Introduction

A Quick Review of Restrictions

Authorization Hierarchy and Restrictions

Access Restrictions with Three Apps

Maintain User Roles App

IAM Information System App

Display Restriction Types App

Maintain Restrictions

An Example of Using Restrictions

Business Scenario

Understand Restrictions in a Business User Role

Display Restriction Types App

Mass Change Restriction Values

Conclusion

In my previous blog about Spaces and Pages, I discussed how to use business catalogs and business user roles to control the Fiori app access in the SAP S/4HANA Cloud, public edition. In the real world, this is not enough.  For the data security purpose, we want to control data access.  For example, an accountant in a large global organization is limited to only see one country’s data but no other countries, although accountants in country A and B both hold the job title “Accountant”.  I am going to discuss using restrictions to enhance user authorizations in this blog.

Authorization Hierarchy and Restrictions

When an end user accessing an enterprise resource planning (ERP) system, he/she passes two check points: authentication and authorizations. Authentication checks the user’s existence in the system and let him/her get onto the system or gaining an access to the system after verifying the password.  This check is done through Identity Authentication Service (IAS) as I discussed in details in my blog about User Management.

Authorization does a different job.  It checks which Fiori applications (apps) the user can see and/or use based on his/her business user roles. Authentication and authorization work in tandem in any real-world systems.

Within SAP S/4HANA Cloud, public edition, a user authorization is achieved through a 5-layer control:

• Users – are assigned with business roles.
  • Business Roles – are composed of business catalogs and restrictions. They are associated with Spaces.
    • Business Catalogs – control Fiori App access. They are associated with Pages.
    • Restriction Types – control customer data access within the Fiori Apps and bundle multiple restriction fields together.
      • Restriction Fields – are filled with authorization values.
        • Authorization Values

According to SAP Help document: “Depending on the business catalogs contained in a business role, certain restriction types are available. A restriction type is an authorization entity that bundles the available restriction fields into a logical definition, for example, company code. These restriction fields can be used to restrict the access to a specific business object, such as an organizational area. This means, the business catalogs contained in a business role define what a business user has access to. This access can be refined even more by restricting the access category for the fields and objects a user has access to. An access category defines what kind of access is granted to a user assigned to a business role, for example, read, write, or value help access. These access restrictions can be adapted in the business role in the Maintain Business Roles app.”

Let’s digest above paragraph in layman’s terms.

All business users are assigned 1 to many business user roles, such as SAP_BR_CASH_MANAGER, SAP_BR_CASH_SPECIALIST, etc. Spaces within Fiori Launch Pad is based on the business user roles.

You can view a business user role as an umbrella, and it is composed of 1 to many business catalogs. A business catalog grants a user to do certain things in the system.  For example, we have one business catalog Master Data – Business Partner Display (Business Catalog ID: SAP_CMD_BC_BP_DISP_PC), it enables users to view business partner master data.

A user’s access to Fiori Apps is based on the business catalogs.  Pages are organized by business catalogs.

As I said before, even with the same job title (aka business role), two different business users might have the same Spaces, Pages, and Fiori Apps on their Fiori Launch Pad, they access different data depending on certain criteria, e.g., countries.  This is implemented by Restrictions.

With the right restrictions, we can create similar business roles but dedicated to relevant causes.  For example, we make two business roles for cash managers, one for Germany called YU_CASH_MANAGER_DE, and another one for US called YU_CASH_MANAGER_DE.  The only difference is the country each covers. We will explain it further soon in our example section.

When we talk about restrictions, there are three concepts: Restriction Types, Restriction Fields and Authorization Values.  Authorization Values are assigned to the Restriction Fields.  Restriction Fields are organized into Restriction Types.  In the below figure, we have a restriction type Bank Account Management FCLM_BAM, with four restriction fields: Bank Account Type ID, Company Code, Profit Center and Segment for Segmental Reporting. We can use the pencil icon to add/edit Authorization Values to these Restriction Fields.

Restrictions and Values of Restriction Type: Bank Account Management

One important thing to understand is that Restriction Type and Business Catalog work together, below the Business User Role layer. One Restriction Type can play the access control role in multiple Business Catalogs, thus the Business User Roles.  Simultaneously, one business catalogs can be associated with multiple Restriction Types.

