Defining Business Roles for Production

Objectives

After completing this lesson, you will be able to:

  • Define a business role
  • Assign business catalogs

Business Roles

For the SAP S/4HANA Cloud, public edition production system, SAP recommends that customers create their own custom business roles based on the specific applications and requirements defined for their implementation. SAP delivered the Maintain Business Roles app for this purpose. 

You can define a business role from scratch and add each business catalog required for that business role using the Maintain Business Roles app. To define a business role, you add one or more business catalogs to it. These predefined catalogs are delivered by SAP and contain the actual authorizations that allow users to access the apps contained in the catalog. 

Each business catalog bundles authorizations for a specific business area. You can tailor the access according to the needs of the business and for compliance purposes using restrictions.

To identify the relevant SAP business catalogs for an application, use the SAP Fiori Apps Reference Library. Here, you can review the SAP Fiori apps implementation information contained under the Implementation Information configuration category. 

Remember, if you create the business role using one of the SAP business role templates as we discussed in lesson 2, the business role will automatically contain a preconfigured set of business catalogs. You must then tailor the access to remove all unneeded business catalogs, add any missing catalogs, and adjust the restrictions based on your specific access requirements.

Note

Custom business roles should be created and maintained in the development system (in a 3-system landscape) and migrated through the system landscape to Production using software collections following SAP best practices for change management. 

Also, assigning multiple business roles to a business user increases the risk of overriding existing authorizations. A user who is assigned multiple business roles gets an aggregated set of authorizations. For example, a user who is assigned a GL Accountant business role and a Cost Accountant - Overhead business role has the combination of all authorizations granted by each role.

This is particularly important where business roles share common authorization objects and have common fields, such as company code and account type of journal entry. If, for example, the GL Accountant business role has "Write Access: No Access", and the Cost Accountant - Overhead business role has "Write Access: Unrestricted", then the business user would be able to post in the Post General Journal Entries app because the user has write access in the companies maintained in the restrictions held in the Cost Accountant - Overhead role. You will find more details about restrictions in the next lesson.

Typically, to define a business role from scratch using the Maintain Business Roles app, you will perform the following steps:

  1. Maintain General Role Details
  2. Assign Business Catalogs
  3. Maintain Restrictions
  4. Assign Launchpad Spaces and Pages

You will learn about each step in this process as you work through our business scenario. In this lesson, you will focus on steps 1 and 2. Steps 3 and 4 will be discussed in later lessons.

 

The business role definition contains basic details about the business role. You can use the Maintain Business Roles app to define the following General Role Details when creating your role:

Business Role ID

The business role ID should be created in the customer namespace and contain the letters BR to denote that it is a business role. Do not begin your business role IDs with BR because this namespace belongs to SAP.  

Business Role Description

The Business Role Description should contain an easy-to-understand description describing the purpose of the business role and its function(s). 

Business Role Long Text

You can use the long text field to provide a more detailed description or explanation of the business role, including its applications, any dependencies with other roles, and so on. Additionally, documentation concerning changes and updates to the business role can be documented here to chronicle the evolution of the business role over time.

Business Role Group 

Business role groups are defined using the Business Role Groups app. You can assign business role groups to help you organize by area and easily search for all business roles of a specific category (for example, assign business users to them). Grouping also facilitates the maintenance of authorizations. If you are the super administrator for all areas, you can delegate maintenance tasks to administrators for their relevant area, such as Financials. In this case, you would create a business role group for Financials.

Access Categories

Access categories represent the default access categories for the business role. Restrictions can be used to refine and restrict access.

Business Role Template ID

If the business role was created using one of the business role templates delivered by SAP, the ID would be linked to the business role definition for maintenance and reporting purposes. 

Leading Business Role ID 

The Leading Business Role ID field denotes whether a business role has been derived from another business role. Derived business roles can simplify role creation and maintenance in scenarios where multiple business roles must be created with the same standard access. The leading business role contains the basic settings such as access restrictions, the assigned business catalogs, and common restrictions, such as General Accountant or Plant Manager. The values defined in the leading business role can't be changed in the derived business role. You can, however, define additional values for the derived business role. 

Is Leading Business Role

The Is Leading Business Role checkbox designates the business role as the leading or parent business role. Additional roles may be derived from a leading business role. 

You will learn more about how to use many of these General Role Details and how they impact your custom business roles later in this unit.

Business Catalogs

You can use the Assigned Business Catalogs tab to manage which catalogs are assigned to your business role. The Add button allows you to search for any required catalogs and link them to the business role definition. Select the catalogs according to the business activities that the users with this role will need to perform. 

 

Some business catalogs require that additional dependent catalogs be assigned to the business role as well to enable access to associated master data information (for example, for business partners or customers). These dependent catalogs ensure access to all business objects required for the SAP Fiori apps of the main catalog.

When you add one or more business catalogs to the business role, a list of dependent business catalogs is displayed. You can then add any dependencies that are relevant to the business role. You can also validate dependencies at any time by selecting the Check Dependencies link. 

Once you have added a catalog to the business role, you can view the Catalog Description by clicking the catalog ID link. You can use this documentation to review the catalog's Functional Description and Authorization Criteria.

Additionally, you can discover all the applications in the catalog by opening the Applications tab, where you can also find the default Access Categories and Restrictions.

Define Business Roles for Production

In the exercise below you will define custom SAP business roles.

Summary

You now know how to define a business role and assign relevant business catalogs

Log in to track your progress & complete quizzes