3066085 - Substitute Does Not Inherit Authorization of UI Switch

You have the UI Switch ABC within Business Role DEF, which is assigned to business user 001.
This business user 001 is unavailable and then you set the user 002 as it's Substitute.

When trying to perform the same actions of user 001 with the Substitute user 002 you notice that you cannot perform any action bound to this UI Switch as it seems the Substitute have not inherited the UI Switch Access Rights from business user 001.

• SAP Business ByDesign 

This happens mainly because of the following:

1. The business role DEF  is not assigned to the user 002 because, employee substitution directly copies the authorization of 001 to the substitute 002 at IDENTITY level. It will copy the effective authorizations already determined for the user 001 from the business role, but not copy the business role assignment itself.

(If employee substitution worked by simply assigning the roles to the substitute by checking which roles are assigned to the substituted user, this will fail when they have difference in their Org. assignment, since authorization depends on which orgs the user belongs to and their functions.)

2. The UI switch is not assigned to the user 002  because, UI switch is not part of IDENTITY, it is only a part of business roles. Authorization evaluation of UI switch is done by UI runtime by looking up the UI switches available for a user via the assigned business roles. Therefore since the role is not directly assigned to the user 002, UI runtime will not find the UI switch to be assigned to the user 002.

In short, UI switch cannot be part of employee substitution.

 This is the current architectural design of the product.

UI Switch, PDI, Substitute , KBA , substitute , ui switch , business bydesign , SRD-CC-IAM , Identity & Access Management , Problem