Maintaining Business Role Restrictions

David: "Now that we have maintained General Role Details and assigned business catalogs, we can move on to configure the access permissions for the business role…"

Sarah: "Restrictions allow us to control specific access for the business users assigned to the business role. Let's look at how to maintain restrictions for the business role."

As you learned in the previous lesson, defining a business role from scratch using the Maintain Business Roles app typically involves four steps:

1. Maintain General Role Details
2. Assign Business Catalogs
3. Maintain Restrictions
4. Assign Launchpad Spaces and Pages

In this lesson, you will focus on step 3. Maintain Restrictions

In the previous lesson, you defined the business role general details and assigned certain business catalogs. The business catalogs control which applications the business user is authorized to execute, but you still need to define how customer data can be accessed. Now it is time to define access restrictions.

Restrictions allow you to segregate duties and responsibilities and ensure that each business user only has the access that they need. You do this by adding authorization values to the restriction fields. Each business catalog defines which access categories are available for maintenance and which field restrictions can be maintained. The business role aggregates the authorizations of the assigned catalogs.

The following access categories are available:

• Write, Read, Value Help (write access)

• Read, Value Help (read access)

• Value Help (value help access)

When a business role is created, the default value for access category Write, Read, Value Help (write access) is set to No Access. This means this business role has no Write authorizations (display only). When setting an access category to Restricted, you can define the data access for each restriction type and field according to your process requirements.

Restriction types (authorization objects) are mapped to specific restriction fields. Restriction fields represent the authorization-relevant attributes of the business objects used in a business role.

You must maintain restriction field values to grant or deny access to specific objects and data based on the business requirements defined for the business users. An example might include restricting access to a specific company code or asset class.

You configure Restrictions on the Read, Write, Value Help access level:

No Access is the default value access category when a business role is created. This means the business role has no Write authorizations (display only). You can add specific authorizations (Restricted) or, in cases where you want to grant full access for all restriction types and restriction fields, you can choose Unrestricted ('*').

As noted above, switching the write access to Restricted allows you to define which data can be edited by the users assigned to this business role. You can define the authorization values for the desired restriction fields in the Values area. If you don't want to grant access to a restriction field on purpose, you can choose the status Not maintained.

The default status of the access category Read is Unrestricted. Again, switching the read access to Restricted allows you to define which data can be seen by the users assigned to this business role. In the Values section, you can define the instance-based restrictions for the desired restriction fields used for Value Help.

You can define authorizations for value helps used in a business role. These Value Help authorizations will not influence the defined restrictions for read access. In the context of a business role, you can authorize the value help access, for example, to business partners that belong to certain authorization groups.

Additionally, you can find restriction types that contain general organizational restriction fields in the General section. These restriction types have only one restriction field. The settings that you make for these single restriction types sum up to the authorization granted to the business role and the assigned business users.

Leading Restrictions

You can change the status of the restriction fields in this section to Leading Restriction. You can do this by selecting the Leading Restriction checkbox. This status is visible through the Leading Restriction symbol in the Restrictions Overview. That means that the value in this field is automatically inherited by other restriction types that also use that field.

For example, you want to define that the values for the country templates for Austria and Switzerland are applied in all restriction types for the field Company Code. By selecting the values AU01 (for Austria) and CH01(for Switzerland) and selecting the Leading Restriction checkbox, the Leading Restriction is now active, and these values are automatically inherited to all occurrences of the Company Code field in the role.

In the exercise below you will configure business role access restrictions.

You now know how to configure access restrictions for SAP business roles, including describing the use of Restriction Types and Fields.