Maintaining Business Roles in SAP S/4HANA, Public Cloud

The SAP S/4HANA Cloud, public edition authorization concept is based on the concept of the SAP business role. By assigning business roles to each business user, you can control access to specific resources, applications (apps), and data. In this unit, we discuss business roles and the applications provided to manage them.

To review, the authorization concept can be broken down into the following elements:

A Business User is an employee, contractor, or other individual who needs access to SAP S/4HANA Cloud, public edition. Access to business functions is provided via specific SAP Fiori apps. A business role is assigned to a business user to provide access to business applications.

Business Catalogs are assigned to the business role. Administrators control write and read access by maintaining restrictions at the catalog level for the SAP Fiori apps, dashboards, and other data access assigned within the business catalog.

SAP delivers these Fiori Apps, best practice business processes, and scenario models to support every core function the system provides.

You can use the SAP Fiori Apps Reference Library provided by SAP to understand what apps are available and which delivered business roles and business catalogs reference specific apps.

The SAP Fiori Apps Reference Library is a comprehensive online repository that contains detailed information about every SAP Fiori app available by SAP product and version. It is designed to aid users, developers, and administrators by providing complete documentation of each app, including how to use and configure it, technical details and prerequisites for each app's use and deployment, and so on.

You can use the library to:

• Get key information for each app
• Find configuration information required to integrate apps into the SAP Fiori launchpad
• Review changes and updates from previous app versions
• Use installation and configuration information for specific apps
• Link together key SAP resources and documentation.

You can also use this library to find the predefined business roles and business catalogs that SAP has provided to aid customer implementations. Specifically, the Implementation Information outlines technical details and prerequisites for each app's use and deployment, along with any business catalogs and business roles that SAP has delivered.

You can access the SAP Fiori Apps Reference Library online:

1. Open your web browser and navigate to: https://fioriappslibrary.hana.ondemand.com
2. Find SAP Fiori apps using either search or filter:
   • Search Bar: Use keywords to search for specific apps.
   • Filter Categories: You can filter the library content in multiple ways using predefined categories:
     • SAP Product
     • Line of Business
     • Industry
     • Role
     • Application Component
     • Product Version
     • SAP Best Practices
3. Once you identify a suitable SAP Fiori app, you can select it to view detailed information, including the app's name, description, technical ID, product version, and so on.
4. Explore the app's features and learn how to use it. Identify related apps and access the Implementation Documentation for more technical details and the available implementation content.

For the SAP S/4HANA Cloud, public edition, production system, SAP recommends that customers create custom business roles based on the specific applications and requirements defined for their implementation. For this purpose, SAP delivered the Maintain Business Roles app.

Using the Maintain Business Roles app, you can define a business role from scratch and add each business catalog required for that role. You can add one or more business catalogs to define a business role. SAP delivers these predefined catalogs and contains the actual authorizations that allow users to access the apps included in the catalog.

Each business catalog bundles authorizations for a specific business area. You can use restrictions to tailor access according to the business's needs and for compliance purposes.

Use the SAP Fiori Apps Reference Library to identify an application's relevant SAP business catalogs. You can review the SAP Fiori app implementation information under the Implementation Information configuration category here.

Typically, to define a business role from scratch using the Maintain Business Roles app, you perform the following steps:

1. Maintain General Role Details
2. Assign Business Catalogs
3. Maintain Restrictions
4. Assign Launchpad Spaces and Pages

The definition of a business role contains basic details about the business role. You can use the Maintain Business Roles app to define the following General Role Details when creating your role:

• Business Role ID: The business role ID can be created in the customer namespace and contain the letters BR to denote that it is a business role. Do not begin your business role IDs with BR because this namespace belongs to SAP.
• Business Role Description: The business role description can contain an easy-to-understand description describing the purpose of the business role and its function(s).
• Business Role Long Text: You can use the long text field to provide a more detailed description or explanation of the business role, including its applications, any dependencies with other roles, and so on. Also, documentation concerning changes and updates to the business role can be documented here to chronicle its evolution.
• Business Role Group: Business role groups are defined using the Business Role Groups app. You can assign business role groups to help you organize by area and easily search for all business roles of a specific category (for example, assign business users to them). Grouping also facilitates the maintenance of authorizations. If you are the super administrator for all areas, you can delegate maintenance tasks to administrators for their relevant areas, such as Financials. In this case, you create a business role group for Financials.
• Access Categories: Access categories represent the default access categories for the business role. Restrictions can be used to refine and restrict access.
• Business Role Template ID: If the business role was created using one of the business role templates delivered by SAP, the ID is linked to the business role definition for maintenance and reporting purposes.
• Leading Business Role ID: The Leading Business Role ID field denotes whether a business role has been derived from another business role. Derived business roles can simplify creation and maintenance in scenarios where multiple business roles must be created with the same standard access. The leading business role contains the basic settings, such as access restrictions, the assigned business catalogs, and common restrictions, such as the General Accountant or Plant Manager. The values defined in the leading business role can't be changed in the derived business role. You can, however, define extra values for the derived business role.
• Is Leading Business Role: The Is Leading Business Role checkbox designates the business role as the leading or parent business role. More roles can be derived from a leading business role.