Welcome to the blog series on access control management. The series discusses access control and business roles. It provides typical examples of roles and access management. The following are the blogs in this series:
- Basics of access control and business roles
- Access Control Management: Access restrictions explained – Access Context
- Access Control Management: Access restrictions explained – Restriction Rules (this blog)
- Access Control Management Example: Global versus local admin
- Access Control Management Example: Access forwarding
- How to analyze access control issues
- Special Access Control Topics
Restriction rules translate the generic access restrictions defined in a business role into the concrete access restrictions of each user that role is assigned to.
Suppose you have created a role for sales representatives. This role provides access to the work center views Account, Contacts, Opportunity and Sales Quote, and you want to assign it to all of your sales representatives worldwide, across the different organizations. By choosing the restriction rule “Assigned Territories and Employees (for Managers)” the system automatically restricts each user's access to the accounts where that user is assigned to the account team or to the territory team. Because the system generates the access restriction per user automatically, it is not necessary to create a separate role for each territory.
How does the system actually translate the access restrictions for the individual business users?
Sales Representative Nils Watt
Nils is a sales representative of BFT Company Inc. Organizationally he is assigned to the corporate org unit of the company. He is also a member of the territory “Germany”, which has further sub territories assigned. Nils' user has the role “BFT DE SALES ASSISTANT” assigned. For the Accounts work center view the access restriction rule “Assigned Territories and Employees (for Managers)” is selected.
Nils Watt – Organizational assignment
Nils Watt – Territory assignment
- As Nils is assigned to his organizational unit as an employee (and not as a manager), he is granted access only to those accounts (and contacts) where he himself is a member of the account team. He gets no access to the accounts of other account team members.
- As Nils is assigned to the territory Germany, he has access to all accounts assigned to this territory and, in addition, to all accounts assigned to its sub territories.
Nils' access is therefore the combination of the employee part of his access context (accounts where he is directly assigned as an account team member) and the territory part of his access context (accounts assigned to a territory, or a sub territory, he is a member of).
The restriction rule of the role assigned to Nils' user generates his access rights dynamically: a change of his territory assignment changes his territory-related access rights accordingly.
Please note that there are some situations where the access of the users of a role must be updated explicitly (e.g. when the sales area in the employee master data is changed). In those cases open the relevant role –> Assigned Users –> Update Users. This action triggers a background job that sets the access rights of the assigned users according to their current territory or sales area assignment. Updating the users of a role is also a useful first step whenever the access control does not produce the expected results (in my blog How to analyze access control issues I will provide more details on how to proceed in case of issues).
Sales Manager Bodo Mann
Bodo is the manager of the BFT Company Inc. organization. Bodo's user has the same role “BFT DE SALES ASSISTANT” assigned as his employee Nils. Bodo is not assigned to any territory:
- As a manager Bodo has access to all accounts where employees of his own organizational unit and its sub units are assigned to the account team. Please note that the organizational unit must be flagged as a sales unit (functional unit sales) for it to be considered by the access restriction.
Does Bodo also have access to an account that his employee Nils Watt can access only because Nils is a member of the account's territory team, but not of its account team?
The answer is no! The employee part of the access context only considers the organizational assignment of the manager's employees, i.e. the accounts where those employees are account team members. Territory membership of an employee is not inherited by the manager; Bodo would need to be a member of that territory himself.
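The following is an added example, not code from the original post or from SAP: a small Python model of how the restriction rule “Assigned Territories and Employees (for Managers)” resolves account access from the employee part and the territory part of the access context. Org units, territories, employees and accounts are constructed sample data; the way the sales-unit flag is evaluated per org unit is an assumption made for the model. It reproduces the two cases above (Nils sees territory accounts that Bodo does not, Bodo sees his employees' account-team accounts) and the dynamic behaviour of a territory reassignment.

```python
"""Model of an access-context resolution: employee part + territory part.
Added example; constructed data, not SAP code or SAP's actual algorithm."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class OrgUnit:
    name: str
    parent: str | None = None
    is_sales_unit: bool = True      # "functional unit sales" flag


@dataclass
class Territory:
    name: str
    parent: str | None = None


@dataclass
class Employee:
    name: str
    org_unit: str
    is_manager: bool = False        # manager of org_unit, otherwise plain employee
    territories: set[str] = field(default_factory=set)


@dataclass
class Account:
    name: str
    account_team: set[str] = field(default_factory=set)
    territory: str | None = None


def subtree(nodes: dict, root: str) -> set[str]:
    """root plus every node below it in the org unit or territory hierarchy."""
    covered, frontier = {root}, [root]
    while frontier:
        current = frontier.pop()
        for node in nodes.values():
            if node.parent == current and node.name not in covered:
                covered.add(node.name)
                frontier.append(node.name)
    return covered


def employee_part(user: Employee, employees: dict, org_units: dict) -> set[str]:
    """Employees whose account-team membership is granted to the user.
    Own user always; a manager adds the employees of their org unit and sub units.
    Assumption: a unit only contributes when flagged as a sales unit."""
    covered = {user.name}
    if user.is_manager:
        units = {u for u in subtree(org_units, user.org_unit) if org_units[u].is_sales_unit}
        covered |= {e.name for e in employees.values() if e.org_unit in units}
    return covered


def territory_part(user: Employee, territories: dict) -> set[str]:
    """Territories the user is a member of plus all their sub territories."""
    covered: set[str] = set()
    for t in user.territories:
        covered |= subtree(territories, t)
    return covered


def accessible_accounts(user_name: str, employees, org_units, territories, accounts) -> set[str]:
    """Accounts visible to the user: union of employee part and territory part."""
    user = employees[user_name]
    via_team = employee_part(user, employees, org_units)
    via_territory = territory_part(user, territories)
    return {a.name for a in accounts.values()
            if a.account_team & via_team or a.territory in via_territory}


def build_scenario():
    """Constructed sample data mirroring the Nils / Bodo setup (not from the post)."""
    org_units = {u.name: u for u in [
        OrgUnit("BFT Corporate"),
        OrgUnit("BFT DE Inside Sales", parent="BFT Corporate"),
        OrgUnit("BFT DE Service", parent="BFT Corporate", is_sales_unit=False),
        OrgUnit("BFT AT Sales"),
    ]}
    territories = {t.name: t for t in [
        Territory("Germany"), Territory("Bavaria", parent="Germany"), Territory("Austria"),
    ]}
    employees = {e.name: e for e in [
        Employee("Nils", "BFT Corporate", territories={"Germany"}),
        Employee("Bodo", "BFT Corporate", is_manager=True),
        Employee("Anna", "BFT DE Inside Sales"),
        Employee("Otto", "BFT DE Service"),
        Employee("Karl", "BFT AT Sales", territories={"Austria"}),
    ]}
    accounts = {a.name: a for a in [
        Account("Acme DE", account_team={"Nils"}),
        Account("Frankfurt Bank", account_team={"Karl"}, territory="Germany"),
        Account("Bavaria Motors", account_team={"Karl"}, territory="Bavaria"),
        Account("Berlin Foods", account_team={"Anna"}),
        Account("Hamburg Parts", account_team={"Otto"}),
        Account("Vienna Tools", account_team={"Karl"}, territory="Austria"),
    ]}
    return employees, org_units, territories, accounts


if __name__ == "__main__":
    employees, org_units, territories, accounts = build_scenario()
    for name in ("Nils", "Bodo"):
        print(name, sorted(accessible_accounts(name, employees, org_units, territories, accounts)))
    # Dynamic part: moving Nils from Germany to Bavaria only shrinks his territory access.
    employees["Nils"].territories = {"Bavaria"}
    print("Nils after reassignment",
          sorted(accessible_accounts("Nils", employees, org_units, territories, accounts)))
```

Running it shows Nils with Acme DE (account team), Frankfurt Bank and Bavaria Motors (territory Germany and its sub territory), while Bodo gets Acme DE and Berlin Foods (account teams of his employees in sales-flagged units) but not Bavaria Motors, and not Hamburg Parts because the service unit is not a sales unit. The model only covers the employee and territory parts of the context; sales area and partner based restrictions are out of scope here.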
When setting up a role I recommend using access restriction rules rather than maintaining specific access restrictions per organization or territory. This may not be possible for every customer use case, but restriction rules reduce the number of different business roles, as the same role can be used for users of different organizations, territories etc. This in turn reduces the maintenance and administration effort for handling the roles.
The restriction rule is maintained in the “Access Restriction” section per work center view. The available rules depend on the access context of the work center view/business object. In the screen shot above you see the available restriction rules for the access context 1015 – Employee or Territory or Sales Data. Work center views/business objects assigned to a different access context offer a different set of restriction rules.
The restriction rules are defined by the standard and cannot be changed or extended customer specifically.
I have attached an XLS with a table that provides an overview of the current restriction rule setup. The columns of that table use the following abbreviations:
- Empl.: The difference between Employee and User is that if the employee is a manager, the org units of the manager are also considered (the manager gets access for all employees in his/her org units). For both managers and employees the own user is added.
- Workforce: Access based on the employees supervised by the user in the relationship hierarchy
- User: Only the user's own user is added, even for managers
- Org: The org units of the user are added; which function of the org unit counts (e.g. sales) is derived from the access context
- Territory: The territories of the user
- Partner: Only meaningful for users that are partner contacts; the partner the partner contact belongs to is added
- SalesArea: The sales areas maintained in the employee's master data
- Sorg+Dist: The sales organization combined with all distribution channels in the system