Basics of User Administration
In the SAP S/4HANA system, a user is added by creating a user master record. In order for a person to connect to the system, they must either:
- Know the username and password necessary to log in (sometimes referred to as 'basic authentication'), or
- Have a Single Sign-On method configured in the system and have the appropriate credentials on their device to pass authentication checks.

Once authenticated, the user's authorizations are made available and are checked when the user attempts to run an app in the Launchpad or execute a transaction code in SAP GUI.
The user master record is where all the roles granted to the user are available and where a security team member can change any number of the details describing the user and their authorizations to do work within the system.
The user master record does not entitle the user to access the SAP HANA Platform directly, nor to access components at the operating system level of the server. It only allows access to SAP S/4HANA and controls what the user is allowed to do within the application itself. The user does not need access to the SAP HANA Platform or the OS of the server host in order to perform the normal functions of a day-to-day user of SAP S/4HANA. When a user accesses SAP HANA via SAP S/4HANA, this is normally done via a technical user account, which allows access based on the authorizations configured at and controlled by the SAP S/4HANA application.
In order for a user to utilize the SAP Fiori Launchpad, they must first be added as a user of the SAP S/4HANA system, i.e. have a user master record created. This can be accomplished using Transaction Code SU01 - User Maintenance.
Users and Authorizations
Once the user has logged on to the system, the user master record will show all roles assigned to the user. Within these roles, access to any necessary transaction codes and SAP Fiori Application Catalogs will be assigned. Once these are assigned to a role, the authorizations must be maintained within that role: both those needed to start the transaction code or OData service and those that delineate the data that may be accessed via the transaction code or the SAP Fiori applications within the catalog. If any authorizations are not present, an error will result when the user attempts to perform that activity or see a particular data value or set of values.

Additionally, an SAP Fiori Launchpad Space may be granted within the role. This allows the app tiles configured on any pages within that Space to show automatically, as long as the user also has the SAP Fiori Launchpad Catalog assigned. If the app tile within the Space is not a part of any Catalog the user has been granted access to, the tile will NOT display.
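The rules above can be checked against a role design before it reaches users. The following is an added example, not SAP code: a simplified Python model in which all role, catalog, Space and app names are constructed, and the start and data authorizations are reduced to plain sets.

```python
from dataclasses import dataclass, field

# Constructed content model (hypothetical names): apps per catalog, tiles per Space.
CATALOG_APPS = {"CAT_AP": {"APP_INVOICES", "APP_BALANCES"}, "CAT_BANK": {"APP_BANKS"}}
SPACE_TILES = {"SPACE_AP": ["APP_INVOICES", "APP_BALANCES", "APP_BANKS"]}

@dataclass
class Role:
    name: str
    catalogs: set = field(default_factory=set)      # Launchpad catalogs in the role
    spaces: set = field(default_factory=set)        # Launchpad Spaces in the role
    start_auths: set = field(default_factory=set)   # apps the role may start
    data_auths: dict = field(default_factory=dict)  # app -> permitted data values

def effective(roles):
    """Union everything granted by the roles in one user master record."""
    cats, spaces, starts, data = set(), set(), set(), {}
    for r in roles:
        cats |= r.catalogs
        spaces |= r.spaces
        starts |= r.start_auths
        for app, values in r.data_auths.items():
            data.setdefault(app, set()).update(values)
    return cats, spaces, starts, data

def audit_tiles(roles):
    """Return {tile: finding} for every tile on the user's Spaces."""
    cats, spaces, starts, _ = effective(roles)
    catalog_apps = set().union(*(CATALOG_APPS.get(c, set()) for c in cats))
    findings = {}
    for space in sorted(spaces):
        for tile in SPACE_TILES.get(space, []):
            if tile not in catalog_apps:
                findings[tile] = "hidden: not in any assigned catalog"
            elif tile not in starts:
                findings[tile] = "error on launch: start authorization missing"
            else:
                findings[tile] = "ok"
    return findings

def can_access(roles, app, value):
    """True only if the app can be started and the data value is authorized."""
    _, _, starts, data = effective(roles)
    return app in starts and value in data.get(app, set())

# Constructed sample user: two roles, as they would appear in the user master record.
AP_CLERK = Role("Z_AP_CLERK", {"CAT_AP"}, {"SPACE_AP"},
                {"APP_INVOICES"}, {"APP_INVOICES": {"1000"}})
DISPLAY = Role("Z_AP_DISPLAY", {"CAT_AP"})
```

Calling `audit_tiles([AP_CLERK, DISPLAY])` flags the tile that is on the Space but in no assigned catalog, and the tile that is visible but cannot be started.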
User Master Record
Authorizations are assigned to the user based on the roles which have been maintained in the user's master record via transaction code SU01. Authorizations are contained within profiles which are associated with specific role definitions.

For a detailed description on how to perform this process and to learn about the many options shown here in the user master record, please refer to this training path.
User Maintenance
Users are added via the User Maintenance transaction code SU01. At a minimum, a user must have the Last Name and Password fields assigned. There are many other values and options that will be assigned at various times to give the user access to the tasks necessary to perform their work duties, as well as the data access necessary when performing those duties.

In order for a user to access the SAP Fiori Launchpad, the roles assigned to them will include the SAP Fiori user role (or admin role if they are an admin), as well as the catalogs (and likely Spaces) that contain the apps their job role requires.