Restricting Access to Service Objects

Objective

After completing this lesson, you will be able to set up access restrictions for users based on their assigned organizational unit.

Restricting Access for a Service Organization Unit

In this lesson, we’ll examine how administrators can restrict users’ access to Service Objects in SAP Service Cloud Version 2.

By the end of this lesson, you will know how to set access restrictions for users based on their organizational unit.

Before you apply access restrictions, the following items must be configured in the system:

  • Organizational structure for Service Divisions
  • Employees, Business Users and Business Roles
  • Service Objects

Access restrictions can be structured according to the Company Organization Hierarchy.

Company Best Run Holding Hierarchy is displayed.

As shown in Unit 2, Lesson 1, Creating Roles and Assigning Access Restrictions, the Administrator can grant and restrict access to most business services. Typically, this is done at the business role level, allowing you to set permissions once and then apply them to multiple users.

The following is a list of access types.

  • Read access: Unrestricted, Restricted with Restriction Rules
  • Write access: Unrestricted, Restricted with Restriction Rules
  • No Access: (only available as a restriction for write access) The user lacks write permission.
  • Unrestricted: The user can access all business data related to the view.
  • Restriction Rule: Context-specific authorization. For example, an employee can access a customer only when they are assigned as the employee responsible for that company’s account team.

An example of a business service for service objects is the service called "sap.crm.service.registeredProductService," which allows you to grant access to Registered Products. Assigning this specific business service to a Business Role will give users full access to Registered Products in the system. When necessary, access restrictions can be applied using the following options:

  • Restrict access to My Service Organization
  • Restrict access to My Sales Organization (if relevant)
  • Restrict access to My Organizational Unit
  • Restrict access to Specific Organizational Units

Access restrictions for the business service sap.crm.service.registeredProductService are displayed, with the restriction options based on employee and organizational unit assignment highlighted.

Depending on business requirements, users can be granted restricted access to service objects such as registered products, installed base, warranty (unrestricted or no access), or even customer data (Accounts, Individual Customers).

It is crucial during the design phase of Business Roles to always consider access restrictions and how they relate to the Company’s Organizational Structure. A Business Role is typically assigned to a group of users within the same department, thus sharing similar requirements regarding the capabilities they are permitted to use in SAP Service Cloud Version 2. However, these users might be assigned to different service organization units.

Let’s take an example: as part of the service department at Company Best Run Bike, you have established a Business Role for the Service Agents, allowing them to use Case management, service objects, and master data. Within the Service Agents group, there are two distinctions: one group from Service Unit BRM L1 Service and another from Service Unit BRM L2 Service.

Two specific service org units, BRM L1 Service and BRM L2 Service, from Company Best Run Holding Hierarchy are displayed

Using access restrictions on service objects based on the attribute "My Service Organization," administrators can limit end-user access depending on their location within the organizational structure. As a result, users assigned to the unit BRM L1 Service will have access to service objects maintained specifically for this unit. An example of a Case assigned to the Service Team BRM L1 Service is shown in the next image.

Case “issue with bike” assigned to service team BRM L1 Service is displayed

The same principle applies to the other available access restriction options: My Organizational Unit and Specific Organizational Units.
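
The following is an added illustration, not SAP code and not part of the original lesson: a small Python model of the role design above that lists every grant reaching outside a user's own service unit, so a role can be reviewed before it is assigned. The business service ID, the restriction option names and the two unit names come from this page; the user names, object IDs, role names and the exact-match reading of "My Service Organization" are assumptions.

```python
from dataclasses import dataclass, field

SERVICE = "sap.crm.service.registeredProductService"   # ID quoted on this page
UNRESTRICTED, NO_ACCESS = "Unrestricted", "No Access"
MY_SERVICE_ORG = "My Service Organization"
SPECIFIC_UNITS = "Specific Organizational Units"

@dataclass
class BusinessRole:
    name: str
    # (business service, "read" | "write") -> (mode, units for SPECIFIC_UNITS)
    grants: dict = field(default_factory=dict)

@dataclass
class User:
    name: str
    service_org: str
    role: BusinessRole

def allowed(user, service, action, object_unit):
    """Decide one access request; anything not explicitly granted is denied."""
    mode, units = user.role.grants.get((service, action), (NO_ACCESS, ()))
    if mode == UNRESTRICTED:
        return True
    if mode == MY_SERVICE_ORG:
        return object_unit == user.service_org   # assumption: exact unit match
    if mode == SPECIFIC_UNITS:
        return object_unit in units
    return False                                 # No Access or unknown mode

def cross_unit_exposure(users, service, objects):
    """List (user, object, action) grants that reach outside the user's own unit."""
    return [(u.name, obj, act)
            for u in users for obj, unit in sorted(objects.items())
            for act in ("read", "write")
            if unit != u.service_org and allowed(u, service, act, unit)]

# Constructed sample data: two registered products, one per service unit.
OBJECTS = {"RP-L1-0001": "BRM L1 Service", "RP-L2-0001": "BRM L2 Service"}

def agents(role):
    return [User("agent_l1", "BRM L1 Service", role),
            User("agent_l2", "BRM L2 Service", role)]

LOOSE = BusinessRole("Service Agent (loose)", {
    (SERVICE, "read"): (UNRESTRICTED, ()), (SERVICE, "write"): (MY_SERVICE_ORG, ())})
SCOPED = BusinessRole("Service Agent (scoped)", {
    (SERVICE, "read"): (MY_SERVICE_ORG, ()), (SERVICE, "write"): (MY_SERVICE_ORG, ())})

if __name__ == "__main__":
    for role in (LOOSE, SCOPED):
        print(role.name, cross_unit_exposure(agents(role), SERVICE, OBJECTS))
```

With read access left unrestricted, each agent can read the other unit's registered product; with both read and write restricted to My Service Organization, the exposure list is empty.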

Lesson Summary

In this lesson we:

  • Explained prerequisites for using access restrictions in SAP Service Cloud Version 2
  • Illustrated possible access restriction types
  • Created an example of how access restrictions on Cases can be implemented based on users’ assignments within the organizational structure.