Access Control Management: How to analyse access control issues
Welcome to the blog series on access control management. The series discusses access control and business roles. It provides typical examples of roles and access management. The following are the blogs in this series:
- Basics of access control and business roles
- Access Control Management: Access restrictions explained - Access Context
- Access Control Management: Access restrictions explained - Restriction Rules
- Access Control Management Example: Global versus local admin
- Access Control Management Example: Access forwarding
- How to analyse access control issues - this blog
- Special Access Control Topics
How to Analyze Access Control Issues easily
Access control is not working! This is an issue often reported to SAP, yet in most cases it turns out that the system is working correctly but the access control was not set up properly. Before you create an incident, read and familiarize yourself with the following topics in order to successfully set up access control on your system.
These are the most frequently used check scenarios to go through in case of any access control issues. If you have additional guidelines that you believe are important to add to the list, please add a comment to this blog with your findings.
- Check the system's business role setup
The restriction rules of the business role might consider the current organizational assignments, territory assignments, or other types of structural data.
In order to make sure that the business role reflects the current assignment status, access the business role from the Administrator work center -> choose the function Assigned Users -> Update Users. This function triggers a background job that updates each user’s access rights according to the current setup and restriction rules.
Note: If you re-assign an employee to a different organization, the background job is triggered automatically.
It is nevertheless recommended to run the job in case you have larger structural changes, such as moving a sales unit with several employees from one sales organization to another. Please also check the validity of the organizational unit and the employee assignment, as this often reveals access control issues.
The background job is processed on a daily basis (midnight). Hence, starting the job manually is only needed as an exceptional action when access control does not behave as you expect.
- Check for user access restriction error messages
The restriction rules are implemented into individual user’s access rights. For example, depending on the territory or organizational assignment, the user receives access to an opportunity or an account assigned to the same territory. In this instance, the user of that role must be assigned to a territory. If this is not the case, the system is not able to identify a restriction for that user and indicates this with an error message. As a result, the work center view is not even available to the affected user although it is assigned in the business role.
Note: The messages can be reviewed in the business role (assigned business user) or from the business user view details.
- Check the current access rights for users
The restriction rules in a business role are generic access rights. Each restriction rule is transformed into an individual business user’s access rights, and those access rights then control the access to a business object instance. Checking the actual access settings in the business user often clarifies unclear access behavior. This check is an important exercise in any system encountering access control issues. Here are the steps on how to proceed:
--> Check the business object details, for example which data (employees, territories, organizational units) the transaction or master data requires in order to become accessible.
--> Compare the business object details with the user access rights by navigating to Administrator -> Business Users -> select the relevant user -> Edit -> Access Rights -> Access Restrictions -> select the relevant work center view.
The system now displays the actual access rights by access group (for example Employee, Territory, Sales Organization) that are relevant for that particular business user.
- Managing “Homeless” Objects
In some cases, administrators (key users) wonder why, for example, an account can be accessed by all users even though access restrictions have been maintained for those users. This access might be caused by the fact that the account does not have one or more of the following:
- account team member
- assigned sales data
This means that no access-determination-relevant data has been maintained in the business object instance (master data or business document). Therefore, the system is not able to identify any access restrictions. In this case, the system does not restrict access to the object instance at all, and it is accessible by all users. In order to restrict access to this object instance, at least some access-relevant data must be maintained, for example an account team member or a territory assignment.
- Related Views with different access rights
The Opportunity work center view and the Opportunity Pipeline Simulation are two different work center views. However, both grant access to the same business document – Opportunities.
If you have access to an opportunity in one of the work center views, you can also access the document in the other work center view. If the Opportunity Pipeline Simulation has unrestricted access, this access setting will also be relevant for the Opportunity work center view, even if a different setting is maintained there. In this case, the users receive the “correlation” (the combination) of the authorizations granted from both work center views.
Note: Confirm that both work center views are maintained with the same access restrictions.
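The “homeless” object rule and the combination of access across related work center views, as an added illustrative model that is not SAP’s own implementation; the object names, territory IDs and the assumption that a restriction must match on at least one access group are constructed for this example:

```python
# Illustrative model of the access determination behaviour described in this
# post (not SAP's own implementation). All sample data below is constructed.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BusinessObject:
    """E.g. an account or opportunity; access_data holds its access-relevant
    data per access group, such as {"Territory": {"T-100"}}."""
    name: str
    access_data: dict[str, set[str]] = field(default_factory=dict)


@dataclass
class ViewRestriction:
    """Effective restriction of one work center view for one business user.
    None means the view grants unrestricted access."""
    by_group: Optional[dict[str, set[str]]]


def is_homeless(obj: BusinessObject) -> bool:
    """True when no access-relevant data is maintained on the object."""
    return not any(obj.access_data.values())


def view_grants(restriction: ViewRestriction, obj: BusinessObject) -> bool:
    if restriction.by_group is None:
        return True                      # unrestricted view
    if is_homeless(obj):
        return True                      # nothing to restrict on: visible to everyone
    # Assumption: access is granted if any access group overlaps.
    return any(obj.access_data.get(group, set()) & values
               for group, values in restriction.by_group.items())


def user_can_access(views: dict[str, ViewRestriction], obj: BusinessObject) -> bool:
    """Related views share the document type: access via any view is enough."""
    return any(view_grants(r, obj) for r in views.values())


# Constructed sample: Opportunity view restricted to territory T-100, but the
# Pipeline Simulation view left unrestricted (the misconfiguration in the post).
MISMATCHED_VIEWS = {
    "Opportunity": ViewRestriction({"Territory": {"T-100"}}),
    "Opportunity Pipeline Simulation": ViewRestriction(None),
}
ALIGNED_VIEWS = {
    "Opportunity": ViewRestriction({"Territory": {"T-100"}}),
    "Opportunity Pipeline Simulation": ViewRestriction({"Territory": {"T-100"}}),
}
OPP_OTHER_TERRITORY = BusinessObject("OPP-2", {"Territory": {"T-200"}})
HOMELESS_ACCOUNT = BusinessObject("ACC-9")   # no team member, no sales data
```

Running the model shows the two effects the post describes: the mismatched views expose an opportunity from another territory, and a homeless account is reachable even with aligned restrictions.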
Access forwarding is sometimes also a reason for unexpected access behavior. For more information, please read the blog post in this series on that topic (Access Control Management Example: Access forwarding).
In case a user has access to more work centers, work center views, and data than assigned in their business role, check whether that user is a delegate. Delegates are maintained by the Administrator: navigate to Administrator -> select “Delegates” from the pop-up menu.
Delegates get all access rights from the employee they are the substitute for. Delegates are maintained with a validity period.