Which Restriction Values would be most effective?
There are many different business catalogs assigned to each business role. If I'm trying to restrict activities in specific applications, I need to look up the app(s) in the SAP Fiori Apps Reference Library and identify the business catalog(s) that grant access to the app(s). Then I can look at the detailed information about these business catalogs in the Maintain Business Roles app to see which restriction values would be most effective to control end user access to the app(s).
For example, if the concern for an associate-level project manager is about being able to create projects and staff employees to the project activities within their company code, look at the Overview Table section or Test Procedures of the relevant test script to see which apps are used to do these tasks. For Customer Project Management, the apps used for the majority of project tasks are Create Customer Projects (F0719) and Plan Customer Projects (F0719). It's also easier to find the app you're looking for in the Fiori Apps Reference Library when using the app ID to search. As you can see in this case, both Create Customer Projects and Plan Customer Projects have the same ID in the reference library, yet display as two different apps in the Fiori launchpad.
- In the SAP Fiori Apps Reference Library, look up the app ID and make sure the correct deployment is selected if there are different options available.
- Select the Implementation Information tab, and the Configuration section.
- Scroll down to the Business Catalog(s) section to see relevant catalogs.
- Copy the business catalog ID and navigate back to the Maintain Business Roles app in SAP S/4HANA Cloud.
- Navigate to the Assigned Business Catalogs tab of your custom business role.
- Paste the business catalog ID from the reference library in the search field and search.
- Select the business catalog and navigate to the Catalog Description tab. This is where you'll find information about which fields are most relevant to use when defining restrictions. This information differs for each business catalog.
Define Unrestricted Access for all Fields
On the Maintain Restrictions page, select the Read, Value Help drop-down menu and choose Restricted. This will provide a set of values you can define restrictions for. If you are going to define a restriction for any field, you must FIRST provide unrestricted access to ALL fields. If you define a restriction for a single field in this list and leave the others blank, the blank fields default to "no access", meaning they are not visible at all. After providing unrestricted access to all fields, you can then selectively choose which field(s) you want to restrict access for.
Define Restricted Access for specific Field(s)
In this example, we restrict the company code, in addition to several other fields (cost centers, responsible cost centers, purchasing organization) to make sure the business user assigned this role would only have the ability to create customer projects or view other existing projects in the United States area, and when staffing people to a project, select employees from within the US. Any projects created in the company code for Germany (1010) should not be visible.
- In the search field, enter company code to find the correct restriction.
- Select the "pencil" icon to edit the restriction.
- In the Field Settings section, select Restricted.
- In the Values section, you see the available company codes in the current SAP S/4HANA Cloud system. Select the checkbox to the left of the 1710 company code. This will automatically save and update on the Values screen to the left within a few seconds.
- Select the checkbox for Leading Restriction to pass the restriction value on to other relevant restriction types this field happens to be used in too.
- Repeat steps 1-5 for these restrictions: cost centers, responsible cost centers, purchasing organization.
- The business role has been automatically saving this entire time, so you can select the back button in the top left corner to navigate back to the original Maintain Business Roles page and save the role.
- Always make sure to assign the customized role to a user and test it out to verify the restrictions are accurately hiding/showing what you want them to.
When assigning a business role to the user you're currently logged-in with, refresh your browser after the assignment to see the new apps/space(s)/page(s) display on the launchpad.