This authorization hierarchy concept can also be illustrated in the below figure.

• A user can have multiple business user roles.
  • Biz Role 1 and Biz Role 2
• Within a business role, business catalogs and restriction types work in tandem.
  • Biz Catalog 1, Restriction Type A, Restriction Type B and Biz Catalog 2 within Biz Role 1.
• How many available restriction types are determined by business catalogs but used in the business roles.
  • Restriction Types A and B in Biz Role 1, and B and C in Biz Role 2.
• Even with the same restriction type, different restriction fields can be used/filled in different business roles.
  • Biz Role 1 uses Restriction Fields B1 and B2, while Biz Role 2 uses Restriction Field B2

Authorization Hierarchy Concept with SAP S/4HANA Cloud, public edition

Access Restrictions with Three Apps

There are mainly three apps accessing restrictions, Maintain User Roles app, IAM Information System app, and Display Restriction Types app.

Maintain User Roles App

Here are the steps to access restrictions using Maintain User Roles App:

• Launch Fiori App Maintain User Roles
• Select one of the business roles you are interested and open it (arrow toward right)
• The Restrictions related menus are at the top of the screen (below figure).
  • When the role is in Display mode, you have the following menus within the Red Rectangle:
    • Edit – enters into Editing mode
    • Display Changes After Upgrade
    • Display Restrictions
    • Display Restrictions (Deprecated) – will be removed at next major upgrade.
    • Display Changes – a change log
  • After you hit the Edit button, you have the following menus within the Green Rectangle:
    • Manage Changes After Upgrade
    • Maintain Restrictions – this is our primary tool!
    • Maintain Restrictions (Deprecated) – will be removed at next major upgrade.

Maintain Business Roles App

In this blog, we use the Edit mode in most discussions unless indicated.

When we maintain a business role, there is a section called Access Categories under General Role Details tab (see above figure).  Let me explain it here as they are important to our restriction discussion.

There are three Access Categories

• Write, Read, Value Help
• Read, Value Help
• Value Help

If I align these categories on the right instead of left on a paper, you immediately see the relationship among them:

Write, Read, Value Help

Read, Value Help

Value Help

• Write, Read, Value Help supersedes all others. You basically have Write, Read and Value Help controls on all Restriction Fields.
• Read, Value Help can only have Read and Value Help controls on all Restriction Fields, but not Write.
• Value Help only have the Value Help controls on all Restriction Fields.

Value Help is a list of pre-defined values for you to select from. It is similar as a dropdown list in Excel application.

For each category, you have three possible access controls:

• Unrestricted
• Restricted
• No Access

In the Restriction discussion, we most times select Restricted to assign relevant authorization value(s) to Restriction Fields.

IAM Information System App

The IAM Information System App is a central repository providing a complete overview of how applications, business catalogs, restrictions, business roles and business users are assigned to each other.

For example, when selecting Restriction in Main Entity, and enter Bank Country/Region Key as Restriction Field, we can see all the business roles used this restriction, and their Access Category.

Take business role YU_CASH_MANAGER_DE as an example (see below figure), we can learn the following:

• No Leading Restriction is turned on (in comparison, Business Role YU_CASH_MANAGER_US) has Leading Restriction turned on)
• Value Help is Unrestricted
• Restriction Type General has Write and Read with restriction value of “DE”
• Restriction Type Internal Banks for Cash Management has no value for Read, but value of “HK” (Hong Kong) for Write.

Explore Restrictions in IAM Information System App

Display Restriction Types App

I will discuss this access method in a real-world example shortly.

After you select a business role, hit Edit button, you can further hit Maintain Restrictions button (see below figure).  Let’s use Cash Manager YU_BR_CASH_MANAGER as an example.

Maintain Restrictions window is divided into two panels, left and right. At the top left corner, it has a summary of Access Categories. If you want to make changes to Access Categories, you need to expand the middle section Access Categories.  All the Restrictions can be accessed by expanding the Assigned Restriction Types.

