Symptom
User A, who has no authorization for document B, is able to see document B.
Environment
SAP Cloud for Customer
Reproducing the Issue
- Log on as Administrator.
- Go to Administrator work center.
- Navigate to General Settings view.
- Click on Business Users.
- Check for the Access Rights for user A.
- Go back to General Settings view.
- Click on Business Roles.
- Edit the Business Role of user A to check for the Access Restriction.
- Result: user A should have no access to Opportunity B.
- Now log on as user A.
- Go to Opportunities work center.
- Opportunity B can be seen there.
Cause
For Opportunity B, user A can be seen under the Change tab. He is the last change user of the Opportunity.
Resolution
For business objects:
- Business Partners (Account, Contact, etc.)
- Sales Quote
- Sales Order
- Activities
- Opportunity
- Lead
- Service Request
The last change user is added to the access control list. The access control list is a structure attached to the business object by which the actual access is determined. Because the last change user is added to the access control list, that user still has access to the object instance at least until another user makes a change. This allows the user to revert changes he might have made accidentally and which could lead to the loss of the access right to that specific instance.
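The behavior described above as a simplified Python model (an added example, not SAP code; the class, the function names and the user IDs are hypothetical). It shows why a user who changes an object out of his own role-based access still sees it, and how to list instances where access rests only on the last-change-user entry.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class BusinessObject:
    """Simplified model of one object instance; not SAP's data model."""
    object_id: str
    role_acl: Set[str]                 # users allowed by business role restrictions
    last_changed_by: Optional[str] = None

    def effective_acl(self) -> Set[str]:
        # Per the KBA: the last change user is added to the access control list.
        acl = set(self.role_acl)
        if self.last_changed_by is not None:
            acl.add(self.last_changed_by)
        return acl

    def can_access(self, user: str) -> bool:
        return user in self.effective_acl()

    def change(self, user: str, new_role_acl: Optional[Set[str]] = None) -> None:
        # Only a user with current access can save a change.
        if not self.can_access(user):
            raise PermissionError(f"{user} has no access to {self.object_id}")
        if new_role_acl is not None:   # e.g. the change reassigns the object
            self.role_acl = set(new_role_acl)
        self.last_changed_by = user    # replaces the previous last change user


def residual_access(objects: List[BusinessObject]) -> List[Tuple[str, str]]:
    """(object_id, user) pairs where access rests only on being the last change user."""
    return [(o.object_id, o.last_changed_by) for o in objects
            if o.last_changed_by is not None and o.last_changed_by not in o.role_acl]


def walk_through() -> List[bool]:
    # Constructed sample data: USER_A and USER_C are hypothetical user IDs.
    opp_b = BusinessObject("OPPORTUNITY_B", role_acl={"USER_A"})
    seen = []
    opp_b.change("USER_A", new_role_acl={"USER_C"})  # A reassigns B away from himself
    seen.append(opp_b.can_access("USER_A"))          # B is still visible to A
    seen.append(residual_access([opp_b]) == [("OPPORTUNITY_B", "USER_A")])
    opp_b.change("USER_C")                           # another user changes B
    seen.append(opp_b.can_access("USER_A"))          # A's residual access ends
    return seen
```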
Keywords
authorization; access right; access control list; Business Partners; Account; Contact; Sales Quote; Sales Order; Activities; Opportunity; Lead; Service Request, KBA, LOD-CRM-OPP, Opportunity Management, LOD-CRM-SRP, Service Request Processing, LOD-CRM-ACC, Account, LOD-LE-CQP-CO, Lean Sales Orders, LOD-LE-CQP, Customer Quote Processing, LOD-CRM-ACT, Activities, LOD-CRM-CON, Contact, LOD-CRM-LM, Lead Management, Problem