Access Control Management: Access Forwarding
Welcome to the blog series on access control management in SAP Hybris Cloud for Customer (C4C). The series discusses various access control topics in C4C. Its goal is to provide a complete overview of the access control concept and capabilities in C4C and to explain in detail how they work.
Here are the blogs of that series:
- Basics of access control and business roles
- Access Control Management: Access restrictions explained – Access Context
- Access Control Management: Access restrictions explained – Restriction Rules
- Access Control Management Example: Global versus local admin
- Access Control Management Example: Access forwarding (this blog)
- How to analyze access control issues
- How to analyze access control issues – Check User’s Authorization
- Special Access Control Topics
Access Forwarding use case
Assume you are a sales representative assigned as an account team member in the account team of an account. Because of this assignment you should have access to that account. Let us assume that as an account team member you are also allowed to make changes to that account (read & write access).
You have now opened that account and, for whatever reason, deleted your own account team assignment (see the example in the screenshot for the account team member Mini Gross) and saved that change. Hence you are no longer an account team member of that account.
What do you expect will now happen to your access to this account? Also consider the case where you removed yourself from the account team member list inadvertently.
This situation is handled by access forwarding: in our example you still have access to that customer.
How Access Forwarding works
Access forwarding is an exceptional access control behavior. It is implemented for the following business objects:
- Business Partners (Account, Contact, etc.)
- Sales Quote
- Sales Order
- Activities
- Opportunity
- Lead
- Service Request
For these business objects the last change user is added to the access control list. The access control list is a structure attached to the business object from which the actual access is determined. Because the last change user is added to the access control list, that user still has access to the object instance, at least until another user makes a change. This allows the user to revert changes he might have made accidentally and which could lead to the loss of the access right to that specific instance.
For the Business Partners there is one additional exception. Here the entry of the last change user in the access control list is time-dependent. It is only valid until the end of the day (by UTC system time). Thus a user who made a change to an account has access only until the end of the day, even if no other user has changed that account on that day.
Try it out!
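The behavior described under "How Access Forwarding works", as a small model added here for illustration. It is not SAP code: the class, the function names and the kind labels are hypothetical, and the model covers only the two rules stated above (the last change user keeps access until another user changes the object; for Business Partners that entry expires at the end of the UTC day).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical labels for the Business Partner kinds whose forwarded entry is time-limited.
TIME_LIMITED = {"Account", "Contact"}

@dataclass
class BusinessObject:
    kind: str                                  # e.g. "Account", "Opportunity"
    team: set = field(default_factory=set)     # regular ACL entries (e.g. account team)
    last_changer: Optional[str] = None         # forwarded ACL entry
    forward_until: Optional[datetime] = None   # expiry, only for time-limited kinds

def end_of_utc_day(now: datetime) -> datetime:
    """First instant of the next UTC day; the forwarded entry is valid before it."""
    start = datetime(now.year, now.month, now.day, tzinfo=timezone.utc)
    return start + timedelta(days=1)

def has_access(obj: BusinessObject, user: str, now: datetime) -> bool:
    if user in obj.team:                       # access through a regular assignment
        return True
    if user != obj.last_changer:               # no forwarded entry for this user
        return False
    return obj.forward_until is None or now < obj.forward_until

def forwarded_only(obj: BusinessObject, now: datetime) -> Optional[str]:
    """User whose access rests only on the forwarded entry (for access reviews)."""
    u = obj.last_changer
    if u is not None and u not in obj.team and has_access(obj, u, now):
        return u
    return None

def save_change(obj: BusinessObject, user: str, now: datetime,
                remove_member: Optional[str] = None) -> None:
    """Apply a change; the saving user replaces the previous forwarded entry."""
    if not has_access(obj, user, now):
        raise PermissionError(f"{user} has no access to this {obj.kind}")
    if remove_member is not None:
        obj.team.discard(remove_member)
    obj.last_changer = user
    obj.forward_until = end_of_utc_day(now) if obj.kind in TIME_LIMITED else None

if __name__ == "__main__":
    # Constructed sample: a team member removes herself from an account team.
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    acct = BusinessObject("Account", team={"mini", "olga"})
    save_change(acct, "mini", t0, remove_member="mini")
    print(has_access(acct, "mini", t0), forwarded_only(acct, t0))
    print(has_access(acct, "mini", t0 + timedelta(days=1)))
```

`forwarded_only` shows the point that matters in an access review: a user can still hold access to an instance without appearing in the account team.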
Awesome! Great stuff, thanks, Bernd!!
Hi Bernd,
Extremely helpful blog series. Looking forward to the final one. By when can we expect it?
Thanks & Regards
Preethi
Hi Preethi,
thanks for your feedback. Actually I had planned to finalize the blog towards year end 2015. With 1602, however, some changes in the representation of the user's access control settings are being introduced, hence I decided to wait until 1602 is out.
Kind regards
Bernd
Hello Bernd
Is there any access forwarding logic on items that are created by yourself?
For example, if you create a ticket, assign it to another team where access restriction should in theory remove your means to view the ticket, will you continue to have access whatever?
Thanks
Andrew
Hi Andrew,
the access forwarding logic might not be implemented for all business objects. I have not tested your scenario through but I assume in that case the user has access to the ticket until another user has made a follow-up change. But again - better test it through to be sure.
kind regards
Bernd
Hello Bernd,
Is there any possibility of disabling access forwarding for a particular object?
Thanks,
Manson J
Hi Manson,
actually there is no option to deactivate the access forwarding for Business Objects where this feature is implemented.
Kind regards
Bernd