For the SAP S/4HANA Cloud, public edition production system, SAP recommends that customers create their own custom business roles based on the specific applications and requirements defined for their implementation. SAP delivered the Maintain Business Roles app for this purpose.
You can define a business role from scratch and add each business catalog required for that business role using the Maintain Business Roles app. To define a business role, you add one or more business catalogs to it. These predefined catalogs are delivered by SAP and contain the actual authorizations that allow users to access the apps contained in the catalog.
Each business catalog bundles authorizations for a specific business area. You can tailor the access according to the needs of the business and for compliance purposes using restrictions.
To identify the relevant SAP business catalogs for an application, use the SAP Fiori Apps Reference Library. Here, you can review the SAP Fiori apps implementation information contained under the Implementation Information configuration category.
Remember, if you create the business role using one of the SAP business role templates as we discussed in lesson 2, the business role will automatically contain a preconfigured set of business catalogs. You must then tailor the access to remove all unneeded business catalogs, add any missing catalogs, and adjust the restrictions based on your specific access requirements.
Custom business roles should be created and maintained in the development system (in a 3-system landscape) and migrated through the system landscape to Production using software collections following SAP best practices for change management.
Assigning multiple business roles to a business user also increases the risk of overriding existing authorizations. A user who is assigned multiple business roles gets an aggregated set of authorizations. For example, a user who is assigned a GL Accountant business role and a Cost Accountant - Overhead business role has the combination of all authorizations granted by each role.
This is particularly important where business roles share common authorization objects and have common fields, such as company code and account type of journal entry. If, for example, the GL Accountant business role has "Write Access: No Access", and the Cost Accountant - Overhead business role has "Write Access: Unrestricted", then the business user would be able to post in the Post General Journal Entries app because the user has write access in the companies maintained in the restrictions held in the Cost Accountant - Overhead role. You will find more details about restrictions in the next lesson.
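The aggregation described above can be checked before roles are combined. The following is an added example, not part of the original lesson and not SAP code: a simplified Python model in which each role's write restriction is a set of values per field and a user's effective access is the union across roles. The role IDs, the `CompanyCode` field name and the value `1010` are constructed for illustration.

```python
# Simplified model (an assumption, not SAP's implementation): a role's write
# restriction is a set of allowed values per restriction field.
from dataclasses import dataclass

UNRESTRICTED = "*"        # "Write Access: Unrestricted"
NO_ACCESS = frozenset()   # "Write Access: No Access"

@dataclass
class BusinessRole:
    role_id: str
    write: dict  # restriction field -> set of values the role may write

def effective_write(roles):
    """Aggregate write access: per field, the union over all assigned roles."""
    merged = {}
    for role in roles:
        for fld, values in role.write.items():
            merged.setdefault(fld, set()).update(values)
    # Unrestricted in any single role subsumes every narrower value.
    return {f: {UNRESTRICTED} if UNRESTRICTED in v else v
            for f, v in merged.items()}

def can_write(roles, fld, value):
    """True if the aggregated roles allow writing `value` in field `fld`."""
    allowed = effective_write(roles).get(fld, set())
    return UNRESTRICTED in allowed or value in allowed

def widened_roles(roles):
    """List (role_id, field, extra) where the aggregate exceeds that role alone."""
    total = effective_write(roles)
    findings = []
    for role in roles:
        for fld, values in role.write.items():
            extra = total[fld] - set(values)
            if extra:
                findings.append((role.role_id, fld, sorted(extra)))
    return findings

# Constructed roles; IDs are hypothetical customer-namespace names.
GL = BusinessRole("Z_BR_GL_ACCOUNTANT", {"CompanyCode": NO_ACCESS})
COST = BusinessRole("Z_BR_COST_ACCOUNTANT_OVHD", {"CompanyCode": {UNRESTRICTED}})
AP_DE = BusinessRole("Z_BR_AP_ACCOUNTANT_DE", {"CompanyCode": {"1010"}})

if __name__ == "__main__":
    for combo in ([GL], [GL, COST], [GL, AP_DE]):
        ids = [r.role_id for r in combo]
        print(ids, effective_write(combo), widened_roles(combo))
```

Any entry returned by `widened_roles` marks a role whose intended limit is overridden by another role in the same assignment, which is the combination to review before assigning both to one business user.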
Typically, to define a business role from scratch using the Maintain Business Roles app, you will perform the following steps:
1. Maintain General Role Details
2. Assign Business Catalogs
3. Maintain Restrictions
4. Assign Launchpad Spaces and Pages
You will learn about each step in this process as you work through our business scenario. In this lesson, you will focus on steps 1 and 2. Steps 3 and 4 will be discussed in later lessons.
The business role definition contains basic details about the business role. You can use the Maintain Business Roles app to define the following General Role Details when creating your role:
Business Role ID
The business role ID should be created in the customer namespace and contain the letters BR to denote that it is a business role. Do not begin your business role IDs with BR because this namespace belongs to SAP.
Business Role Description
The Business Role Description should state, in easy-to-understand terms, the purpose of the business role and its function(s).
Business Role Long Text
You can use the long text field to provide a more detailed description or explanation of the business role, including its applications, any dependencies with other roles, and so on. Additionally, changes and updates to the business role can be documented here to chronicle the evolution of the business role over time.
Business Role Group
Business role groups are defined using the Business Role Groups app. You can assign business role groups to help you organize by area and easily search for all business roles of a specific category (for example, to assign business users to them). Grouping also facilitates the maintenance of authorizations. If you are the super administrator for all areas, you can delegate maintenance tasks to administrators for their relevant area, such as Financials. In this case, you would create a business role group for Financials.
Access Categories
Access categories represent the default access categories for the business role. Restrictions can be used to refine and restrict access.
Business Role Template ID
If the business role was created using one of the business role templates delivered by SAP, the ID would be linked to the business role definition for maintenance and reporting purposes.
Leading Business Role ID
The Leading Business Role ID field denotes whether a business role has been derived from another business role. Derived business roles can simplify role creation and maintenance in scenarios where multiple business roles must be created with the same standard access. The leading business role contains the basic settings such as access restrictions, the assigned business catalogs, and common restrictions, such as General Accountant or Plant Manager. The values defined in the leading business role can't be changed in the derived business role. You can, however, define additional values for the derived business role.
Is Leading Business Role
The Is Leading Business Role checkbox designates the business role as the leading or parent business role. Additional roles may be derived from a leading business role.
You will learn more about how to use many of these General Role Details and how they impact your custom business roles later in this unit.