***Examples/Data/Images in this Blog are from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.***

Hello SAP S/4HANA Cloud Community,

Introduction:
I work on the LO-MD-BP component for SAP S/4HANA Cloud, and I have had several customers raise incidents about how Roles and Authorizations work in the area of Customer and Supplier Business Partner Master Data in S/4HANA Cloud, so I thought it would be good to write a blog on the topic to share my knowledge and experiences. In the previous blog we discussed how to create a Business Role and how to maintain restrictions with a given example.

While this blog will be aimed specifically at LO-MD-BP, the majority of its content will be true on a cross-topic level.

The main issue I have seen customers face and the main reason for creating these blogs would have to be around Business Role and Catalog conflicts. In this blog we will see how conflicts can arise as we assign more Business Roles to a Business User or when we assign additional catalogs to a Business Role. 


How Authorizations Work:

Most customers have business users who need to perform multiple tasks, so it is quite common for a business user to be assigned several custom and standard business roles, each with its own restrictions. This can at times lead to conflicts between the business roles and catalogs assigned to a business user, because these business roles can overwrite each other. The authorization objects assigned to business roles and catalogs are cumulative, and the least restrictive assignment always takes precedence. For example, suppose we assign a business user several business roles that all have display-only restrictions on a parameter such as company code or business partner role, and only for Supplier Master records. If we then assign the same business user one role which allows write authorization for suppliers, this least restrictive business role takes precedence, and the business user is no longer restricted to only viewing suppliers based on the restriction we set on a parameter such as company code or business partner role.

If a Business user is assigned several business roles then it is important to test to see if the business requirement. It is best to create multiple Business Roles each with its own specific task and to then assign multiple Business Roles to Business Users to meet the particular requirement for that user. 

Example 1: Unrestricted "Write, Read, Value Help" settings Overwrite "Read, Value Help" Settings.

In this example we will look at a conflict which could arise when a Business Role is created which is intended to allow a Business User to create Purchase Orders while only displaying Supplier Business Partner Master data of a certain Authorization Group or Account Group.

If this role has "Write, Read, Value Help" set to Unrestricted, then the system will accept this, and it will supersede any restriction which has been set in the restricted "Read, Value Help", based on account group or authorization group for example.

Example 2: Lesser restrictions set in one Business Role will overwrite more restrictive settings in multiple Business Roles.

If a Business User has been assigned several Business Roles containing Catalogs which, for example, relate to maintenance of Business Partner Master Data, and all but one of these Business Roles have been restricted to display-only access while one Business Role allows Write authorization for Business Partner Master Data, then the system will accept that the Business User has authorization to Create/Edit Business Partner Master Data, regardless of any other Business Roles with Read-only restrictions which are assigned to the user.

Example 3: Restrictions set at Business Role level will overwrite any restrictions set at Catalog level.

The system will accept authorization restrictions on a role level first. That is to say, if a Business Role has been created which allows the Business User to create data, i.e. Unrestricted "Write, Read, Value Help", and a Catalog within this Business Role has then been set to "Write, Read, Value Help" No Access for a particular criterion, the system will accept that the Business User with this Business Role has Unrestricted "Write, Read, Value Help" access for all Catalogs contained in that Business Role, as it is the least restrictive.
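
The cumulative, least-restrictive behaviour from Examples 1 and 2 can be checked before roles are assigned with a small model like the one below. This is an added example and not SAP code or an SAP API: it is a simplified Python model, and the role names, field keys and values in it are hypothetical, constructed sample data.

```python
from dataclasses import dataclass, field

WRITE = "Write, Read, Value Help"
READ = "Read, Value Help"
UNRESTRICTED = "*"  # model marker, not an SAP value

@dataclass
class BusinessRole:
    name: str
    # access category -> UNRESTRICTED, or {field: allowed values}; a missing
    # category models "No Access". Field names are keys of this model only.
    access: dict = field(default_factory=dict)

def grants(roles, category):
    """Yield every setting that confers `category`; write access implies read."""
    confers = (WRITE, READ) if category == READ else (WRITE,)
    for role in roles:
        for cat in confers:
            if cat in role.access:
                yield role.name, cat, role.access[cat]

def is_allowed(roles, category, record):
    """Cumulative check: one matching grant from any assigned role is enough."""
    for _, _, grant in grants(roles, category):
        if grant == UNRESTRICTED:
            return True
        if all(record.get(f) in allowed for f, allowed in grant.items()):
            return True
    return False

def superseded(roles):
    """List (restricted role, category, overriding role) for each restriction
    that an unrestricted setting elsewhere in the assignment makes ineffective."""
    findings = []
    for name, cat, grant in grants(roles, READ):  # READ view spans both categories
        if grant == UNRESTRICTED:
            continue
        for other, _, other_grant in grants(roles, cat):
            if other_grant == UNRESTRICTED:
                findings.append((name, cat, other))
                break
    return findings

# Constructed sample roles (names and values are hypothetical).
PO_BUYER = BusinessRole("Z_PO_BUYER", {WRITE: UNRESTRICTED,
                                       READ: {"authorization_group": {"AG01"}}})
BP_DISPLAY = BusinessRole("Z_BP_DISPLAY", {READ: {"account_group": {"SUPL"}}})
BP_MAINTAIN = BusinessRole("Z_BP_MAINTAIN", {WRITE: UNRESTRICTED})

if __name__ == "__main__":
    print(superseded([PO_BUYER]))                 # Example 1
    print(superseded([BP_DISPLAY, BP_MAINTAIN]))  # Example 2
```

Any entry returned by `superseded` is a restriction that will not take effect for that user, which is the situation to test for before assigning an additional Business Role.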

Recommendation:

Based on my experiences, it is best to create several different business roles, each with its own specific function, e.g. one business role designed to allow business users to view only Customer Master Data of a certain Authorization group, one business role with restrictions in place based on account group, or even one business role which allows the business user to work on customer master data without restrictions. These Business Roles can then be assigned to your business users cumulatively, based on what rights and restrictions each user group should have.

Information on Additional Related Blogs:

For information on how to create Business Roles, Maintain Restrictions and how to assign Business Roles to Business Users see this blog: 
How to Manage Authorizations by via Business Roles for Customer and Supplier Business Partner Master Data in S/4HANA Cloud

For information on Customer / Supplier Business Partner Master Data: Authorization Groups see this blog: 
Customer / Supplier Business Partner Master Data: Authorization Groups 


The examples in this blog are intended for explanation purposes.


Kind Regards,
Stephen Ward
SAP Product Support