Click on the available pictogram to display according information and the relevant piece of the hierarchy.
Access to business applications is controlled by role-based authorization management. You assign Business Roles to Business Users, and the roles provide access to business tasks. Business Users are defined as employees, contractors, or other individuals that need access to the SAP S/4HANA Cloud, public edition system.
How to Find Business Roles for a Scope Item
- Navigate to SAP Best Practices for SAP S/4HANA Cloud, public edition for Enterprise Management.
- Select your country localization from the Version dropdown list.
- In the Solution Scope section, expand the relevant scope item group.
- Select a scope item.
- Download the test script.
- Navigate to the Roles section of the test script.
A business role is assigned to a business user to grant permission to access applications in SAP S/4HANA Cloud, public edition.
One or more business catalogs have been assigned to a business role. Business catalogs include access to one or more applications, dashboards, or displays of data.
Administrators can control visibility to the data granted through the catalog by applying general restrictions to business catalogs. By maintaining access restrictions, you can define the subset of all existing business objects a user can view (read) or edit (write) when working with a particular business role.
The business catalog defines which access categories are available (value help, read, write), and for which fields restriction values can be maintained. The fields vary per catalog, as they are based on the fields within the apps in the catalog. The business role aggregates restrictions for all business catalogs.
Administrators define a restriction based on a supported field (for example, company code, country, controlling area, and so on). Supported restriction fields vary per business catalog, as they are based on the fields within the apps in the catalog. You can restrict data access for the value help, read, and write separately. Read access always includes value help access, and write access always includes read access.
How to Identify the Business Catalog(s) Mapped to a Business Role and the SAP Fiori Application(s) Mapped to a Business Catalog
- Log into the SAP S/4HANA Cloud, public edition system.
- Select the Manage Business Roles application from the launchpad.
- Select a Business Role.
- Select the Assigned Business Catalogs tab to view the standard Business Catalogs assigned to the standard Business Role.
- Select a Business Catalog.
- Select the Catalog Description tab to view the Functional Description, Authorization Criteria, and Associated Catalogs information.
- Select the Applications tab to view the SAP Fiori apps mapped to the Business Catalog.
Please do not edit SAP Standard Business Roles directly. To customize Business Roles, always make a copy of the SAP Standard Business Role or use the Create From Template option in the Maintain Business Roles application.
To apply general restrictions, an administrator should first make a copy of the SAP standard business role, or create a new role based on the SAP standard business role template. For example, if you need to restrict access in the Accounts Payable Accountant Business Role for some users to only Company Code 1710 (United States), and for some users to only Company Code 1010 (Germany), you will create two new Business Roles based on the SAP Standard Accounts Payable Accountant role. You should name the roles accordingly (for example, Accounts Payable Accountant_1710).
In the first business role, you will edit the role and maintain the restriction value(s) for the entire Business Role (that is, define the Company Code field = 1710). Then, you may edit the individual business catalogs within the role and define the access category (that is, Value Help, Read, Write) as Restricted. When you create a new business role, the read access is set to Unrestricted and write access is set to No Access by default. When an access category is Restricted, you must select a specific field value (for example, Company Code = 1010) or grant unrestricted access. If you leave fields empty within a business catalog, a user will be assigned No Access to the field in the business catalog's granted apps.