Babu Lal Limba

Implementing Access Control on Custom Business Objects

How to provide access control on custom Business Object

Background to Access Control and Context.

Business objects developed by SAP in Business ByDesign can have controlled access based on the Access Control List (ACL) node data associated with them. ACL is a dependent object (DO) that can be associated with a business object to provide controlled access. You can restrict access to instances of business objects, be it read or write, based on certain predefined contexts like Employee, Company, Site etc. A user is assigned access on these access contexts, which controls the operations that the user can perform on business object instances.

For example, the business object ‘PurchaseOrder’ has an access context of Company. By default the access rights are ‘Unrestricted’ and the user has rights to read and write purchase orders for all companies. To control the access, the user can be assigned access (in Application and User Management->Business Users->Edit Access Rights->Access Restrictions) to read and/or write purchase orders belonging to a certain set of companies. This brings in restricted access to the business object.


The access context in the above screenshot is 1007-Company and the Access Context UUID is the company UUID. This means that this instance of purchase order belongs to company 00145EF588E602DBB8B3AC44715E0CC1, and a user who has been given only ‘Read’ access rights for this company can only read the purchase order. If write access is also given for this company, then the user can write to this purchase order as well.

Access control for partner developed business objects

The same controlled access can be achieved for partner-created business objects. There are two ways of doing so in Cloud Application Studio (CAS).

  1. Link the custom BO to a standard BO that supports the access context required for the custom BO. This can be done using the following association in the custom BO definition, which lets the custom BO use the access context of Purchase Order without having to integrate the custom BO with ACL:
       [RelevantForAccessControl] association For_Access_Control to PurchaseOrder
  2. Integrate the ACL dependent object with the custom BO and use the concept just as standard business objects do. As of today, this approach supports only the access context ‘1010-Employee’.

How to integrate ACL with custom business object

In this write-up I will detail the second approach mentioned above to achieve controlled access to a custom business object. The following example will be implemented as part of this explanation.

Scenario: A partner has created a business object ‘PurchaseOrder’ and wants to control access to it based on the employee who created the instance. User PGREENE is allowed only to Read the records created by TWEBBER, but can Read and Write records created by himself.

1. Create a solution in SDK.

2. Add a Business Object ‘PurchaseOrder’ to your solution and activate it. Define the BO as follows: the first three elements represent the employee ID, name and address of the employee who created the PurchaseOrder instance. The element marked with the annotation [AccessControlContext(Employee)] creates an association from the ROOT node to the ACL dependent object. This ACL will have access context 1010-Employee, and the access context UUID is copied from the attribute ‘OwnEmployeeUUID’.

3. Add a script file (Event-AfterModify) that fills the attribute ‘OwnEmployeeUUID’ with the current employee’s UUID, which then gets passed to the ACL node for controlled access.

4. Create screens on the business object.

5. Open the .uiwocview file in UI Designer by double-clicking on it. Under the properties tab, in section RBAMData, set the access context on the WoC View to 1010-Employee. Select the QAF and OIF screens against Assigned objects. Save and Activate.

6. Open the OWL file in UI Designer. Under the properties tab, in section RBAMData, select AccessControlledBusinessObject and remove the flag ‘UnrestrictedAccess’, which is set by default. This allows the OWL to load only relevant data based on access rights.

7. On the OWL screen, the SELECT_ALL query is set by default for loading the data, but this query does not have ACL attributes. Instead, use the FSI query ‘QueryByElements’, which is created implicitly with the ROOT node, as the default query to load the data. You can see that this query already includes the ACL node attributes needed to fetch relevant data.

8. Set the RBAMData for the QAF screen in the same way as for the OWL.

9. Assign the new WoC View to users and set the access rights as follows. For user PGREENE:

    a. READ and WRITE access for PGREENE records
    b. Only READ access for TWEBBER records


10. Create some instances of the custom BO with user PGREENE and with Tony Webber. Test on the UI by loading the OWL and QAF. In the OWL, PGREENE should be able to see only the records created by PGREENE and TWEBBER. PGREENE tries to edit the record created by Tony Webber and gets the error: “Not Authorized”.
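
The rights assigned in step 9 and the result tested in step 10, modelled as an added example in Python (not SAP code and not from the original post). The class and function names, record IDs and UUID strings are constructed placeholders, and denying on an unknown context or operation is this model's assumption, not documented ByDesign behaviour.

```python
from dataclasses import dataclass, field

EMPLOYEE_CONTEXT = "1010"  # access context 1010-Employee, as named in the post

@dataclass(frozen=True)
class Record:
    record_id: str
    context_code: str   # access context stored on the record's ACL entry
    context_uuid: str   # access context UUID (here: copied from OwnEmployeeUUID)

@dataclass
class AccessRights:
    unrestricted: bool = False               # the default 'Unrestricted' setting
    read: set = field(default_factory=set)   # employee UUIDs the user may read
    write: set = field(default_factory=set)  # employee UUIDs the user may write

def allowed(rights, record, operation):
    """Return True if `operation` ('read' or 'write') is permitted on `record`."""
    if rights.unrestricted:
        return True
    if record.context_code != EMPLOYEE_CONTEXT:
        return False  # model assumption: unknown context is denied
    granted = {"read": rights.read, "write": rights.write}.get(operation, set())
    return record.context_uuid in granted

def load_owl(rights, records):
    """Model of the restricted list: only readable records are returned."""
    return [r.record_id for r in records if allowed(rights, r, "read")]

def edit(rights, record):
    """Model of saving a record: refuse unless write access is granted."""
    if not allowed(rights, record, "write"):
        raise PermissionError("Not Authorized")
    return "saved"

# Constructed sample data: placeholder UUIDs, plus a third employee to show filtering.
PGREENE, TWEBBER, OTHER = "uuid-pgreene", "uuid-twebber", "uuid-other"
RECORDS = [
    Record("PO-1", EMPLOYEE_CONTEXT, PGREENE),
    Record("PO-2", EMPLOYEE_CONTEXT, TWEBBER),
    Record("PO-3", EMPLOYEE_CONTEXT, OTHER),
]
PGREENE_RIGHTS = AccessRights(read={PGREENE, TWEBBER}, write={PGREENE})

if __name__ == "__main__":
    print(load_owl(PGREENE_RIGHTS, RECORDS))  # records visible to PGREENE
    print(edit(PGREENE_RIGHTS, RECORDS[0]))   # own record: write allowed
    try:
        edit(PGREENE_RIGHTS, RECORDS[1])      # TWEBBER's record: read-only
    except PermissionError as err:
        print(err)
```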


Hope this blog was helpful for implementing the access control on custom Business Objects.

      Horst Schaude

      Hello Babu,

      Hope this helps clarify questions in advance. 😉



      Babu Lal Limba

      should be, Horst 🙂

      Christine Toblier

      Hello Babu and Fred,


      thank you for this post. I was able to create a restricted OWL with these detailed instructions, but I have some issues to assign the Access context also to a custom OVS. (Post:

      Do you know if there are any particular settings to set the Access context on the Object value selector?

      Kind regards,



      Sunil Kumar Maurya

      Hi Babu,

      I can't see Details Restriction. In my case there is no Assign Group ID.

      How to bring data in Details Restriction?

      I want to restrict a user to read data or see it on the OWL.



      Fred K

      Hi Babu,

      Is it possible to change the error message in QA because it is difficult for the end user to understand?

      Best Regards,


      Sumit Mittal

      Is it possible to implement the same based on the user's sales area data?

      For example, show only records from the custom BO which match the sales area data based on user assignment in the org. model?