Skip to Content
Author's profile photo Bernd Fleddermann

Access Control Management: Global versus local admin

Welcome to the blog series on access control management in SAP Hybris Cloud for Customer (C4C). The series discusses various access control topics in C4C. The goal of this blog series is to provide a complete overview on the access control concept and capabilities in C4C and to let you know on how it works in detail.

Here are the blogs of that series:

  1. Basics of access control and business roles
  2. Access Control Management: Access restrictions explained  – Access Context
  3. Access Control Management: Access restrictions explained  – Restriction Rules
  4. Access Control Management Example: Global versus local admin (this blog)
  5. Access Control Management Example: Access forwarding
  6. How to analyze access control issues
  7. How to analyze access control issues – Check User’s Authorization
  8. Special Access Control Topics

A use case of a local administration

I am supporting some global acting customers which are rolling out SAP Cloud for Customers in a phased approach into their different regions all over the globe. Typically the roll out activities including the related key user activities are managed by a team of central key users located in the company headquarters. An important part of the regional roll out is also to train the local key users who are responsible to act as an immediate contact for the local users as well as maintaining local employees and users.

With the concept of the local administrator it is possible to centrally define roles which can be assigned by local administrators to the users they are responsible for. In addition a local administrator can get access rights to create and maintain only employees and users he is responsible for.

Example – Set up a local Administrator

Adam Lokal is a local Administrator in the northern Region of the BFT Company. His task is to maintain employees and users in his regional area.


In order to fulfill these tasks Adam has a role assigned which only covers the Employee and Business User Work Center Views of the Administrator work center. In addition to this I have also added the Flexibility Change Log Work Center View to his role. This is to enable Adam to switch to the Silverlight UI as the Administrator work center is currently only available there. In contrast to a global administrator he has not the general settings of the administration work center assigned.


To make sure that Adam can only access and maintain employees and users of his regional branch his user role is set up with a restriction rule which restrict access only to the users of the functional units (organizational units) to which he is assigned to. By using this restriction rule it is possible to use the same role also for local administrator of other regional branches.


With this setup Adam has only access to employee and users which are assigned to his organization unit and those underneath.

Please note that in the OWL of his employees and users also “Mike Summers” is showing up (2nd last entry in the screenshot) although Mike has no assignment to Adam’s organizational unit. The reason is that Mike Summers has no organizational assignment at all, hence the system has no handle to determine an access restriction for that employee. In this case the system shows that employee w/o any restriction.


Set up Roles for Local Administrators

In the example above we have seen on what needs to be done to set up local administrator by assigning him the relevant work center with the appropriate access restrictions. This step now covers the set up of the roles a local administrator can use when activating a local user.

When a global administrator creates a role, he can flag this role as a local role. This role can then be used by a local admin to assign to his users.


In addition a global administrator can also assign the local admin as a responsible user for a global role. This will then make this role also available for the local admin.


In the screen shot below you see how the roles enabled for the local admins are being presented in the role assignment for a user. The local admins will only be able to assign those dedicated roles. Typically the local roles include access restriction which are based on restriction rules.


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Ginger Gatling
      Ginger Gatling

      Super- thanks! I'll try this out soon!!

      Author's profile photo Chandan Bankar
      Chandan Bankar

      waiting for your next write ups 🙂

      Author's profile photo Bernd Fleddermann
      Bernd Fleddermann
      Blog Post Author

      will come up soon!

      Author's profile photo Gowrinadh Challagundla
      Gowrinadh Challagundla

      Great blog series.

      Author's profile photo Former Member
      Former Member

      Hi, What is the recommendation for:

      1.  migration of business roles from Test to production

      2. migration of delta changes to all/any business roles

      3. Migration of a new business role(s) created in Test & Migrate to production.



      Author's profile photo Former Member
      Former Member

      Hello Raul,

      Please refer to this thread. Hope this helps..



      Author's profile photo Former Member
      Former Member

      Hi Prasad,

      My question was a scenario when the tenants are already active (both tests & a prod).

      This doesn't comes under a change project as we're not changing the business configuarion.

      With Regards,


      Author's profile photo Bernd Fleddermann
      Bernd Fleddermann
      Blog Post Author

      Hi Rahul,

      actually the roles need to be migrated in a manual step. Important is that the business role ID matached with the target system.

      Kind regards


      Author's profile photo Saurabh Saxena
      Saurabh Saxena

      Hi Bernd,

      Thanks for all this knowledge sharing, learning a lot here 🙂 .

      A small clarification, how does the system determine who is a local admin and who is a global admin? The system allows to define whether a role is global or local but who all can see this role is governed through which mechanism? Can it be assumed that if a user has access to "Business Roles" work center view then he has access to all kinds of roles irrespective of their nature whether global or local.



      Author's profile photo Bernd Fleddermann
      Bernd Fleddermann
      Blog Post Author

      Hi Saurabh,

      very good question! Actually this is controled through the assignment of the "Global Settings" Work Center View (part of the Administrator Work Center).

      An administrator with the assignment of the general settings can assign all roles to a business user.



      Author's profile photo Arjun T.H
      Arjun T.H

      Hello Bernd,

      thank you! This is awesome!



      Author's profile photo Ketan Patil
      Ketan Patil

      Hello Bernd,

      Very informative and easy explanations...excellent blog. Thanks.