C4C Access Control Management – Deep Dive into the restriction rule “Territories, Employees (for Managers)”

Introduction

I recently worked in a project assignment where in the visibility requirements were little complex and had cross-units visibility requirements. It was decided that we use Territories to drive the access restriction strategy for all business processes. While exploring more into the different restriction rules, we finalized the rule “Territories, Employees (for Managers)” works best for our complex visibility requirements.

The advantage of using this restriction rule “Territories, Employees (for Managers)” is that it gives access to cross-unit transactions. But also, it has its own complexities in understanding how some transactions are visible for employees and managers in the org unit hierarchy.

The sections below will provide you with clear understanding how this restriction rule works for each business transactions.

Opportunities Visibility

Restriction Rule  : “1-Recommended: Territories, Employees (for Managers)”

Rule Description : Access based on the employee, territory assignment, and involvement of employees reporting to user in org unit (including sub-units)

Search Filter Views

Opportunity Visibility Examples

Let us assume that there are two territories, which are different business units in a country. The employees used in the below screenshots are all part of the “VSM” territory, but they are also assigned to opportunities belonging to the “IS” territory. Because the business requirement is such that employees do support transactions belonging to other business units and they need visibility to those transactions.

Ricky Groover is the manager of an org unit and the below employees are reporting to him. All 3 are part of the “VSM” territory.

• Gus Martinez
• Jeff Kea

 

Sales Manager Visibility

Ricky Groover visibility is explained below

All – He will see 12 opportunities in total. 7 belonging to his own “VSM” territory and the other 5 belonging to “IS” territory. He will see this additional 5 opportunities because he and his reportees are part of the sales team of those opportunities. Sales Manger gets additional access to opportunities where their reportees are working even though that opportunity belongs to another territory.

My Opportunities – He will see only one opportunity, as he is assigned as part of the sales team in the opportunity ID 2005.

My Team’s Opportunities – He will see in total 10 opportunities. 5 opportunities belonging to “VSM” territory and another 5 belonging to “IS” territory. The “IS” territory opportunities are visible because he or his reportees are assigned in the sales team of those opportunities.

Sales Representative Visibility

Gus Martinez visibility is explained below

All – He will see in total 8 opportunities. 7 belonging to this own “VSM” territory and the opportunity ID 2001 where he is assigned in the sales team. Even though this opportunity belongs to another territory, he will still have access because of his assignment in the sales team.

My Opportunities – He will see 4 opportunities. 3 belonging to “VSM” territory and the opportunity with ID 2001.

My Team’s Opportunities – He will see 6 opportunities. 5 belonging to “VSM” territory and the opportunity with ID 2001.

Note: There is a difference in how this restriction rule works for employees and managers for the search view “My Teams”. Managers will see all the opportunities where his reportees are assigned, even though those opportunities belong to another territory. But employees will see only the opportunities where he is assigned in the sales team of opportunity belonging to another territory.

Appointments Visibility

Restriction Rule  : “2-Recommended: Territories, Employees (for Managers)”

Rule Description : Access based on the employee, territory assignment, and involvement of employees reporting to user in org unit (including sub-units)

Search Filter Views

Appointment Visibility Examples

Let us assume that there are two territories, which are different business units in a country. The employees used in the below screenshots are all part of the “VSM” territory, but they are also assigned to appointments belonging to the “IS” territory. Because the business requirement is such that employees do support transactions belonging to other business units and they need visibility to those transactions.

Ricky Groover is the manager of an org unit and the below employees are reporting to him. All 3 are part of the “VSM” territory.

• Gus Martinez
• Jeff Kea

Sales Manager Visibility

Ricky Groover visibility is explained below

All – He will see 12 appointments in total. 7 belonging to his own “VSM” territory and the other 5 belonging to “IS” territory. He will see this additional 5 appointments because he and his reportees are assigned as either the “Owner” or “Attendee” in those appointments. Sales Manger gets additional access to appointments where their reportees are involved even though that appointments belong to another territory.

My Appointments  – He will see only one opportunity, as he is assigned as Owner in the appointment ID 205.

My Team’s Appointments – He will see in total 10 opportunities. 5 appointments belonging to “VSM” territory and another 5 belonging to “IS” territory. The “IS” territory appointments are visible because he or his reportees are assigned as either “Owner” or “Attendee” in those appointments.

Sales Representative Visibility

Gus Martinez visibility is explained below

All – He will see in total 8 appointments. 7 belonging to this own “VSM” territory and the appointment ID 201 where he is assigned as either “owner” or “Attendee”. Even though this appointment belongs to another territory, he will still have access because of his assignment in the appointment.

My Appointments – He will see 4 appointments. 3 belonging to “VSM” territory and the appointment with ID 201.

My Team’s Appointments – He will see 6 appointments. 5 belonging to “VSM” territory and the appointment with ID 201.

Note: There is a difference in how this restriction rule works for employees and managers for the search view “My Teams”. Managers will see all the Appointments where his reportees are assigned, even though those Appointments belong to another territory. But employees will see only the Appointments where he is assigned as either the “Owner” or “Attendee” in appointments belonging to another territory.

Tickets Visibility

Restriction Rule  : “3: Territories”

Rule Description : Access based on the employee’s territory assignment only (incl. sub-territories)

Even though the restriction rule says that the visibility is only based on territories, the system behaves differently. The visibility is based on both “Territories” and employeess assignment to Tickets belonging to another territory.

Search Filter Views

Tickets Visibility Examples

Let us assume that there are two territories, which are different business units in a country. The employees used in the below screenshots are all part of the “VSM” territory, but they are also assigned to appointments belonging to the “IS” territory. Because the business requirement is such that employees do support transactions belonging to other business units and they need visibility to those transactions.

Ricky Groover is the manager of an org unit and the below employees are reporting to him. All 3 are part of the “VSM” territory.

• Gus Martinez
• Jeff Kea

 

Sales Manager Visibility

Ricky Groover visibility is explained below

All – He will see 7 tickets in total. 7 belonging to his own “VSM” territory.

My Tickets – He will see nothing, because he is not assigned as “Processor” in any of the tickets.

My Team’s Tickets – He will see in total 5 tickets. 5 tickets belonging to his own territory, because only these 5 tickets has his own team populated in the team field.

Sales Representative Visibility

Gus Martinez visibility is explained below

All – He will see in total 8 tickets. 7 belonging to this own “VSM” territory and the ticket ID 601 where he is assigned as the “Processor”. Even though this ticket belongs to another territory, he will still have access because he is the processor of this ticket.

My Tickets – He will see 4 tickets. 3 belonging to “VSM” territory and the ticket with ID 601.

My Team’s Tickets – He will see 4 tickets. 3 belonging to “VSM” territory and the ticket with ID 601.

Note: Though the restriction rule for Tickets is maintained as “3:Territories”, business users will have access to tickets belonging to another territory if the logged-in user is assigned as the “Processor” of that ticket.

Conclusion

Though the restriction rules are pretty standard the system behavior is different for each individual transactions in C4C. Since the restriction rule “Territories,Employees” combines two different objects to derive the visibility, it has its own complexity and it is hard to understand clearly how the visibility works. Also the visibility is not uniform across all transactions, as each transaction has its own functionality and behavior. Especially when it comes to the employees involvement in these transactions.

To get a the general overview of the Access Contro Management, please go through this fantastic article in CX Works portal.

https://www.sap.com/cxworks/article/437090014/Access_Control_Management