Outlining Security Concepts for SAP S/4HANA, Public Cloud Edition

Objectives

After completing this lesson, you will be able to:
  • Describe the key elements of the authorization concept.
  • Describe business catalogs and apps.

Authorization Concept

Access to business applications is controlled by role-based authorization management. To this end, business roles are assigned to business users to provide access to applications and functionality for a user's job requirements. Once a business user is assigned a business role, they can access applications through business catalogs.

Elements of the Authorization Concept

The following graphic illustrates the elements of the authorization concept:

Diagram showing business users assigned to a business role. The business role includes two components: business catalogs and business or custom apps.

  • A business user is an employee, contractor, administrator, or anyone else who can log on to SAP S/4HANA Cloud, public edition, and must complete the relevant business tasks. This person needs access to data to fulfill their tasks, but only to the data required for these specific tasks.
  • A business role is a collection of access rights that can be assigned to business users.
  • A business catalog is a set of applications that usually belong together semantically.

Identifying the Elements in the Authorization Concept

The authorization concept can be broken down into the following elements:

Diagram showing the relationship between Business Role and Business User. Business Role branches into multiple Business Catalogs, including SAP Fiori App, SAP HTML GUI App, Dashboard, or Display.

  1. A business role is assigned to a business user to provide access to applications.
  2. One or more business catalogs are assigned to the business role. Administrators control the visibility of data by applying general restrictions to individual catalogs within the business role.
  3. Catalogs contain apps, access to data, or access to configuration steps. Catalogs carry restriction types with different access categories (write, display, or value help). These can be maintained to control access within the apps and to the other content of the catalog.

A business role (for example, sales manager) is assigned to a business user to grant permission to access applications in SAP S/4HANA Cloud, public edition.

A business role can include one or more business catalogs (for example, sales order processing).

Business catalogs provide access to one or more apps, dashboards, displays of data, or functionality.

Administrators can control write and read access to the data and functionalities granted through the assignment of a business catalog by maintaining the restrictions (for example, sales organization).

Restrictions allow you to define what a business user can view (read) or edit (write) in the information and functionality granted by each business catalog within the assigned business role.

Business Catalogs and Apps

An app is assigned to a business catalog, a set of applications that usually belong together semantically.

Diagram showing Application A assigned to a Business Catalog. The catalog contains six applications labeled Application A, Application B, Application C, Application D, Application E, and Application X.

SAP delivers predefined business catalogs that can be used as they are or extended by adding custom apps.

SAP interface displaying Business Catalogs overview. Left panel has filter options. Right panel shows a box with 11 Deprecated in use. Main table lists various Business Catalogs with details.

All available business catalogs and their apps can be displayed in the Business Catalogs app. In this app, you can also see whether business catalogs are deprecated. If custom applications must be added to business catalogs, you can do this in the Custom Catalog Extension app.

Illustration of a business catalog with applications listed, flanked by an unlocked padlock with stars on the left and a locked padlock with stars on the right.

A business catalog also contains access restrictions for the apps' value help, read access, and write access. The Display Restrictions app can display an overview of all restrictions and their use in business catalogs.
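
The chain described in this lesson (business user, business role, business catalog, restrictions per access category) can be modelled as a small access check plus a role review that flags deprecated catalogs and unrestricted write access. This is an added example, not SAP code or an SAP export format; the catalog, role, user and sales organization values are constructed, "*" is used here to mean unrestricted, and denying anything not explicitly granted is an assumption of the example.

```python
# Constructed sample data modelling user -> role -> catalog -> restrictions.
# All identifiers below are hypothetical and exist only for this example.
CATALOGS = {
    "CAT_SALES_ORDER": {"apps": {"Application A"}, "deprecated": False},
    "CAT_SALES_OLD": {"apps": {"Application X"}, "deprecated": True},
}
ROLES = {
    "SALES_MANAGER": {
        # per catalog: access category -> restriction type -> allowed values
        "CAT_SALES_ORDER": {"write": {"sales_org": {"1010"}},
                            "read": {"sales_org": {"1010", "1710"}}},
        "CAT_SALES_OLD": {"read": {"sales_org": {"*"}}},  # "*" = unrestricted
    },
    "SALES_ADMIN": {
        "CAT_SALES_ORDER": {"write": {"sales_org": {"*"}}},
    },
}
USERS = {"jdoe": ["SALES_MANAGER"]}


def is_allowed(user, app, category, rtype, value):
    """True if any role of the user grants `category` access to `app` for `value`.
    Assumption of this example: anything not explicitly granted is denied."""
    for role in USERS.get(user, []):
        for cat_id, restrictions in ROLES[role].items():
            if app not in CATALOGS[cat_id]["apps"]:
                continue  # this catalog does not expose the app
            allowed = restrictions.get(category, {}).get(rtype, set())
            if "*" in allowed or value in allowed:
                return True
    return False


def audit_roles():
    """Review findings: deprecated catalogs still in use, unrestricted write."""
    findings = []
    for role, cats in ROLES.items():
        for cat_id, restrictions in cats.items():
            if CATALOGS[cat_id]["deprecated"]:
                findings.append((role, cat_id, "deprecated catalog in use"))
            for rtype, values in restrictions.get("write", {}).items():
                if "*" in values:
                    findings.append((role, cat_id, f"unrestricted write on {rtype}"))
    return findings
```

In this sample, jdoe can edit Application A data for sales organization 1010 but can only display it for 1710, which is the read/write split that restrictions are meant to enforce.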

Business Users on Public Cloud

To support the new Business User identity model, SAP S/4HANA Cloud, public edition, has a simplified creation process for defining the business user and the worker. The new process provides tools to manage the user's lifecycle and enhanced functionality, such as the ability to create a worker without assigning a company code and cost center or the possibility of creating multiple work agreements. The aim is to ensure a faster and more unified onboarding process for SAP S/4HANA Cloud, public edition.

A flowchart of SAP S/4HANA Cloud shows IAM Admin assigning Business Roles to Business Users. Business Roles define Restrictions and contain Business Catalogs with Fiori Apps requiring Authorizations.

For SAP S/4HANA Cloud, public edition, an end user must register as a worker in the organization. The worker is then linked to the system as a business user to log into the system and use the actual applications.

Lesson Summary

You are now familiar with the authorization concept and its key principles.
