Defining Restrictions for Business Roles

Objective

After completing this lesson, you will be able to define restrictions for business roles.

Define Restrictions for a Business Role

Identifying Effective Restriction Values

Use the Business Catalogs app to review the applications and data access granted by a specific catalog. The Restriction Types tab lists the available restrictions you can apply to limit access to specific data or functions.

Alternatively, if a business catalog is already assigned to a role, you can access this information directly through the Maintain Business Roles app by clicking on the catalog name.

Screenshot of the Business Catalogs app.

Assigning Restrictions to Individual Fields

On the Maintain Restrictions page, locate the Write, Read, Value Help drop-down menu and select Restricted.

This action allows you to define specific values for each access level (Read, Value Help, and Write). While defining restrictions for every field can be time-consuming, it is essential for ensuring that users follow the principle of least privilege, accessing only the data necessary for their tasks.

Caution

Avoid using the "Unrestricted" setting unless absolutely necessary, as it may grant excessive access and create security risks.

Screenshot of assigning restrictions in the Maintain Business Roles app.

A Leading Restriction ensures that the values entered in a field are automatically inherited by all other restriction types that use the same field.

For example, if you set the Company Code field to include Austria (AU01) and Switzerland (CH01) and select the Leading Restriction checkbox, these values will propagate to every instance of the Company Code field within that role.

  1. Select the pencil icon to edit a restriction.
  2. In the Field Settings section, choose Restricted.
  3. In the Values section, select the checkboxes for the required values available in your SAP S/4HANA Cloud system. The system saves these selections automatically.
  4. Select the Leading Restriction checkbox if you want these values to apply to all other relevant restriction types using this field.
  5. Repeat these steps for all necessary restrictions.
  6. The system saves changes automatically. Use the back button to return to the Maintain Business Roles overview.
  7. Always assign the updated role to a test user to verify that the restrictions correctly hide or show the intended data.
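The following added example is not SAP code and not part of the original lesson. It models leading-restriction propagation and the "Unrestricted" caution as a review check over a constructed role definition. The dictionary layout, the restriction type names TYPE_A to TYPE_C, and the Document Type field are hypothetical, and the model ignores the separate Write, Read, and Value Help levels.

```python
# Constructed sample, not an SAP export format:
# restriction type -> field -> setting, selected values, leading flag.
ROLE = {
    "TYPE_A": {"Company Code": {"setting": "Restricted",
                                "values": {"AU01", "CH01"}, "leading": True}},
    "TYPE_B": {"Company Code": {"setting": "Restricted",
                                "values": set(), "leading": False},
               "Document Type": {"setting": "Unrestricted",
                                 "values": set(), "leading": False}},
    "TYPE_C": {"Document Type": {"setting": "Restricted",
                                 "values": set(), "leading": False}},
}


def resolve(role):
    """Return {(restriction type, field): (setting, values)} after a leading
    restriction has propagated to every other use of the same field."""
    leading = {}
    for fields in role.values():
        for field, r in fields.items():
            if r["leading"]:
                entry = (r["setting"], frozenset(r["values"]))
                # Model choice: two different leading entries for one field
                # are treated as a definition error.
                if leading.setdefault(field, entry) != entry:
                    raise ValueError(f"conflicting leading restrictions: {field}")
    resolved = {}
    for rtype, fields in role.items():
        for field, r in fields.items():
            own = (r["setting"], frozenset(r["values"]))
            resolved[(rtype, field)] = leading.get(field, own)
    return resolved


def review(role):
    """List fields that need attention before the test-user check in step 7."""
    findings = []
    for (rtype, field), (setting, values) in sorted(resolve(role).items()):
        if setting == "Unrestricted":
            findings.append((rtype, field, "unrestricted"))
        elif not values:
            findings.append((rtype, field, "restricted without values"))
    return findings


if __name__ == "__main__":
    for finding in review(ROLE):
        print(finding)
```

In the sample, Company Code under TYPE_B inherits AU01 and CH01 from the leading restriction, so only the two Document Type entries are reported.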

Managing Business Roles After a Release Upgrade

System upgrades often require business role maintenance. The Maintain Business Role Changes After Upgrade app identifies changes to catalogs and restriction types, such as new additions, deprecations, or removals.

To manage these changes effectively, first use the Release Assessment and Scope Dependency Tool in the What's New area of the SAP Help Portal for a high-level overview of process impacts. Then, use the Maintain Business Role Changes After Upgrade app to address specific changes to user permissions.

Screenshot of the Manage Business Roles Changes After Upgrade app.

Note

Refer to the Learning Journey: Managing User Identity and Access in SAP S/4HANA Cloud Public Edition for even more information on Identity Access Management.