SAP Knowledge Base Article - Public

2594061 - Access Restriction Not Working For Enterprise Search

Symptom

A Business User has been restricted from accessing certain objects, for example Accounts. However, the Business User can still access restricted Accounts via the Enterprise Search. The restrictions work correctly at work center view level.

Environment

SAP Business ByDesign

Reproducing the Issue

Configure the scenario:

  1. Log in to the system in the Silverlight version.
  2. Go to the Application and User Management work center.
  3. Go to the Business User view.
  4. Select Business User ABC that you wish to restrict.
  5. Press Edit and select Access Rights.
  6. Go to the Access Restrictions tab.
  7. Search and select from the work center View ID: BPM_ACCOUNTS.
  8. Change the Read Access and/or Write Access to Restricted.
  9. Below, in the Detailed Restriction section, specify the Access Group and select the respective Read Access and/or Write Access you wish to grant.
  10. Save the change.

 

Test the scenario:

  1. Ask the affected Business User to log in to the system.
  2. Go to the Account Management work center.
  3. Go to the Account view.
  4. Search for an account to which the Business User should have no access.
  5. The Business User will not see the restricted account in the Overview Worklist (OWL).
  6. Click on the Enterprise Search and search for the same restricted account again.
  7. The restricted account will be shown as a result.
  8. The Business User is now able to click on the link to open the account to which he should have no access.


 

Cause

The Enterprise Search Enterprise Core Object (ECO) "CUSTOMER_ES_ECO" is part of several work center views available to the user. Most of them are granted to the user in unrestricted read/write mode.

The Enterprise Search Object is not maintained with the association to the Access Code List (ACL), which is required to find the user's necessary restrictions.

If the restrictions derived from all views granted to a user are maintained at the same level, there is no need to evaluate the ACL, and access to the ECO is always considered unrestricted.

Resolution

In the current system version, and until further notice, it is not possible to restrict access to accounts via the Enterprise Search. It is planned to extend the Restrict Access functionality to the Enterprise Search in future releases.

Keywords

access restriction, enterprise search, KBA, SRD-MD-BP, Business Partner, Product Enhancement

Product

SAP Business ByDesign all versions