Siraj Saibudeen

C4C Access Control Management – Deep Dive into the restriction rule “Territories, Employees (for Managers)”

Introduction

I recently worked on a project assignment in which the visibility requirements were a little complex and included cross-unit visibility. It was decided that we would use Territories to drive the access restriction strategy for all business processes. While exploring the different restriction rules, we concluded that the rule “Territories, Employees (for Managers)” works best for our complex visibility requirements.

The advantage of the restriction rule “Territories, Employees (for Managers)” is that it gives access to cross-unit transactions. Its drawback is that it is not obvious why a given transaction is visible to an employee or a manager in the org unit hierarchy.

The sections below explain how this restriction rule works for each business transaction.

Opportunities Visibility

Restriction Rule  : “1-Recommended: Territories, Employees (for Managers)”

Rule Description : Access based on the employee, territory assignment, and involvement of employees reporting to user in org unit (including sub-units)

Search Filter Views

Opportunity Visibility Examples

Let us assume that there are two territories, which are different business units in a country. The employees used in the examples below are all part of the “VSM” territory, but they are also assigned to opportunities belonging to the “IS” territory, because the business requirement is that employees support transactions belonging to other business units and need visibility into those transactions.

Ricky Groover is the manager of an org unit and the employees below report to him. All 3 are part of the “VSM” territory.

  • Gus Martinez
  • Jeff Kea

 

Sales Manager Visibility

Ricky Groover's visibility is explained below.

All – He will see 12 opportunities in total: 7 belonging to his own “VSM” territory and the other 5 belonging to the “IS” territory. He will see these additional 5 opportunities because he and his reportees are part of the sales team of those opportunities. A Sales Manager gets additional access to opportunities where their reportees are working, even though those opportunities belong to another territory.

My Opportunities – He will see only one opportunity, as he is assigned as part of the sales team in opportunity ID 2005.

My Team’s Opportunities – He will see 10 opportunities in total: 5 belonging to the “VSM” territory and another 5 belonging to the “IS” territory. The “IS” territory opportunities are visible because he or his reportees are assigned in the sales team of those opportunities.

Sales Representative Visibility

Gus Martinez's visibility is explained below.

All – He will see 8 opportunities in total: 7 belonging to his own “VSM” territory and the opportunity ID 2001, where he is assigned in the sales team. Even though this opportunity belongs to another territory, he will still have access because of his assignment in the sales team.

My Opportunities – He will see 4 opportunities: 3 belonging to the “VSM” territory and the opportunity with ID 2001.

My Team’s Opportunities – He will see 6 opportunities: 5 belonging to the “VSM” territory and the opportunity with ID 2001.

Note: This restriction rule works differently for employees and managers in the search view “My Teams”. A manager will see all the opportunities where their reportees are assigned, even though those opportunities belong to another territory. An employee will see an opportunity belonging to another territory only if they themselves are assigned in its sales team.
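The opportunity behaviour described above can be modelled as an access check (territory, own involvement, or a reportee's involvement for managers) combined with a search-view filter. The sketch below is an added example, not SAP's implementation and not part of the original article. Apart from IDs 2001 and 2005, the opportunity IDs, the “Other Rep” user, the org unit name, the placement of 2005 in the “IS” territory and the reading of “My Team's” as “any member of the user's org unit is in the sales team” are assumptions chosen so that the counts match the article.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Opportunity:
    id: int
    territory: str
    sales_team: frozenset

@dataclass
class User:
    name: str
    territories: set
    org_unit: str
    reportees: set = field(default_factory=set)  # filled only for managers

def has_access(user, opp):
    """Access context: own territory, own involvement, or (managers only)
    involvement of an employee who reports to the user."""
    return (opp.territory in user.territories
            or user.name in opp.sales_team
            or bool(user.reportees & opp.sales_team))

def visible(user, opps, view, unit_members):
    """A search view is a filter applied on top of the access context."""
    filters = {
        "all": lambda o: True,
        "my": lambda o: user.name in o.sales_team,
        # Assumption: "My Team's" matches any member of the user's org unit.
        "my_team": lambda o: bool(unit_members[user.org_unit] & o.sales_team),
    }
    return sorted(o.id for o in opps if filters[view](o) and has_access(user, o))

# Constructed data. Only IDs 2001 and 2005 come from the article; the rest,
# including "Other Rep" and opportunity 2006, are made up for the example.
TEAMS = {1001: "Gus", 1002: "Gus", 1003: "Gus", 1004: "Jeff", 1005: "Jeff",
         1006: "Other Rep", 1007: "Other Rep",            # VSM territory
         2001: "Gus", 2002: "Jeff", 2003: "Jeff", 2004: "Jeff",
         2005: "Ricky", 2006: "Other Rep"}                # IS territory
OPPS = [Opportunity(i, "VSM" if i < 2000 else "IS", frozenset({who}))
        for i, who in TEAMS.items()]
UNIT = {"VSM Sales": {"Ricky", "Gus", "Jeff"}}
RICKY = User("Ricky", {"VSM"}, "VSM Sales", reportees={"Gus", "Jeff"})
GUS = User("Gus", {"VSM"}, "VSM Sales")

if __name__ == "__main__":
    for u in (RICKY, GUS):
        for view in ("all", "my", "my_team"):
            print(u.name, view, visible(u, OPPS, view, UNIT))
```

Opportunity 2006 is in the “IS” territory with nobody from the org unit involved, so neither user sees it in any view.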

Appointments Visibility

Restriction Rule  : “2-Recommended: Territories, Employees (for Managers)”

Rule Description : Access based on the employee, territory assignment, and involvement of employees reporting to user in org unit (including sub-units)

Search Filter Views

Appointment Visibility Examples

Let us assume that there are two territories, which are different business units in a country. The employees used in the examples below are all part of the “VSM” territory, but they are also assigned to appointments belonging to the “IS” territory, because the business requirement is that employees support transactions belonging to other business units and need visibility into those transactions.

Ricky Groover is the manager of an org unit and the employees below report to him. All 3 are part of the “VSM” territory.

  • Gus Martinez
  • Jeff Kea

Sales Manager Visibility

Ricky Groover's visibility is explained below.

All – He will see 12 appointments in total: 7 belonging to his own “VSM” territory and the other 5 belonging to the “IS” territory. He will see these additional 5 appointments because he and his reportees are assigned as either the “Owner” or “Attendee” in those appointments. A Sales Manager gets additional access to appointments where their reportees are involved, even though those appointments belong to another territory.

My Appointments – He will see only one appointment, as he is assigned as Owner in appointment ID 205.

My Team’s Appointments – He will see 10 appointments in total: 5 belonging to the “VSM” territory and another 5 belonging to the “IS” territory. The “IS” territory appointments are visible because he or his reportees are assigned as either “Owner” or “Attendee” in those appointments.

Sales Representative Visibility

Gus Martinez's visibility is explained below.

All – He will see 8 appointments in total: 7 belonging to his own “VSM” territory and the appointment ID 201, where he is assigned as either “Owner” or “Attendee”. Even though this appointment belongs to another territory, he will still have access because of his assignment in the appointment.

My Appointments – He will see 4 appointments: 3 belonging to the “VSM” territory and the appointment with ID 201.

My Team’s Appointments – He will see 6 appointments: 5 belonging to the “VSM” territory and the appointment with ID 201.

Note: This restriction rule works differently for employees and managers in the search view “My Teams”. A manager will see all the appointments where their reportees are assigned, even though those appointments belong to another territory. An employee will see an appointment belonging to another territory only if they themselves are assigned as either the “Owner” or “Attendee” in it.

Tickets Visibility

Restriction Rule  : “3: Territories”

Rule Description : Access based on the employee’s territory assignment only (incl. sub-territories)

Even though the restriction rule says that visibility is based only on territories, the system behaves differently. Visibility is based on both “Territories” and the employee's assignment to tickets belonging to another territory.

Search Filter Views

Tickets Visibility Examples

Let us assume that there are two territories, which are different business units in a country. The employees used in the examples below are all part of the “VSM” territory, but they are also assigned to tickets belonging to the “IS” territory, because the business requirement is that employees support transactions belonging to other business units and need visibility into those transactions.

Ricky Groover is the manager of an org unit and the employees below report to him. All 3 are part of the “VSM” territory.

  • Gus Martinez
  • Jeff Kea

 

Sales Manager Visibility

Ricky Groover's visibility is explained below.

All – He will see 7 tickets in total, all 7 belonging to his own “VSM” territory.

My Tickets – He will see nothing, because he is not assigned as “Processor” in any of the tickets.

My Team’s Tickets – He will see 5 tickets in total, all belonging to his own territory, because only these 5 tickets have his own team populated in the team field.

Sales Representative Visibility

Gus Martinez's visibility is explained below.

All – He will see 8 tickets in total: 7 belonging to his own “VSM” territory and the ticket ID 601, where he is assigned as the “Processor”. Even though this ticket belongs to another territory, he will still have access because he is the processor of this ticket.

My Tickets – He will see 4 tickets. 3 belonging to “VSM” territory and the ticket with ID 601.

My Team’s Tickets – He will see 4 tickets. 3 belonging to “VSM” territory and the ticket with ID 601.

Note: Though the restriction rule for Tickets is maintained as “3:Territories”, business users will have access to tickets belonging to another territory if the logged-in user is assigned as the “Processor” of that ticket.

Conclusion

Though the restriction rules are pretty standard, the system behavior is different for each individual transaction in C4C. Since the restriction rule “Territories, Employees” combines two different objects to derive the visibility, it has its own complexity and it is hard to understand clearly how the visibility works. Also, the visibility is not uniform across all transactions, as each transaction has its own functionality and behavior, especially when it comes to the employees' involvement in these transactions.

To get a general overview of Access Control Management, please go through this fantastic article in the CX Works portal.

https://www.sap.com/cxworks/article/437090014/Access_Control_Management

 


      5 Comments
      Philippe Sinnaeve

      Dear Siraj,

      If I have, for example, 3 Sales Units

      Sales unit Global

      Manager :Manager Global

      employees :

      Manager Local1

      Manager Local2

      and 2 sub units

      Sales Unit 1

      Manager :Manager Local1

      employees :

      userA

      userB

      Sales Unit 2

      Manager :Manager Local2

      employees :

      userC

      userD

      The Manager Global will see what in example for opportunities?

      In All -> Any oppt where userA, userB, userC, userD and Manager Local1 and Manager Local1 is part of Involved Party

      In My Team Oppt -> only where Manager Local1 and Local2 are part of Involved Party??

      In My Opportunity -> Oppt where he is part of Involved Party

      Thanks

      Siraj Saibudeen
      Blog Post Author

      Dear Philippe,

      All Opportunities - He should see all opportunities where the users Manager Local1 & 2, A, B, C, D and the manager himself are part of the sales team of the opportunity.

      My Teams Opportunities - It should be exactly the same as in All Opportunities above, because he is at the top of the org unit hierarchy.

      My Opportunities - He should see all opportunities where he is part of the Sales Team.

      I hope this helps.

      Regards,

      Siraj

      Philippe Sinnaeve

      Thanks for your response.

      Another question: if at the same level as Sales unit Global I have another Sales unit Global1 where the manager is Manager Local1 (same as Sales Unit1) and some users.

      Will the Manager Global, as Manager Local1 reports to him, also see the data of Sales unit Global1?

      Siraj Saibudeen
      Blog Post Author

      This seems to be tricky logic, but I will try to explain as much as I know.

      In general, the manager visibility is inherited through the Org Reporting Line hierarchy. The root unit Manager can see the data of the subsequent sub-units in the reporting line hierarchy.

      But in this case, since the Global1 unit is at the same level as Global, the above hierarchy inheritance would not work. But what will work is that the Global unit's manager will still see the opportunities belonging to Manager Local 1, because he is reporting to him.

      But if there are other employees assigned in the Global1 reporting unit (e.g. xyz, abc, edf), the Global Manager will not see the opportunities belonging to these new employees under his "My Teams" view.

      Philippe Sinnaeve

      perfect thanks for your response