One of the very important ask from our customers is around flexibility offered by SAP S/4HANA cloud essentials to be able to customize roles. That means, business requirement is to create custom roles with all possible restrictions. Let’s take an example of requirement like there is a need for a design of purchaser role so that users have access to purchase orders specific to purchasing groups. Purchasing group specific access is a typical ask from our customers to have clear responsibilities among them.
This blogpost is an attempt to explain possible configuration steps that are required to restrict a purchaser to access purchase orders based on purchasing group criteria . However, it is also very strongly recommended that the business roles are developed and tested in the Quality system first and then transport to the Production system.
It is also possible to create a custom role by copying standard role template “ SAP_BR_PURCHASER ” delivered in the system. For initial testing purpose, try not to assign many business catalog to user. This is very important to decide on system level authorization restrictions.
*** See also the steps from KBA 2598733 - Maintain Restrictions in Business Role for information on how to handle the other fields as the system can interpret blank fields as "No Access"
As mentioned above, you can imagine business scenario of designing a custom role of a purchaser who should have access to only specific purchasing group ( in this example purchasing group - 003 ) . In reality, system will have many purchase orders created for other purchasing groups as well but those should not be made accessible to the custom role that is going to be created. Same steps can also be used to build a custom role with other authorization restrictions( Authorization Groups for Changes to Supplier Accounts, Company Code, Purchasing Group, Purchase Requisition Release Code and Plant ) in purchaser role in SAP S/4HANA Cloud Essentials
You can follow the steps as outlined as below
- Create a custom role by copying standard template “ SAP_BR_PURCHASER ” and give a name as per business guidelines
- Adjust catalog assignments as per business requirement . Make sure “ SAP_MM_BC_PO_PROCESS_PC ” is assigned to custom role along with another dependent catalog . This is required to build restrictions for purchase order object .
- Maintain restrictions for example purchasing group “003”Please note that you have 3 sections and all of them can have status “Restricted”. so you can maintain restrictions as per the business requirement in each view
- "Write, Read, Value Help"
- " Read, Value Help"
- " Value Help"
- Assign the custom role to test user “ TESTUSER1”
- Log in as an end user “ TESTUSER1” .Check for number of purchase order documents in Fiori app “Manage purchase order ” by filtering on purchasing group (003)
- You can observe that the total number of purchase order documents are more than previous step as there are documents created for other purchasing groups as well
Hope this information is useful. Feel free to post your queries here
For more information on SAP S/4HANA Cloud, check out the following links: