Role-Based Authorization in SAP S/4HANA Cloud
A business user is an employee, contractor, administrator, or other person who needs access to the SAP S/4HANA Cloud system. A business user can be assigned one or more business roles. A business role includes one or more business catalogs that grant access to data and/or applications (SAP Fiori or SAP GUI for HTML apps) for the user to complete their job tasks.
The user interface a user interacts with in SAP S/4HANA Cloud is the SAP Fiori Launchpad. The way in which apps are organized on the launchpad is defined by the Launchpad Space(s) assigned to a business role, and the Launchpad Page(s) assigned to the Space. Every business role MUST have at least one Space with at least one Page to define how apps display for a user on the launchpad. Spaces & Pages will be discussed in more detail in a future unit.
It's common for employees within an organization to be assigned one or two roles that provide access to the applications necessary for their primary job responsibilities, in addition to the Employee role. The Employee role provides access to several self-service applications including Manage My Timesheet for time recording, Concur Travel Expense for booking business-related travel and submitting expense reports for customers who also have a license to SAP Concur, My Inbox, which collects workflow tasks from different areas in a single app, and several other applications.
Business catalogs can be added to or removed from a business role to grant or revoke access to data and/or applications. Alternatively, within a business role, restrictions can be defined that limit the scope of what a business user can view or edit in an application. For example, a senior project manager and a junior project manager both need access to the Plan Customer Projects app within the Professional Services line of business, but the senior manager likely needs more data visibility than the junior manager. In that case we create a business role from the Project Manager template for each use case and restrict the junior manager business role by company code, cost center, or other values so that the junior manager can only see project data within their area. Restrictions will be covered in more detail in a future unit.
There are also technical users, which are typically not people, but systems being granted some type of access to SAP S/4HANA Cloud to complete a task. For example, a technical user would be created to pull print jobs remotely when setting up the Output Management (1LQ) business process. In addition, a person from SAP accessing the customer's system to provide a service or support would be a technical user.
Check which business role or catalog is required for your business user to access an application on the Fiori launchpad by looking up the relevant app in the SAP Fiori Apps Reference Library.
Overview of creating users and assigning permission in the SAP S/4HANA Cloud Starter System
The graphic below provides an overview of how to create users and assign permission in the SAP S/4HANA Cloud starter system.
Activate Business Roles
After content is deployed in the SAP S/4HANA Cloud starter system customizing tenant, the customer IT Contact can log into the starter system using the credentials sent in the provisioning email. An administrator business role (SAP_BR_ADMINISTRATOR) is already assigned to the IT Contact's user upon login, so they will see a header titled Administration with several additional pages in a drop-down menu. No other business roles are available to be assigned at this point, so the IT Contact needs to activate all the SAP standard roles from the Business Role Templates app.
- Select the drop-down arrow next to Administration and choose Identity and Access Management.
- Navigate to the Business Role Templates app.
- Scroll all the way to the bottom of the page to load all business roles.
- Select all roles and choose Create Business Role.
- The Prefix can be left empty.
- Choose Create and Assign Spaces based on SAP-Delivered Spaces.
- Set all restrictions to Unrestricted.
This makes a copy of all SAP standard business role templates and makes them available to be assigned to users through the Maintain Business Roles and/or Maintain Business Users apps. It may take some time for all role templates to be copied.
Assign the standard Administrator Business Role
The role assigned to the IT Contact initially is just meant to get you started in the starter system. After all business roles have become available in the starter system, the IT Contact should remove the originally assigned admin role (SAP_BR_ADMINISTRATOR) and assign the standard admin role (BR_ADMINISTRATOR). In addition, the User Name field may be blank. If so, look up your user in the Identity Authentication Service (IAS). Use the Login Name in the IAS for the User Name field in the starter system.
- Navigate to the Administration space and choose the Identity and Access Management page.
- Select the Maintain Business Users app.
- Select your own user and edit the information. The User Name should match the Login Name for your user in the IAS.
- Select Add to assign the BR_ADMINISTRATOR business role to your user.
- Select the checkbox to the left of the SAP_BR_ADMINISTRATOR role and choose Remove.
- Save your changes and refresh your browser.
Create users for project team members
Even though users for the project team members were already created in the Identity Authentication Service (IAS), the users have to be created again manually in the starter system. Afterwards, a file containing the user information and assigned permissions is downloaded from the starter system and imported into the IAS to generate the email notifications. It is important that the user information in the starter system matches the information already in the IAS, especially the Login Name: the Login Name from the IAS must be used as the User Name in the starter system.
- Select the Administration space and choose the Workforce Master Data page.
- Select the Manage Workforce app.
- Select Import → Worker.
- Set the delimiter to Comma (,) and choose Download Templates.
- Save the template to your desktop and open the CSV file in Microsoft Excel.
- Enter the following information for each project team member:
  - WorkerID (same as User ID in IAS)
  - UserName (same as Login Name from IAS)
  - WorkerType (BUP003)
  - Start Date (today's date in YYYYMMDD format)
  - End Date (99991231)
- Save the file (keep it in CSV format) and import it into the Manage Workforce app.
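The mismatch the text warns about (a UserName in the starter system that differs from the IAS Login Name) is easy to introduce when the template is filled in by hand. The following added example, which is not part of the original course material, builds the worker import rows from a constructed list of IAS users and checks a filled-in file before it is imported. The column names are taken from the fields listed above; the real template headers may differ, which is an assumption of this example.

```python
import csv
import io
from datetime import date

# Constructed sample of the project team as it exists in the IAS
# (User ID and Login Name). These values are made up for the example.
IAS_USERS = [
    {"user_id": "P000001", "login_name": "jane.doe@example.com"},
    {"user_id": "P000002", "login_name": "max.mustermann@example.com"},
]

# Assumed column names, taken from the fields the course lists; the real
# Basic Worker Import Template headers may be named differently.
COLUMNS = ["WorkerID", "UserName", "WorkerType", "Start Date", "End Date"]
WORKER_TYPE, END_DATE = "BUP003", "99991231"

def build_worker_rows(ias_users, start=None):
    """One template row per IAS user: WorkerID = IAS User ID,
    UserName = IAS Login Name, Start Date = today (YYYYMMDD)."""
    start = start or date.today().strftime("%Y%m%d")
    return [{"WorkerID": u["user_id"], "UserName": u["login_name"],
             "WorkerType": WORKER_TYPE, "Start Date": start,
             "End Date": END_DATE} for u in ias_users]

def to_csv(rows):
    """Serialize rows with a comma delimiter, as selected in the app."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS, delimiter=",", lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

def validate_worker_csv(text, ias_users):
    """Return a list of problems found in a filled-in template: a UserName
    with no IAS account, a WorkerID that belongs to a different IAS user,
    a wrong WorkerType, or a date that is not in YYYYMMDD format."""
    logins = {u["login_name"]: u["user_id"] for u in ias_users}
    problems = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        uid, login = row.get("WorkerID", ""), row.get("UserName", "")
        if login not in logins:
            problems.append(f"line {n}: UserName {login!r} not found in IAS")
        elif logins[login] != uid:
            problems.append(f"line {n}: WorkerID {uid!r} does not match IAS User ID")
        if row.get("WorkerType") != WORKER_TYPE:
            problems.append(f"line {n}: WorkerType must be {WORKER_TYPE}")
        for col in ("Start Date", "End Date"):
            v = row.get(col, "")
            if not (len(v) == 8 and v.isdigit()):
                problems.append(f"line {n}: {col} {v!r} is not YYYYMMDD")
        if row.get("End Date") != END_DATE:
            problems.append(f"line {n}: End Date should be {END_DATE}")
    return problems
```

Run the validator over the CSV you are about to import; an empty list means every row matches an IAS account and uses the expected worker type and date formats.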
Basic Worker Import Template Example
The graphic below shows an example of a Basic Worker Import Template:
Assign the Administrator Business Role to project team members
After the users have been created, navigate to the Maintain Business Roles app to assign everyone the Administrator business role. You need to assign the project team members the admin role, because this gives each person the ability to maintain their own permissions (add/remove business roles), and create additional test users, which is necessary for the line of business configuration experts to prepare for delivering their Fit-to-Standard workshops in the Explore phase of the SAP Activate Methodology. Since we are assigning one role to multiple users, it's more efficient to navigate to the Maintain Business Roles app (instead of Maintain Business Users) and assign all users to the Administrator (BR_ADMINISTRATOR) role.
- Select the Administration space, then the Identity and Access Management page.
- Open the Maintain Business Roles app.
- Select the Administrator (BR_ADMINISTRATOR) role.
- Select the Edit button and the Assigned Business Users tab.
- Click the Add button and select the checkbox to the left of all the newly created project team member users.
- Select Apply, then Cancel to close the dialog box.
- Select Save.
Verify there is an assigned Launchpad Space
Make sure there is a launchpad space on the Assigned Launchpad Spaces tab. The Space and one or more Pages assigned to the Space define the structure of how apps will display on the launchpad for each user. If there is no assigned launchpad space, no apps will display on the launchpad.
If no space is assigned, select the Add button and choose the option to Create Spaces Based on SAP-Delivered Spaces. This makes a copy of the SAP-defined space that corresponds to the Administrator business role. Finally, save the role.
Download users & their permission assignments
Next, the IT Contact needs to download all users and their assigned business roles from the Maintain Business Users app. Select all users, then choose Download → Download for IDP (Identity Provider) and save the result as a .CSV (comma-separated values) file.
Import user file to Identity Authentication Service (IAS)
Finally, the IT Contact can import this file into the Identity Authentication Service (IAS), which will validate the users with their existing accounts and generate email notifications for each user. As long as the Home URL is maintained for the SAP S/4HANA Cloud starter system in the IAS, the email notifications will also include the link for each project team member to directly access the starter system after they've validated their account through the email notification. You can navigate to the IAS directly, or use the Identity Provider app within SAP S/4HANA Cloud.
- Select the Administration space, then the Security page.
- Select the Identity Provider app to launch the Identity Authentication Service.
- Select the Import Users app.
- Choose the Starter System from the list of applications.
- Browse for the file and select the Import Button.
- Select Send to send activation emails to all project team members.