SAP Learning Journey

Explaining Identity Access Management

Objectives
After completing this lesson, you will be able to:

After completing this lesson, you will be able to:

  • Understand the authorization tools and concept in SAP S/4HANA Cloud, Public Edition
  • Create business users in SAP S/4HANA Cloud, Public Edition
  • Create and assign business roles in SAP S/4HANA Cloud, Public Edition
  • Check user authorization

SAP Cloud Identity Services

SAP Cloud Identity Services

Play the video to gather more information on SAP Cloud Identity Services.

Authorization Concept in SAP S/4HANA Cloud, public edition

Authorization Concept

Access to business applications is controlled by role-based authorization management. Business Roles are assigned to Business Users to grant access to the required applications and functionality needed for their job requirements.

  • A Business User is an employee, contractor, administrator, or any other person who needs access to log into the SAP S/4HANA Cloud system.
  • A Business Role is a template of access rights that can be assigned to business users.
  • A Technical User corresponds to a local or remote process which is typically part of the cloud management process (for example, system provisioning or support), or intrinsic system processes (for example, periodic cleanup of logs). Technical users can belong to the software or service provider, or the customer.

Try it out

Learn how to find business roles for a scope item.

ExerciseStart Exercise

Authorization Process

Get to know more about the Authorization Concept by selecting each step.

  • A Business Role (for example, sales manager) is assigned to a Business User to grant permission to access applications in SAP S/4HANA Cloud.
  • A Business Role can include one or more Business Catalogs (for example, sales order processing).
  • Business Catalogs provide access to one or more applications, dashboards, displays of data, or functionality.
  • Administrators can control visibility to the information/functionality granted through a Business Catalog by applying restrictions (for example, based on sales organization).
  • Restrictions allow you to define what a Business User can view (read) or edit (write) with the information/functionality granted per each Business Catalog within the assigned Business Role.

The Business Catalog defines which access categories are available (Value Help, Read, Write), and for which fields restriction values can be maintained. The fields vary per catalog, as they are based on the fields within the apps in the catalog. The Business Role aggregates restrictions for all Business Catalogs.

Administrators define a restriction based on a supported field (for example, company code, country, controlling area, and so on). Supported restriction fields vary per Business Catalog, as they are based on the fields within the apps in the catalog. You can restrict data access for the Value Help, Read, and Write categories separately.

  • Value Help
    • You can restrict a user's ability to access the value help information (for example, restrict value help access to business partners to belong to certain authorization groups).
    • The value help restrictions do not influence the restrictions defined for read access.
  • Read, Value Help
    • You can restrict a user's Read (view) access based on the available restriction fields.
    • By default, the Read access for any new business role is Unrestricted.
    • You can define restrictions based on the restriction fields (for example, company code, supplier account group).
    • You must grant some type of access for each field. If you do not want to restrict access for a field, you can choose Unrestricted (*) to grant full Read access for data related to the specific restriction field.
  • Write, Read, Value Help
    • You can restrict a user's Write (edit) access based on the available restriction fields.
    • By default, the Write access for any new business role is No Access.
    • You can define restrictions based on the restriction fields (for example, company code, supplier account group).
    • You must grant some type of access for each field. If you do not want to restrict access for a field, you can choose Unrestricted (*) to grant full Write access for data related to the specific restriction field.
    • If a user has access for Write, the assumption is Read access is granted too, because you would have to be able to view the information in a field to be able to edit it.

To apply General Restrictions, an Administrator should first make a copy of the SAP Standard Business Role, or create a new role based on the SAP Standard Business Role Template. For example, if you need to restrict access in the Accounts Payable Accountant Business Role for some users to only Company Code 1710 (United States), and for some users to only Company Code 1010 (Germany), you will create two new Business Roles based on the SAP Standard Accounts Payable Accountant role.

You should name the roles accordingly (for example, Accounts Payable Accountant_1710). In the first business role, you edit the role and maintain the restriction value(s) for the entire Business Role (for example, define the Company Code field = 1710). Then, you may edit the individual business catalogs within the role and define the access category (for example, Value Help, Read, Write) as Restricted.

When you create a new Business Role, the Read access is set to Unrestricted (*) and Write access is set to No Access by default. When an access category is Restricted, you must select a specific field value (for example, Company Code = 1710) or grant unrestricted access (*). If you leave fields empty within a business catalog, a user will have No Access to the field in the business catalog's granted apps.

Create Business Users

Manage Workforce Application

The Manage Workforce app, is used to create and update worker information for both employees and contingent workers, including work agreements and changing employment situations. This app enables you to upload/edit employee information independent of an HR system of record.

