Using Permission Groups to Manage User Permissions

Objectives

After completing this lesson, you will be able to:
  • Describe the concept of Permission Groups in SAP CPQ
  • Explain how Permission Groups work
  • Use Advanced Mode for creating a permission group formula
  • Explain when the system (re-)evaluates Permission Group formulas

The Concept of Permission Groups

Permission Groups define visibility permissions and sharing rules over various SAP CPQ objects. By default, CPQ creates a permission group for each User Group, Company, and Market. However, administrators can create additional Permission Groups or modify existing ones under Setup > Users > Permission Groups.

Permission Groups allow administrators to assign access rights to multiple users with a single select. Users included in the same permission group share access rights to SAP CPQ objects, such as Pricebooks, Quote Tables, and more.

Permission groups can be searched and filtered by one of the following search queries:

  • Permission Group Name
  • Description
  • Members

Group members can be filtered by their username.

When creating a new Permission Group, administrators can add users by performing a simple and/or advanced search or by browsing for specific Users.

To do a simple search, select:

  • User Types
  • Companies
  • Markets
  • Brands
  • Users

Permission Groups

An additional permission group can be defined with simple criteria: as a combination of values from types, companies, markets, brands, and specific users. Multiple values of the same kind, such as multiple user types, are evaluated with OR logic. But values of different kinds are evaluated with AND logic.

For example, if you define an additional permission group X as user types Sales and Sales Management and the company SAP Sales Cloud, then users will belong to permission group X only if both of the following criteria are true:

  • Their user type is either Sales or Sales Management.
  • Their company is SAP Sales Cloud.

The Advanced Mode

Advanced Mode can be used to filter users by custom fields and by fields not available in the simple search options. To perform a search, you can create a formula using SAP CPQ tags. 

Use formulas to inspect the field values for the logged User.

For example, to determine if a user was an administrator the next formula can be used: <*CTX(Visitor.IsAdmin)*>.

Combining Simple and Advanced Criteria

When combining simple and advanced search criteria AND logic is applied. Using the examples above a user would belong to permission group X only if:

  • Their user type was either Sales OR Partner.
  • AND their company was Acme Inc.
  • AND they were an administrator (as defined by the CTX tag).

Re-evaluation of Permission Group Formulas

Once a Permission Group formula is created, the system re-evaluates it on the following occasions to include/exclude Users:

  • When users log in.
  • After saving personal details on the User page.
  • When the quote is loaded.
  • When the quote market is changed.

If you create a formula that inspects a Quote field, the system will not re-evaluate it every time a change is made on the respective Quote but only when the Quote is initially loaded. The re-evaluation of formulas is not triggered by changes to Quotes. Consequently, the formula filters the same Users as before the change was made. Reloading the Quote re-evaluates the formula and corresponding Users are then included in the Permission Group.

Log in to track your progress & complete quizzes

Learning

SAP FacebookSAP YoutubeSAP LinkedIn