SAP Cloud for Customer add-ins

Special Access Control Topics - Delegates


Special Access Control Topics

In the previous sections I explained the basic concept of access control. This section provides details on special topics in the context of access control.

7.1 Restriction Rule Workforce

7.2 Delegates - this blog

7.3 Access Control for Reports
7.4 Access Control for custom developed Business Objects

When users are out of office, their substitutes need to be able to continue their work. This may also require the substitutes to get the same access rights for the period in which they are substituting for their colleagues.

The functionality to delegate access rights from one user to another is covered in the work center “Delegates”.

The work center can be accessed through the ADMINISTRATOR or PEOPLE work center. The work center view is assigned to Access Context “2008 – Org.Unit”. Hence it is possible to restrict access, for example, to employees of the user's own organizational unit.

Here is an example of how it works:

Norbert Toll is the Manager of the Sales Unit BFT Nord. The following employees are working for Norbert: Paul Altona, Norbert Toll, Knut Hansen and Frank Coast. Due to this assignment, Norbert has access to all their customers:


The reason for Norbert to also access the accounts of Mini Gross will be described later.

Frank Coast is a sales representative working in Norbert Toll’s sales unit. He has access only to the customer where he is assigned as an account team member.

In addition to the account work center, he also has the People work center assigned, which gives him access to the employee work center view. Please note that he only has read access to the employees.

As the manager, Norbert Toll, is planning to leave for vacation, he creates a delegates entry for Frank Coast to substitute for him during his absence. With the sales manager role assigned, Norbert can also access the delegates work center view as part of the People work center, and he has write access to the employees.

Please note: the delegates work center view in the People work center only allows a user to create entries for himself. The administrator is also able to create delegates for other employees.

With this delegates entry Frank Coast has now inherited the following access rights from Norbert Toll as long as the delegate’s entry is valid:

  • Access to the customers Norbert Toll has access to (the customers of Norbert’s team owned by Paul Altona, Norbert Toll, Knut Hansen).
    As you can see, Frank has no access to the customer owned by Mini Gross. The reason is that Norbert is currently substituting for Mini and has therefore inherited her access rights. However, access rights inherited through a delegates entry are not passed on to further delegates.

  • Write access to the employees.

  • Access to the delegates work center view. With this he can also create delegates entries.

With his inherited access to the delegates work center view, Frank has also created a delegates entry for Knut Hansen, valid for the same period in which he is substituting for his boss Norbert. With this assignment, Knut has access to the customers of Frank but not to those Frank has inherited from Norbert. Knut also has no write access to the employees and delegates. This underlines the fact that delegated access rights are not inherited further.
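The scenario above can be modelled in a few lines to make the one-level inheritance rule explicit. This is an added illustration, not SAP code or the product's implementation; the right labels, the dates, the inclusive validity check and the rights assumed for Knut Hansen and Mini Gross are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DelegateEntry:
    delegator: str      # user whose access rights are lent
    delegate: str       # substitute who receives them
    valid_from: date
    valid_to: date      # treated as inclusive (assumption)

    def active(self, on: date) -> bool:
        return self.valid_from <= on <= self.valid_to

# Constructed sample data: names from the example; labels and dates are hypothetical.
TEAM = ["Paul Altona", "Norbert Toll", "Knut Hansen", "Frank Coast"]
OWN_RIGHTS = {
    "Norbert Toll": {f"customers:{n}" for n in TEAM} | {"employees:write", "delegates:write"},
    "Frank Coast": {"customers:Frank Coast", "employees:read"},
    "Knut Hansen": {"customers:Knut Hansen"},
    "Mini Gross": {"customers:Mini Gross"},
}
START, END = date(2024, 7, 1), date(2024, 7, 14)
ENTRIES = [
    DelegateEntry("Mini Gross", "Norbert Toll", START, END),
    DelegateEntry("Norbert Toll", "Frank Coast", START, END),
    DelegateEntry("Frank Coast", "Knut Hansen", START, END),
]

def rights_by_source(user: str, on: date) -> dict[str, set[str]]:
    """Map each source ('own' or a delegator's name) to the rights it grants."""
    sources = {"own": set(OWN_RIGHTS.get(user, set()))}
    for e in ENTRIES:
        if e.delegate == user and e.active(on):
            # Only the delegator's OWN rights pass on; rights the delegator
            # inherited as someone else's delegate are not handed further.
            sources[e.delegator] = set(OWN_RIGHTS.get(e.delegator, set()))
    return sources

def effective_rights(user: str, on: date) -> set[str]:
    return set().union(*rights_by_source(user, on).values())

def explain(user: str, right: str, on: date) -> list[str]:
    """Troubleshooting helper: which sources give `user` this right on `on`?"""
    return sorted(s for s, r in rights_by_source(user, on).items() if right in r)

if __name__ == "__main__":
    day = date(2024, 7, 5)
    for u in ("Norbert Toll", "Frank Coast", "Knut Hansen"):
        print(u, sorted(effective_rights(u, day)))
```

`explain` names the delegates entry behind an unexpected right, which is the lookup to do first when investigating an access issue.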

In case of access right issues, please always check whether there are any delegate entries active for the users!