Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
Showing results for 
Search instead for 
Did you mean: 
Use Case:

There are requirements, where a differentiation between

a “Main” Key User / IT Administrator (who should has access to all SAP Business ByDesign areas and Work Center’s)


a “group-responsible” Key User (who should has only a limited system access option),

e. g. a user who is responsible for all CRM-related settings and its related UI Adaptations, but not for other areas like e. g. Finance.

Requirements of this Key User restriction are

  • Being able to do Key User Adaptations for (but only!) dedicated Work Center’s and View’s, but being not able to change WoC Assignments for Business Users and Business Roles in any other cases (for itself but also not for other users)

  • Being able to edit and maintain reports and data sources in Business Analytics, but being not able to see any real data information within accessed reports and data sources



  1. Key User UI Settings

    e. g. screen adaptation and creation of Key User extension fields

    In addition to Workcenter’s which are required for the daily life of a (group-responsible Key-) user, only this dedicated Workcenter View (out of Workcenter “Application and User Management”) will be necessary, which is the Workcenter View “Flexibility Change Log”:

Please go to:


Result: The group-responsible Key User can do Key User Adaptation tasks, but only on assigned Work Center’s. As this user does not have a chance to add and enhance more Work Center /-views to its business user, there is no way to access areas which should be protected in the mentioned matter.

  1. Business Analytics

On top to 1., the (group-responsible Key-) user can have access to Work Center “Business Analytics” and with help of this restriction:

the user could edit and create reports and join data sources in WoC “Business Analytics”, but without any real data. Those real data would be only available for objects where the access rights are maintained and assigned accordingly.

Achieving to see business data in the new and adjusted analytical objects, the group-related Key User needs to switch to the relevant and assigned Work Center’s and their report section (after report and data source modelling). And for sure, a publishing to other users is possible as well.


Result: With help of this approach, a differentiation between Key User access rights can be achieved fulfilling area responsiblities and avoiding miss-usage and not allowed data access.