Showing results for 
Search instead for 
Did you mean: 

Is it possible to restrict which Business Role is assignable to a Business User?


Hello Dear SAP,


With the administrator role I can assign business roles to the business users. For all business users to all business roles.

I would like to create a subadmin business role. For example a Purchaser Administrator. The Purchaser administrator can only assign the business roles that are related to purchasing. Is that even possible? How would I handle this?

I decided to restrict a copied version of the administrator role to achiev this. I restricted the businessroles with a assigned bussines group. Therefore in the value help it should only display the purchase business roles(according to the bussines group). But the restriction simply doesnt work! it doesnt has any effect of restriction. This seems like a software bug to me.


Kind regards.

Learn more about the SAP Support user and program here.
View Entire Topic

Dear customer,

the feature you're asking for is available. Sub-admins can be created. Mostly for that, the concept of Role Groups and User Groups has been introduced. 3 restriction types have been introduced together with the two grouping possibilities:
Business Role (S_BRL)
Business User (CLASS)
Business Role User Assignment (S_BRL_ASG)

How to:
1) Make up your mind on how you want to group business users and/or business roles. Hint: as one role/user can only be assigned to one group, the groups should be rather small.
Examples: create rather "Controlling France" than only "France" or only "Controlling"  and then also "Sales France" and "Controlling Spain" etc.
On the restriction side you can assign multiple groups to sub admins. Looking at the previous example you could define an admin responsible for all Controlling related groups or one responsible for France etc.
You can group either roles or users or both.
2) Create Role Groups and assign all Business Roles belonging to the group to them.
3) Create User Groups and assign all Business Users belonging to the group to them.
4) Create sub admin Business Roles as needed by combining the IAM related business catalogs that are in scope.
5) Maintain the three restriction types as needed:
Business Role (S_BRL) => add all business role groups that shall be accessible/maintainable
Business User (CLASS) => add all business user groups that shall be accessible/maintainable
Business Role User Assignment (S_BRL_ASG) => with that you can restrict role assignments to allow a sub admin to only assign business roles from the mentioned group to users from the other mentioned group.

I hope this helps.

Best regards,

Christian Hochwarth