Welcome to the blog series on access control management. The series discusses access control and business roles. It provides typical examples of roles and access management. The following are the blogs in this series:
- Basics of access control and business roles
- Access Control Management: Access restrictions explained – Access Context
- Access Control Management: Access restrictions explained – Restriction Rules
- Access Control Management Example: Global versus local admin
- Access Control Management Example: Access forwarding (this blog)
- How to analyse access control issues
- Special Access Control Topics
Access Forwarding use case
Assume you are a sales representative and you are assigned as a member of an account's account team. Because of this assignment, you should have access to that account. Let us also assume that, as an account team member, you are allowed to make changes to that account (read and write access).
You have now opened that account and, for whatever reason, deleted your own account team assignment (see the example in the screenshot for the account team member Mini Gross) and saved that change. Hence you are no longer an account team member of that account.
What do you expect will happen to your access to this account? Also consider the case in which you removed yourself from the account team member list inadvertently.
This situation is handled by access forwarding: in our example, you still have access to that customer.
How Access Forwarding works
Access forwarding is an exceptional access control behavior. It is implemented for the following business objects:
- Business Partners (Account, Contact, etc.)
- Sales Quote
- Sales Order
- Service Request
For these business objects, the last change user is added to the access control list. The access control list is a structure attached to the business object, and it determines the actual access. Because the last change user is added to the access control list, that user still has access to the object instance, at least until another user makes a change. This allows the user to revert changes made accidentally that would otherwise lead to the loss of the access right to that specific instance.
For Business Partners there is one additional exception. Here the entry of the last change user in the access control list is time-dependent: it is only valid until the end of the day (by UTC system time). Thus a user who changed an account only has access until the end of that day, even if no other user has changed the account on that day.
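The two rules above can be modelled in a few lines. This is an added example, not code from the product or from the original post: the class, the field names and the user `other.rep` are hypothetical, and it assumes that a later change by another user replaces the forwarded entry.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Set

# Simplified model (an assumption, not product code) of the types the page lists.
FORWARDING_TYPES = {"business_partner", "sales_quote", "sales_order", "service_request"}

@dataclass
class BusinessObject:
    kind: str
    team: Set[str] = field(default_factory=set)   # regular, assignment-based access
    last_changer: Optional[str] = None            # forwarded ACL entry
    changed_at: Optional[datetime] = None         # UTC time of the last change

    def save(self, user: str, now: datetime, remove_from_team: Optional[str] = None) -> None:
        """Apply a change; the saving user becomes the single forwarded entry."""
        if not self.has_access(user, now):
            raise PermissionError(f"{user} may not change this object")
        if remove_from_team:
            self.team.discard(remove_from_team)
        if self.kind in FORWARDING_TYPES:
            self.last_changer, self.changed_at = user, now.astimezone(timezone.utc)

    def has_access(self, user: str, now: datetime) -> bool:
        if user in self.team:
            return True
        if user != self.last_changer or self.changed_at is None:
            return False
        if self.kind == "business_partner":
            # Forwarded entry is valid only until the end of the UTC day of the change.
            return now.astimezone(timezone.utc).date() == self.changed_at.date()
        return True  # other types: valid until another user changes the object

def demo():
    t0 = datetime(2024, 5, 6, 22, 30, tzinfo=timezone.utc)   # constructed timestamps
    same_day = datetime(2024, 5, 6, 23, 59, tzinfo=timezone.utc)
    next_day = datetime(2024, 5, 7, 0, 1, tzinfo=timezone.utc)
    account = BusinessObject("business_partner", team={"mini.gross", "other.rep"})
    account.save("mini.gross", t0, remove_from_team="mini.gross")
    order = BusinessObject("sales_order", team={"mini.gross", "other.rep"})
    order.save("mini.gross", t0, remove_from_team="mini.gross")
    results = {
        "account_same_day": account.has_access("mini.gross", same_day),
        "account_next_day": account.has_access("mini.gross", next_day),
        "order_next_day": order.has_access("mini.gross", next_day),
    }
    order.save("other.rep", next_day)   # another user's change replaces the entry
    results["order_after_other_change"] = order.has_access("mini.gross", next_day)
    return results
```

For an access review, note that the forwarded entry grants access without any team assignment, so checking the account team list alone does not show it.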
Try it out!