Exploring further the Authorization Concept as used in SAP S/4HANA Cloud, Public Edition

Objective

After completing this lesson, you will be able to describe the concepts used in managing User Identity and Access in more detail.

Concepts used in IAM

Business User

A Business User is defined as a natural person represented in the application by a business partner and linked to the SAP system by a Worker ID.

A Worker ID is assigned to Business Users and Business Partners

Business Catalogs and Apps

An application is assigned to a Business Catalog

A business catalog is a set of applications that usually belong together semantically. SAP delivers predefined business catalogs that can be used as they are or can be extended by adding custom apps.

Business catalogs

All available business catalogs and the apps they contain are visible in the Business Catalogs app. In this app, you can also see whether business catalogs are deprecated. If custom applications need to be added to business catalogs, you can do this in the Custom Catalog Extension app.

Business Catalogs and Access Restrictions

A business catalog also contains access restrictions for the apps' value help, read access, and write access. An overview of all restrictions and their use in business catalogs can be displayed in the Display Restrictions app.

Process

To support this identity model, SAP S/4HANA Cloud, Public Edition, has a simple creation process for defining the Business User and the Worker ID.

This process provides tools to manage the user's lifecycle and enhanced functionalities, such as the ability to create a worker without assigning a company code and cost center or the possibility of creating multiple work agreements. The aim is to ensure a faster and more unified onboarding process for SAP S/4HANA Cloud, Public Edition.

In SAP S/4HANA Cloud, Public Edition, an end user is required to be registered as a worker in the organization. The worker is then linked to the system as a Business User so that they can log in to the system and use the applications.

diagram presenting the authorization concept

Note

For learners who come from previous SAP systems

Historically, access to an SAP system required that a user have a user master record. The user master record provided a place to define the basic context for a user, such as their user ID, first name, last name, phone number, email address, and so on. The user master record was also where an administrator assigned the user their security roles, which controlled the business actions that the user was authorized to perform, for example, creating a vendor or initiating a payment.

At the functional level, each user also interacted with applications in the context of one or more business processes. For example, a customer was associated with a specific sales organization, distribution channel, and division in sales. A business partner definition was used to link to the application-specific context required to perform a particular business function through an associated business partner role. However, the business partner and business partner role assignment were maintained separately from the user master record in a different application.

With the release of SAP S/4HANA, SAP introduced the Business User concept. The Business User represents a new identity model for the user in the SAP application, which integrates the business partner concept with the user master record.

Summary

You can now explain the authorization concepts and the relations between business users, business roles, business catalogs, and apps at a more detailed level. Also, you can describe the actions of an IAM admin in this context.

Later in this course, you will explore how to perform these actions within the IAM apps.

In the following lessons, you will learn about:

  • The Manage Workforce app and how to create the worker and edit your workforce
  • The Maintain Business User app and how to assign a business user to your worker
  • Other apps or sub-apps that are crucial for working as an IAM Administrator
