SAP Knowledge Base Article - Public

2527629 - How to Restrict Homeless Objects from Being Visible

Symptom

You want to control data access only based on the criteria defined by the restriction rules of a business role and you don't want homeless objects not to be visible.

or

You have restricted access to Sales Org and you are able to see Accounts under these Sales Org, and you can also see those Accounts which are not under any Sales Org.

Environment

SAP Cloud for Customer

Cause

The object is a so called homeless/ orphan object, meaning that the object does not contain any access restriction relevant content. For example: an account which has no Owner and no Account Team.

Resolution

  1. Go to Business Configuration workcenter.
  2. Open the Implementation Project.
  3. Click Edit Project Scope.
  4. Click Next until you get to 4 Questions.
  5. Select Built-In Services and Support.
  6. Select System Management.
  7. Select User and Access Management.
  8. Enable the scoping question: Remove the authorization for unassigned data records - 'Do you want in general restrict access to data records that do not contain any access restriction relevant content?'

This business option allows you to control data access only based on the criteria defined by the restriction rules of a business role. Data records without any assignment applicable for the corresponding access context will not be visible to a business user that has restricted access to a business object, once this option is selected.

If you enable this scoping question and the "Compatibility mode for Access Context 1015" scoping question, then accounts that do have only sales data (and no account team or territory assignment) can still be accessed by a business user that has restricted account access. This is also valid for transactions that contain sales data without a territory or employee assigned. (refer to KBA 2808551)

However, for this "Remove the authorization for unassigned data records" scoping question, if Account BO is restricted based on Restriction Rule: 9 - Sales Organization of Employee, enable this scoping question will make it not possible in to maintain sales data in Account quick creation page, and also not possible to create "homeless" accounts. (error occurs when you save the account, mentionning that you're not authorized to create account)

Hence, if your enable this scoping question, you have to choose a restriction rule for the Account BO restricting by Employee or Territory, but not Sales data. Because this data you can maintain in the quick creation page.

See Also

 2808551 - Whether an Account is Considered as Homeless or Not.

Keywords

account, homeless, orphan, access restriction, can see, visible, scoping , KBA , LOD-CRM-ACC , Account , How To

Product

SAP Cloud for Customer add-ins all versions