Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
In this blog, we will see how to restrict business users from reading or editing data in Business ByDesign.

There are two ways to configure access restrictions for Business Users.

  1. Creating a Business Role and assigning it to Business Users.

  2. Assigning the Access Restrictions using the Edit Access Rights option in Application and User Management.


Assigning Access Restrictions using Business Role:

1. Go to Application and User Management -> Business Roles.

2. Click New -> Business Role and enter the Business Role ID.

3. In the next tab, Work Center and View Assignments, select the work centers you want to assign to this Business Role.


4. In the next screen, define how access to the work centers will be restricted (here we take the Accounts work center as the example).


5. Set Read Access to Restricted for the work center view BPM_ACCOUNTS. Once Read Access is set to Restricted, the Restriction Rule drop-down below becomes enabled. If no restriction is selected, the user will have unrestricted read and write access to the work center view.

Note: Only views with an Access Context can be restricted. In this case, only the views BPM_ACCOUNTS, BPM_HIGHVOLUMEACCOUNTS, and CRM_ACTIVITIES can be restricted.

6. In the next step, define how access is restricted using the Restriction Rule. For the work center view BPM_ACCOUNTS, there are two restriction rules available:

  • 01 - Restrict to Employee - If you choose this restriction rule, a Business User can see only the Accounts for which they are the Employee Responsible.



  • 99 - Define Specific Restrictions - If you choose restriction rule 99, you need to select the Employees manually. When the Business User logs in to the system, they can see all the Accounts for which the selected Employees are the Employee Responsible.

  • Note: Restriction rule 99 is not recommended if you have a huge amount of data in the system, since it will cause performance issues.

7. Once you have defined the Restriction Rule, click Save and the Business Role will be created. Now activate the Business Role by clicking Action -> Activate. You need to activate the Business Role before you can assign it to users. Follow the steps below to assign the Business Role to users:

  • Go to Application and User Management -> Business User.

  • Select the Business User and then click Edit -> Access Rights.

  • Go to the Business Role Assignment Tab -> Assign the Business Role to the user and then save.

  • Navigate to the Access Restriction tab, where you can see that the Access Restrictions from the Business Role have been copied.

8. Whenever you change the Business Role after assigning it to a user, you need to run the update using Assigned Users -> Update Users. This applies the changes made in the Business Role to the business users.


Assigning Access Restrictions using Manual Assignment:

  1. Go to Application and User Management -> Business User.

  2. Select the Business User and then click Edit -> Access Rights.

  3. Go to the Work Center and View Assignment tab and select the work center you want to assign to the user.

  4. Once you assign the work center, you can see those work centers in the Access Restriction Tab.

  5. In this tab, once you set Read Access to Restricted for a particular work center view, the system lets you choose the Employees under Detailed Restrictions. When the Business User logs in to the system, they can see only the Accounts for which these employees are the Employee Responsible.


Note :

  1. If no Employee Responsible is assigned to an Account, Business Users can see that Account without any restriction. These records are called faceless records; the system cannot determine any restriction for them because no Employee Responsible is maintained for the Account.

  2. The Access Restriction Rules vary based on the Access Context defined for the work center view. For example, for Suppliers the access context is based on Company. In that case, users can see only the Payment Data of the Company for which access was granted.

  3. The work center PDI_PARTNER_DEVELOPMENT gives unrestricted access for all the views assigned to the user. Hence, the access restriction won't work for that user.
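The visibility rules and the three notes above can be checked against a list of users and accounts. The following is an added example, not SAP code and not part of the original post: a simplified model of the behaviour described here, with constructed sample data, hypothetical field names, and a placeholder work-center label `ACCOUNTS_WC`.

```python
from dataclasses import dataclass, field
from typing import Optional

BYPASS_WC = "PDI_PARTNER_DEVELOPMENT"  # note 3: restrictions do not apply

@dataclass
class User:
    user_id: str
    employee_id: str
    work_centers: set
    rule: Optional[str] = None  # "01", "99", or None = read access unrestricted
    selected: set = field(default_factory=set)  # employees picked under rule 99

def visible_accounts(user, accounts):
    """accounts maps account id -> Employee Responsible (None = faceless record)."""
    if user.rule is None or BYPASS_WC in user.work_centers:
        return set(accounts)
    allowed = {user.employee_id} if user.rule == "01" else set(user.selected)
    # Note 1: accounts without an Employee Responsible are shown to everyone.
    return {a for a, resp in accounts.items() if resp is None or resp in allowed}

def audit(users, accounts):
    """Flag faceless accounts, bypassed restrictions and unrestricted users."""
    findings = []
    faceless = sorted(a for a, resp in accounts.items() if resp is None)
    if faceless:
        findings.append(("FACELESS_RECORDS", faceless))
    for u in users:
        if u.rule is not None and BYPASS_WC in u.work_centers:
            findings.append(("RESTRICTION_BYPASSED", u.user_id))
        elif u.rule is None:
            findings.append(("UNRESTRICTED_READ", u.user_id))
    return findings

# Constructed sample data; "ACCOUNTS_WC" is a placeholder work-center label.
ACCOUNTS = {"ACC-1": "E100", "ACC-2": "E200", "ACC-3": None, "ACC-4": "E300"}
USERS = [
    User("ALICE", "E100", {"ACCOUNTS_WC"}, "01"),
    User("BOB", "E200", {"ACCOUNTS_WC"}, "99", {"E200", "E300"}),
    User("CAROL", "E300", {"ACCOUNTS_WC", BYPASS_WC}, "01"),
    User("DAVE", "E400", {"ACCOUNTS_WC"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.user_id, sorted(visible_accounts(u, ACCOUNTS)))
    for finding in audit(USERS, ACCOUNTS):
        print(finding)
```

Each finding corresponds to a cleanup action described in the post: maintain an Employee Responsible on faceless accounts, remove PDI_PARTNER_DEVELOPMENT from users who are meant to be restricted, and set Read Access to Restricted where it was left open.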
