Skip to Content

Access Control Management: Access Forwarding

Welcome to the blog series on access control management in SAP Hybris Cloud for Customer (C4C). The series discusses various access control topics in C4C. The goal of this blog series is to provide a complete overview on the access control concept and capabilities in C4C and to let you know on how it works in detail.

Here are the blogs of that series:

  1. Basics of access control and business roles
  2. Access Control Management: Access restrictions explained  – Access Context
  3. Access Control Management: Access restrictions explained  – Restriction Rules
  4. Access Control Management Example: Global versus local admin
  5. Access Control Management Example: Access forwarding (this blog)
  6. How to analyze access control issues
  7. How to analyze access control issues – Check User’s Authorization
  8. Special Access Control Topics
Access Forwarding use case


Assume you are a sales representative and you are assigned as an account team member in the account team of an account. Due to this assignment you basically should have access to that account. Let us assume that as an account team member you are also allowed to make changes to that account (read & write access).

You have now opened that account and for whatever reasons you have deleted the account team assignment of yourself (see the example in the screen shot for the account team member Mini Gross) and you have saved that change. Hence you are no longer account team member of that account.



What do you now expect will happen with your access to this account? Also think about what if you have removed yourself inadvertently from the account team member list.

This situation actually is handled by the access forwarding – in our example you still have access to that customer.



How Access Forwarding works

Actually access forwarding is an exceptional access control behavior. It is implemented for the following business objects:


  • Business Partners (Account, Contact, etc.)
  • Sales Quote
  • Sales Order
  • Activities
  • Opportunity
  • Lead
  • Service Request


For these business objects the last change user is added to the access control list. The access control list is a structure attached to the business object by which the actual access is being determined. As the last change user is added to the access control list that user still has access to the object instance at least until another user is doing a change. This allows the user to revert back changes he might have done accidently and which could lead to the loss of the access right to that specific instance.

For the Business Partners there is one additional exception. Here the entry of the last change user into the access control list has a time dependency. It is only valid until the end of the day (by UTC system time). Thus a user who did a change on an account has only access until the end of the day even if no other user has changed that account on that day.



Try it out!

You must be Logged on to comment or reply to a post.
    • Hi Prety,

      thanks for your feedback. Actually I had planned to finalize the blog towards year end 2015. With 1602 however, some changes in the representation of the users access control settings are being introduced, hence I decided to wait until 1602 is out.

      Kind regards


  • Hello Bernd

    Are they any access forwarding logic on items that are created by yourself?

    For example, if you create a ticket, assign it to another team where access restriction should in theory remove your means to view the ticket, will you continue to have access whatever?



    • Hi Andrew,

      the access forwarding logic might not be implemented for all business objects. I have not tested your scenario through but I assume in that case the user as access to the ticket until another user has made a follow up change. But again - better test it through to be sure.

      kind regards



  • Hi Manson,

    actually there is no option to deactivate the access forwarding for Business Objects where this feature is implemented.

    Kind regards