During an implementation project, the Manage Workforce app is used to create business users for the project team members in the SAP S/4HANA Cloud starter system. After logging into the starter system, the implementation consultants use this app to create additional test users to demonstrate business processes in the Fit-to-Standard workshops. This app is also used to create the initial users in the development, test, and production systems during the implementation project.

Once the integration with a customer's HR system of record (e.g. SAP SuccessFactors Employee Central) is activated, the Manage Workforce app becomes read-only to ensure there is only one HR data source. Changes to users must be done directly in the HR system of record after the integration is activated.

You can use the app to do the following:

  • Create workers directly in the app.
  • Edit personal or employment details.
  • Create work agreements and assign company codes, cost centers, and more.
  • Change employment situations, such as global assignment, concurrent employment, or transfers.

Try it out

Learn how to create a business user.

ExerciseStart Exercise

Maintain Business Users Application

The Maintain Business Users app can be used to change user settings and assign business roles to business users.

You can use this app to do the following:

  • Edit business user data.
  • Add/remove business role assignments for users.
  • Lock and unlock users.
  • Download a list of users.
  • Set the language of the user interface for each business user.

Try it out

Learn how to assign a business role to a business user.

ExerciseStart Exercise

Display Technical Users Application

With the Display Technical Users app, you can display all technical users in the system. Technical users can be services that are used to automate tasks in the system (for example, print queue user to pull print jobs remotely), or the support users of the software provider or hosting provider to access the system if troubleshooting is required to resolve an incident.

Create and Assign Business Roles

Maintain Business Roles Application

The Maintain Business Roles app is used to create and edit business roles, add business catalogs to the roles, and maintain access restrictions. You define business roles by combining predefined business catalogs and, if necessary, define value help, read and write access by maintaining values for restriction fields. You use business roles to control the access to your applications. The predefined catalogs contain the actual authorizations that allow users to access apps and allow to define instance-based restrictions where necessary. Business catalogs bundle authorizations for a specific business area. Once you have created a business role, you can assign it to multiple business users who perform similar business tasks.

Try it out

Learn how to create a business role and assign an SAP-delivered Fiori Space to the role.

ExerciseStart Exercise

Download and Upload Business Roles

Try it out

Learn how to download business roles from one system and upload them to another system.

ExerciseStart Exercise

Business Role Templates Application

Play the following short video to get an overview of the delivered business role templates and their use.

Business Catalogs Application

Play the following short video to get an overview of the Business Catalogs, their status and usage

How to Handle Deprecated Business Catalogs

Due to ongoing development of new features and new apps, SAP needs to periodically revise existing business catalogs. This means that some business catalogs are deprecated and replaced by new ones, and you may need to assign business roles and business users to these new catalogs. Rather than disappearing, deprecated business catalogs are identified as being obsolete, which allows you to identify them at a glance. You can also check how many deprecated business catalogs you still have in use with the Business Catalogs app. This app lets you change assignments from the old, deprecated business catalogs to the new, active catalogs quickly and easily.

Note
If a business catalog is deprecated or redesigned after a release, it's important to check the assignments for your business roles and business users and make the necessary changes to the assignments as soon as possible. The process is detailed in the SAP Activate Roadmap Viewer - Revise Business Roles and Business Catalogs task.
  1. In the Business Catalogs app, check how many deprecated business catalogs you still have in use. You can use the Status filter to search for only deprecated catalogs, and you will also notice deprecated catalogs have (Obsolete) in their titles.
  2. Select Go to apply the filter and search.
  3. Select a business catalog from the list.
  4. Identify the Successor catalog, review the Restriction Types, and determine if the catalog is being used in any of your Business Roles or Business Role Templates. You can then change the assignment of the old, deprecated business catalogs, to the new, active catalogs.
Note
Once the deprecation of a business catalog is announced via the Business Catalogs app, the catalog will remain in the system for two more releases before being deleted. During these two releases you can use the old or the new business catalog. Within this time frame you can do the replacement when it suits you best.

Check User Authorization

IAM Information System Application

With the IAM Information System app, you can display information about the usage of business roles, business catalogs, business users and restrictions, and how they are related. For example, you can use this app to check if a business user is using a particular app and to check which authorizations he or she has.

Display Restriction Types Application

With the Display Restriction Types app, you can display the assignment of restrictions to restriction fields and business catalogs.

Display Authorization Trace Application

With the Display Authorization Trace app, you can enable an authorization trace for a business user to analyze if any authorizations are missing or insufficient. This app allows you to activate or deactivate a trace and display the authorization check results, including already assigned authorizations and failed checks.

Note
A maximum of 10,000 data sets is possible, therefore you should be careful when defining the selection criteria, especially the date range.

Save progress to your learning plan by logging in or creating an account

Login or Register