- An approval task for employee ABC fails, although the approver KLM seems to have sufficient access rights to perform the approval.
- The approver KLM is the manager of the reporting line unit XYZ, where ABC is employed, but KLM is not able to see employee ABC in My Team.
(ABC represents the name of the employee, KLM represents the name of the manager, XYZ represents the org unit ID.)
SAP Business ByDesign
Reproducing the Issue
- Go to Application and User Management work center
- Go to Business Task Management view
- Find a failed approval task for approver ABC (where ABC represents the name of the approver)
- Open Application Log
- Find messages such as the following:
- Business task is inconsistent - no valid responsible person/organization
- Searching for manager in org structure:
- Manager must be a reporting line unit manager
- Manager must be manager for the following employees:
- Manager found: KLM
- Employees without sufficient access rights for the item:
- Employee: KLM
- Info: Work Center Views that potentially grant access:
- View:My Team (MMA_MYTEAM) - Context: Management (1003)
- No employee has sufficient access rights
But all conditions seem to be met: The approver has access to My Team (MMA_MYTEAM) and the access restrictions of this view allow the approver KLM read and write access to org unit XYZ via Access Context: Management (1003). You therefore don't understand the message: 'No employee has sufficient access rights'.
In the Edit Access Rights UI, for the access context, the parent org unit OPQ is shown to enable rendering of the actual hierarchy under this company. (OPQ represents the parent org unit ID.) As part of the actual hierarchy below OPQ, XYZ is correctly marked for Read and Write Access.
The access context 1003-Management is only applicable for org units which are acting as RLU (reporting line unit), or in other words, relevant for people management. It needs the reporting line hierarchy to be present starting from the parent org unit, which is OPQ in this case.
However, OPQ is not a reporting line unit. Therefore, the authorization framework does not evaluate XYZ (an RLU) as a child of OPQ (not an RLU), and the access granted at OPQ never reaches XYZ.
There are two solutions to the observed issue:
- In the Edit Access Rights screen, instead of granting access to OPQ, grant access to individual RLUs, like XYZ, directly
- Mark the company OPQ as an RLU itself in the Organizational Structure
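The cause and both solutions can be checked with a small model. This is an added example, not SAP code: it is a simplified model of the rule described above, and `OrgUnit`, `grant_covers`, `unevaluated_grants` and the sample data are hypothetical names and constructed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OrgUnit:
    unit_id: str
    parent: Optional[str]
    is_rlu: bool  # True if the unit is a reporting line unit

def ancestors(units, unit_id):
    """Yield the ancestors of unit_id, nearest first."""
    parent = units[unit_id].parent
    while parent is not None:
        yield parent
        parent = units[parent].parent

def grant_covers(units, granted_id, target_id):
    """Does a Management (1003) grant on granted_id reach target_id?"""
    if not units[target_id].is_rlu:
        return False  # context 1003 applies only to RLUs
    if granted_id == target_id:
        return True   # direct grant on the RLU itself
    # Inherited grant: the reporting line hierarchy must start at the
    # granted node, so that node has to be an RLU as well.
    return units[granted_id].is_rlu and granted_id in ancestors(units, target_id)

def unevaluated_grants(units, grants):
    """List grants on non-RLU nodes and the child RLUs they fail to reach."""
    findings = []
    for user, unit_id in grants:
        if units[unit_id].is_rlu:
            continue
        missed = sorted(u for u in units
                        if units[u].is_rlu and unit_id in ancestors(units, u))
        if missed:
            findings.append((user, unit_id, missed))
    return findings

# Constructed sample matching the scenario: OPQ is the company (not an RLU),
# XYZ is an RLU below it, and KLM was granted access at OPQ.
SAMPLE_UNITS = {
    "OPQ": OrgUnit("OPQ", None, False),
    "XYZ": OrgUnit("XYZ", "OPQ", True),
}
SAMPLE_GRANTS = [("KLM", "OPQ")]

if __name__ == "__main__":
    for user, unit, missed in unevaluated_grants(SAMPLE_UNITS, SAMPLE_GRANTS):
        print(f"{user}: grant on non-RLU {unit} does not reach {missed}")
```

Running the same audit over an export of the org structure and access restrictions lists every grant that looks correct in the hierarchy view but is not evaluated for approvals.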
Please find more details regarding Organization Management and RLU in the Help Documentation:
Approval, leave, Approve Leave Request, Application and User Management, Business Task Management, Aproval fails, message:, KBA, SRD-CC-IAM, Identity & Access Management, Problem