Showing results for 
Search instead for 
Did you mean: 

Is it possible to restrict which Business Role is assignable to a Business User?


Hello Dear SAP,


With the administrator role I can assign business roles to the business users. For all business users to all business roles.

I would like to create a subadmin business role. For example a Purchaser Administrator. The Purchaser administrator can only assign the business roles that are related to purchasing. Is that even possible? How would I handle this?

I decided to restrict a copied version of the administrator role to achiev this. I restricted the businessroles with a assigned bussines group. Therefore in the value help it should only display the purchase business roles(according to the bussines group). But the restriction simply doesnt work! it doesnt has any effect of restriction. This seems like a software bug to me.


Kind regards.

Learn more about the SAP Support user and program here.

Accepted Solutions (1)

Accepted Solutions (1)


Dear Customer, 


Unfortunately, it's not possible to restrict which Business Roles an user is authorized to assign to others. 

If the user has authorization to assign Business Users to Business Roles, he will be able to assign all the Business Roles available... 


However, I have tried to find any alternative to provide to you and there's a functionality that might be something similar.

This functionality is the Maintain Business User Groups and Maintain Businsess Role Groups.

With Maintain Business User Groups app you can create business user groups and assign multiple business users to them. This helps you to organize your area and easily search for all business users of a certain category (for example to assign them to business roles). Grouping also facilitates maintenance of authorizations. If you are the super administrator for all areas, you can delegate this task to administrators for the relevant areas, such as Financials. In this case, you would create a business user group for Financials.

With Maintain Business Roles Groups app you can create business role groups and assign multiple business roles to them. This helps you to organize your area and easily search for all business roles of a certain category (for example to assign business users to them). Grouping also facilitates maintenance of authorizations. If you are the super administrator for all areas, you can delegate this task to administrators for the relevant areas, such as Financials. In this case, you would create a business role group for Financials and allow to assign these business roles only to particular user groups. 


For more information, you can check the following documentations:

SAP Blog Post | How to use the Maintain Business User Groups functionality

SAP Blog Post | How to use the Maintain Business Role Groups functionality


Kind regards.

0 Kudos
Thanks a lot for this great research!

Answers (1)

Answers (1)

Dear customer,

the feature you're asking for is available. Sub-admins can be created. Mostly for that, the concept of Role Groups and User Groups has been introduced. 3 restriction types have been introduced together with the two grouping possibilities:
Business Role (S_BRL)
Business User (CLASS)
Business Role User Assignment (S_BRL_ASG)

How to:
1) Make up your mind on how you want to group business users and/or business roles. Hint: as one role/user can only be assigned to one group, the groups should be rather small.
Examples: create rather "Controlling France" than only "France" or only "Controlling"  and then also "Sales France" and "Controlling Spain" etc.
On the restriction side you can assign multiple groups to sub admins. Looking at the previous example you could define an admin responsible for all Controlling related groups or one responsible for France etc.
You can group either roles or users or both.
2) Create Role Groups and assign all Business Roles belonging to the group to them.
3) Create User Groups and assign all Business Users belonging to the group to them.
4) Create sub admin Business Roles as needed by combining the IAM related business catalogs that are in scope.
5) Maintain the three restriction types as needed:
Business Role (S_BRL) => add all business role groups that shall be accessible/maintainable
Business User (CLASS) => add all business user groups that shall be accessible/maintainable
Business Role User Assignment (S_BRL_ASG) => with that you can restrict role assignments to allow a sub admin to only assign business roles from the mentioned group to users from the other mentioned group.

I hope this helps.

Best regards,

Christian Hochwarth