Creating and Customizing Business Roles

Objective

After completing this lesson, you will be able to create a business role from a template

Create a Business Role from a Template

A business user is any individual, such as an employee, contractor, or administrator, who needs access to SAP S/4HANA Cloud.

Users are assigned one or more business roles. These roles contain the business catalogs required to perform specific job tasks. Catalogs grant access to data and applications, including SAP Fiori and SAP GUI for HTML apps.

The SAP Fiori Launchpad is the primary user interface. The layout and organization of apps on the launchpad depend on:

  • The Space(s) assigned to a business role.
  • The Page(s) assigned to each Space.

To ensure apps display correctly, every business role must include at least one Space and one Page. You will find detailed information on Spaces and Pages in a later unit.

Typically, employees receive roles specific to their primary responsibilities plus a general Employee role. The Employee role provides access to essential self-service applications, such as:

  • Manage My Timesheet for recording working hours.
  • Concur Travel Expense for booking travel and submitting reports (requires an SAP Concur license).
  • My Inbox, which centralizes workflow tasks from various areas.

Administrators can modify business roles by adding or removing business catalogs to adjust access levels.

Additionally, you can apply restrictions within a business role to limit the data instances (for example, specific company codes) for which a user has read or write access. A catalog decides which apps a user can open; the restrictions decide which records those apps may display or change.

Graphic showing the relationship between business users, business roles, business catalogs, and launchpad spaces and pages.

Technical users are generally systems rather than people, used to perform automated tasks within SAP S/4HANA Cloud.

For example, a technical user is required to pull remote print jobs when configuring Output Management (1LQ).

SAP support personnel accessing a customer system are also classified as technical users.

You manage human users via the Maintain Business Users app, while you can view technical users in the Display Technical Users app.

To identify the specific business role or catalog required for an app, consult the SAP Fiori Apps Reference Library.

Understanding Price Categories for Business Roles and Catalogs

In the Starter system, standard business roles are recommended for demonstrating business processes because they provide broad permissions. These roles are also useful for testing new features in Development system tenants. However, you should not use standard business roles in a customer's Production system for two primary reasons:

  • Principle of Least Privilege: Standard roles often grant more access than an employee requires. Follow the "minimum level access" rule to ensure users only access the specific apps and data needed for their tasks.
  • Cost Management: System access is allocated via the Per User Per Month (PUPM) model. Costs vary based on the permission levels assigned to each user. Detailed pricing information is available in the SAP S/4HANA Cloud Public Edition and GROW with SAP S/4HANA Cloud Service Use Description.

In the Maintain Business Roles and Business Catalogs apps, the Price Category column identifies the license level of a role or catalog, such as:

  • Self Service
  • Core
  • Advanced
  • Development Support
  • Individual pricing per catalog (AddOn)

Screenshot of the Business Catalogs app in SAP S/4HANA Cloud.

To optimize security and costs, you must build custom business roles for the customer's actual systems. This involves reviewing each business catalog to determine if it should be included in a custom role. Depending on the project scope, this process can take several weeks or months.

Begin this process using the Application Workplace List accelerator from the SAP Activate task Create Initial Application - Workplace List.

The customer's lead authorization expert should initiate the task, which is then refined by Line of Business (LoB) data owners, such as the CFO for Finance. Business catalogs are designed so that no single catalog contains a Segregation of Duties (SoD) conflict, which lets you mix and match them to create custom roles tailored to the organization's needs. Combining several catalogs in one role can still introduce an SoD conflict across catalogs, so the LoB data owners should review each proposed combination, not only the individual catalogs.

Creating a Business Role

Open the Maintain Business Roles app and select New to create a new business role.

In the Business Role ID and Business Role Description fields, enter text that follows the customer's naming convention. Ensure the description clearly identifies who should be assigned the role.

Hint

For example, if a role is restricted by company code and intended only for project managers in a specific country, include those details in the ID and Description. A customer administrator should be able to identify the correct assignee just by looking at the role description.

After entering these details, select Create.

Screenshot of the Maintain Business Roles app in SAP S/4HANA Cloud

Assign Business Catalogs to the Business Role

Select the Business Catalogs tab to choose the catalogs that you want to map to the business role.

Screenshot of adding business catalogs to a role in the Maintain Business Roles app.

Maintain the General Role Details

When you create a new business role, the three Access Categories default to the following settings. Each category can be set to No Access, Restricted, or Unrestricted:

  • Write, Read, Value Help: No Access
    • Change this to Restricted.
    • No Access means the role grants no Write authorizations at all, so the role is display-only. Restricted lets you add specific Write authorizations. Unrestricted ('*') grants full Write access for all restriction types and fields and is not appropriate for a customer's Production system.
    • With Write set to Restricted, you define which data users can edit by maintaining authorization values for specific restriction fields (for example, Company Code) in the Values area.
    • To deny access to a restriction field intentionally, leave its status as Not maintained. Any authorization defined in the Write category is automatically inherited by the Read and Value Help categories, so any record a user can edit can also be displayed and selected.
  • Read, Value Help: Unrestricted
    • Change this to Restricted.
    • With Read set to Restricted, you define which data users can view. In the Values section, you maintain instance-based restrictions for the fields concerned. Any authorization defined in the Read category is inherited by the Value Help category.
  • Value Help: Unrestricted
    • Evaluate whether to change this to Restricted.
    • Value Help is the list of selectable entries behind the "interlocking squares" icon on input fields such as Business Role Group. Unrestricted lets users see every entry in such a field; restrict it if the entries themselves are sensitive (for example, personal or customer data).
    • If a restriction field is greyed out, it usually means that none of the assigned business catalogs grants access to an application that uses that field.

Screenshot of maintaining restrictions in the Maintain Business Roles app

After verifying the Access Categories, select Maintain Restrictions to define specific values for the Write, Read, and Value Help fields.
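The following model, added here as an example and not code from SAP or from this lesson, encodes only the rules stated above: each category is No Access, Restricted or Unrestricted ('*'); a Restricted category grants only the values maintained per restriction field; a field with no values is Not maintained and grants nothing; Write authorizations are inherited by Read and Value Help, and Read authorizations by Value Help. The role IDs, the Company Code and Plant fields and their values are constructed for illustration. It lets you check, before building the role in the app, whether a proposed set of access categories and restriction values actually yields the least-privilege outcome you intend.

```python
"""Model of how a business role's access categories and restriction values
decide what a user may edit, display and select from value help.

Added example, not SAP code. It encodes only the rules given in the lesson;
role IDs, restriction fields and values below are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    NO_ACCESS = "No Access"        # nothing granted in this category
    RESTRICTED = "Restricted"      # only the values maintained per field
    UNRESTRICTED = "Unrestricted"  # '*' for every restriction type and field


# Category names as shown in the Maintain Business Roles app, with the
# categories each one inherits from (Write -> Read -> Value Help).
WRITE, READ, VALUE_HELP = "Write", "Read", "Value Help"
INHERITS_FROM = {WRITE: [], READ: [WRITE], VALUE_HELP: [READ, WRITE]}


@dataclass
class BusinessRole:
    role_id: str
    description: str
    # Defaults a newly created role gets according to the lesson: display-only.
    access: dict = field(default_factory=lambda: {
        WRITE: Access.NO_ACCESS,
        READ: Access.UNRESTRICTED,
        VALUE_HELP: Access.UNRESTRICTED,
    })
    # category -> restriction field -> maintained values. A field with no
    # entry is 'Not maintained' and grants nothing in that category.
    values: dict = field(default_factory=dict)

    def _own_grant(self, category, restriction_field, value):
        mode = self.access[category]
        if mode is Access.NO_ACCESS:
            return False
        if mode is Access.UNRESTRICTED:
            return True
        maintained = self.values.get(category, {}).get(restriction_field)
        if maintained is None:  # Not maintained: intentionally denied
            return False
        return "*" in maintained or value in maintained

    def allows(self, category, restriction_field, value):
        """True if the role grants `value` of `restriction_field` in `category`,
        either directly or by inheritance from a stronger category."""
        return any(self._own_grant(c, restriction_field, value)
                   for c in [category, *INHERITS_FROM[category]])

    def least_privilege_findings(self):
        """Settings a reviewer should question before the role reaches Production."""
        findings = []
        for category, mode in self.access.items():
            if mode is Access.UNRESTRICTED:
                findings.append(f"{category} is Unrestricted ('*'): no instance limit")
        for category, fields in self.values.items():
            for name, maintained in fields.items():
                if "*" in maintained:
                    findings.append(f"{category}: field {name} maintained with '*'")
        return findings


# Constructed role: project managers in Germany who may edit company code 1000
# and display 1000 and 2000. Plant is deliberately left Not maintained.
PM_DE_1000 = BusinessRole(
    role_id="Z_BR_PROJECT_MANAGER_DE_1000",
    description="Project Manager, Germany: edit company code 1000, display 1000/2000",
    access={WRITE: Access.RESTRICTED, READ: Access.RESTRICTED, VALUE_HELP: Access.RESTRICTED},
    values={
        WRITE: {"Company Code": {"1000"}},
        READ: {"Company Code": {"1000", "2000"}},
        VALUE_HELP: {"Company Code": {"1000", "2000"}},
    },
)

# Constructed role with only Write values maintained: Read and Value Help for
# company code 1000 follow from inheritance, nothing else is granted.
INHERITANCE_DEMO = BusinessRole(
    role_id="Z_BR_INHERITANCE_DEMO",
    description="Shows Write authorizations flowing into Read and Value Help",
    access={WRITE: Access.RESTRICTED, READ: Access.RESTRICTED, VALUE_HELP: Access.RESTRICTED},
    values={WRITE: {"Company Code": {"1000"}}},
)

# A role left at the defaults: display-only, but every instance is visible.
NEW_ROLE_DEFAULTS = BusinessRole(
    role_id="Z_BR_NEW_UNTOUCHED",
    description="Freshly created role with default access categories",
)
```

Run `PM_DE_1000.allows(WRITE, "Company Code", "2000")` and `PM_DE_1000.allows(READ, "Company Code", "2000")` side by side to see the effect of restricting Write more tightly than Read; `NEW_ROLE_DEFAULTS.least_privilege_findings()` shows why the default Unrestricted Read and Value Help settings should be reviewed even though the role cannot write anything.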

Note

For a detailed explanation of the authorization concept, review the Learning Journey: Managing User Identity and Access in SAP S/4HANA Cloud Public Edition. Implementation consultants should also share this resource with customer authorization administrators.