User ABC is able to create Appointments in the Calendar of User XYZ (ABC and XYZ represent user's ID), even though they do not have Access Restrictions to perform such action.
SAP Cloud for Customer
Reproducing the Issue
1. Login as User ABC;
2. Open the Calendar view;
3. Press the Value Box;
4. Select User XYZ;
5. You are able to write Appointment to XYZ's Calendar without any restriction.
This is expected system behavior.
When user ABC is logged on and displays user XYZ's calendar, they can create a new Appointment as they would create from the Quick Create but in addition, it defaults the time slot selected in the Calendar.
What matters is who are the Parties Involved in the newly created Appointment. If the owner/ organizer is user ABC, the Appointment will show up in user ABC's calendar only.
If Organizer is user ABC and the Owner is set as user XYZ, then the Appointment shows in both Calendars of users ABC and XYZ. If you create the Appointment from the Quick Create or Activities work center or Calendar the effect will be the same depending who do you set as Owner or Organizer.
You are able to start the creation in a user's you can see Calendar, but what matters is the Parties you maintain in the Appointment.
This Appointment creation in the Calendar is not applied to the user's Calendar selected if they are not maintained as a Party to it.
The Calendar is used mostly to read a user's Activities. Writing on it would only add a time slot to the Appointment.
KBA , LOD-CRM-EMP , Employee , LOD-CRM-CAL , Calendar Control , How To