Symptom
The system administrator has created a custom role in which users are restricted to one or more Purchasing Organisations.
When users with this business role run the Manage Purchase Orders app, they can also see Purchase Orders belonging to other Purchasing Organisations, which is not expected.
Environment
SAP S/4Hana Cloud Public Edition
Reproducing the Issue
- Assign role restricted to Purchase Organisation '1111' to a business user.
- Business user runs the Manage Purchase Orders APP.
- The list of Purchase Orders displayed is not limited to POrg '1111'; it also includes POs belonging to other Purchasing Organisations.
Cause
Consider that authorisation access is cumulative.
There may be a restriction to Purchase Org '1111' in one role, but other roles assigned to the user may provide display access to purchase orders with no Purchase Org restriction at all. If display authorisation is provided by any role assigned to the user, it applies and overrides the restriction in any other role. Consider also that other applications may provide display access to purchase orders: any app from which it is possible to navigate to a purchase order requires, and therefore grants, display access to purchase orders.
Resolution
- Create a single custom role with a catalog providing access to manage purchase orders (SAP_MM_BC_PO_MANAGE_PC)
- Unrestrict all fields of the role as described in KBA 2598733
- Then restrict the Purchase Org field in the custom role, for both read and write access, to your Purchase Org.
- Assign this single role to a test user having no other roles.
- User then runs the APP Manage Purchase Orders.
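To see why the restriction in one role does not take effect, the following is an added Python model (not SAP code and not part of this KBA) of the cumulative evaluation described under Cause: the display authorisation of every assigned role is unioned, and an unrestricted Purchase Org field in any one role widens the result to all purchase orders. It also reproduces the check in the Resolution steps, a test user holding only the single restricted role, and reports which roles widen access beyond the intended Purchase Org. Role names, purchase order numbers and the `purchasing_orgs` field are constructed for the example; only the catalog name SAP_MM_BC_PO_MANAGE_PC is taken from the KBA.

```python
"""Model of cumulative (union) authorisation across SAP business roles.

Added illustration, not SAP code. Role names, the purchasing_orgs
restriction field and the purchase order sample data are constructed;
the only identifier taken from the KBA is the catalog SAP_MM_BC_PO_MANAGE_PC.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# A restriction field with no value means "unrestricted": every value is allowed.
UNRESTRICTED = None


@dataclass(frozen=True)
class Role:
    name: str
    catalog: str
    grants_po_display: bool
    # Allowed Purchasing Organisations for PO display; None = unrestricted.
    purchasing_orgs: Optional[FrozenSet[str]] = UNRESTRICTED


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    purchasing_org: str


def effective_po_orgs(roles: Iterable[Role]) -> Optional[FrozenSet[str]]:
    """Union of what each role allows.

    Access is cumulative: one role that grants PO display with no Purchase Org
    restriction widens the effective result to all organisations, regardless
    of how tightly any other role is restricted.
    """
    allowed = set()
    for role in roles:
        if not role.grants_po_display:
            continue
        if role.purchasing_orgs is UNRESTRICTED:
            return UNRESTRICTED
        allowed |= role.purchasing_orgs
    return frozenset(allowed)


def visible_orders(roles: Iterable[Role],
                   orders: Iterable[PurchaseOrder]) -> List[PurchaseOrder]:
    """Purchase orders the Manage Purchase Orders app would list for these roles."""
    allowed = effective_po_orgs(roles)
    if allowed is UNRESTRICTED:
        return list(orders)
    return [po for po in orders if po.purchasing_org in allowed]


def widening_roles(roles: Iterable[Role], intended_orgs: FrozenSet[str]) -> List[str]:
    """Names of roles that let the user see POs outside the intended Purchase Orgs.

    This is the diagnostic to run when a restricted user still sees foreign POs:
    any role listed here (often from another app that can navigate to a PO)
    is the source of the extra display access.
    """
    return [
        r.name for r in roles
        if r.grants_po_display
        and (r.purchasing_orgs is UNRESTRICTED or not r.purchasing_orgs <= intended_orgs)
    ]


# Constructed sample data (hypothetical role names and PO numbers).
ROLE_1111 = Role("Z_PO_MANAGE_1111", "SAP_MM_BC_PO_MANAGE_PC", True, frozenset({"1111"}))
ROLE_OTHER_APP = Role("Z_OTHER_APP_WITH_PO_NAV", "Z_OTHER_CATALOG", True, UNRESTRICTED)
SAMPLE_ORDERS = [
    PurchaseOrder("4500000001", "1111"),
    PurchaseOrder("4500000002", "2222"),
    PurchaseOrder("4500000003", "1111"),
    PurchaseOrder("4500000004", "3333"),
]

if __name__ == "__main__":
    both = visible_orders([ROLE_1111, ROLE_OTHER_APP], SAMPLE_ORDERS)
    print("restricted role + other app role:", [po.number for po in both])
    print("widening roles:", widening_roles([ROLE_1111, ROLE_OTHER_APP], frozenset({"1111"})))
    single = visible_orders([ROLE_1111], SAMPLE_ORDERS)
    print("single restricted role only:", [po.number for po in single])
```

With both roles assigned the user sees all four POs, and `widening_roles` names the other-app role as the cause; with only the single restricted role, as in the Resolution test, only the POrg '1111' orders remain.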
Keywords
maintain business role, SAP_MM_BC_PO_MANAGE_PC, manage purchase orders, restrictions, M_BEST_EKG, M_BEST_EKO, KBA, MM-FIO-PUR-PO, Fiori UI for Purchase Orders, How To