Appendix: Maintaining Job Users and their Authorizations

After exploring the subjects of template creation, job management, and monitoring jobs, Adam’s interest extends to the fundamental principles of the authorization concept, particularly within the Application Jobs apps.

Carl therefore explains that in SAP S/4HANA Cloud Public Edition, user access to objects and data is managed via a multi-layered process. Let us walk through this to understand how they work together to control user access.

If we look at the big picture, at the beginning there are the Business Users. They are assigned specific Business Roles, which include Business Catalogs and Restriction Types. While Business Catalogs control access to apps, Restriction Types manage access to customer data within apps and group multiple restriction fields. At the end are Restriction Fields, populated with permission values.

The Business Catalogs within a Business Role dictate the available restriction types. A restriction type is a unit that groups available restriction fields into a logical definition, such as a company code. These restriction fields can be employed to limit access to a specific business object, like an organizational area. Thus, the Business Catalogs within a Business Role outline what a Business User can access. This access can be further refined by limiting the access category for the fields and objects a user can access. An access category specifies the type of access granted to a user assigned to a Business Role, such as read, write, or value help access. These access restrictions can be modified in the Business Role using the Maintain Business Roles app.

Understanding the interplay between Restriction Types and Business Catalogs under the users Business Role layer is vital. A single Restriction Type can govern access across various Business Catalogs, thereby influencing the users Business Roles. At the same time, a single Business Catalog can be associated with numerous Restriction Types.

When managing a business role, the Access Categories section plays an important role in determining access restrictions.

This section comprises three categories:

Write, Read, Value Help: Supersedes all others, providing Write, Read and Value Help controls on all Restriction Fields.

Read, Value Help: Only has Read and Value Help controls on all Restriction Fields but lacks Write control.

Value Help: Only provides the Value Help controls on all Restriction Field and is essentially a list of pre-defined values for selection.

Each category offers three possible access options:

• Unrestricted
• Restricted
• No Access

In most restrictions considerations, the Restricted option is typically chosen to assign the appropriate permission values to the restriction fields.

The Maintain Restrictions window is split into two sections, left and right. The top left corner provides a summary of Access Categories. If you wish to modify Access Categories, you'll need to expand the Access Categories section in the middle. All the Restrictions can be accessed by expanding the Assigned Restriction Types.

The panel on the right displays all the details of each Restriction Type:

Values: Assign authorization values to the Restriction Fields.

Description: Provides an explanation of the Restriction Type, including its purpose, and sometimes, the explanations of these restriction fields.

Business Catalogs: Lists business catalogs this Restriction Type is relevant to.

Restriction Types that contain general organizational Restriction Fields are grouped together into a section called General. As a result, there are many more Restriction Fields than individual Restriction Types.

It is important to be aware of the potential to override restrictions. Consider a scenario where we have two business roles, AdminRole_1 and AdminRole_2. A user may often be assigned multiple business roles. If a certain restriction "A", is present in both roles, but it is applied differently in each - for instance, it’s enforced in AdminRole_1 but not in AdminRole_2 - then the restriction "A" from AdminRole_1 will be overridden for that user. This results in the restriction being lifted entirely.

If the desire is for this restriction to be applied to all business catalogs that this user possesses, the Leading Restriction flag in the Maintain Business Roles app can be selected.

One of the major aspects of administrative work is to provide the correct authorization to business users. This is a crucial point to consider in order to enable business users to access the general Application Jobs app. As a consultant, you should be able to provide detailed instructions on how to execute this task.

Creating a new Business Role is a process that involves choosing the appropriate Business Catalogs. These roles are crucial in managing access to your applications. When you create a Business Role, you are essentially integrating one or more Business Catalogs. These ready-made catalogs contain the permissions that allow users to use apps and, if needed, set up instance-specific restrictions. Each business catalog brings together authorizations for a specific business area. Once a Business Role is created, it can be assigned to multiple Business Users who perform similar business activities.

As administrative personnel, it is essential to catalog all requisite actions to provide an overarching view. This enhances the transparency of the entire process for non-administrative business users.

To use the Application Job Templates app, create a business role and assign the SAP_CORE_BC_APJ_TPL catalog to it. This allows access to templates with Write, Read, or No Access permissions. While your own and SAP-provided templates are accessible at all times, other users' private templates do not appear in the Application Jobs app, but can be viewed in the Application Job Templates app.

To change access to the Application Jobs app, create a business role with the SAP_CORE_BC_APJ_JCE catalog. This allows you to modify restriction types and provide necessary permissions, for example, for actions on other users' jobs.

You can also create a display-only role using this restriction type. Define your business role with the Application Job Catalog Entry and Application Job Part fields. If the job owner and the user require different users, the owner must have the Create application jobs for other users permission.

There is a specific restriction type known as Create Application Jobs for Other Users This restriction type is used to grant a business user the ability to schedule an application job on behalf of another user. In this scenario:

• One user (the initiating user) is responsible for setting up and starting the job.
• While the job is running, the authorizations of the other user (the target user) apply.
• The initiating user must have the necessary permissions to start the job. This approach removes the need to grant the start authorization to the target user.

Additionally, an administrative user can utilize this restriction type to specify which jobs a business user is permitted to schedule on behalf of other users.

In simpler terms, this restriction type allows a user to schedule and start a job for another user, while the job runs with the second user's permissions. The initiating user needs appropriate rights to start the job, and administrators can control which jobs can be scheduled in this manner.

Actions on other users' jobs could involve deleting a future job, aborting a running job, restarting a job, or viewing a job log, result list, or details. These authorizations are provided through restriction types in suitable business roles.

This type of restriction allows to populate the Application Job Catalog Entry and Application Job Part fields when the Restricted mode is activated. The Application Job Catalog Entry field holds the title of a specific application job catalog entry. The Application Job Part field, on the other hand, contains a segment of an application job. This could be the entire job (JOB), the result list of an application job (SPOOL), or the log of an application job (APPLOG).

This restriction type allows an administrative user to assign permissions to users, enabling them to perform specific actions on other users' application jobs that are derived from a particular job catalog entry.

For this he mentions four examples:

To permit a user to view jobs of other users, including job details, select Restricted in the Read section. Then, choose the appropriate Application Job Catalog Entry and then JOB as the value for the Application Job Part.

To allow a user to view the result lists of other users' jobs, select Restricted in the Read section. Then, choose the appropriate Application Job Catalog Entry and both JOB and SPOOL as the Application Job Part.

To authorize a user to delete or cancel other users' jobs, in the Write section, select Restricted. Then, choose the appropriate Application Job Catalog Entry and JOB as the Application Job Part.

To provide a user with full display authorization for all application jobs without any change authorization, in the Write section, select No access. In the Read section, select Unrestricted.

Note that the application jobs a user can view depend on the configuration and permissions set within the job scheduling tile. The SAP_CORE_BC_APJ_JCE business catalog contains the general Application Jobs tile, showing all catalogs. However, many business applications have their own restricted job scheduling tile, which is limited to one or a few job catalog entries. If a user operates with such a tile, its restrictions apply in all cases - in addition to any restrictions from examples provided.