Creating and Customizing Business Roles

Objectives

After completing this lesson, you will be able to:

  • Create a business role from a template
  • Define restrictions

Create a Business Role from a Template

Which Restriction Values would be most effective?

There are many different business catalogs assigned to each business role. If I'm trying to restrict activities in specific applications, I need to look up the app(s) in the SAP Fiori Apps Reference Library and identify the business catalog(s) that grant access to the app(s). Then I can look at the detailed information about these business catalogs in the Maintain Business Roles app to see which restriction values would be most effective to control end user access to the app(s).

For example, if the concern for an associate-level project manager is about being able to create projects and staff employees to the project activities within their company code, look at the Overview Table section or Test Procedures of the relevant test script to see which apps are used to do these tasks. For Customer Project Management, the apps used for the majority of project tasks are Create Customer Projects (F0719) and Plan Customer Projects (F0719). It's also easier to find the app you're looking for in the Fiori Apps Reference Library when using the app ID to search. As you can see in this case, both Create Customer Projects and Plan Customer Projects have the same ID in the reference library, yet display as two different apps in the Fiori launchpad.

  1. In the SAP Fiori Apps Reference Library, look up the app ID and make sure the correct deployment is selected if there are different options available.
  2. Select the Implementation Information tab, and the Configuration section.
  3. Scroll down to the Business Catalog(s) section to see relevant catalogs.
  4. Copy the business catalog ID and navigate back to the Maintain Business Roles app in SAP S/4HANA Cloud.
  5. Navigate to the Assigned Business Catalogs tab of your custom business role.
  6. Paste the business catalog ID from the reference library in the search field and search.
  7. Select the business catalog and navigate to the Catalog Description tab. This is where you'll find information about which fields are most relevant to use when defining restrictions. This information differs for each business catalog.

Define Unrestricted Access for all Fields

On the Maintain Restrictions page, select the Read, Value Help drop-down menu and choose Restricted. This will provide a set of values you can define restrictions for. If you are going to define a restriction for any field, you must FIRST provide unrestricted access to ALL fields. If you define a restriction for a single field in this list and leave the others blank, the blank fields default to "no access", meaning they are not visible at all. After providing unrestricted access to all fields, you can then selectively choose which field(s) you want to restrict access for.

Define Restricted Access for specific Field(s)

In this example, we restrict the company code, in addition to several other fields (cost centers, responsible cost centers, purchasing organization) to make sure the business user assigned this role would only have the ability to create customer projects or view other existing projects in the United States area, and when staffing people to a project, select employees from within the US. Any projects created in the company code for Germany (1010) should not be visible.

  1. In the search field, enter company code to find the correct restriction.
  2. Select the "pencil" icon to edit the restriction.
  3. In the Field Settings section, select Restricted.
  4. In the Values section, you see the available company codes in the current SAP S/4HANA Cloud system. Select the checkbox to the left of the 1710 company code. This will automatically save and update on the Values screen to the left within a few seconds.
  5. Select the checkbox for Leading Restriction to pass the restriction value on to other relevant restriction types this field happens to be used in too.
  6. Repeat steps 1-5 for these restrictions: cost centers, responsible cost centers, purchasing organization.
  7. The business role has been automatically saving this entire time, so you can select the back button in the top left corner to navigate back to the original Maintain Business Roles page and save the role.
  8. Always make sure to assign the customized role to a user and test it out to verify the restrictions are accurately hiding/showing what you want them to.

Note

When assigning a business role to the user you're currently logged-in with, refresh your browser after the assignment to see the new apps/space(s)/page(s) display on the launchpad.
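The "unrestricted first, then restrict" rule above is easy to get wrong because blank fields silently become "no access". The following is an added illustrative model of those semantics (constructed for this lesson, not SAP's implementation; the field list and the cost center/purchasing organization values are assumptions) that lets you check a planned restriction set before assigning the role to a test user:

```python
# Illustrative model of the restriction semantics described above (constructed for
# this lesson, not SAP's implementation): once the Read, Value Help category is set
# to Restricted, every field left blank defaults to "no access".
UNRESTRICTED, RESTRICTED, NO_ACCESS = "unrestricted", "restricted", "no access"

# Constructed field list for the Project Manager role; real catalogs list more fields.
FIELDS = ["Company Code", "Cost Center", "Responsible Cost Center",
          "Purchasing Organization", "Project Role"]

def effective_access(maintained):
    """maintained maps field -> None (unrestricted) or a set of allowed values.
    Fields absent from the dict were left blank in Maintain Restrictions."""
    access = {}
    for f in FIELDS:
        if f not in maintained:
            access[f] = (NO_ACCESS, set())          # blank field: not visible at all
        elif maintained[f] is None:
            access[f] = (UNRESTRICTED, set())
        else:
            access[f] = (RESTRICTED, set(maintained[f]))
    return access

def silently_hidden(maintained):
    """Pre-assignment check: fields that would disappear for the user."""
    return [f for f, (a, _) in effective_access(maintained).items() if a == NO_ACCESS]

def can_see(maintained, field_name, value):
    """Would a user with this role see a record carrying `value` in `field_name`?"""
    a, allowed = effective_access(maintained)[field_name]
    return a == UNRESTRICTED or (a == RESTRICTED and value in allowed)

# The mistake warned about above: restricting company code alone, leaving the rest blank.
ONLY_COMPANY_CODE = {"Company Code": {"1710"}}

# Correct sequence: unrestricted access for every field first, then narrow the four.
US_ASSOCIATE_PM = {f: None for f in FIELDS}
US_ASSOCIATE_PM.update({
    "Company Code": {"1710"},
    "Cost Center": {"17101001"},             # constructed cost center values
    "Responsible Cost Center": {"17101001"},
    "Purchasing Organization": {"1710"},     # constructed purchasing org value
})

if __name__ == "__main__":
    print("hidden with company code only:", silently_hidden(ONLY_COMPANY_CODE))
    print("hidden with full maintenance:", silently_hidden(US_ASSOCIATE_PM))
    print("German project (1010) visible to US associate PM:",
          can_see(US_ASSOCIATE_PM, "Company Code", "1010"))
```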

Define Restrictions for a Business Role

Role-Based Authorization in SAP S/4HANA Cloud

A business user is an employee, contractor, administrator, or other person who needs access to the SAP S/4HANA Cloud system. They can be assigned one or more business roles. A business role includes one or more business catalogs that grant access to data and/or applications (SAP Fiori or SAP GUI for HTML apps) for the user to complete their job tasks. The user interface a user interacts with in SAP S/4HANA Cloud is the SAP Fiori Launchpad. The way in which apps are organized on the launchpad is defined by the Space(s) assigned to a business role, and the Page(s) assigned to the Space. Every business role must have at least one Space with at least one Page to define how apps display for a user on the launchpad. Spaces and Pages will be discussed in more detail in a future unit.

It's common for employees within an organization to be assigned one or two roles that provide access to the applications necessary for their primary job responsibilities, in addition to the Employee role. The Employee role provides access to several self-service applications including Manage My Timesheet for time recording, Concur Travel Expense for booking business-related travel and submitting expense reports for customers who also have a license to SAP Concur, My Inbox, which collects workflow tasks from different areas in a single app, and several other applications.

Business catalogs can be added to or removed from a business role to grant or revoke access to data and/or applications. Alternatively, within a business role, restrictions can be defined that limit the scope of what a business user can view/edit (read/write) in an application. For example, a senior project manager and an associate project manager both need access to the Plan Customer Projects app within the Professional Services line of business, but the senior manager likely needs more data visibility than the associate manager, so we create a business role from the Project Manager template for each use case and restrict the associate manager business role with specific values (e.g. company code, cost center, or other values) so they can only see project data within their area.

There are also technical users, which are typically not people, but systems being granted some type of access to SAP S/4HANA Cloud to complete a task. For example, a technical user would be created to pull print jobs remotely when setting up the Output Management (1LQ) business process. In addition, a person from SAP accessing the customer's system to provide a service or support would be a technical user. The Maintain Business Users app is only for human users; technical users are grouped together in their own app - Display Technical Users.

Note

Check which business role or catalog is required for a business user to access an application on the Fiori launchpad by looking up the relevant app in the SAP Fiori Apps Reference Library.

Business Role Customization Use Cases

When customizing business roles, first assess the volume of customization needed. We always want to stay as close to the SAP standard business role as possible, because this role has already been defined in the larger context of all other roles that exist in the system and the specific activities this particular role needs to complete in certain apps with access to relevant data. If we need to define different levels of data visibility for the same role (e.g. associate-level version vs. senior-level version), we create two different versions from the same role template and make our changes in each individual template. It's not possible to define different levels of permission and assign that to different business users within the same role.

Let's take the example of an associate-level version and senior-level version of the Project Manager - Professional Services template. The associate-level project manager should be able to create customer-facing projects and maintain the project staffing and billing information within the company code to which they are assigned. What's especially important is that when staffing a project, the associate project manager should only see available resources to staff within their own company code. There are a total of 2 company codes in the customer's system (USA - 1710, Germany (DEU) - 1010). The senior-level version of the Project Manager - Professional Services template should have the ability to create customer-facing projects and maintain the project staffing and billing information across any company code and also have visibility into the data of all customer-facing projects globally for reporting purposes. The Project Manager - Professional Services role is described in the Customer Project Management (J11) test script in the Professional Services industry solution area.

First, we need to create 2 different templates for the associate-level version of the role in each of 2 company codes. Each role template needs to have the data visibility and app functionality restricted to the relevant company code. There would be one "global" role for the senior-level project managers, since they have visibility into data across all company codes. For this role, we can just use the original template without any restrictions. After restricting each of the associate-level role templates, we need to review the corresponding Space(s) and Page(s) assigned to the business role. There may be certain apps that aren't relevant for the associate-level project managers that we should remove from the launchpad. If this is the case, we look up each app in the SAP Fiori Apps Reference Library to see which business catalog grants access to those app(s), then we remove the business catalog(s) from the 2 associate-level role templates. We don't need to remove the app from the Page template, because without the required business catalog assigned to the business role, the app will not display for the end user, regardless of it being on the Page template. However, you can remove the app from the Page template for consistency. Finally, assign the role to a test user and log in as that user to verify an employee with the role assigned wouldn't be able to view/edit what they shouldn't have permission to, and can view/edit what they should have permission to.

Creating a Business Role from a Template

We do not recommend making changes to the existing business roles visible in the Maintain Business Roles app. Instead, use the option to Create From Template, and create as many templates as necessary to address the use-cases identified with your customer LoB experts during the Fit-to-Standard workshops. Using a standard template makes it easier to maintain the role through future release upgrades.

The New Business Role ID and New Business Role Description fields will be pre-populated with information from the template, and you should define a naming structure that would make sense to an administrator who would be assigning this role to the relevant group of business users. For example, if the role will be restricted based on a company code and should only be assigned to project managers located in a specific country, include that in the ID and Description fields. You want a customer administrator to look at the role description and intuitively know who it should be assigned to.

In the field, Option for Spaces, select Create and Assign Spaces Based on Predefined Spaces. This allows you to copy the SAP standard template for Spaces and Pages that corresponds to the role template, but also gives you the ability to customize the Space/Page template. You want this flexibility in case your customer requires additional business catalogs that grant permission to other apps to be added/removed from the business role and therefore the corresponding space(s)/page(s) either now or potentially in the future. You will need to enter something that defines what makes this space different than the standard space in the New Space ID field. The naming structure should be aligned with what you've already entered in the Business Role ID and Business Role Description fields.

Maintain the General Role Details

When you create a new role from a template, the Access Categories default to the following:

  • Write, Read, Value Help: No Access
    • Leave this as-is. This setting disables the Adapt UI functionality (part of Key User In-App Extensibility that will be discussed in a future unit) that allows you to make changes to the user interface of the app that would affect other users in the system (e.g. moving fields around on the screen, adding/removing fields). Technically, you would need the Administrator business role assigned in addition to this field being set to "Unrestricted" for the Adapt UI functionality to be available, but it's still best practice to leave this field as "No Access" when creating business roles to meet the customer's use case requirements.
  • Read, Value Help: Unrestricted
    • This is the field we will apply a restriction to. In this example, we'll use company code as the restriction field, so that users assigned this role will only be able to view data and use app functionality within the defined company code. For example, if I'm staffing people to work packages (tasks) using the Plan Customer Projects app, I should only see employees available in the company code we've set the restriction for.
  • Value Help: Unrestricted
    • All users should always have access to the value help, so this should always be "Unrestricted". This field refers to accessing the help from the "question mark" icon in the top right corner.

After verifying the selections in the Access Categories section, select Maintain Restrictions to define restrictions for the Read, Value Help field.
