Describing an Overview of Identity Access Management

Objective

After completing this lesson, you will be able to describe an overview of Identity Access Management in SAP S/4HANA Cloud Private Edition.

Identity Access Management Overview

Business Role Overview & Ownership

A Business Role represents a job a person does, including all workplace responsibilities. Employees usually have responsibilities that cross more than one business role, with varying degrees of data access (e.g. Senior vs. Junior Consultant).

Image showing an overview of business roles and role ownership.

SAP provides hundreds of predelivered business role templates that include:

  • SAP Fiori apps and Classic UI apps that match the system tasks for the business role
  • Networked navigation between relevant applications
  • Markings that delineate which apps are supported for different devices
  • A default assignment of content on the launchpad for groups (Fiori 2.0) or spaces and pages (Fiori 3.0)
  • Matching security role in the SAP S/4HANA system that can be assigned to users who perform the role
    • Security roles start with "SAP_BR_"

SAP Business Role templates can be a starting point for a customer's own business roles. Instead of editing an SAP template directly, make a copy of the role, then make your customizations to the copy. You can also create custom roles from scratch. Business Roles are assigned to Business Users.

Business Role Ownership

Customers own their business roles completely. Within the customer organization, role administrator(s) must be identified to complete tasks, such as:

  • Collaborate with LoB experts to ensure roles in the new system provide access to the necessary apps and functions. SAP standard roles can be used as a starting point, or you can build completely custom roles.
  • After an upgrade is installed, review which roles may have been deprecated, which new roles have been created, and any other changes that could affect the end user's ability to access what they need to complete their job tasks
  • Set up the launchpad spaces and pages for the business roles and maintain them as needed after release upgrades
  • Ensure the right authorization is given to members of the external implementation team during a project and revoked after project completion
  • Maintain the security rule of "least privilege" by providing users only the minimum access they need to complete their job tasks

You may find it helpful to start by considering who should NOT be the role administrator(s):

  • Your security administrator - because they are primarily concerned with authorizations, not user experience
  • Your functional consultant - because they are primarily concerned with the end-to-end business process, not user experience
  • Your basis/technical consultant - because they are primarily concerned with the end-to-end system landscape, not user experience
  • Your UI designer and/or developer - because they are primarily concerned with the design and development of individual apps, not with the end-to-end user experience
  • Your project manager - because they will likely move onto other sites or other projects

User Authorization Terminology

  • Business User
    • Person using apps on launchpad to complete business tasks
    • Assigned one or more business roles; gains access to apps on launchpad based on assigned business role(s)
    • Employees are replicated to SAP S/4HANA through the integration with the HR system of record (recommended: SAP SuccessFactors Employee Central)
  • Business Role
    • Contains one or more business catalogs
    • Can reuse standard SAP business roles, use standard SAP role as a template and edit, or create own custom roles
    • Typical user roles & tasks
      • Administrators set up and configure the launchpad. They also create and configure content and adapt it if necessary to enable end users to optimally use the launchpad for their daily tasks.
      • End users carry out their daily tasks in the launchpad. They can search for apps and add them to their home page, personalize their settings, adapt content to suit their business scenario and collaborate with their colleagues.
      • Developers can customize the launchpad user interface by using various APIs to create buttons, add user options, and activate other features.
    • SAP standard roles that grant access to configure, adapt, and extend SAP S/4HANA with Fiori apps on the launchpad:
      • Administrator
      • Analytics Expert
      • Business Process Specialist
      • Configuration Expert e.g. Business Process Configuration (there are multiple "configuration expert" roles)

      Note

      Review these security considerations when granting implementation project team users SAP Fiori launchpad access.
  • Business Catalog
    • Contains a collection of tiles and target mappings relevant for a business role (i.e. contains one or more apps)
    • Catalogs can include a mix of SAP Fiori apps, Web Dynpro ABAP apps, SAP GUI transactions, or WebClient apps.
    • Content of a business catalog is a subset of the content of the technical catalog.
Diagram describing user authorization terminology, which is described in the previous text.

Note

Authorization summary: A business user is assigned a business role, which has one or more business catalogs assigned to it. Each catalog has one or more apps assigned to it. The business user then receives permission to access all apps assigned to the catalog(s) that are assigned to the role.
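The authorization chain in the note above, together with the role administrator tasks from the Business Role Ownership section (time-bound project access that must be revoked, customer copies instead of SAP_BR_ templates), can be modelled in a small review script. This is an added example with constructed data, not SAP's data model, API or code; the role, catalog and app names are made up for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed sample data: business catalog -> apps it exposes.
CATALOGS = {
    "CAT_AP_INVOICES": {"Manage Supplier Invoices", "Display Supplier Invoices"},
    "CAT_AP_PAYMENTS": {"Manage Payment Runs"},
    "CAT_FLP_ADMIN": {"Launchpad App Manager", "Manage Launchpad Spaces"},
}

@dataclass
class BusinessRole:
    name: str
    catalogs: set            # business catalogs contained in the role

@dataclass
class RoleAssignment:
    role: str
    valid_to: Optional[date] = None   # set for time-bound (e.g. project team) access

@dataclass
class BusinessUser:
    user_id: str
    assignments: list = field(default_factory=list)

ROLES = {
    "Z_BR_AP_ACCOUNTANT": BusinessRole("Z_BR_AP_ACCOUNTANT", {"CAT_AP_INVOICES", "CAT_AP_PAYMENTS"}),
    "SAP_BR_ADMINISTRATOR": BusinessRole("SAP_BR_ADMINISTRATOR", {"CAT_FLP_ADMIN"}),
}

def effective_apps(user: BusinessUser, today: date) -> set:
    """Apps the user can reach: user -> valid roles -> catalogs -> apps."""
    apps = set()
    for a in user.assignments:
        if a.valid_to is not None and a.valid_to < today:
            continue   # expired project access grants nothing
        for catalog in ROLES[a.role].catalogs:
            apps |= CATALOGS[catalog]
    return apps

def review_findings(user: BusinessUser, today: date) -> list:
    """Least-privilege review: flag SAP templates used directly and expired access."""
    findings = []
    for a in user.assignments:
        if a.role.startswith("SAP_BR_"):
            findings.append(f"{user.user_id}: {a.role} is an SAP template; assign a customer copy instead")
        if a.valid_to is not None and a.valid_to < today:
            findings.append(f"{user.user_id}: {a.role} expired on {a.valid_to}; revoke it")
    return findings

TODAY = date(2024, 6, 1)   # constructed review date

def sample_user() -> BusinessUser:
    """Constructed external consultant: permanent AP role plus expired project admin access."""
    return BusinessUser("CONSULT01", [RoleAssignment("Z_BR_AP_ACCOUNTANT"),
                                      RoleAssignment("SAP_BR_ADMINISTRATOR", date(2024, 3, 31))])
```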

Technical Catalog (also: Launchpad App Descriptor)

  • Contains the original tile and target mapping
  • Launchpad app descriptor is a single entity that contains both the tile and target mappings. It is maintained with the Launchpad App Manager (further discussed in next section). A Launchpad app descriptor contains a target mapping to one or more tiles, depending on the app type. Applications require a launchpad app descriptor item if they are to be called from the launchpad.
  • One technical catalog can contain multiple launchpad app descriptor items
  • After maintaining the launchpad app descriptor, you can map one or more tiles to it
  • Tiles and target mappings are referenced from business catalogs
  • Back-end authorization role SAP_FLP_ADMIN must be assigned to manage technical catalogs

SAP Fiori Launchpad UI Terminology

The SAP Fiori Launchpad UI terminology includes the following main categories:

Image shows the main categories: Launchpad, Tile/Link, App, Target Mapping, Groups, and Spaces and Pages, which are all outlined in the following text.


  • Launchpad
    • Single entry point to all apps permissioned to a user on any device.
  • Tile / Link
    • Visual representation of an app on the launchpad in either a tile or link
    • Link is just the tile name; can be useful for adding relevant apps (tiles) to a section without taking up the amount of space a tile would.
  • App (also: OData services)
    • An application; piece of software that is designed for a specific function
    • Referred to as a Tile or Link on the launchpad
    • Look & feel based on the Fiori design guidelines
    • Can be many different types; differentiated by front-end or back-end server
      • Front-end server app types: SAPUI5 Fiori app, SAPUI5 Fiori app on SAP Business Technology Platform, Tile Only, URL App
      • Back-end server app types: Transaction, Web Dynpro app, WebClient UI app

      Note

      OData services must be activated for each app in order for it to function properly. You can activate OData services for each app individually, or use task lists to activate several apps at once. Read more in the SAP Help Portal.
  • Target Mapping
    • Mapping of a navigation target to the intent (i.e. when you click on the tile, what app opens?)
    • Target mapping is a prerequisite for the navigation to an app in the launchpad
    • It can refer to only one target application, which may be built with any of several UI technologies (e.g. SAPUI5, SAP GUI for HTML)
  • Groups
    • SAP Fiori 2.0 design concept; successor is Spaces and Pages
    • Defines the grouping, sort order, and general appearance (tile or link) of apps displayed on the SAP Fiori Launchpad home page for a user.
    • Groups are deprecated as of SAP S/4HANA 2021 and should no longer be used unless it can be guaranteed that users will not personalize administrator-delivered groups; such a guarantee requires the administrator to disable the personalization capability via the SAP Fiori Launchpad Designer.
      • If a user personalizes a group, subsequent administrator changes will not be seen by that user
      • If personalization is disabled for all groups, the My Home group and any user defined Groups will be displayed AFTER all administrator defined groups on the header.
  • Spaces and Pages
    • SAP Fiori 3.0 design concept; supersedes Groups, however spaces/pages must be specifically enabled, otherwise Groups will display by default
    • It is possible to remove the capability for the user to enable or disable Spaces/Pages within the SAP Fiori Launchpad. Consequently, existing Groups could be used until all Spaces/Pages are complete, then a switchover could be made, keeping users from switching back to Groups.
    • Within a business role, you can assign one or more spaces. Within each space, you can organize app tiles/links within sections on a page. Spaces and pages were designed to offer more flexibility to influence the launchpad layout for specific user groups (e.g. different regions).
