How access restrictions work in a Project in SAP Cloud ALM
In this blog post, I would like to explain
What is this newly introduced option called Access Level
What happens to existing Projects with this change
How can you use it
so let’s get started.
you may also want to watch the video
Before you proceed please ensure you are familiar with the difference between Project roles and authorization roles. If not please read this Blog Post
or watch this video
What is the access level?
Access level in a Project is a newly introduced option that is offered during Project creation with three values
This option should be used if a Project lead wants the editing rights of artifacts in the Project to be open to all tenant users as long as they have a Project Member or higher authorization. This means the Project lead does not need to explicitly assign people to the Project and give them a Project role. As long as someone has the proper authorization role, he or she can freely edit things in a Project even if this person is not assigned to any Team or any Project role within the Project
In case the Project lead wants to control the editing of artifacts of a Project but make them easily available to all the different tenant users, this option should be used. This means only the persons explicitly assigned to a Project and having a Project role can edit the artifacts of the Project but all other tenant users can view the artifacts in the Project as long as they have a Project viewer authorization role or higher
|Note: You can end up losing editing rights if you remove yourself from the Project and set access level to Restricted . So Please ensure you remain as Project Lead or Project member in that specific Project before you perform this change.|
This option should be used in case the Project deals with sensitive information and even the name of the Project is confidential. The display and edit access of the Project will be limited to only the users which are explicitly assigned to at least one Team in a Project in a Project role
|Note: You can end up losing viewing and editing rights if you remove yourself from the Project and set it to Private. You can infact lock yourself out. So Please ensure you remain as Project Lead or at least a Project member in that specific Project before you perform this change.|
What happens to existing Projects
Existing projects will be set to access level Public. Please ensure this is correct or change the access level as per your needs
What happens to newly created Projects
Newly created Projects get the access level Restricted by default. This can be easily changed anytime.
How to use Access Level
A Project lead needs to decide what kind of information is in a Project. As an example, you can use the below hints
- If the Project needs wide collaboration with an organization – Set to Public
- If the Project needs to be controlled edit but transparency for reading information – Set to Restricted
- If the Project information is sensitive or valid only for a controlled group – Set to Private
Is there any fine Print
You need to understand that if a Project is set to Private, it will not appear in search results for nonproject members. In case you have a Deployment Plan which is assigned to a Private Project,
For a person who has access to Project, the Deployment Plan will look like
But if the logged-in person is not assigned to the Private Project the name of the Project will not appear in the assigned Projects section and will appear anonymized
Also, you need to be careful when making a Project Restricted or Private as you may lose editing rights
You also need to be aware that a Project Administrator can still access information for a Private Project
Is there more detailed information
This is the most detailed matrix to understand
How to read this matrix
First of all, you need to understand that when you assign anyone as Project Lead in a Project ie give him the Project role “Project Lead”, he also gets the authorization role “Project Lead”. When you give a Project role such as Business Expert or Analytics Expert, he gets a “Project Member” authorization role. So it’s important to know this mapping
So let’s assume Business Expert Betty working in Project A ( Project role: Business Process Expert, Authorisation role: Project member in Project A ) looking a Project B where is she is not assigned. In this case Project B is set to Restricted. Since Betty is having a Project member authorization
the relevant record is
so Betty will be able to Display Project B and its artifacts and not edit them
As we publish more and more blog posts, it’s easy to get lost. Please visit the Master Blog post and bookmark it.
To understand an end-to-end picture, please visit
Expert Portal for Implementation and staying connected. You can also Follow me to ensure you do not miss any updates.