SAP Knowledge Base Article - Public

2627923 - Employee Having Access To Business Objects That Are Restricted by the Restriction Rule 99

Symptom

There is an employee that is assigned in a Business Role which has the Restriction Rule 99 (Define Specific Restrictions) to a Business Objects (e.g Opportunities) and the access context is defined by Employee, Territory, Account and Sales Data. Currently, this user is having access to Business Objects that he is not allowed by the restriction rule.

Environment

SAP Cloud for Customer

Reproducing the Issue

  1. Login as the user XYZ (XYZ represents the user ID that has restriction rule 99 maintained).
  2. Go to the Sales work center.
  3. Go to the Opportunities view.
  4. Open the opportunity ABC (ABC represents the opportunity ID).
  5. You will be able to access this opportunity, but this opportunity does not fit in the Access Context maintained.

Cause

Even if the employee is not an Involved Party in the Business Object, he will have granted access to all Business Objects for all employees of the Organizational Units where the Business Role grants access to him. This include all the managers of the Organizational Units.

Resolution

This is the expected system behavior.

If you need restrict access to users for business objects, where an employee of the user's organizational unit is part of the Access Control List, you may contact your implementation manager to help with such request or approach directly  the SAP Cloud Service Center.

You can find more details about the services offered by the Cloud Service Center on https://www.sap.com/services/application-development.html .

You can contact the Cloud Service Center as follows:

  1. If you are a partner: please use cloudsolutionpartner@sap.com or the Partnerfinder.
  2. If you are a customer: please use the little blue box “Contact Us” shown on the very right-hand side of https://www.sap.com/services/application-development.html, choose “Contact Us”, choose “Services”, choose “SAP Custom Development” and complete the page.

Note: The services of the SAP Cloud Service Center will be charged as packaged services based on fixed prices.

An alternative option may be to check the SAP Hybris Cloud for Customer Ideas Forum to submit an idea: https://influence.sap.com/SAPCloudforCustomer

Keywords

Access Restriction, Employee, Organizational Unit, Involved Party, Business Role , KBA , SRD-CC-IAM , Identity & Access Management , How To

Product

SAP Cloud for Customer all versions