in the application) has been removed, pending work on CMS which will be launched later this year?  Have I missed communication on this?

      Where is the content?

      There was a useful information on there, including 'Recommended Roles', where can I find this now.

      SAP Support refer me back to "SAP Cloud for Customer User Guide"  :-/

      Regards Wendy

      Author's profile photo Bernd Fleddermann
      Bernd Fleddermann
      Blog Post Author

      Hi Wendy,

      the recommended roles are documented in the C4C admin guide you can reach in any case in the help portal ( --> SAP Cloud For Customer --> Administrator Guide). I expect this information to be included in the help center search with the next with 1602

      Kind regards


      Author's profile photo Former Member
      Former Member

      Thank you, look forward to the new Help Centre Search 😉

      I can export business roles, however cannot find if it is possible to download/export restrictions for Business Roles (similar to attached)...can you help with this?

      Regards Wendy

      Role Restrictions.png

      Author's profile photo Bernd Fleddermann
      Bernd Fleddermann
      Blog Post Author

      Hi Wendy,

      there is a report available "Authorizations assigned in Business Roles". Running this report in XLS will at least provide you the  basis to copy paste the details into the migration template for the roles.

      Author's profile photo Sailaja Naga Rachiraju
      Sailaja Naga Rachiraju

      Hello Wendy,

      You can also use the search feature in the 'Help Center' within the application.  Please search for 'Recommended Business Roles and Work Centers'.

      Best regards,


      Author's profile photo Former Member
      Former Member

      Thank you Sailaja, does this work for you? 

      As I understand, the Application Help Center has been deactivated before the upgrade (in preparation for improvements).   I also understand it should be back with 1602.

      Testing 1602, in test tenant, it does not appear to be back yet.

      Regards Wendy

      Author's profile photo Aruna Thakar
      Aruna Thakar

      Can we change access context or make it Countrywise??? or is org unit access context is possible?

      Author's profile photo Bernd Fleddermann
      Bernd Fleddermann
      Blog Post Author

      The access context is fixed and is coming with its structures from standard development. The customer individual adaptation of the access context is not possible.
      Kind regards

      Author's profile photo Vincent M
      Vincent M

      Hi Bernd,
      I am stuck in one access restriction requirement where customer wants accounts, Leads and Opportunities must have read access by sales org and write access is owner only? e.g. Account owner can only edit the account his account only. Is it possible in c4c?

      Author's profile photo Guenter Wilmer
      Guenter Wilmer

      See also a reference to public videos on data access in SAP Sales Cloud / Service Cloud