Explaining Identity and Access Management

Objectives
After completing this lesson, you will be able to:

  • Understand the authorization tools and concepts in SAP S/4HANA Cloud
  • Create Business Users in SAP S/4HANA Cloud
  • Create and Assign Business Roles in SAP S/4HANA Cloud
  • Check User Authorization

SAP Cloud Identity Services

Play the video to gather more information on SAP Cloud Identity Services.

Authorization Concept in SAP S/4HANA Cloud

Authorization Concept

Access to business applications is controlled by role-based authorization management. Business Roles are assigned to Business Users to grant access to the required applications and functionality needed for their job requirements.

  • A Business User is an employee, contractor, administrator, or any other person who needs access to log into the SAP S/4HANA Cloud system.
  • A Business Role is a template of access rights that can be assigned to business users.
  • A Technical User corresponds to a local or remote process which is typically part of the cloud management process (for example, system provisioning or support), or intrinsic system processes (for example, periodic cleanup of logs). Technical users can belong to the software or service provider, or the customer.

Try it out

Learn how to find business roles for a scope item.

Authorization Process

  • A Business Role (for example, sales manager) is assigned to a Business User to grant permission to access applications in SAP S/4HANA Cloud.
  • A Business Role can include one or more Business Catalogs (for example, sales order processing).
  • Business Catalogs provide access to one or more applications, dashboards, displays of data, or functionality.
  • Administrators can control visibility to the information/functionality granted through a Business Catalog by applying restrictions (for example, based on sales organization).
  • Restrictions allow you to define what a Business User can view (read) or edit (write) with the information/functionality granted per each Business Catalog within the assigned Business Role.

The Business Catalog defines which access categories are available (Value Help, Read, Write), and for which fields restriction values can be maintained. The fields vary per catalog, as they are based on the fields within the apps in the catalog. The Business Role aggregates restrictions for all Business Catalogs.

Administrators define a restriction based on a supported field (for example, company code, country, controlling area, and so on). Supported restriction fields vary per Business Catalog, as they are based on the fields within the apps in the catalog. You can restrict data access for the Value Help, Read, and Write categories separately.

  • Value Help
    • You can restrict a user's ability to access the value help information (for example, restrict value help access to business partners that belong to certain authorization groups).
    • The value help restrictions do not influence the restrictions defined for read access.
  • Read, Value Help
    • You can restrict a user's Read (view) access based on the available restriction fields.
    • By default, the Read access for any new business role is Unrestricted.
    • You can define restrictions based on the restriction fields (for example, company code, supplier account group).
    • You must grant some type of access for each field. If you do not want to restrict access for a field, you can choose Unrestricted (*) to grant full Read access for data related to the specific restriction field.
  • Write, Read, Value Help
    • You can restrict a user's Write (edit) access based on the available restriction fields.
    • By default, the Write access for any new business role is No Access.
    • You can define restrictions based on the restriction fields (for example, company code, supplier account group).
    • You must grant some type of access for each field. If you do not want to restrict access for a field, you can choose Unrestricted (*) to grant full Write access for data related to the specific restriction field.
    • If a user has access for Write, the assumption is Read access is granted too, because you would have to be able to view the information in a field to be able to edit it.

To apply General Restrictions, an Administrator should first make a copy of the SAP Standard Business Role, or create a new role based on the SAP Standard Business Role Template. For example, if you need to restrict access in the Accounts Payable Accountant Business Role for some users to only Company Code 1710 (United States), and for some users to only Company Code 1010 (Germany), you will create two new Business Roles based on the SAP Standard Accounts Payable Accountant role.

You should name the roles accordingly (for example, Accounts Payable Accountant_1710). In the first business role, you edit the role and maintain the restriction value(s) for the entire Business Role (for example, define the Company Code field = 1710). Then, you may edit the individual business catalogs within the role and define the access category (for example, Value Help, Read, Write) as Restricted.

When you create a new Business Role, the Read access is set to Unrestricted (*) and Write access is set to No Access by default. When an access category is Restricted, you must select a specific field value (for example, Company Code = 1710) or grant unrestricted access (*). If you leave fields empty within a business catalog, a user will have No Access to the field in the business catalog's granted apps.
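The Read/Write rules above (catalog-level access category, role-wide restriction values, the Unrestricted/No Access defaults, empty field = No Access, Write implies Read) can be made concrete with a small evaluation model. This is an added, constructed example, not SAP code; the class and function names, the catalog name and the record fields are assumptions.

```python
"""Toy model of the Read/Write restriction rules described above (constructed
example, not SAP's implementation). Assumed names: Role, check_access, the
catalog name and the record fields. Rules modelled: per catalog each access
category is Unrestricted, Restricted or No Access; Restricted uses the
role-wide field values and an empty field means No Access; a new role
defaults to Read = Unrestricted, Write = No Access; Write implies Read.
Value Help is omitted because the text states no default for it."""
from dataclasses import dataclass, field

UNRESTRICTED, RESTRICTED, NO_ACCESS = "Unrestricted", "Restricted", "No Access"
DEFAULTS = {"Read": UNRESTRICTED, "Write": NO_ACCESS}


@dataclass
class Role:
    name: str
    # role-wide restriction values per field: a set of values, or "*" for all
    values: dict = field(default_factory=dict)
    # catalog -> {"Read": mode, "Write": mode}; missing entries take DEFAULTS
    catalogs: dict = field(default_factory=dict)

    def mode(self, catalog: str, category: str) -> str:
        return self.catalogs.get(catalog, {}).get(category, DEFAULTS[category])

    def allowed(self, catalog: str, category: str, record: dict) -> bool:
        """`record` holds the values of the catalog's restriction fields."""
        mode = self.mode(catalog, category)
        if mode != RESTRICTED:
            return mode == UNRESTRICTED
        for fld, val in record.items():
            maintained = self.values.get(fld, set())  # empty -> No Access
            if maintained != "*" and val not in maintained:
                return False
        return True


def check_access(role: Role, catalog: str, category: str, record: dict) -> bool:
    """Authorization check; Read is also granted wherever Write is granted."""
    if category == "Read" and role.allowed(catalog, "Write", record):
        return True
    return role.allowed(catalog, category, record)


# Constructed example: the two company-code-specific roles from the text.
CATALOG = "Accounts Payable"  # assumed catalog name
ap_us = Role("Accounts Payable Accountant_1710", {"CompanyCode": {"1710"}},
             {CATALOG: {"Read": RESTRICTED, "Write": RESTRICTED}})
ap_de = Role("Accounts Payable Accountant_1010", {"CompanyCode": {"1010"}},
             {CATALOG: {"Read": RESTRICTED, "Write": RESTRICTED}})
```

Running `check_access(ap_us, CATALOG, "Read", {"CompanyCode": "1010"})` returns False, while a freshly created `Role("new")` reads everything and writes nothing, matching the defaults described in the text.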

Create Business Users

Import Employees Application

With the Import Employees app, you can create users in the system independent of an HR system of record. Even if you have integrated an HR system of record and are replicating employee data, this app can still be used to update specific employee information, such as service cost level (billable rate for Professional Services line of business) for employees.

Note
  • Currently, the app only supports comma (,) and semicolon (;) as delimiters (list separators).
  • Users are created only if you have the authorization to create users.
  • You cannot delete employee/employment/user data using this app.

Try it out

Learn how to create business users with the Import Employees app.

Maintain Business Users Application

With the Maintain Business Users app, you can change user data (for example, user name) and regional settings (for example, date and time format), and grant access to applications and data in the system by assigning Business Roles. A business role contains one or more business catalogs, which in turn grant access to one or more applications, dashboards, displays of data, or functionality.

Display Technical Users Application

With the Display Technical Users app, you can display all technical users in the system. Technical users can be services that are used to automate tasks in the system (for example, print queue user to pull print jobs remotely), or the support users of the software provider or hosting provider to access the system if troubleshooting is required to resolve an incident.

When the SAP S/4HANA Cloud Starter System is initially provisioned for a customer, the user provided to access the system is a technical user. This initial technical user is provided so you can create a new admin user to use for future activities. You then lock the initial technical user and do not use it moving forward.

Try it out

Assign a business role to an individual user and lock the initial technical user.

Create and Assign Business Roles

Maintain Business Roles Application

The Maintain Business Roles app is used to create and edit business roles, add business catalogs to the roles, and maintain access restrictions. You define business roles by combining predefined business catalogs and, if necessary, define value help, read and write access by maintaining values for restriction fields. You use business roles to control the access to your applications. The predefined catalogs contain the actual authorizations that allow users to access apps and allow you to define instance-based restrictions where necessary. Business catalogs bundle authorizations for a specific business area. Once you have created a business role, you can assign it to multiple business users who perform similar business tasks.

Try it out

Learn how to create a business role, manage restrictions for the role, and assign users to the role.

Download and Upload Business Roles

Try it out

Learn how to download business roles from your quality system and upload them to your productive system.

Business Role Templates Application

Play the following short video to get an overview of the delivered business role templates and their use.

Business Catalogs Application

Play the following short video to get an overview of the Business Catalogs, their status and usage.

How to Handle Deprecated Business Catalogs

Due to ongoing development of new features and new apps, SAP needs to periodically revise existing business catalogs. This means that some business catalogs are deprecated and replaced by new ones, and you may need to assign business roles and business users to these new catalogs. Rather than disappearing, deprecated business catalogs are identified as being obsolete, which allows you to identify them at a glance. You can also check how many deprecated business catalogs you still have in use with the Business Catalogs app. This app lets you change assignments from the old, deprecated business catalogs to the new, active catalogs quickly and easily.

Note
If a business catalog is deprecated or redesigned after a release, it's important to check the assignments for your business roles and business users and make the necessary changes to the assignments as soon as possible. The process is detailed in the SAP Activate Roadmap Viewer - Revise Business Roles and Business Catalogs task.
  1. In the Business Catalogs app, check how many deprecated business catalogs you still have in use. You can use the Status filter to search for only deprecated catalogs, and you will also notice deprecated catalogs have (Obsolete) in their titles.
  2. Select Go to apply the filter and search.
  3. Select a business catalog from the list.
  4. Identify the Successor catalog, review the Restriction Types, and determine if the catalog is being used in any of your Business Roles or Business Role Templates. You can then change the assignment from the old, deprecated business catalog to the new, active catalog.
Note
Once the deprecation of a business catalog is announced via the Business Catalogs app, the catalog will remain in the system for two more releases before being deleted. During these two releases you can use the old or the new business catalog. Within this timeframe you can do the replacement when it suits you best. In the Business Catalogs app, you can see the release in which the deprecation of a business catalog was announced.

Check User Authorization

IAM Information System Application

With the IAM Information System app, you can display information about the usage of business roles, business catalogs, business users and restrictions, and how they are related. For example, you can use this app to check if a business user is using a particular app and to check which authorizations he or she has.

Display Restriction Types Application

With the Display Restriction Types app, you can display the assignment of restrictions to restriction fields and business catalogs.

Display Authorization Trace Application

With the Display Authorization Trace app, you can enable an authorization trace for a business user to analyze if any authorizations are missing or insufficient. This app allows you to activate or deactivate a trace and display the authorization check results, including already assigned authorizations and failed checks.

Note
A maximum of 10,000 data sets can be displayed, so define the selection criteria carefully, especially the date range.
