SAP Knowledge Base Article - Public

2663008 - Restriction Rule 11 - Employee, Accounts (Account Team) Does Not Work As Expected

Symptom

You are restricting a business object (such as Sales Orders) with Restriction Rule 11 - Employee, Accounts (Account Team).

You expect to see all the sales orders where a user is maintained in the Account Team facet inside the account.

However, you realize that not all sales orders are visible to the same user, despite all sales orders having the same account.

Environment

SAP Cloud for Customer

Reproducing the Issue

  1. Go to the Administration work center.
  2. Go to the General Settings view.
  3. Open Business User ABC (ABC represents the name of the user).
  4. Click Edit > Access Rights.
  5. In the Access Restrictions facet, select restricted read and write access in a business object (such us Sales Orders) and then choose the Restriction Rule 11 - Employee, Accounts (Account Team).
    (If the user has a Business Role assigned, the access restriction defined on the business role will be applied. You can follow the above steps but open the business role instead of the user and do the adjustments there).
  6. Log in with an admin user.
  7. Go to the Customers work center.
  8. Go to the Accounts view.
  9. Open an account where user ABC is maintained in the Account team facet.
  10. Go to the Sales Orders facet.
    Result: You can see X number of sales orders.

  11. Log in with ABC user.
  12. Go to the Customers work center.
  13. Go to the Accounts view.
  14. Open the same account that you opened in step 9.
  15. Go to the Sales Orders facet.
    Result: You can see Y number of sales orders (being Y lower or equal to X). The user ABC can see all the sales orders where they are maintained in the Involved Parties view inside the sales order. However, there are other sales orders for the same account which are not visible for user ABC.

Cause

In the description of the restriction rule, you can read: Access based on the account via direct employee assignment (max 1000 accounts) and employee.

If the user ABC has access to more than 1000 accounts, the restriction rule will not be applicable and only the sales orders where the user is directly maintained on the Involved Parties view will be visible. It is not about the user being in the account team of the account, but about being involved directly in the sales order.

Resolution

This is the expected system behavior.

You can select another restriction rule if desired.

See Also

Blog: Access Control Management: Basics of access control and business roles

Keywords

Restriction rule ; Access rights; Accounts; Sales orders; Sales quotes ; Employee; 11; , KBA , LOD-LE-RC-GEN-XCR , General Cross Topics , How To

Product

SAP Cloud for Customer add-ins all versions ; SAP Cloud for Customer core applications all versions