Special Access Control Topics
In the previous sections I have explained the basic concept of access control. This section provides details on special topics in the context of access control.
7.1 Restriction Rule Workforce
7.2 Delegates
7.3 Access Control for Reports
7.4 Access Control for custom developed Business Objects
7.5 Access determination in case of conflicting Role privileges and conflicting Page Layout privile...
7.6 Inherit Account Access to transactional business documents (this Blog)
Special Access Control Topics - Inherit Account Access to transactional business documents
Some additional features were introduced with 1702 and 1704. In this blog post I want to bring your attention to some additional restriction rules which address the following use case:
- A user needs to get access to business documents (opportunities, quotes, etc.) and/or activities which are related to a customer. The user is assigned to the customer either via territory team or account team. To access the transactions related to the account, the user does not necessarily have to be assigned as an involved party to the business document.
To support this use case, new restriction rules were added for transactions, such as leads, opportunities, or quotes (access context 1015), and activities, such as appointments or tasks (access context 1016).
New Restriction Rules for Access Context 1015
11 – Employee, Accounts (Account Team)
12 – Employee, Accounts (Account and Territory Team)
New Restriction Rules for Access Context 1016
9 – Employee, Accounts (Account Team)
10 – Employee, Accounts (Account and Territory Team)
These restriction rules grant access to an activity or a sales quote just because the business document is assigned to a customer the user is assigned to.
As you know, there are different ways to assign an employee (who is related to a user) to an account: either through territory assignment or through account team assignment (or both). The restriction rules for the different access contexts take this assignment into account:
New Restriction Rules for Access Context 1015
11 – Employee, Accounts (Account Team): Grants access to a business document of access context 1015 if the user is assigned as an account team member.
12 – Employee, Accounts (Account and Territory Team): Grants access to a business document of access context 1015 if the user is assigned as an account team member or a territory team member.
New Restriction Rules for Access Context 1016
9 – Employee, Accounts (Account Team): Grants access to a business document of access context 1016 if the user is assigned as an account team member.
10 – Employee, Accounts (Account and Territory Team): Grants access to a business document of access context 1016 if the user is assigned as an account team member or a territory team member.
Please note that access context 1015 is also relevant for accounts and contacts. Thus, it is theoretically possible to assign the restriction rules 11 (Employee, Accounts (Account Team)) or 12 (Employee, Accounts (Account and Territory Team)) to Customer or Contact work center views. This does not make sense: the purpose of restriction rules 11 and 12 is mainly to control the access to a business transaction based on the access to the account. So use the restriction rules 11 and 12 only for the transactional documents of access context 1015.
The access determination based on the customer assignment as defined in restriction rule 11 and 12 is carried out during runtime.
IMPORTANT: To not jeopardize the response time, especially for a large set of accounts related to a user, we have limited the calculation of the access rights for these restriction rules to max. 1000 accounts per user (in total it can be 2000 accounts if you use account team and territory team assignments in parallel).
If the number of account assignments per user is exceeded, the system will grant no access at all for that user. The work lists for the transaction will be empty. If a user is assigned to more than 1000 customers via territory team or account team, you need to find a different approach to grant access to business documents.
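The following added example is a simplified model of the behaviour described above, not SAP's implementation. It shows which accounts a rule lets a user inherit access from, and which users would end up with empty work lists. The data layout, user names and account IDs are constructed, and the model assumes that exceeding the limit in any assignment type the rule considers removes all access under that rule.

```python
# Added illustration: simplified model of the described behaviour, not SAP code.
MAX_ACCOUNTS_PER_ASSIGNMENT = 1000  # limit stated in the post, per assignment type

# (access context, restriction rule) -> assignment types the rule considers
RULES = {
    (1015, 11): ("account_team",),
    (1015, 12): ("account_team", "territory_team"),
    (1016, 9): ("account_team",),
    (1016, 10): ("account_team", "territory_team"),
}

def inherited_accounts(context, rule, assignments):
    """Accounts whose documents the user can reach through this rule.

    assignments: {"account_team": set(ids), "territory_team": set(ids)}
    Assumption: if any assignment type used by the rule exceeds the limit,
    the user gets no access at all (empty work list).
    """
    sets = [assignments.get(kind, set()) for kind in RULES[(context, rule)]]
    if any(len(s) > MAX_ACCOUNTS_PER_ASSIGNMENT for s in sets):
        return set()
    return set().union(*sets)

def can_access(context, rule, assignments, document_account):
    """True if a document assigned to document_account is visible to the user."""
    return document_account in inherited_accounts(context, rule, assignments)

def users_over_limit(context, rule, users):
    """Users who would see empty work lists under this rule (review candidates)."""
    kinds = RULES[(context, rule)]
    return sorted(
        user for user, assignments in users.items()
        if any(len(assignments.get(k, set())) > MAX_ACCOUNTS_PER_ASSIGNMENT for k in kinds)
    )

# Constructed sample data: user -> account IDs per assignment type.
USERS = {
    "alice": {"account_team": {"A1", "A2"}, "territory_team": {"A3"}},
    "bob": {"account_team": {f"B{i}" for i in range(1001)}, "territory_team": {"A3"}},
    "carol": {"account_team": {f"C{i}" for i in range(1000)},
              "territory_team": {f"T{i}" for i in range(1000)}},
}

if __name__ == "__main__":
    for key in sorted(RULES):
        print(key, "users with empty work lists:", users_over_limit(*key, USERS))
```
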
In former releases, we already provided a restriction rule which refers to the account assignment and which still shows up. That is restriction rule 1 for access context 1016 - Obsolete: Territories, Accounts, Employees (For Manager). This restriction rule considers only the account team assignment of the user.