Symptom
You have setup access restrictions for objects such as for example Invoices based on a specific Company, but the restriction is not working as expected.
Environment
SAP Business ByDesign
Reproducing the Issue
This issue can occur for other work centers and views and we will use the Customer Invoicing work center and Invoice Requests view as an example:
-
Go to the Customer Invoicing work center.
- Go to the Invoice Requests view.
- Select All Invoice Requests from the drop down list.
- The user is able to see Invoice Requests for a Company for which he is not assigned in the Access Restrictions for this work center and view.
Cause
The user is assigned to the Data Privacy work center with Unrestricted Access.
This is a work center meant to administrators, that have full access to the system. This work center assignment overwrites other restrictions.
And/Or
The user is assigned to the PARTNER DEVELOPMENT FOR MCS and PDI_PARTNER_DEVELOPMENT work centers. .
These work centers should only be assigned to a development user and not to a standard business user.
Resolution
If the restriction is needed, the Data Privacy work center has to be also restricted or unassigned.
If you are using Business Roles for your access rights assignment of the user you need to correct the Business Role as follows:
-
Go to the Application and User Management work center.
- Select the Business Roles view.
- Open the Business Role XYZ (XYZ represents the Business Role ID assigned the business user).
- Click on the Edit button.
If you would like to remove the Work Center ID DATAPRIVACY from the Access Rights of the Business Role: - Go to the Work Center and View Assignments tab.
- Uncheck the Assigned to check box for the Work Center ID DATAPRIVACY in the PERSONALDATAREMOVAL Work Center View ID and the PERSONALDATADISCLOSURE Work Center View ID.
If you would like to restrict the Work Center ID DATAPRIVACY from the Access Rights to the Employee's Company in the Business Role: - Go to the Access Restrictions tab.
- Filter for the Work Center ID DATAPRIVACY.
- Ensure that the Read and Write Access is of the PERSONALDATAREMOVAL Work Center View ID and the PERSONALDATADISCLOSURE Work Center View ID have the Restriction Rule 01 - Restrict to Employee's Company.
- In the the Work Center and View Assignments tab uncheck the Assigned to check box for the PARTNER DEVELOPMENT FOR MCS and PDI_PARTNER_DEVELOPMENT Work Center ID.
- Save your changes.
- Click on the Assigned Users button and select the Update Users option.
If you do not use Business Roles but manage the Access Rights directly in the Work Center Assignment and the Access Restrictions of the User:
-
Go to the Application and User Management work center.
- Select the Business Roles view.
- Search and select the business user ID ABC (ABC represents the ID of the business user).
- Click on the Edit button and select the Access Rights option.
If you would like to remove the Work Center ID DATAPRIVACY from the Access Rights of the Business User: - Go to the Work Center and View Assignments tab.
- Uncheck the Assigned to check box for the Work Center ID DATAPRIVACY in the PERSONALDATAREMOVAL Work Center View ID and the PERSONALDATADISCLOSURE Work Center View ID.
If you would like to restrict the Work Center ID DATAPRIVACY from the Access Rights to a specific Company in the Business User: - Go to the Access Restrictions tab.
- Filter for the Work Center ID DATAPRIVACY.
- Ensure that the Read and Write Access is of the PERSONALDATAREMOVAL Work Center View ID and the PERSONALDATADISCLOSURE Work Center View ID are restricted and have only Read and Write Access to the respective Company.
- In the the Work Center and View Assignments tab uncheck the Assigned to check box for the PARTNER DEVELOPMENT FOR MCS and PDI_PARTNER_DEVELOPMENT Work Center ID.
- Save your changes.
Keywords
Access Rights; Company; Restriction; not working; Access Restriction; User; Business User; Business Role; , KBA , SRD-CRM-INV , Customer Invoicing , Problem