Welcome to the blog series on access control management. The series discusses access control and business roles. It provides typical examples of roles and access management. The following are the blogs in this series:

  1. Basics of access control and business roles
  2. Access Control Management: Access restrictions explained – Access Context
  3. Access Control Management: Access restrictions explained – Restriction Rules
  4. Access Control Management Example: Global versus local admin
  5. Access Control Management Example: Access forwarding (this blog)
  6. How to analyse access control issues
  7. Special Access Control Topics


Access Forwarding use case

Assume you are a sales representative assigned as a member of an account's account team. Because of this assignment you should have access to that account. Let us also assume that, as an account team member, you are allowed to make changes to that account (read and write access).

You have now opened that account and, for whatever reason, deleted your own account team assignment (see the example in the screenshot for the account team member Mini Gross) and saved that change. Hence you are no longer an account team member of that account.

0501_AccountTeamMember.png

What do you expect will now happen to your access to this account? Also consider the case where you removed yourself from the account team member list inadvertently.

This situation is handled by access forwarding: in our example you still have access to that customer.

How Access Forwarding works

Access forwarding is an exceptional access control behavior. It is implemented for the following business objects:

  • Business Partners (Account, Contact, etc.)
  • Sales Quote
  • Sales Order
  • Activities
  • Opportunity
  • Lead
  • Service Request

For these business objects, the last change user is added to the access control list. The access control list is a structure attached to the business object from which the actual access is determined. Because the last change user is added to the access control list, that user still has access to the object instance, at least until another user makes a change. This allows the user to revert changes made accidentally that could otherwise lead to the loss of the access right to that specific instance.

For Business Partners there is one additional exception. Here the entry of the last change user in the access control list is time-dependent: it is only valid until the end of the day (by UTC system time). Thus a user who changed an account has access only until the end of the day, even if no other user has changed that account on that day.
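
The forwarding rules described above, as a simplified model (an added example, not the product's implementation and not code from the original post). The class, field and type names are hypothetical, the user IDs and timestamps are constructed, and the model assumes each object holds a single last-change entry that the next save replaces.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import Optional
UTC = timezone.utc
# Object types the post lists as having access forwarding (names are illustrative).
FORWARDING_TYPES = {"BusinessPartner", "SalesQuote", "SalesOrder", "Activity",
                    "Opportunity", "Lead", "ServiceRequest"}

@dataclass
class BusinessObject:
    obj_type: str
    team: set = field(default_factory=set)      # regular ACL source, e.g. account team
    last_changed_by: Optional[str] = None       # the single forwarding entry (assumed)
    last_changed_at: Optional[datetime] = None

    def can_access(self, user: str, now: datetime) -> bool:
        if user in self.team:
            return True
        if self.obj_type not in FORWARDING_TYPES or user != self.last_changed_by:
            return False
        if self.obj_type == "BusinessPartner":
            # Forwarding entry is valid only until the end of the UTC day of the change.
            day = self.last_changed_at.astimezone(UTC).date()
            return now <= datetime.combine(day, time.max, tzinfo=UTC)
        return True                              # valid until another user saves

    def save(self, user: str, now: datetime, team=None) -> None:
        if not self.can_access(user, now):
            raise PermissionError(f"{user} has no access to this {self.obj_type}")
        if team is not None:
            self.team = set(team)
        self.last_changed_by, self.last_changed_at = user, now   # replaces prior entry

def demo() -> dict:
    t0 = datetime(2016, 3, 1, 10, 0, tzinfo=UTC)              # constructed timestamps
    next_day, next_week = datetime(2016, 3, 2, 0, 0, 1, tzinfo=UTC), datetime(2016, 3, 8, tzinfo=UTC)
    acct = BusinessObject("BusinessPartner", team={"mini.gross", "other.rep"})
    acct.save("mini.gross", t0, team={"other.rep"})          # removes herself
    opp = BusinessObject("Opportunity", team={"mini.gross", "other.rep"})
    opp.save("mini.gross", t0, team={"other.rep"})
    out = {"account_same_day": acct.can_access("mini.gross", t0.replace(hour=23)),
           "account_next_day": acct.can_access("mini.gross", next_day),
           "opportunity_next_week": opp.can_access("mini.gross", next_week)}
    opp.save("other.rep", next_week)                          # another user changes it
    out["opportunity_after_other_change"] = opp.can_access("mini.gross", next_week)
    return out

if __name__ == "__main__":
    print(demo())
```

The model makes one consequence easy to see when reviewing access: removing a user from a team does not end that user's access if they saved the removal themselves, so an access check right after the change still succeeds.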

Try it out!

5 Comments

    1. Bernd Fleddermann Post author

      Hi Prety,

      thanks for your feedback. Actually I had planned to finalize the blog towards year end 2015. With 1602 however, some changes in the representation of the users access control settings are being introduced, hence I decided to wait until 1602 is out.

      Kind regards

      Bernd

  1. Andrew Smith

    Hello Bernd

    Is there any access forwarding logic on items that are created by yourself?

    For example, if you create a ticket, assign it to another team where access restriction should in theory remove your means to view the ticket, will you continue to have access whatever?

    Thanks

    Andrew

    1. Bernd Fleddermann Post author

      Hi Andrew,

      the access forwarding logic might not be implemented for all business objects. I have not tested your scenario through, but I assume in that case the user has access to the ticket until another user has made a follow-up change. But again – better test it through to be sure.

      kind regards

      Bernd
