As noted, SAP_ALL supersede all authorization restrictions so as long as your manager has it there is no point trying to limit what he can see and approve.
You can create a security role for him in transaction PFCG and restrict his access via the Purchasing set of authorization objects (MM_E). Plant is one of the objects you can restrict his access to (M_BANF_WRK).
Considering he currently has SAP_ALL, if he does other things in SAP, you may have to build out other roles to maintain his access when you take away SAP_ALL.