Maintain Restrictions Window

The right panel contains all the details of each Restriction Type.  For example, if you select the Restriction Type Company Code/ Memory Record Type F_CLM_MR, three tabs show up:

• Values – assign authorization value(s) to the Restriction Field(s).
• Description – gives an explanation to the Restriction Type, including its purpose, and sometimes, the explanations of these restriction fields.
• Business Catalogs – lists business catalog(s) this Restriction Type is relevant to.

Restriction Fields in Restriction Type Company Code/ Memory Record Type F_CLM_MR

Restriction Types that contain general organizational Restriction Fields are grouped together into a section called General (see below).  For that reason, there are many Restriction Fields here in comparison with individual Restriction Type(s).

The General Section of Restrictions

To assign or change the values of Restriction Fields, just hit the pencil icon, and you can select relevant values there.  In this example (see below figure), we can select Account Type value (A, D or K) to fill in the restriction field.

Select Value(s) for Restriction Field Account Type

Business Scenario

Now let’s put this restriction into use. In an international enterprise, we have operations in three countries, US, Germany, and Singapore. Each country subsidiary has a Cash Manager.  The Headquarters has a Cash Manager as well.  One of the responsibilities of Cash Managers is to setup local bank information in the system. To do that, all of them are given access to Fiori App Manage Banks – Cash Management. However, except the HQ Cash Manager, each country Cash Manager can only access (read and write) local banks in their relevant country.

Below figure is a list of all banks accessible by the HQ Cash Manager, including banks in four countries: Germany, Hong Kong, Singapore, and USA.

Full List of Banks in Four Countries

Understand Restrictions in a Business User Role

To access Fiori App Manage Banks – Cash Management, SAP Fiori Apps Reference Library tells us we need either SAP_BR_CASH_MANAGER or SAP_BR_CASH_SPECLIAST Business Roles.  Only one Business Catalog is responsible for it:

• SAP_FIN_BC_CM_BNK_PC, Cash Management – Banks Management

As an exploration, I create a new business role YU_BR_CASH_MANAGER_ALL for the HQ Cash Manager, copying from an SAP Standard Business Role Template SAP_BR_CASH_MANAGER, including predefined Spaces.

Create a Business Role YU_BR_CASH_MANAGER_ALL

Inside this business role, I make Access Category of Write to Unrestricted.

While browsing all available 14 Business Catalogs, there is only one SAP_FIN_BC_CM_BNK_PC controls Manage Banks – Cash Management App according to SAP Fiori Apps Reference Library.  For the simplicity of discussion, I remove all other business catalogs except SAP_FIN_BC_CM_BNK_PC.

All 14 Business Catalogs from SAP Template SAP_BR_CASH_MANAGER

After assigning this business role to a user, the user Fiori Launch Pad (FLP) looks like the below figure (for simplicity purpose, I only assign only one business role to this user).

Fiori Launch Pad (FLP) for A Single Role (Cash Manager) User

If we want to further simplify this user role in displaying only needed Fiori Apps, we can remove the Fiori App Display House Banks as well. This is explained in details in my Spaces and Pages blog.

After this exploration, we got familiar with the SAP business role SAP_BR_CASH_MANAGER.  Now we can create three new Cash Manager business roles, each with a restriction to its home country. I only explain in details the one to US based Cash Manager, YU_BR_CASH_MANAGER_US. Others are all similar.

When I get to Maintain Restrictions, I change the Write, Read, Value Help Access Category to Restricted.

1. Highlight the General in the section Assigned Restriction Types.
2. Two Restriction Fields are shown in the section Restrictions and Values: Bank Country/Region Key and Company Code.
3. By clicking on the pencil icon in the Bank Country/Region Key, a restriction edit window shows up on the right in the section Restrictions for Bank Country/Region Key.

Edit Values in a Restriction Field

Select Value of “US” and Save.

If there are multiple restriction values and you want Add/Remove them, click on Ranges tab. For example, I have both HK and DE added for the business role YU_CASH_MANAGER_DE.

Add/Remove Multiple Restriction Values

After this business role is assigned to a user, he can only see US based banks.

