2608632 - Frequently Asked Questions on Identity and Access Management

SAP Knowledge Base Article - Public

Symptom

This document covers some basic and frequently asked questions regarding IAM.

Environment

  • SAP Hybris Cloud for Customer 1802 and higher.
  • SAP Business ByDesign 1802 and higher.

Resolution

Question 1: Where to find the Identity and Access Management (IAM) Views?

Answer: You can find them under the following paths: Application and User Management Work Center -> User And Access Management for Business ByDesign, and Administrator work center -> Users for Cloud for Customer.


Question 2: How do Business Roles work?

Answer: A Business Role defines a set of work centers and their associated views, including Restriction Rules. You can use it to assign multiple work centers to several users at once.


Question 3: How to manually update Access Rights of a Business User?

Answer: Go to the Business User view, find the specific Business User, click the Edit button and then click Access Rights. Once the new window opens, you can manage the Access Rights manually for this specific Business User, provided the user is not assigned to a Business Role.


Question 4: What is Identity and Access Management (IAM)?

Answer: Identity and Access Management is the combination of Employee records, Business Users and Roles, and Access Restrictions, which you can customize to control users' access to your solution.


Question 5: How to properly update the Access Rights of a Business User?

Answer: Once you have made the required changes for the Business User, go to the Business Users view, click the Update Access Rights button and then click Update All Users. This makes sure that the job for this update is triggered.


Question 6: How to restrict a specific action with a Business Role (e.g. Business Users shouldn't be able to synchronize Appointments with Outlook or disable the Inactive button)?

Answer: Through a Business Role you can restrict access to some actions within a View, or hide fields or buttons. To do this, go to the Business Roles view, find the specific Business Role, click the Edit button, go to the Field & Actions tab and add a row under Business Action Restrictions. The system will display which actions can be restricted or hidden using this option.


Question 7: What is Access Context and how is it defined?

Answer: Access Context is maintained on a Business Object level and cannot be edited or customized; it is defined by the system. For example, if the Access Context for a particular object is Employee, you cannot enhance the Access Context by adding additional criteria such as Sales Organization. You can check further details in the step Maintaining Access Context in the SAP Administrator Guide.


Question 8: What are Restriction Rules and how to define them?

Answer: Restriction Rules appear once you have selected Restricted Access for a particular view. After that, you can select a predefined Restriction Rule. You can find a list of them in the step Overview of Restriction Rules in the SAP Administrator Guide.


Question 9: Which access right has priority if you have defined overlapping access, Read or Write?

Answer: Whenever you set a View with Write Access, it overrides any other View with the same floorplan, making that View Write Access enabled too.


Question 10: Is it possible to create Technical Users and change their Passwords?

Answer: Technical Users come with the system and cannot be created or edited. To change the Password, the Technical User needs to be used by a Communication Arrangement, which makes it possible to change the password following this path: Application and User Management Work Center -> Communication Arrangement (CA) View -> Find the specific CA and click the Edit button -> Technical Data tab -> Edit Credentials button.


Question 11: How to change the password of a Business User?

Answer: Once you find the specific Business User, click the Edit button and then Attributes. A new window will show up and, under the User Data fields, you can enter a new Password.


Question 12: How to Unlock or Lock a Business User?

Answer: Once you find the specific Business User, click the Edit button and then Attributes. A new window will show up and, under the User Data fields, you can check or uncheck the User Locked option.


Question 13: How to change the Validation date of a Business User?

Answer: Once you find the specific Business User, click the Edit button and then Attributes. A new window will show up and, under the User Data fields, you can change the validation of the Business User.


Question 14: How to define the time zone of a Business User?

Answer: Once you find the specific Business User, click the Edit button and then Attributes. A new window will show up and, under the Regional Settings section, you can specify the Time Zone. This is usually defined by a specific algorithm from the system itself. You can find more details here: https://blogs.sap.com/2016/10/21/defaulting-regional-settings-creating-business-users/


Question 15: How to Generate a new Password for a Business User?

Answer: To generate a new Password for a Business User, click the Edit button and then Attributes. Under the Actions button, there is the option to Generate Password.


Question 16: What is the difference between Business User and Technical User?

Answer: The Business User is used for an Employee and can do actions like creation of Sales Orders, Products, Tickets, and so on. The Technical User is a non-interactive user, predefined by the system for technical operations like Background Jobs or Credentials for Communication Arrangement.


Question 17: What to do if the Password is not being received after using the Forgot Your Password tool?

Answer: Make sure that the End User entered the correct e-mail address to have the Password generated and that the Business User has a unique e-mail address in the system. If multiple Business Users have the same e-mail address for Password recovery, the system will not send the Password.


Question 18: What is the difference between Restricted View, Read or Write?

Answer: Check the table below:

Restricted   | The user will have access only to specific data, depending on the Access Context and the Restriction Rule defined for it.
Unrestricted | The user will have access to all business data related to the View.
No Access    | This is only available for Write Access and means that the user will not be able to change or enter data.


Question 19: How to find the changes done to the Access Rights of a Business User?

Answer: Once you find the specific Business User, click the Edit button and then click Access Rights. A new window will show up, and you can then go to the Changes tab.


Question 20: What is the function of the Segregation of Duty (SoD)?

Answer: Segregation of Duty is a function that verifies, for Business Users assigned to multiple Work Centers, whether there is any conflict in their Access Rights that could cause a violation or a fraud. If there is, the SoD will appear in the window for the Administrator user, so process controls can be implemented to mitigate possible risks.

Question 21: Why is Access Restriction not working as expected for a User?

Answer: If the user is assigned PDI_DEVELOPMENT with Unrestricted Access, this user can access all the data for the Workcenters. PDI_DEVELOPMENT Unrestricted access overrides all Access Restrictions in the UI.
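An added example, not part of the SAP article and not SAP code: a review pass over a constructed list of user/view assignments that flags three conditions this FAQ describes, namely PDI_DEVELOPMENT with Unrestricted access (Question 21), a write-enabled view sharing a floorplan with a view set to No Access (Question 9), and Business Users sharing an e-mail address (Question 17). The tuple layout, the view and floorplan names, and the case-insensitive e-mail comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample data, not an SAP export format (hypothetical layout):
# (user, email, view, floorplan, read access, write access)
ROWS = [
    ("ALICE", "alice@example.com", "ORDERS_EDIT", "SalesOrder", "Unrestricted", "Unrestricted"),
    ("ALICE", "alice@example.com", "ORDERS_DISPLAY", "SalesOrder", "Restricted", "No Access"),
    ("BOB", "shared@example.com", "TICKETS", "Ticket", "Restricted", "Restricted"),
    ("CAROL", "Shared@example.com", "PDI_DEVELOPMENT", "Studio", "Unrestricted", "Unrestricted"),
    ("DAVE", "dave@example.com", "TICKETS_DISPLAY", "Ticket", "Restricted", "No Access"),
]


def audit(rows):
    """Return the users and assignments an administrator should review."""
    pdi_users = set()
    users_by_email = defaultdict(set)
    write_by_floorplan = defaultdict(set)  # (user, floorplan) -> write values

    for user, email, view, floorplan, read, write in rows:
        # Assumption: e-mail addresses are compared case-insensitively.
        users_by_email[email.strip().lower()].add(user)
        write_by_floorplan[(user, floorplan)].add(write)
        # Question 21: this assignment overrides every other restriction.
        if view == "PDI_DEVELOPMENT" and "Unrestricted" in (read, write):
            pdi_users.add(user)

    # Question 17: password recovery mail is not sent for a shared address.
    shared = {e: sorted(u) for e, u in users_by_email.items() if len(u) > 1}

    # Question 9: a view meant to be read-only ("No Access" for write) becomes
    # write-enabled when another view on the same floorplan grants write.
    overlap = sorted(
        key for key, values in write_by_floorplan.items()
        if "No Access" in values and values - {"No Access"}
    )
    return {
        "pdi_unrestricted": sorted(pdi_users),
        "shared_email": shared,
        "write_overlap": overlap,
    }


if __name__ == "__main__":
    for finding, value in audit(ROWS).items():
        print(finding, value)
```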

Question 22: Why are Business Users not displayed in the Value Help while assigning the Users Responsible for the Business Role?

Answer: In the Administrator work center, you must assign the Business Users the respective Work Center and Views that are part of the Business Role: XYZ (where XYZ stands for a Business Role). Thereafter, you will be able to assign the Business Users Responsible for the Business Role.

Question 23: Why is Access Restriction not working for Organisation Unit as expected?

Answer: If the user is not part of the required Organisation Unit, the user will not be able to access the assigned roles.

Keywords

FAQ, Business User, Business Role, Access Restriction, Password, Restriction, Write, Read, Access Context, Access Rule, Technical User, Initial User, IAM, Access Right, KBA, SRD-CC-IAM, Identity & Access Management, How To

Product

SAP Business ByDesign all versions; SAP Hybris Cloud for Customer all versions