Maintain Restrictions in Business Role
You want to set up restrictions for Business Role assigned to User
“Image/data in this BLOG is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.”
- Financial Accounting (FI)
- SAP S/4HANA Finance
- SAP S/4HANA
- SAP S/4HANA Cloud
- SAP Fiori
- You can use catalogs to create your own roles. It is not possible to change catalogs or create own catalogs.
- In FIORI App Library check business catalog(s) associated with app concerned.
- In app Business Catalogs (APP ID F2471) check each tab, for example Used in Business Roles to see what roles business catalog is assigned. Check Restrictions tab to see what restrictions types are available for Business catalog concerned.
- In App Maintain Business Roles (App ID F1492) for existing Business or new role created, Select Maintain Restrictions.
For example, you would like to restrict the role write access to a specified company code only however to not want to place other restrictions on role which will be assigned to user.
If this role is save as it is, other restriction types are left blank. This means that the role has no authorization for other all areas.
5.Other restriction fields need to be maintained with authorization, for example maintain all authorization for them.
a. Select Restriction Area and Values
b. Click on Unrestricted Access
c. Click on Yes to Query Full Access: Do you want to grant unresricted access to yet Unrestricted Area?
This sets other values for Unrestricted Access (Please note this is just one example, Maintain restricted access as per business requirements)
6.This means that other areas are unrestricted, there is only a restriction on company code.
7.Save and active Role. Assign to User in app Maintain Business Users.
8. Ensure you also check in app Business Catalogs for business catalog concerned, the General section to see if associated catalogs must be maintained. If this is the case the following text is referenced below which you will see the associated catalogs.
9. Maintain associated catalogs that must be assigned for user.
10. Point to note: A user which is assigned to multiple roles gets the union of authorizations. The principle of union is a generic principle e.g. a user is assigned an gl accountant role and a co overhead accountant role has the combination/union of the authorizations granted by both roles. Both roles give those authorizations on the same authorization entities (e.g. company code, account type of journal entry). Thus if for example the GL Accountant role has Write Access : No access and the CO Overhead accountant role assign assigned to user has Write Access: Unrestricted. User is able to post in app Post General Journal Entries as user has write accesses in the companies maintained in the restrictions in CO overhead accountant role
2663389 – Is it Possible to Define a Group in SAP S/4HANA Cloud
2598676 – Manage Posting Periods Authorization
2511840 – Manage Posting Period Variants and Manage Posting Periods for SAP S/4HANA Cloud 1708
SAP Knowledge Base Article: 2598733 – Maintain Restrictions in Business Role
Special thanks to @Cora Phelan