
Welcome to the blog series on access control management. The series discusses access control and business roles. It provides typical examples of roles and access management. The following are the blogs in this series:

  1. Basics of access control and business roles
  2. Access Control Management: Access restrictions explained – Access Context
  3. Access Control Management: Access restrictions explained – Restriction Rules
  4. Access Control Management Example: Global versus local admin (this blog)
  5. Access Control Management Example: Access forwarding
  6. How to analyse access control issues
  7. Special Access Control Topics

A use case of a local administration

I am supporting some globally acting customers that are rolling out SAP Cloud for Customer in a phased approach into their different regions all over the globe. Typically the rollout activities, including the related key user activities, are managed by a team of central key users located in the company headquarters. An important part of the regional rollout is also to train the local key users, who are responsible for acting as an immediate contact for the local users as well as for maintaining local employees and users.

With the concept of the local administrator, it is possible to centrally define roles that local administrators can assign to the users they are responsible for. In addition, a local administrator can be given access rights to create and maintain only the employees and users he is responsible for.

Example – Set up a local Administrator

Adam Lokal is a local administrator in the northern region of the BFT Company. His task is to maintain employees and users in his regional area.

0401_ALOKAL.png

In order to fulfill these tasks, Adam has a role assigned which only covers the Employee and Business User Work Center Views of the Administrator work center. In addition to this, I have also added the Flexibility Change Log Work Center View to his role. This is to enable Adam to switch to the Silverlight UI, as the Administrator work center is currently only available there. In contrast to a global administrator, he does not have the general settings of the Administrator work center assigned.

0402_ALOKAL_ADMINWORKCENTER.png

To make sure that Adam can only access and maintain employees and users of his regional branch, his user role is set up with a restriction rule that restricts access to the users of the functional units (organizational units) to which he is assigned. By using this restriction rule, it is possible to use the same role for the local administrators of other regional branches as well.

0403_LOCAL_ADMIN_ROLE.png

With this setup, Adam only has access to employees and users who are assigned to his organizational unit and those underneath it.

Please note that “Mike Summers” also shows up in the OWL of his employees and users (2nd last entry in the screenshot), although Mike has no assignment to Adam’s organizational unit. The reason is that Mike Summers has no organizational assignment at all, hence the system has no handle to determine an access restriction for that employee. In this case the system shows that employee without any restriction.

0404_EmployeeOWL.png
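The behaviour described above, as an added example (a simplified Python model written for this page, not SAP code): the restriction rule limits Adam to his organizational unit and those underneath, yet an employee without any organizational assignment stays visible to him, and a small audit function lists such records. The org-unit IDs and all employees other than Adam Lokal and Mike Summers are constructed.

```python
# Simplified model of the org-unit restriction rule; not SAP's implementation.
# Org-unit IDs and the employees marked "constructed" are sample data.

# child org unit -> parent org unit (None marks the root)
ORG_PARENT = {
    "BFT": None,
    "NORTH": "BFT",
    "NORTH_SALES": "NORTH",
    "SOUTH": "BFT",
}

# employee -> org unit assignment (None = no organizational assignment)
EMPLOYEES = {
    "Adam Lokal": "NORTH",
    "Nora Nord": "NORTH_SALES",  # constructed
    "Sam Sued": "SOUTH",         # constructed
    "Mike Summers": None,
}


def units_at_or_below(unit):
    """Return the unit plus every unit underneath it in the hierarchy."""
    found = {unit}
    changed = True
    while changed:
        changed = False
        for child, parent in ORG_PARENT.items():
            if parent is not None and parent in found and child not in found:
                found.add(child)
                changed = True
    return found


def visible_employees(admin):
    """Employees a local admin sees under the org-unit restriction rule."""
    scope = units_at_or_below(EMPLOYEES[admin])
    # An employee with no assignment gives the rule nothing to compare
    # against, so the record is shown without restriction.
    return sorted(e for e, unit in EMPLOYEES.items() if unit is None or unit in scope)


def unrestricted_employees():
    """Audit check: records visible to every local admin, whatever the region."""
    return sorted(e for e, unit in EMPLOYEES.items() if unit is None)


if __name__ == "__main__":
    print("Adam sees:", visible_employees("Adam Lokal"))
    print("No org assignment:", unrestricted_employees())
```
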

Set up Roles for Local Administrators

In the example above we have seen what needs to be done to set up a local administrator by assigning him the relevant work center with the appropriate access restrictions. This step now covers the setup of the roles a local administrator can use when activating a local user.

When a global administrator creates a role, he can flag this role as a local role. A local admin can then assign this role to his users.

0405_LocalRole.png

In addition, a global administrator can also assign the local admin as a responsible user for a global role. This makes that role available to the local admin as well.

0406_GlobalRole.png

In the screenshot below you see how the roles enabled for the local admins are presented in the role assignment for a user. The local admins will only be able to assign those dedicated roles. Typically the local roles include access restrictions that are based on restriction rules.

0407_RoleAssignment.png


12 Comments


  1. Rahul Mukherjee

    Hi, What is the recommendation for:

    1. migration of business roles from Test to production

    2. migration of delta changes to all/any business roles

    3. Migration of a new business role(s) created in Test & Migrate to production.

    Regards,

    Rahul

    (0) 
      1. Rahul Mukherjee

        Hi Prasad,

        My question was a scenario when the tenants are already active (both tests & a prod).

        This doesn’t come under a change project as we’re not changing the business configuration.

        With Regards,

        Rahul

        (0) 
  2. Saurabh Saxena

    Hi Bernd,

    Thanks for all this knowledge sharing, learning a lot here 🙂 .

    A small clarification: how does the system determine who is a local admin and who is a global admin? The system allows defining whether a role is global or local, but who all can see this role is governed through which mechanism? Can it be assumed that if a user has access to the “Business Roles” work center view then he has access to all kinds of roles, irrespective of their nature, whether global or local?

    Regards,

    Saurabh

    (0) 
    1. Bernd Fleddermann Post author

      Hi Saurabh,

      Very good question! Actually this is controlled through the assignment of the “Global Settings” Work Center View (part of the Administrator Work Center).

      An administrator with the assignment of the general settings can assign all roles to a business user.

      Regards

      Bernd

      (0) 
