Wednesday, November 1, 2017

SAP Hybris Cloud for Customer; checking user authorizations

When supporting SAP Hybris Cloud for Customer (C4C) it’s inevitable to receive user questions like “I can’t see the customers I’m supposed to see, please help me”. These issues tend to take a lot of time to analyse because it’s not always clear how the authorization setup determines whether a business user has access to specific objects such as customers. There are two BETA tools available in C4C to support the analysis of authorization questions.

(Beta) Log in as another user

When analysing an authorization issue, the conclusion is often that there seems to be nothing wrong with the authorization setup in the system. But the question remains: why does this user not have access to the correct customers? At this point it’s not uncommon to ask the user for his/her password, or to reset it, so that the support employee can log in with the end user’s credentials. This is not a preferred solution; users should keep their user id and password private. Sharing credentials is no longer necessary, because SAP C4C now allows a support user to log in as a business user without the business user handing over login credentials. As a result the support user sees the same page layouts, data access and query results as the business user.

Step 1: Create specific support user

You can only log in as a business user with a technical support user created specifically for this purpose. The user id of this user has to start with KEYTEST*. This user is created via the normal procedure: first create the employee and afterwards update the automatically created business user. The user does not have to be assigned a business role, so the technical user itself does not have any authorization of its own.

Step 2: Configure login as another user

This configuration option is available via Administrator > (Beta) Login as Another User. Simply add the created technical user and the business user you want to impersonate.

Step 3: Login with the technical user

The last step is to log in with the technical user. When you’re logged in you will notice that at the top right the technical user id is displayed as the logged-in user, followed by the business user id between brackets: “KEYTEST01 <Philip Herve>”. When you navigate to customers you see that the customers which would normally be displayed for the business user are now displayed for the technical user as well.

You could also use this feature when performing system demonstrations. It's easy to log in as another user who has the business role and authorization you want to use in the demonstration, so you don't have to create specific demo users.
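The three steps above leave the administrator with a list of (technical user, business user) pairs. The following Python script is an added example, not part of the original post or of C4C, that reviews such a list against the two conventions the post states: the technical user id starts with KEYTEST and the technical user carries no business role. The user records, the `C4CUser` data class and the sample mappings are constructed for the example; the rule that a mapping target should not itself be a technical user is an additional assumption the post does not cover.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed user directory for this example; the attributes mirror what the
# post says about technical support users (id starts with KEYTEST, no business
# role). The record layout itself is an assumption, not a C4C data model.
@dataclass
class C4CUser:
    user_id: str
    business_roles: List[str] = field(default_factory=list)


TECHNICAL_PREFIX = "KEYTEST"


def check_mapping(technical_id: str, business_id: str,
                  users: Dict[str, C4CUser]) -> List[str]:
    """Return the findings for one (technical user -> business user) pair.
    An empty list means the pair satisfies the conventions from the post."""
    findings: List[str] = []

    if not technical_id.upper().startswith(TECHNICAL_PREFIX):
        findings.append(f"{technical_id}: technical user id must start with {TECHNICAL_PREFIX}")

    tech = users.get(technical_id)
    if tech is None:
        findings.append(f"{technical_id}: technical user does not exist")
    elif tech.business_roles:
        # The technical user should carry no authorization of its own; any
        # business role would add access on top of the impersonated user.
        findings.append(f"{technical_id}: technical user carries business roles {tech.business_roles}")

    if business_id not in users:
        findings.append(f"{business_id}: business user does not exist")
    elif business_id.upper().startswith(TECHNICAL_PREFIX):
        # Assumption for this example: a technical user should not be the
        # target of another impersonation mapping (the post does not cover this).
        findings.append(f"{business_id}: target is itself a technical user")

    return findings


def review_mappings(mappings: List[Tuple[str, str]],
                    users: Dict[str, C4CUser]) -> Dict[Tuple[str, str], List[str]]:
    """Run check_mapping over every configured pair; only pairs with findings are returned."""
    report: Dict[Tuple[str, str], List[str]] = {}
    for technical_id, business_id in mappings:
        findings = check_mapping(technical_id, business_id, users)
        if findings:
            report[(technical_id, business_id)] = findings
    return report


# Constructed sample data.
SAMPLE_USERS = {
    "KEYTEST01": C4CUser("KEYTEST01"),
    "KEYTEST02": C4CUser("KEYTEST02", ["Sales Representative"]),
    "SUPPORT07": C4CUser("SUPPORT07"),
    "PHERVE": C4CUser("PHERVE", ["Sales Representative"]),
}

SAMPLE_MAPPINGS = [
    ("KEYTEST01", "PHERVE"),   # follows the conventions
    ("KEYTEST02", "PHERVE"),   # technical user has a business role
    ("SUPPORT07", "PHERVE"),   # wrong naming convention
    ("KEYTEST01", "JDOE"),     # business user missing
]

if __name__ == "__main__":
    for pair, findings in review_mappings(SAMPLE_MAPPINGS, SAMPLE_USERS).items():
        print(pair, findings)
```

Running the script prints only the three pairs that violate a convention; the clean pair (KEYTEST01 -> PHERVE) produces no output, which is the state you want every configured mapping to be in.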

(Beta) Check Users Authorization

Another option you have as a support user is to analyse a business user’s access to a specific object, for example when a business user expects access to a customer but it’s not displayed in the search results. This configuration option is available via Administrator > (Beta) Check Users Authorization.

Step 1: Enter details to check

Enter the business user you want to check, the id of the object (e.g. the customer id) and the object type. This function is available for a limited set of objects; the check covers Contract, Ticket, Business Partner, Activity, Installed base, Sales order, Sales Quote and Sales Order.

Step 2: Analyse results

The result area has two main parts: the first highlights the access context for the object (in this example a customer) and the second contains the access context applicable to the entered business user. By displaying both in the result you can compare the access contexts and determine why this object is not visible to the business user.

It might be necessary to do some further checking based on the displayed results. In this case you see that the customer is assigned to an employee who is a different one than the business user we’re checking. But you also see that the customer is assigned to a territory, and the business user's access context shows the territory to which the business user is assigned. So the next step in this case is to check to which territory the business user is assigned; if this is not Territory 200, you know why the customer is not available to the business user.
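The comparison described in Step 2, as an added example that is not part of the original post and not C4C's own evaluation logic: a small Python model of the two access contexts the tool displays, with a function that reports which restriction (employee assignment, territory assignment) keeps the object out of the business user's view. The `ObjectAccessContext` and `UserAccessContext` classes, the "access is granted when at least one active restriction matches" rule, and the sample customer, employee ids and territories are all constructed assumptions for the example; Territory 200 is taken from the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed, simplified model of the two access contexts the check tool
# displays. It illustrates the comparison, not C4C's actual evaluation.

@dataclass
class ObjectAccessContext:
    object_type: str
    object_id: str
    employee: Optional[str]      # employee the object is assigned to
    territory: Optional[str]     # territory the object is assigned to


@dataclass
class UserAccessContext:
    user_id: str
    employee: str                # employee record behind the business user
    territories: Set[str]        # territories the business user is assigned to
    restrict_by_employee: bool   # role limits access to the user's own objects
    restrict_by_territory: bool  # role limits access to the user's territories


def explain_visibility(obj: ObjectAccessContext,
                       user: UserAccessContext) -> Tuple[bool, List[str]]:
    """Compare both access contexts and return (visible, reasons).

    Assumption for this example: a restricted role grants access when at
    least one of its active restrictions (employee or territory) matches.
    """
    if not (user.restrict_by_employee or user.restrict_by_territory):
        return True, ["role is unrestricted for this object type"]

    reasons: List[str] = []
    if user.restrict_by_employee:
        if obj.employee == user.employee:
            return True, [f"object is assigned to the user's own employee {user.employee}"]
        reasons.append(f"object assigned to employee {obj.employee}, user is employee {user.employee}")

    if user.restrict_by_territory:
        if obj.territory is not None and obj.territory in user.territories:
            return True, [f"object territory {obj.territory} is in the user's territories"]
        reasons.append(f"object territory {obj.territory} not in user's territories {sorted(user.territories)}")

    return False, reasons


# Constructed sample matching the scenario in the post: the customer belongs to
# another employee and to Territory 200; the user is assigned to Territory 100.
CUSTOMER = ObjectAccessContext("Business Partner", "1000123", employee="E0042", territory="200")
PHILIP = UserAccessContext("PHERVE", employee="E0077", territories={"100"},
                           restrict_by_employee=True, restrict_by_territory=True)
PHILIP_IN_200 = UserAccessContext("PHERVE", employee="E0077", territories={"100", "200"},
                                  restrict_by_employee=True, restrict_by_territory=True)

if __name__ == "__main__":
    for user in (PHILIP, PHILIP_IN_200):
        visible, reasons = explain_visibility(CUSTOMER, user)
        print(user.user_id, sorted(user.territories), "visible" if visible else "NOT visible")
        for reason in reasons:
            print("  -", reason)
```

For the first user both restrictions fail and both reasons are listed, which is exactly the follow-up check the post describes; adding Territory 200 to the user's territories makes the customer visible through the territory match even though the employee assignment still differs.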