Creating and Maintaining Business Roles

The Business Roles app is used to create and maintain business roles that address a specific persona, business function and business processes for a company. Business roles are grouping technical roles and groups of technical application authorizations by job function, user type or organization. The purpose of a business role is to make managing access more efficient by packaging different access types into one object that can be assigned to a user. A business role is typically associated with a job function or business process. A role designer simulates and optimizes the business role content against Segregation of Duty (SoD) and Critical access violations.

Most customers already have a role design and access assignments in place. The challenge for existing running processes here is to redesign the processes, re-identify the personas to create the appropriate business role and give access to the users. This bottom-up role design starts with looking what access is already given to the users and by creating the business roles based on existing assignments that are translated into the business world. Roles can be added or removed to map the functional requirements with the system technical role assignments. Business roles reduce the need to administer each user, role and system separately. The Business Roles app is used by a person who is familiar with creating roles and knows what is needed by the company.

The steps to perform are as follows:

1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
2. Navigate to Role Designer→Business Roles.
3. Create a new entry using the + button.
4. Provide the necessary information.
   • Business Role = may contain letters, numbers, underscores and spaces; special characters are not allowed
   • Description = <Any description>
   • Business Process = <Select an available business process from the dropdown list>
   • Access = <Select the needed access>
     1. Choose the + button.
     2. Search for the specific role(s) that you want to add.
     3. Use the + button to add/assign it to the business role.
        Note

        Assign as much roles as needed.
5. Choose Save if you would like to keep the role inactive. You can then subsequently edit, activate, or delete the role.
6. Other Attributes:
   • Content Approvers

     Select the proper person, who should act as approver. For example, for an HR role the company might assign someone familiar with the HR access needed.

     Note

     You can add as much content approvers as you want. Only those persons are listed who are assigned to the specific SAP Cloud Identity Access Governance group.
     1. Choose the Content Approvers box or the value help.
     2. Search for the person you want to add and select using the checkbox.
     3. Choose Select to add the selected person.
   • Assignment Approvers

     Select the proper person, who should act as approver. This will be the person approving the assignment of this business role in access requests after the role has been activated.

     Note

     You can add as many assignment approvers as you want. Only those persons are listed who are assigned to the specific SAP Cloud Identity Access Governance group.
     1. Choose the Assignment Approvers box or the value help.
     2. Search for the person you want to add and select using the checkbox.
     3. Choose Select to add the selected person.
   • Business Sub-process = <Select an available business sub-process from the dropdown list> (optional).
   • Criticality = <Select an available criticality from the dropdown list> (optional).
   • Long Description = <Any long description> (optional).
7. Choose Save and Activate if you want to use the role immediately.
   Note

   When you activate it, you can Edit (everything but the role name), Delete or Deactivate. Choose Simulate to see if the activation would run successfully.

The Business Role app can also be used to review the business role and to make changes to a business role. After opening the app, you will see a list of Business Roles. This list includes Business Roles created in the Business Role app and the Candidate Business Roles app. Select a business role to edit, activate / deactivate, or to delete it.

You have to maintain a business role.

The steps to perform are as follows:

1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
2. Navigate to Role Designer→Business Roles.
3. Select a created Business Role to go to the next screen with detailed information (Access, Users, Other Attributes (such as Approvers) and Audit Log which displays all changes made to the Business Role.
4. Analyze what changes are needed.
5. In the top right-hand corner you find the following actions:
   • Edit: add or delete access, adjust description or the business process, sub-process, add or delete approvers.
   • Activate or Deactivate: depending on the role's current status.
   • Delete: grayed out unless this role has not been assigned to users.
6. Choose Save or Save and Activate if your business role is inactive.