David: "Now that we have maintained General Role Details and assigned business catalogs, we can move on to configure the access permissions for the business role…"
Sarah: "Restrictions allow us to control specific access for the business users assigned to the business role. Let's look at how to maintain restrictions for the business role."
As you learned in the previous lesson, defining a business role from scratch using the Maintain Business Roles app typically involves four steps:
- Maintain General Role Details
- Assign Business Catalogs
- Maintain Restrictions
- Assign Launchpad Spaces and Pages
In this lesson, you will focus on step 3: Maintain Restrictions.
Step 3: Maintain Restrictions
In the previous lesson, you defined the business role general details and assigned certain business catalogs. The business catalogs control which applications the business user is authorized to execute, but you still need to define how customer data can be accessed. Now it is time to define access restrictions.
Restrictions allow you to segregate duties and responsibilities and ensure that each business user only has the access that they need. You do this by adding authorization values to the restriction fields. Each business catalog defines which access categories are available for maintenance and which field restrictions can be maintained. The business role aggregates the authorizations of the assigned catalogs.
The following access categories are available:
- Write, Read, Value Help (write access)
- Read, Value Help (read access)
- Value Help (value help access)
When a business role is created, the default value for access category Write, Read, Value Help (write access) is set to No Access. This means this business role has no Write authorizations (display only). When setting an access category to Restricted, you can define the data access for each restriction type and field according to your process requirements.
Restriction Types and Restriction Fields
Restriction types (authorization objects) are mapped to specific restriction fields. Restriction fields represent the authorization-relevant attributes of the business objects used in a business role.
You must maintain restriction field values to grant or deny access to specific objects and data based on the business requirements defined for the business users. An example might include restricting access to a specific company code or asset class.
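The following Python model is an added example, not SAP code and not part of the original lesson. It shows how a role aggregates the restriction fields of its catalogs, how the three access categories nest, and how a write category left at No Access yields a display-only role. All class and function names, the sample catalog, and the values 1010 and 3000 are constructed, and denying access when nothing is maintained is an assumption of the model.

```python
from dataclasses import dataclass, field

# Access categories from the lesson, broadest first: write access includes
# read and value help, read access includes value help.
CATEGORIES = ["write", "read", "value_help"]

@dataclass
class Catalog:  # constructed stand-in for a business catalog
    name: str
    categories: set  # access categories this catalog makes maintainable
    fields: set      # restriction fields this catalog makes maintainable

@dataclass
class BusinessRole:
    catalogs: list
    # category -> "no_access" | "restricted"; write starts as No Access
    access: dict = field(default_factory=lambda: {"write": "no_access"})
    values: dict = field(default_factory=dict)  # (category, field) -> allowed values

def restrict(role, category, fld, allowed):
    """Set a category to Restricted and maintain values for one restriction field."""
    # The role aggregates its catalogs: some assigned catalog must offer this pair.
    if not any(category in c.categories and fld in c.fields for c in role.catalogs):
        raise ValueError(f"{fld!r} is not maintainable for {category!r} in this role")
    role.access[category] = "restricted"
    role.values[(category, fld)] = set(allowed)

def is_allowed(role, wanted, obj):
    """obj maps restriction fields to the attributes of one business object."""
    # The wanted category or any broader one can grant the access.
    for cat in CATEGORIES[: CATEGORIES.index(wanted) + 1]:
        if role.access.get(cat, "no_access") != "restricted":
            continue  # model assumption: anything not maintained is denied
        rules = {f: v for (c, f), v in role.values.items() if c == cat}
        if rules and all(obj.get(f) in v for f, v in rules.items()):
            return True
    return False

def demo_role():
    """Constructed sample: display-only role limited to company code 1010."""
    catalog = Catalog("Asset Accounting (sample)", {"write", "read"},
                      {"company_code", "asset_class"})
    role = BusinessRole([catalog])
    restrict(role, "read", "company_code", {"1010"})
    return role

if __name__ == "__main__":
    role, asset = demo_role(), {"company_code": "1010", "asset_class": "3000"}
    print({c: is_allowed(role, c, asset) for c in CATEGORIES})
```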