A User Can Only See US Based Banks with a Business Role YU_CASH_MANAGER_US

One thing we need to pay attention to is the overwriting of the restriction.  A user is commonly assigned multiple business user roles. If the restriction Bank Country/Region Key appears in other business role(s), and it is Unrestricted, then the restriction Bank Country/Region Key in the business role YU_BR_CASH_MANAGER_US is overwritten.  It becomes no restriction at all.  For example, if a user is assigned both business roles YU_BR_CASH_MANAGER_US and YU_BR_CASH_MANAGER_ALL (all Access Categories are Unrestricted), then no restriction is in effect at all.

If you want to apply this country restriction to all business catalogs this user has, you can tick the Leading Restriction in the Maintain Business Roles App.

Apply Restriction to All Business Catalogs by Switching on Leading Restriction

After a Leading Restriction is turned on, you can see the value in this field is automatically inherited to other restriction types the field is used in as well.  This can be checked in Restriction Overview (clicking Display Restriction Overview in Maintain Business Roles App). An organization hierarchy icon signals the Restriction Type is a Leading Restriction.  This affects the restriction type in Internal Banks for Cash Management F_CLM_IBNK.

The Effect of Leading Restriction Switch to Other Restriction Types

Display Restriction Types App

To thoroughly investigate if the Restriction Type Bank Country/Region Key has been assigned elsewhere, we use the Fiori App Display Restriction Types. By searching the Restriction Type Bank Country/Region Key, with corresponding Restriction Type ID BBANKS, we can find out all 52 Business Catalogs using this Restriction Type.

Business Catalogs Use the Restriction Type Bank Country/Region Key

When we open the Business Catalog SAP_CA_BC_BNK_PC Bank – Maintenance, we can see the Restriction Type Bank Country/Region Key is used there.

Restriction Field Bank Country/Region Key is used in the Business Catalog SAP_CA_BC_BNK_PC Bank – Maintenance

Mass Change Restriction Values

From Release 2302, we have a new function called Mass Change within the Maintain Business Roles Fiori App. After selecting 1 or more Business Roles, the Mass Change button is highlighted.

Mass Change within the Maintain Business Roles Fiori App

We can use the Mass Change Wizard to maintain Restriction Types of multiple business roles. For example, after selecting two business roles: YU_CASH_MANAGER_US and YU_CASH_MANAGER_DE, then hit the Mass Change, we can select Restrictions as an Attribute.

Use Mass Change to Define Restrictions

Then we can select Access Category and Restriction Change.

Restriction Changes in Mass Change Wizard

Restriction Change can be divided into three groups:

• General Restriction Values
  • Change – add new values to existing (if any) General Restriction Field(s)
  • Replace – replace existing value(s) with a new value(s) in the General Restriction Field(s)
  • Remove – remove existing value(s) in General Restriction Field(s)
• Restrictions
  • Add – add a restriction listed with the business role but is not being used.
  • Remove – remove a restriction being used
• Restriction Values
  • Change – add new values to existing (if any) individual Restriction Field(s)
  • Replace – replace existing value(s) with a new value(s) in the individual Restriction Field(s)
  • Remove – remove existing value(s) in individual Restriction Field(s)

Let’s take an example here. We want to “Change General Restriction Values” in Restriction Field Bank Country/Region Key. We select “Change General Restriction Values” in Step 1. Select Attributes.

Step 1. Select Attributes in Mass Change Wizard

After hitting Next Step button, Step 1. Select Attributes in Mass Change Wizard, we select Bank Country/Region Key in General Restriction Values and enter AG using the pencil icon.

Step 2. Change Attributes in Mass Change Wizard

After hitting Review button, we enter Step 3. Confirm Changes in Mass Change Wizard. Hit the Submit button if everything looks fine.  This change will affect two business roles YU_CASH_MANAGER_DE and YU_CASH_MANAGER_US.

Step 3. Confirm Changes in Mass Change Wizard

Now let’s check the impact of above Mass Change. After opening the Display Restrictions menu of business role YU_CASH_MANAGER_DE, we can see AG is part of Restriction Values on top of existing AI, DE and HK.

Change (Add) Restriction Values via Mass Change Wizard

As part of authorizations within SAP S/4HANA Cloud, public edition, we use restrictions to enhance access control within user business roles. With the proper design and implementation process, we can grant different data access based on certain criteria to those users with the same persona, like cash managers. This provides both the restrictions and flexibilities to an ERP system running in a complicated environment.