After completing this lesson, you will be able to:
Access to business applications is controlled by role-based authorization management. You assign Business Roles to Business Users, and the roles provide access to business tasks. Business Users are employees, contractors, or other individuals who need access to the SAP S/4HANA Cloud system.
A Business Role is assigned to a Business User to grant permission to access applications in SAP S/4HANA Cloud.
One or more Business Catalogs are assigned to a Business Role. Each Business Catalog provides access to one or more applications, dashboards, or displays of data.
Administrators can control the visibility of the data granted through a catalog by applying General Restrictions to Business Catalogs. By maintaining access restrictions, you define the subset of all existing business objects that a user can view (read) or edit (write) when working with a particular business role.
The Business Catalog defines which access categories are available (Value Help, Read, Write), and for which fields restriction values can be maintained. The fields vary per catalog, as they are based on the fields within the apps in the catalog. The Business Role aggregates restrictions for all Business Catalogs.
Administrators define a restriction based on a supported field (for example, company code, country, or controlling area). You can restrict data access separately for the Value Help, Read, and Write access categories. Read access always includes Value Help access, and Write access always includes Read access.
How to identify the Business Catalog(s) mapped to a Business Role and the Fiori application(s) mapped to a Business Catalog:
To apply General Restrictions, an Administrator should first make a copy of the SAP Standard Business Role, or create a new role based on the SAP Standard Business Role Template. For example, if you need to restrict access in the Accounts Payable Accountant Business Role for some users to only Company Code 1710 (United States), and for other users to only Company Code 1010 (Germany), you create two new Business Roles based on the SAP Standard Accounts Payable Accountant role. Name the roles accordingly (for example, Accounts Payable Accountant_1710).
In the first business role, edit the role and maintain the restriction value(s) for the entire Business Role (that is, define the Company Code field = 1710). Then, you may edit the individual business catalogs within the role and define the access category (that is, Value Help, Read, Write) as Restricted.
When you create a new Business Role, Read access is set to Unrestricted and Write access is set to No Access by default. When an access category is Restricted, you must select a specific field value (for example, Company Code = 1710) or grant unrestricted access. If you leave fields empty within a business catalog, a user will be assigned No Access to the field in the business catalog's granted apps.
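
The following is an added example, not SAP code and not part of the original lesson: a simplified Python model of the rules described above (category inclusion, the stated defaults, and empty fields meaning No Access), used to check the two derived Accounts Payable roles. The class names, the `company_code` field key, and the `AP_CATALOG` catalog name are hypothetical placeholders.

```python
from dataclasses import dataclass, field

# Access categories, lowest to highest. Per the lesson, Write includes Read
# and Read includes Value Help.
LEVELS = ("value_help", "read", "write")

def default_modes():
    # Defaults the lesson gives for a newly created Business Role.
    return {"read": "unrestricted", "write": "no_access"}

@dataclass
class Catalog:                      # hypothetical stand-in for a Business Catalog
    name: str
    modes: dict = field(default_factory=default_modes)

@dataclass
class Role:                         # hypothetical stand-in for a Business Role
    name: str
    restrictions: dict              # field -> allowed values, maintained once per role
    catalogs: list

def _grants(role, catalog, category, obj):
    mode = catalog.modes.get(category, "no_access")
    if mode == "unrestricted":
        return True
    if mode == "restricted":
        # A field with no maintained value yields No Access.
        return all(obj[f] in role.restrictions.get(f, ()) for f in obj)
    return False

def allowed(role, category, obj):
    """True if any catalog in the role grants `category` or a higher one on obj."""
    higher = LEVELS[LEVELS.index(category):]
    return any(_grants(role, c, lvl, obj) for c in role.catalogs for lvl in higher)

def unrestricted_grants(role):
    """Audit check: categories left Unrestricted in a role that carries restriction values."""
    if not role.restrictions:
        return []
    return [(c.name, lvl) for c in role.catalogs for lvl in LEVELS
            if c.modes.get(lvl) == "unrestricted"]

# Constructed sample data: two copies of the role from the lesson's example.
ap_1710 = Role("Accounts Payable Accountant_1710", {"company_code": {"1710"}},
               [Catalog("AP_CATALOG", {"read": "restricted", "write": "restricted"})])
# Same idea for 1010, but only Write was switched to Restricted; Read keeps its default.
ap_1010 = Role("Accounts Payable Accountant_1010", {"company_code": {"1010"}},
               [Catalog("AP_CATALOG", {**default_modes(), "write": "restricted"})])
US_INVOICE = {"company_code": "1710"}   # constructed business objects
DE_INVOICE = {"company_code": "1010"}
```

In this model the 1010 role cannot write 1710 objects but can still read them, because Read was left at its Unrestricted default; `unrestricted_grants` surfaces that gap during a role review.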