Welcome to the blog series on access control management. The series discusses access control and business roles. It provides typical examples of roles and access management. The following are the blogs in this series:
- Basics of access control and business roles
- Access Control Management: Access restrictions explained - Access Context
- Access Control Management: Access restrictions explained - Restriction Rules (this blog)
- Access Control Management Example: Global versus local admin (coming soon)
- Access Control Management Example: Access forwarding (coming soon)
- How to analyze access control issues (coming soon)
Restriction rules handle the translation of the access restrictions defined in a generic (user-unspecific) role into the access restrictions of a specific user.
Example:
You have created a role for sales representatives. This role provides access to the work center views Account, Contacts, Opportunity and Sales Quote. You want to assign this role to all of your global sales representatives in the different organizations. By choosing the restriction rule “Assigned Territories and Employees (for Managers)”, the system will automatically set up the access restriction to the accounts where the user is assigned in the account team or in the territory team. As the system generates the access restriction for the user automatically, it is not necessary to create a role for each individual territory.
How does the system actually translate the access restrictions for the individual business users?
Sales Representative Nils Watt
Nils is a sales representative of the BFT Company Inc. Organizationally he is assigned to the corporate org unit of the company. He is also a member of the territory “Germany”, which has further sub territories assigned. Nils’ user has the role “BFT DE SALES ASSISTANT” assigned. For the Accounts work center view the access restriction rule “Assigned Territories and Employees (for Managers)” is selected.
[Screenshot: Nils Watt – Organizational assignment]
[Screenshot: Nils Watt – Territory assignment]
[Screenshot: Nils Watt – User role]
The following screen shots show the access rights for the Accounts work center view of Nils Watt’s user. These access rights were generated automatically:
- As Nils is assigned as an employee (and not as a manager) to his organizational unit, he is granted access only to those accounts (and contacts) where he is assigned as a member of the account team (no access to the accounts of other account team members!).
- As Nils is assigned to the territory Germany, he has access to all accounts assigned to this territory and, in addition, to all accounts assigned to its sub territories.
Nils’ access is a combination of the employee part of his access context (accounts where he is directly assigned as an account team member) and the territory part of his access context (accounts assigned to a territory, or sub territory, he is a member of).
The restriction rule of the role assigned to Nils’ user has generated his access rights dynamically. Dynamically means that a change of his territory assignment will lead to a change of his territory-related access rights.
Sales Manager Bodo Mann
Bodo is the manager of the BFT Company Inc. organizational unit. Bodo’s user has the same role “BFT DE SALES ASSISTANT” assigned as his employee Nils. Bodo is not assigned to any territory:
- As a manager, Bodo has access to all accounts where employees of his own organizational unit and its sub units are assigned in the account team. Please note that the organizational unit must be flagged as a sales unit (functional unit sales) to be effective in the access restrictions.
Does Bodo also have access to an account that his employee Nils Watt can access because Nils is a member of the territory team of the account but not a member of the account team?
The answer is no! The employee part of the access context only considers the organizational assignment of the manager’s employees, not their territory memberships.
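To make the two resolutions above concrete, here is a small model of how the rule “Assigned Territories and Employees (for Managers)” turns role, org unit and territory data into a per-user account list. This is an added illustration, not code from the original post or from the product it describes; the org units, territories, accounts and team memberships are constructed to mirror the Nils Watt / Bodo Mann scenario, and the data model and function names are assumptions made for this example, not the system's actual API.

```python
"""
Model of the restriction rule "Assigned Territories and Employees (for Managers)".
Added example; data model, names and sample data are assumptions, not product code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class OrgUnit:
    name: str
    parent: Optional[str]
    is_sales_unit: bool                 # only sales units count for the manager part
    manager: Optional[str] = None
    employees: Set[str] = field(default_factory=set)


@dataclass
class Territory:
    name: str
    parent: Optional[str]
    members: Set[str] = field(default_factory=set)


@dataclass
class Account:
    name: str
    account_team: Set[str] = field(default_factory=set)
    territory: Optional[str] = None


def descendants(name: str, nodes: Dict[str, object]) -> Set[str]:
    """Return `name` plus every node below it (sub units / sub territories)."""
    out, frontier = {name}, [name]
    while frontier:
        cur = frontier.pop()
        for n in nodes.values():
            if n.parent == cur and n.name not in out:
                out.add(n.name)
                frontier.append(n.name)
    return out


def employee_part(user: str, org_units: Dict[str, OrgUnit], accounts: Dict[str, Account]) -> Set[str]:
    """Employee part of the access context.
    Plain employee: accounts where the user is in the account team.
    Manager: additionally, accounts where any employee of a managed sales unit
    (or its sub units) is in the account team. Territory memberships of those
    employees are deliberately NOT considered."""
    team_members = {user}
    for unit in org_units.values():
        if unit.manager == user:
            for sub in descendants(unit.name, org_units):
                if org_units[sub].is_sales_unit:
                    team_members |= org_units[sub].employees
    return {a.name for a in accounts.values() if a.account_team & team_members}


def territory_part(user: str, territories: Dict[str, Territory], accounts: Dict[str, Account]) -> Set[str]:
    """Territory part: accounts in any territory (plus sub territories) the user belongs to."""
    reachable: Set[str] = set()
    for t in territories.values():
        if user in t.members:
            reachable |= descendants(t.name, territories)
    return {a.name for a in accounts.values() if a.territory in reachable}


def resolve_access(user, org_units, territories, accounts) -> Set[str]:
    """Union of both parts, as generated for the Accounts work center view."""
    return employee_part(user, org_units, accounts) | territory_part(user, territories, accounts)


def build_scenario():
    """Constructed sample data mirroring the blog's scenario (not real customer data)."""
    org_units = {u.name: u for u in [
        OrgUnit("BFT Corporate", None, True, manager="Bodo", employees={"Nils", "Anna"}),
        OrgUnit("BFT DE Inside Sales", "BFT Corporate", True, employees={"Carl"}),
        OrgUnit("BFT HR", "BFT Corporate", False, employees={"Dora"}),   # not a sales unit
    ]}
    territories = {t.name: t for t in [
        Territory("Germany", None, members={"Nils"}),
        Territory("Bavaria", "Germany"),
        Territory("Berlin", "Germany"),
        Territory("France", None, members={"Pierre"}),
    ]}
    accounts = {a.name: a for a in [
        Account("Alpha GmbH", {"Nils"}, "Germany"),
        Account("Beta AG", {"Anna"}, "Bavaria"),
        Account("Gamma KG", {"Pierre"}, "Berlin"),    # Nils via sub territory only
        Account("Delta SARL", {"Pierre"}, "France"),
        Account("Epsilon Ltd", {"Carl"}),             # Bodo via sub unit employee
        Account("Zeta OHG", {"Dora"}),                # HR is not a sales unit
        Account("Eta SA", {"Anna"}, "France"),        # Bodo via Anna, Nils not at all
    ]}
    return org_units, territories, accounts


if __name__ == "__main__":
    data = build_scenario()
    for user in ("Nils", "Bodo"):
        print(user, sorted(resolve_access(user, *data)))
```

Running it shows Nils with Alpha GmbH, Beta AG and Gamma KG (one via the account team, two via Germany and its sub territories) and Bodo with Alpha GmbH, Beta AG, Epsilon Ltd and Eta SA (all via account team membership of employees in his sales units). Gamma KG, which Nils reaches only through the territory team, is not in Bodo's list, which is exactly the answer given above.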
When setting up a role I recommend using access restriction rules rather than defining specific restrictions. This might not always be possible for all customer use cases, but using restriction rules can reduce the number of different business roles, as the same role can be used for users of different organizations, territories, etc. This reduces the maintenance and administration effort for handling the roles.
The restriction rule can be maintained in the “Access Restriction” section per individual work center view. Which rules are offered depends on the access context of the work center view/business object. In the screen shot above you see the available restriction rules for the access context 1015 – Employee or Territory or Sales Data. Other work center views/business objects that are assigned to different access contexts will provide a different set of restriction rules.
The restriction rules are defined by the standard and cannot be changed or extended customer-specifically.