3650072 - User Able to Edit Supplier Master Data Despite No Write Access to Work Center BPM_SUPPLIERS

A business user without write access to the Supplier Master Data work center (BPM_SUPPLIERS) is able to modify Supplier master data fields (e.g., email address in the General tab) successfully. No error is raised, even though access restrictions are defined as "No Access" for the user. 

SAP Business ByDesign.

Making a change and saving in Supplier master data:

1. Go to the Business Partner Data or Supplier Base work center.
2. Go to the Suppliers view.
3. Find the Supplier ID and click Edit -> General.
4. Make a change to the E-Mail field.
5. Click Save.

System saved the change successfully (no error message raised).

Checking access rights for User:

1. Go to the Application and User Management work center.
2. Go to the User and Access Management -> Business Users view.
3. Find the User ID ABC (ABC is the User ID).
4. Click Edit -> Access Rights.
5. Open the Access Restrictions tab.
6. Find the Work Center View ID BPM_SUPPLIERS.

Notice that Write Access is defined as No Access, so expectation is that system wouldn't have allowed a change in Payment Terms for Supplier DEF, but raised an error message instead.

The user was not assigned to any valid Organizational Management unit. Because of this missing assignment, the system could not apply access restrictions properly. 

Ensure that the user is assigned to the correct Organizational Management unit in the system. After updating the Organizational assignment, verify access control behavior by attempting to edit Supplier master data. 

User Access, Supplier Master Data, BPM_SUPPLIERS, Write Access, No Access, Business User, Access Restrictions, Organizational Management, Access Control, Unauthorized Edit, Supplier Base. , KBA , SRD-CC-IAM , Identity & Access Management , Problem