This document covers some basic and frequently asked questions regarding IAM.
- SAP Hybris Cloud for Customer 1802 and higher.
- SAP Business ByDesign 1802 and higher.
1. Where to find the Identity and Access Management (IAM) Views?
You can find them by following this path: Application and User Management work center -> User and Access Management for Business ByDesign, and Administrator work center -> Users for Cloud for Customer.
2. How do Business Roles work?
A Business Role defines a set of work centers and their associated views, including Restriction Rules. You can use it to apply multiple work centers to several users at once.
3. How to manually update Access Rights of a Business User?
Go to the Business Users view, find the specific Business User, click the Edit button and then click Access Rights. Once the new window opens, you can manage the Access Rights manually for this specific Business User, provided the user is not assigned to a Business Role.
4. What is Identity and Access Management (IAM)?
Identity and Access Management is the combination of Employee records, Business Users, Roles and Access Restrictions that you can customize to control users' access to your solution.
5. How to properly update the Access Rights of a Business User?
Once you have made the required changes for the Business User, go to the Business Users view, click the Update Access Rights button and then click Update All Users. This ensures that the job for this update is triggered.
6. How to restrict a specific action with a Business Role (e.g. Business Users shouldn't be able to synchronize Appointments with Outlook or disable the Inactive button)?
Through a Business Role you can restrict access to some actions within a View, or hide fields or buttons. To do this, go to the Business Roles view, find the specific Business Role, click the Edit button, go to the Field & Actions tab and add a row under Business Action Restrictions. This displays which actions can be restricted or hidden in the system using this option.
7. What is Access Context and how is it defined?
Access Context is maintained on a Business Object level and cannot be edited or customized; it is defined by the system. For example, if the Access Context for a particular object is Employee, you cannot enhance the Access Context by adding additional criteria such as Sales Organization. You can find further details in the step Maintaining Access Context in the SAP Administrator Guide.
8. What are Restriction Rules and how to define them?
Restriction Rules appear once you have selected Restricted Access for a particular view. After that, you can select a predefined Restriction Rule. You can find a list of them in the step Overview of Restriction Rules in the SAP Administrator Guide.
9. Which access right has priority if you have defined overlapping access rights, Read or Write?
Whenever you set a View with Write Access, it overrides any other View with the same floorplan, making that View Write Access enabled too.
10. Is it possible to create Technical Users and change their passwords?
Technical Users come with the system and cannot be created or edited. To change the password of a Technical User, the Technical User needs to be used by a Communication Arrangement; you can then change the password by following this path: Application and User Management Work Center -> Communication Arrangement (CA) View -> Find the specific CA and click the Edit button -> Technical Data tab -> Edit Credentials button.
11. How to change the password of a Business User?
Once you find the specific Business User, click the Edit button and then Attributes. A new window opens, and under the User Data fields you can enter a new password.
12. How to Unlock or Lock a Business User?
Once you find the specific Business User, click the Edit button and then Attributes. A new window opens, and under the User Data fields you can check or uncheck the User Locked option.
13. How to change the Validation date of a Business User?
Once you find the specific Business User, click the Edit button and then Attributes. A new window opens, and under the User Data fields you can change the validation of the Business User.
14. How to define the time zone of a Business User?
Once you find the specific Business User, click the Edit button and then Attributes. A new window opens, and under the Regional Settings section you can specify the Time Zone. This is usually defined by a specific algorithm in the system itself. You can find more details here: https://blogs.sap.com/2016/10/21/defaulting-regional-settings-creating-business-users/
15. How to Generate a new Password for a Business User?
To generate a new password for a Business User, click the Edit button and then Attributes. Under the Actions button, there is the option Generate Password.
16. What is the difference between Business User and Technical User?
The Business User is used for an Employee and can do actions like creation of Sales Orders, Products, Tickets, and so on. The Technical User is a non-interactive user, predefined by the system for technical operations like Background Jobs or Credentials for Communication Arrangement.
17. What to do if the Password is not being received after using the Forgot Your Password tool?
Make sure that the End User entered the correct e-mail address to have the password generated, and that the Business User has a unique e-mail address in the system. If multiple Business Users have the same e-mail address for password recovery, the system will not send the password.
18. What is the difference between Restricted View, Read or Write?
Check the table below:
|Access|Description|
|---|---|
|Restricted|The user will have access only to specific data and it will depend on the Access Context and the Restriction Rule defined for it.|
|Unrestricted|The user will have access to all business data related to the View.|
|No Access|This is only available for Write Access and means that the user will not be able to change or enter data.|
19. How to find the changes done to the Access Rights of a Business User?
Once you find the specific Business User, click the Edit button and then click Access Rights. A new window opens; then go to the Changes tab.
20. What is the function of the Segregation of Duty (SoD)?
Segregation of Duty is a function that verifies, for Business Users assigned to multiple Work Centers, whether there is any conflict in their Access Rights that could cause a violation or fraud. The SoD will appear in the window to the Administrator user, so that process controls can be implemented to mitigate possible risks.
21. Why is Access Restriction not working as expected for a User?
If the user is assigned PDI_DEVELOPMENT with Unrestricted Access, this user can access all the data for work centers. PDI_DEVELOPMENT Unrestricted Access overrides all Access Restrictions in the UI.
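The two override rules from questions 9 and 21 can be checked together over a list of access assignments. The following is an added example, not SAP code or an SAP export format: the row layout, the user, view and floorplan names are hypothetical, and PDI_DEVELOPMENT is modelled as a view ID.

```python
from collections import defaultdict

OVERRIDE_VIEW = "PDI_DEVELOPMENT"  # named in question 21; modelled here as a view ID

# Constructed sample rows: (user, view, floorplan, read access, write access).
# User, view and floorplan names are hypothetical, not an SAP export format.
ASSIGNMENTS = [
    ("ALICE", "ACCOUNTS_VIEW", "account_fp", "Restricted", "No Access"),
    ("ALICE", "MY_ACCOUNTS_VIEW", "account_fp", "Restricted", "Restricted"),
    ("BOB", "TICKETS_VIEW", "ticket_fp", "Restricted", "No Access"),
    ("BOB", OVERRIDE_VIEW, "pdi_fp", "Unrestricted", "Unrestricted"),
    ("CAROL", "TICKETS_VIEW", "ticket_fp", "Restricted", "No Access"),
]

def audit(assignments):
    """Return sorted (user, view, reason) rows whose configured restriction is not effective."""
    by_user = defaultdict(list)
    for user, view, floorplan, read, write in assignments:
        by_user[user].append((view, floorplan, read, write))

    findings = []
    for user, rows in by_user.items():
        # Question 21: unrestricted PDI_DEVELOPMENT overrides all UI restrictions.
        pdi = any(v == OVERRIDE_VIEW and "Unrestricted" in (r, w) for v, _, r, w in rows)
        # Question 9: collect, per floorplan, the views that grant write access.
        writers = defaultdict(set)
        for v, fp, _, w in rows:
            if v != OVERRIDE_VIEW and w != "No Access":
                writers[fp].add(v)
        for v, fp, r, w in rows:
            if v == OVERRIDE_VIEW:
                continue
            if pdi and (r, w) != ("Unrestricted", "Unrestricted"):
                findings.append((user, v, "overridden by " + OVERRIDE_VIEW))
            elif w == "No Access" and writers.get(fp):
                via = ", ".join(sorted(writers[fp]))
                findings.append((user, v, "write-enabled via " + via))
    return sorted(findings)

if __name__ == "__main__":
    for user, view, reason in audit(ASSIGNMENTS):
        print(f"{user:6} {view:18} {reason}")
```
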
22. Why are Business Users not displayed in the Value Help while assigning the Users Responsible for the Business Role?
In the Administrator work center, you must assign to the Business Users the respective Work Center and Views that are part of the Business Role XYZ (where XYZ stands for a Business Role). Thereafter, you will be able to assign the Business Users Responsible for the Business Role.
23. Why is Access Restriction not working for Organization Unit as expected?
If the user is not part of the required Organization Unit, the user will not be able to access the assigned roles.
24. Are there access restrictions on attachments?
Access restrictions on attachments are not supported.
25. Is there any way to Lock/Unlock multiple users at once?
Yes. It is possible to lock or unlock users in bulk by selecting multiple users and clicking Lock User or Unlock User. Apart from that, it is not possible to perform this action via any other tool, such as Data Migration and Web Services.
26. Can Technical / Support Users in a system be deactivated/deleted?
No. These users have the below responsibilities:
Technical User: A user type for non-interactive usage, either predefined by SAP for technical operations or resulting from the creation of communication arrangements.
Support User: A user type for interactive support users used by SAP Cloud Services to access the system as part of incident processing.
They cannot be deactivated in a system; this is standard behavior.
27. In Security Policy, how do you set the Maximum Password Validity to Unlimited?
If you do not maintain any value in the field Maximum Password Validity, then the maximum validity of password is set to Unlimited.
28. Is it possible to restrict report view based on employees?
Reports can only be restricted based on the work center assigned in the report. Report views cannot be restricted on a per-employee basis.
29. Is there a restriction which can be imposed to not reset Admin Password?
All users who are authorized for user administration activities are treated the same, and are also treated like other users. Hence, this restriction is currently not possible.
30. Is it possible to track Change Log history of password change?
Changes to passwords happen at the basis layer, unlike other BO content, which happens under ESF control. So a Change Log history of password changes is not possible.