3371644 - User who actually has no authorization to the document is able to see it

User A who has no authorization to document B is able to see the document B.

SAP Cloud for Customer

1. Log on as Administrator.
2. Go to Administrator work center.
3. Navigate to General Settings view.
4. Click on Business Users.
5. Check for the Access Rights for user A.
6. Go back to General Settings view.
7. Click on Business Roles.
8. Edit the Business Role of user A to check for the Access Restriction.
9. Result: user A should has no access to Opportunity B.
10. Now log on as user A.
11. Go to Opportunities work center.
12. Opportunity B could be seen there.

For Opportunity B, under the Change tab, user A could be seen there. He is the last change user of the Opportunity.

For business objects:

• Business Partners (Account, Contact, etc.)
• Sales Quote
• Sales Order
• Activities
• Opportunity
• Lead
• Service Request

The last change user is added to the access control list. The access control list is a structure attached to the business object by which the actual access is being determined. As the last change user is added to the access control list, that user still has access to the object instance at least until another user is doing a change. This allows the user to revert back changes he might have done accidently and which could lead to the loss of the access right to that specific instance.

Access Control Management: Access Forwarding

authorization; access right; access control list; Business Partners; Account; Contact; Sales Quote; Sales Order; Activities; Opportunity; Lead; Service Request , KBA , LOD-CRM-OPP , Opportunity Management , LOD-CRM-SRP , Service Request Processing , LOD-CRM-ACC , Account , LOD-LE-CQP-CO , Lean Sales Orders , LOD-LE-CQP , Customer Quote Processing , LOD-CRM-ACT , Activities , LOD-CRM-CON , Contact , LOD-CRM-LM , Lead Management , Problem

SAP Cloud for Customer add-ins all versions ; SAP Cloud for Customer core applications all versions