Which restriction values would be most effective?
Navigate to the Business Catalogs app to see which applications and data access a catalog grants. The Restriction Types tab shows the restrictions you can use with the catalog to limit access to applications and data. Alternatively, if you've already assigned a business catalog to your role through the Maintain Business Roles app, you can click into the business catalog and navigate to the same information.

Go through each individual field and assign restrictions
On the Maintain Restrictions page, select the "Write, Read, Value Help" drop-down menu and choose Restricted. This provides a set of values you can define restrictions for. Repeat this for the other drop-down menus ("Read, Value Help" and "Value Help"). Defining restrictions for every single field can be a long process, but it's the only way to ensure end users truly have the minimum level of access necessary to complete their job tasks. "Unrestricted" should only be used in rare cases, because giving users too much access can create security issues.

A restriction marked as a Leading Restriction means the value entered in that field is automatically inherited by other restriction types that also use that field. For example, if you want to ensure the values for the country templates for Austria (AU01) and Switzerland (CH01) are applied in all restriction types for the field Company Code, you would enter the relevant values and select the Leading Restriction checkbox. These values would then be automatically inherited by all occurrences of the Company Code field in the role.
1. Select the "pencil" icon to edit a restriction.
2. In the Field Settings section, select Restricted.
3. In the Values section, you see the available options in the current SAP S/4HANA Cloud system. Select the checkbox to the left of a restriction value. This will automatically save and update on the Values screen to the left within a few seconds.
4. Select the checkbox for Leading Restriction to pass the restriction value on to the other relevant restriction types that also use this field.
5. Repeat steps 1-4 for all restrictions.
6. The business role has been automatically saving this entire time, so you can select the back button in the top left corner to navigate back to the original Maintain Business Roles page and save the role.
7. Always make sure to assign the customized role to a user and test it out to verify the restrictions are accurately hiding/showing what you want them to.
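
To make the Leading Restriction behavior and the "Unrestricted" check concrete, here is an added example (not SAP code and not an SAP API) that models a role as a plain dictionary, propagates a leading value to every occurrence of a field, and lists the fields still left Unrestricted. The dictionary layout, the restriction type names "Type A" and "Type B", and the Plant field with value 1010 are constructed for illustration; role-wide propagation follows the description above.

```python
# Simplified model of a business role's restrictions (not SAP's data model or API).
# Layout: {restriction_type: {access_category: {field: set of values or UNRESTRICTED}}}
UNRESTRICTED = "Unrestricted"


def apply_leading(role, field, values):
    """Copy `values` to every occurrence of `field` in the role, as a
    Leading Restriction does. Returns the (type, category) pairs changed."""
    changed = []
    for rtype, categories in role.items():
        for category, fields in categories.items():
            if field in fields and fields[field] != set(values):
                fields[field] = set(values)
                changed.append((rtype, category))
    return changed


def find_unrestricted(role):
    """List every (type, category, field) that is still Unrestricted."""
    return sorted(
        (rtype, category, field)
        for rtype, categories in role.items()
        for category, fields in categories.items()
        for field, values in fields.items()
        if values == UNRESTRICTED
    )


# Constructed sample role; restriction type names are placeholders.
sample_role = {
    "Type A": {
        "Write, Read, Value Help": {"Company Code": UNRESTRICTED},
        "Read, Value Help": {"Company Code": {"AU01"}},
    },
    "Type B": {
        "Read, Value Help": {"Company Code": UNRESTRICTED, "Plant": UNRESTRICTED},
        "Value Help": {"Plant": {"1010"}},
    },
}

if __name__ == "__main__":
    apply_leading(sample_role, "Company Code", {"AU01", "CH01"})
    for finding in find_unrestricted(sample_role):
        print("still unrestricted:", finding)
```

In the sample, the leading Company Code value closes three gaps at once, while the Plant field in "Type B" stays Unrestricted and still has to be maintained by hand.
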
Maintaining Business Roles After a Release Upgrade
Each time a release upgrade occurs, some business role maintenance will likely be necessary. The Maintain Business Role Changes After Upgrade app displays changes to business catalogs and restriction types after an upgrade, for example when a new restriction type was added to a business catalog, or when an existing restriction type is being phased out or has been officially removed. It's important to check the Release Assessment and Scope Dependency Tool in the What's New area of the SAP Help Portal to get a big-picture understanding of how the customer's actual business processes are affected after a release, then focus on targeted apps like the Maintain Business Role Changes After Upgrade app for detailed information about how user permissions may be affected.
