Sales Orders or other business objects that belong to a Sales Org other than the one assigned to your user can be seen.
SAP Cloud for Customer
Reproducing the Issue
Prerequisite: User ABC has Sales Org XYZ mapped (ABC and XYZ represent the user and sales org name respectively).
Our example looks at Sales Orders, but the same is true for other views, such as Individual Customers, Accounts, Opportunities, etc.
- Go to the Sales work center.
- Go to the Sales Orders view.
- You will see Sales Orders belonging to Sales Orgs different from that of your user.
- Go to the Access Restrictions of ABC. You will see that the Access Restrictions for Sales Order (or the relevant view in question) have Access Context "1015 - Employee, Territory, Account, Sales".
- Go to Administrator Work Center.
- Go to Check Users Authorization.
- Fill ABC as Business User.
- In Business Object ID, enter any Sales Order that is visible for user ABC and has a different Sales Org than that of user ABC.
- Choose Object - Sales Order.
- You see the Access Group ID: “55555555555555555555555555555555”.
If you want to restrict the access to homeless objects, this only works if the compatibility mode was deactivated beforehand.
The Silent Data Migration XPRA will only be executed again to correct the data if the scoping for the “homeless” question is changed again.
If you enable this scoping question and the "Compatibility mode for Access Context 1015" scoping question (which is also located within the "User and Access Management" section) is also in scope, then accounts that have only sales data (and no account team or territory assignment) can still be accessed by a business user who has restricted account access.
This is also valid for transactions that contain sales data without a territory or employee assigned.
Please follow the path:
- Work centre: Business configuration.
- Open your relevant implementation project.
- Navigate to step 4, questions.
Expand: Built-in Services and Support > System Management > User and Access Management.
Relevant questions for your scenario:
"Do you want the Access Context 1015 - sales area restriction to be effective only for objects with employee or territory assignments?" (please descope this)
"Do you want in general restrict access to data records that do not contain any access restriction relevant content?" (please de-scope this, then after save and deploy, scope it again)
- Deselect - Scoping Question: Compatibility mode for Access Context 1015 (Employee, Territory, Sales Data).
- Deselect - Scoping Question: Remove the authorization for unassigned data records (the homeless question).
- Save/Deploy changes.
- Select - Scoping Question: Remove the authorization for unassigned data records (the homeless question).
- Save/Deploy changes.
access restrictions, accounts, Do you want in general restrict access to data records that do not contain any access restriction relevant content? , KBA , LOD-CRM-EMP , Employee , LOD-CRM-ACC , Account , LOD-CRM-OPP , Opportunity Management , How To