Skip to Content
Technical Articles
Author's profile photo Ijlal Nasir

How to implement User Access Restriction on a SAP Custom Business Object

Background Context

Business objects developed by SAP in Business ByDesign can have controlled access based on the associated Access Control List (ACL) node data. ACL is a dependent object (DO) that can be related to the business object to provide controlled access.


We have a Custom Business Object, and it has a field of Plant in it. The client’s requirement is to restrict users’ access based on Plant.

  • Considering our scenario now, since we don’t want a user to see the records of a Plant he is not a part of, it’s pretty clear that the restriction is on Plant.
  • The next step would be selecting the appropriate Access Context, now in the case of Plant, its DataType is OrganisationalCenterID/LocationID. So we will use the Access Context 1008-Site.
  • We have to search in RepositoryExplorer which BO supports this access context. In my example, I searched and found that LogisticsTaskFolder meets my needs.


Supported Access Contexts

1. SDK Solution Changes

Here is an example of a Custom Business Object with AccessControl to LogisticsTaskFolder

import AP.Common.GDT as apCommonGDT;

import AP.LogisticsExecution.Global;


[DeploymentUnit(ProductionAndSiteLogisticsExecution)] businessobject PlantAccessControl {

  element       Plant       : OrganisationalCenterID;

  element       Consistent  : ConsistencyStatusCode;

  [RelevantForAccessControl] association For_Access_Control to LogisticsTaskFolder;



  • It is important to remember that we will have to change the DeploymentUnit of the BO to implement the For_Access_Control association.

  • [RelevantForAccessControl] is the annotation that is to be used to link association with standard objects to inherit the Access Context for your custom Business Object.

We need to create a BO Query for our custom object as there is something called ACL (Access Control List) data which will be carried only by the Fast Search Index (FSI) BO query.


BO Query

Next, we will a code for filling our association. Create a BeforeSave script for your custom BO and fill in something to retrieve the Instance of that BO. This code is just a reference:

if (!this.For_Access_Control.IsSet())


var LogisticsTaskInst = LogisticTaskFolder.Retrieve(this.SiteID);

this.For_Access_Control = LogisticsTaskInst;


//This part is only for testing


       this.Consistent = “3”; // Consistent



       this.Consistent = “2”; // Inconsistent



2. UI Designer Changes

Open the OWL screen of custom BO now, and in the case of SADL Query, you just need to select one selection checkbox of the For_Access_Control ID.

In the case of a standard Query, you need to perform some extra steps.

  • The Query section under the Controller tab should look like this


Query in Controller

  • Binding under the DataModel tab should look like this


DataModel Binding

2.1 OWL/QA/OIF Changes

Open these screens one by one and select Floorplan, change Properties as shown below under RBAMData


Access Controlled Objects

  • Change the Access Check Mode to “PrivilegedExceptAccessControlBusinesssObjects”
  • Set Authorization Classification Code to “Application”
  • Select Access Controlled Business Object and make sure you see your object having Unrestricted Access unchecked.
  • Save and Activate

2.2 WCView Changes

Open the custom WC view and change the AccessContextCode under RBAMData to the one we need, for example in this case which is “1008 – Site” as shown below:


Access Context Code

3. Assign Access Rights (SAP UI)

  • Activate the WorkCenter for the Business User and then go to the Access Restrictions tab.
  • Find the Work Center you created and in front of the Access Context change its Read and Write Access from Unrestricted to Restricted as shown below


Access Restrictions

  • Finally, assign which Site Access you want the user to have by selecting the Read and Write Access below like this, a user can have access to more than one Plants in this case:


Read and Write Access

You can test the work centers after this yourself and you’re done.


Here also some further resources that may help you:

SAP Business ByDesign environment Topic page (, post and answer questions (, and read other posts on the topic (


In case of any queries or further detailed guidelines feel free to ask, and if you want to see similar content in the future make sure you follow me.

It would also mean a lot to me if you could share your thoughts regarding the blog in the comments or by messaging me. I will be happily consider your suggestions and take steps to make the blog even better in the future, thanks!

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Muhammad Naveed Noor
      Muhammad Naveed Noor

      Very informative and useful information Ijlal Nasir.

      Author's profile photo Asif Ali
      Asif Ali

      Good Work

      Author's profile photo Faisal Aslam
      Faisal Aslam

      Excellent Work


      Author's profile photo Patrick Scheiel
      Patrick Scheiel

      Hi Ijlal Nasir.,

      Thank you for the instruction. It works well for my custom BO.

      I also have to restrict the access to a Mass Data Run OWL for this custom BO.

      Do you know how to proceed here as i cannot define [RelevantForAccessControl] as there is no BO-definition for the mass data run.

      Would be great to get a solution!

      Best regards,