Welcome to the blog series on access control management. The series discusses access control and business roles. It provides typical examples of roles and access management. The following are the blogs in this series:
- Basics of access control and business roles – this blog
- Access Control Management: Access restrictions explained – Access Context
- Access Control Management: Access restrictions explained – Restriction Rules
- Access Control Management Example: Global versus local admin
- Access Control Management Example: Access forwarding
- How to analyse access control issues
- Special Access Control Topics
Basics of access control and business roles
User management, business roles and access rights are maintained in the Administrator work center. Access rights can be maintained individually per business user or through business roles, and can be granted by global and/or local administrators. Business users can only be created for employees or service agents. It is highly recommended to use business roles for all access controls: assigning access controls directly to employees carries a higher risk, is much more complex to maintain, and does not offer all the functionality that is available for roles.
Access controls within SAP Cloud for Customer have two levels:
- Assignment of work center and work center views
- Instance access restriction based on access context
This entire blog series focuses on point 2, access restriction based on access context. It is very important to understand that the access context is defined per business object; it cannot be changed or extended.
For example, if the access context for a particular object is employee, you cannot extend it by adding additional criteria such as sales organization. Access context is explained in more detail in the following blog.
Business roles can be created for different access requirements such as sales employees, administrators, managers, etc. Access restrictions can also be maintained for business roles. An example would be a business role for sales managers with an access restriction to their territory.
A business role is assigned to a business user. Multiple business roles can be assigned to one business user, and each role must be in status active. The business user then inherits the access control of all assigned roles (example: Role1 grants read, Role2 grants read and write, so the business user has read and write access).
Changes to a business role trigger an update for all assigned users. Within a single role you can have various access capabilities.
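The two-level model above (work center views plus instance restrictions keyed by a fixed access context, union of access across all active roles, and role changes propagating to every assigned user) is easier to reason about with a small executable model. The following Python is an added example written for this post, not SAP code or configuration; the object types, context names, role names and user IDs are constructed, and the `restrict` helper that rejects a restriction on a criterion the object does not carry is an illustration of the "not extensible" rule rather than any product API.

```python
"""Toy model of SAP Cloud for Customer style access control (constructed example).

Level 1: work center views granted by a role.
Level 2: instance access restrictions, evaluated against the fixed access
         context of each business object. A user gets the union of what
         all assigned *active* roles grant.
"""
from dataclasses import dataclass, field
from enum import IntFlag
from typing import Dict, FrozenSet, List, Optional, Set


class Access(IntFlag):
    NONE = 0
    READ = 1
    WRITE = 2


# Constructed: the access context is fixed per business object type. An
# Opportunity is restricted by employee only; it cannot also be restricted
# by sales organization, because that criterion is not part of its context.
ACCESS_CONTEXT: Dict[str, str] = {
    "Opportunity": "employee",
    "Account": "sales_org",
}


@dataclass(frozen=True)
class Restriction:
    business_object: str
    access: Access
    allowed_values: Optional[FrozenSet[str]] = None  # None: no instance restriction


@dataclass
class BusinessRole:
    name: str
    active: bool = True
    work_center_views: Set[str] = field(default_factory=set)
    restrictions: List[Restriction] = field(default_factory=list)

    def restrict(self, business_object: str, access: Access,
                 context: str, values: Optional[Set[str]] = None) -> "BusinessRole":
        """Add an instance restriction; the context must match the object's fixed one."""
        expected = ACCESS_CONTEXT[business_object]
        if context != expected:
            raise ValueError(f"{business_object} is restricted by {expected}, not {context}")
        self.restrictions.append(
            Restriction(business_object, access, None if values is None else frozenset(values)))
        return self


@dataclass
class BusinessUser:
    user_id: str
    # Users hold references to roles, so editing a role updates every assigned user.
    roles: List[BusinessRole] = field(default_factory=list)


def effective_views(user: BusinessUser) -> Set[str]:
    """Level 1: union of work center views over all active roles."""
    views: Set[str] = set()
    for role in user.roles:
        if role.active:
            views |= role.work_center_views
    return views


def effective_access(user: BusinessUser, instance: Dict[str, str]) -> Access:
    """Level 2: union of access granted by all active roles for one instance."""
    obj = instance["type"]
    context_value = instance[ACCESS_CONTEXT[obj]]
    granted = Access.NONE
    for role in user.roles:
        if not role.active:
            continue
        for r in role.restrictions:
            if r.business_object != obj:
                continue
            if r.allowed_values is None or context_value in r.allowed_values:
                granted |= r.access
    return granted


def demo() -> dict:
    """Walk through the rules stated in the post with constructed roles and users."""
    sales_employee = BusinessRole("Sales Employee", work_center_views={"Sales"}) \
        .restrict("Opportunity", Access.READ, "employee", {"E100"})
    sales_manager = BusinessRole("Sales Manager", work_center_views={"Sales", "Analysis"}) \
        .restrict("Opportunity", Access.READ | Access.WRITE, "employee", {"E100", "E200"})
    anna = BusinessUser("anna", [sales_employee, sales_manager])
    ben = BusinessUser("ben", [sales_employee])
    opp_e100 = {"type": "Opportunity", "employee": "E100"}
    opp_e300 = {"type": "Opportunity", "employee": "E300"}
    acct_s01 = {"type": "Account", "sales_org": "S01"}

    results = {
        "views": effective_views(anna),                        # {"Sales", "Analysis"}
        "union": effective_access(anna, opp_e100),             # READ|WRITE from both roles
        "outside_restriction": effective_access(anna, opp_e300),  # NONE: no role covers E300
    }
    sales_manager.active = False                                # inactive role grants nothing
    results["inactive_role"] = effective_access(anna, opp_e100)  # READ only
    sales_manager.active = True

    # Changing a role propagates to every assigned user (anna and ben).
    sales_employee.restrict("Account", Access.READ, "sales_org", {"S01"})
    results["propagation"] = (effective_access(anna, acct_s01), effective_access(ben, acct_s01))

    # The access context is not extensible: restricting Opportunity by sales_org is rejected.
    try:
        BusinessRole("Bad").restrict("Opportunity", Access.READ, "sales_org", {"S01"})
        results["wrong_context"] = False
    except ValueError:
        results["wrong_context"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The union semantics are the point to watch from a least-privilege angle: a second role never narrows what the first one grants, so a restrictive "view only" role assigned alongside a broad one has no restricting effect, and a change to a widely shared role silently widens (or narrows) access for every user holding it.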
Business roles are a central part of your security strategy and can be the key to all access. Many capabilities can be linked to business roles.
The preceding graphic shows the most common linkages to the business roles (additional capabilities will follow). By linking reports, code list restrictions, page layouts, work center assignments, and access and field restrictions to the business role, the business role becomes the key driver to all access permissions for your business users.
The next blog describes access restrictions in more detail.