- SAP Managed Tags:
In this blog, you will know how to control the authorization for Manage Prices - Sales App per different using perspective.
For IAM authorization principle, please see help document: https://help.sap.com/viewer/55a7cb346519450cb9e6d21c1ecd6ec1/latest/en-US/f25f9108740442c3804370f2d8...
In pricing specialist authorization control part, the best practice is create new customize business role based on standard role: SAP_BR_PRICING_SPECIALIST.
The default access category is "Unrestricted" for new created business role which based on standard business role.
Use Maintain Business Roles App, create new customize business role. Such as below, create customize business role based on standard role "SAP_BR_PRICING_SPECIALIST".
Click the new role line, on Maintain Business Roles page, the default authorization showed:
You can click Display Restrictions button for more details.
For user with Read Only authorization, you need set "No Access" in business role for Write access category.
On Maintain Business Roles page, click Edit button. Then click Maintain Restrictions button, under Write, Read, Value Help tab, set the access category as "No Access".
Save the changes for business role and assign this role to a business user.
In Manage Price - Sales App, if you logon as above business user, the Create, Edit and Delete button will not disabled. It means, you still can create/edit/delete draft line, but you could not save the changes as active condition record.
Same error message will be showed if you try to import condition record by excel file.
For many cases, different user will focus on different condition type and sales organization. In this case you can restrict the condition type and sales organization as below.
For Sales Area part, you also need to restrict Distribution Channel and Division, if no restriction needed, please set as "* (Unrestricted)".
Such as, set Condition Type "PPR0" and "PSP0", set Sales Organization as "1010":
In Manage Price - Sales App, only condition type "PPR0" and "PSP0" showed in Condition Type filter. Select all condition types and set Sales Organization as "1010", you will get all condition records with specified sales organization.
If you set another sales organization, such as set Sales Organization as "1710", you will get blank lines for condition records.
If you try to do edit/copy/delete operation, you will be blocked with warning message.
If you give write access to user, the read only restriction will be re-write by write authorization. Based on Scenario 2, change the write access to "Unrestricted", you will get below message:
Save the changes for business role.
In Manage Prices - Sales App, you can do all operations(create, edit, etc) for all condition types and sales organization. Even for restricted condition type under Read Restriction, such as for condition type "PPR0" with sales organization "1710".
You also can display or create condition record for other condition type, such as "SOV2".
If do not set restriction for write access, the user can access all condition types. But in normal case, you need specific condition type and sales area for different user. Such as apply same restriction as Scenario 2.
In this case, you can access condition type "PPR0" and "PSP0" with sales organization "1010", including write and read permission.
In Manage Prices - Sales App, condition records with sales organization "1010" will be showed, blank lines will be showed for other sales organization. You only can do operations for condition records which belongs to sales organization "1010".
1.Why can I still see the condition records for condition type "PPR0" in the Manage Prices - Sales app, even though my pricing specialist business role does not have the read access to this condition type?
IAM Authorization Principle
For IAM authorization principle, please see help document: https://help.sap.com/viewer/55a7cb346519450cb9e6d21c1ecd6ec1/latest/en-US/f25f9108740442c3804370f2d8...
In pricing specialist authorization control part, the best practice is create new customize business role based on standard role: SAP_BR_PRICING_SPECIALIST.
Un-restricted Authorization
The default access category is "Unrestricted" for new created business role which based on standard business role.
Use Maintain Business Roles App, create new customize business role. Such as below, create customize business role based on standard role "SAP_BR_PRICING_SPECIALIST".
Click the new role line, on Maintain Business Roles page, the default authorization showed:
You can click Display Restrictions button for more details.
Scenario 1: Read Only Restriction
For user with Read Only authorization, you need set "No Access" in business role for Write access category.
On Maintain Business Roles page, click Edit button. Then click Maintain Restrictions button, under Write, Read, Value Help tab, set the access category as "No Access".
Save the changes for business role and assign this role to a business user.
In Manage Price - Sales App, if you logon as above business user, the Create, Edit and Delete button will not disabled. It means, you still can create/edit/delete draft line, but you could not save the changes as active condition record.
Same error message will be showed if you try to import condition record by excel file.
Scenario 2: Read Only Restriction for specific Condition Type and Sales Area
For many cases, different user will focus on different condition type and sales organization. In this case you can restrict the condition type and sales organization as below.
For Sales Area part, you also need to restrict Distribution Channel and Division, if no restriction needed, please set as "* (Unrestricted)".
Such as, set Condition Type "PPR0" and "PSP0", set Sales Organization as "1010":
In Manage Price - Sales App, only condition type "PPR0" and "PSP0" showed in Condition Type filter. Select all condition types and set Sales Organization as "1010", you will get all condition records with specified sales organization.
If you set another sales organization, such as set Sales Organization as "1710", you will get blank lines for condition records.
If you try to do edit/copy/delete operation, you will be blocked with warning message.
Scenario 3: Write Access without Restriction
If you give write access to user, the read only restriction will be re-write by write authorization. Based on Scenario 2, change the write access to "Unrestricted", you will get below message:
Save the changes for business role.
In Manage Prices - Sales App, you can do all operations(create, edit, etc) for all condition types and sales organization. Even for restricted condition type under Read Restriction, such as for condition type "PPR0" with sales organization "1710".
You also can display or create condition record for other condition type, such as "SOV2".
Scenario 4: Write Access Restriction for specific Condition Type and Sales Area
If do not set restriction for write access, the user can access all condition types. But in normal case, you need specific condition type and sales area for different user. Such as apply same restriction as Scenario 2.
In this case, you can access condition type "PPR0" and "PSP0" with sales organization "1010", including write and read permission.
In Manage Prices - Sales App, condition records with sales organization "1010" will be showed, blank lines will be showed for other sales organization. You only can do operations for condition records which belongs to sales organization "1010".
Q&A
1.Why can I still see the condition records for condition type "PPR0" in the Manage Prices - Sales app, even though my pricing specialist business role does not have the read access to this condition type?
Answer: your business user may contain other business roles that have the authorization to access this condition type. Check your business user configuration.
4 Comments
