Wednesday, March 11, 2015

Authorisations in Cloud for Customer

When implementing business systems, authorizations should be considered an important topic. You don't want to enable everyone to adjust your sales pipeline, change customer data or approve quotations.

In previous blogs my colleagues have already written a few things on dynamic page layouts and code list restrictions, which can all be part of your authorization configuration. I thought it could be helpful to give you a complete overview of the authorization possibilities in SAP Cloud for Customer.

Business Roles

The first thing to do when configuring your authorizations is to create business roles.
When defining a business role, you define the following:

Add Access to Workcenters and Views.

This determines both the workcenters displayed horizontally at the top of the screen and the quick create buttons displayed vertically on the left side of the screen (for creating, for example, customers, tasks, etc.).

Restrict access on views

Restricting access on a certain view (for example customers) can be done by assigning a restriction rule. You can restrict access (no access, restricted, unrestricted) based on, for example, territories or the organisational model. You can do this per view.

Restrict access on fields

You can set access restrictions on fields (hidden, read only, unrestricted) and on business actions (disable or unrestricted).

Important to keep in mind when creating the business roles is that business roles are used to:
  • Allow and Restrict access to workcenters as described above.
  • Allow and Restrict access to reports.
  • Maintain different HOME screens. The landing page of a sales rep should look different than the landing page of the sales manager.
  • Maintain different page-layouts for different business roles: my customer for example wants to show different fields on the account for different sales departments. For that we create different page-layouts, assigned to different business roles.
  • Code list restrictions. I will explain this a bit later.
So before you start creating business roles, you should consider the above to determine what kind of business roles you need. In our case we have defined for example three different business roles for a sales rep, mostly because we would like to assign different page-layouts per sales department.


With the access restrictions defined in the business role, you are not able to restrict access on all individual fields and actions. So in a second step you will need to refine your access restrictions. For example, it is not possible to restrict the creation of a contact or a relationship in the business role directly. This can, however, be done in the page-layout, for example by making the New or Add button invisible.

As you can see in the above screen prints, you can use page layouts not only to make fields invisible, but also to make certain fields read-only.

Code list-restrictions

Finally you might want to restrict the list of options in dropdowns for certain users. For example, some users might not be allowed to assign a certain status to an object. You can restrict this with the Code List Restrictions in the Administrator tab.

Let’s say you want to prevent a group of users from setting the status Won on an opportunity.

For this you go to the Code List Restrictions and choose business object Opportunity and Status for the Code to restrict. You also choose the business role for which you wish to create this restriction:

After choosing Save and Open you can assign the values allowed and un-assign the values not allowed (in our case Won):

Now our business role ‘Verkoopbinnendienst’ is only able to set the status Open, In Process or Lost on an opportunity.

Hope this gave you a clear overview of the authorization possibilities in C4C.

Happy authorizing!