Enterprise Resource Planning Blog Posts by SAP
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Managing Business Role Groups in SAP S/4HANA Cloud Public Edition

Dhanashree_23
Product and Topic Expert
Product and Topic Expert
‎2025 May 02 10:40 AM
421

 

Introduction 

Among the variety of features offered by SAP S/4HANA Cloud Public Edition, one important feature is grouping business roles into business role groups, which is useful when the administrator roles require restrictions with regards to the business roles they can manage. 

A common scenario in an organization may be when an IT super administrator wants to maintain multiple sub-administrators for different areas, so that they can only manage roles relevant to them and not be able to manage other roles which belong to other sub-administrator’s area. 

 Let's go through the steps below to understand how to create business role groups and use them for your requirements. 

Create a Business Role Group 

  1. Go to the “Maintain Business Role Groups” (Fiori ID - F6461) app. 
  2. Click on the “Create” button. 
  3. Fill in the mandatory fields “Business Role Group” and “Description”. 
  4. Click on the “Create” button again to save the business role group. 

Note: The name of the business role group must start with the prefix ZCB and should have a maximum of 12 characters (e.g.,. ZCB_XXXXXXXX).  

Dhanashree_23_0-1746172661827.png

Fig 1: Business Role Group Creation 

Note: 

  1. Business role group creation is also possible via the SCIM interface (SAP_COM_0465), (Refer to documentation - link) 
  2.  For maintaining a business role group, the administrator needs to be authorized for the  “Identity and Access Management – Group Management” business catalog. (The SAP_CORE_BC_IAM_GRP_PC business catalog includes the authorization for the “Maintain Business Role Group” app.) 
  3. For naming conventions of business role groups, you can refer to How to set up a Naming Convention for Business Roles.

Assign Business Roles to a Business Role Group 

Once the business role group has been created, click on the “Add button and assign the business roles to the business role group. Alternatively, you can also go to the Maintain Business Roles app and assign the business role group to the business role.

Dhanashree_23_1-1746173082589.png

Fig 2: Assignment of Business Roles to a Business Role Group 

Note: 

You can upload the .csv file to mass assign the business roles to business role groups by using the “Upload” button in the “Maintain Business Role Groups” app. 

You can also mass assign business roles to the business roles group using the “Maintain Business Roles” app as shown in the screenshot below.

Dhanashree_23_2-1746173521870.pngFig 3. Assignment of Business Roles to a Business Roles Group Using the Maintain Business Roles App 

 

Mass Assignment with Mass Changes in the “Maintain Business Roles” App 

Go to the “Maintain Business Roles” app, select the business roles, and click on the “Mass Change” button.  

Under “Area”, select “Business Role Data” and under ”Attributes”, select “Roles Group”. Then click on the “Next Step” button.  

Finally, review and confirm the changes as shown in the screen shots below. 

Dhanashree_23_3-1746173667046.png

Fig 4.a. Mass Change Wizard - 1 

Dhanashree_23_4-1746173704206.pngFig 4.b. Mass Change Wizard - 2 

Dhanashree_23_5-1746173764615.pngFig 4.c. Mass Change Wizard - 3 

Authorization Restrictions for Maintaining Business Role Groups

To be able to effectively use the business role group to govern the access for a business role, the business role group should be assigned to the required business role as a restriction. For more details on how to use restrictions, please refer to - link 

To authorize an administrator to change business roles that are assigned to a specific business role group, the maintenance of restrictions is required. The restriction type “Business Role” (S_BRL) is part of the app below:

  • F1492 - Maintain Business Roles 

For a business role which contains the above app, the restriction for a business role group can be maintained.

You can create a copy of SAP_BR_ADMINISTRATOR role template via Maintain Business Roles app  or alternatively, you can create a custom role using the above catalogs and maintain the restrictions as per the below steps. 

Follow the steps below to assign the business role group as a restriction to the required business role. 

  1. Go to the “Maintain Business Roles” app.  
  2. Use an existing business role. Alternatively, you can also add a restriction to a custom business role. 
  3. Click on the “Maintain Restrictions” button for the business role. 
  4. Select the restriction type as “Role Group”. 
  5. Select the business role group created earlier as a restriction to this administrator business role. 

Now, this restricted administrator business role can be assigned to the required administrator user, who can then only manage business roles included in the business role group. 

Dhanashree_23_6-1746174172641.png

Fig 5a: Assignment of a Business Role Group as a Restriction in the Role Copied from the BR_ADMINISTRATOR Role.

Dhanashree_23_7-1746174262840.png

Fig 5b: Assignment of a Business Role Group as a Restriction in the Custom Role Z_ADMIN. 

Example of How to Implement Business Role Group Functionality  

Suppose in an organization, the IT super administrator user needs to maintain sub-administrator users who can manage the business roles LoB-wise (eg: finance-related roles, sales related roles, etc.)

You can follow the steps below to implement the same: 

Step 1: Create the required business role group, for example, “ZCB_FINANCE”, for managing finance- related roles. 

Step 2: Assign finance- related business roles like “BR_Asset_Accountant”, “BR_GL_Accountant”, etc. to this business role group (Note: You can refer Fig 2 above.) 

Step 3: Create the finance administrator business role “BR_ADMINISTRATOR_FINANCE”, from the business role template “SAP_BR_ADMINISTRATOR” by using the “Maintain Business Roles” app. 

Step 4: Select the business role “BR_ADMINISTRATOR _FINANCE” and maintain its restriction for the business role group with value “ZCB_FINANCE” (Note: you can refer to Fig 3 above). 

Step 5: Assign the  “BR_ADMINISTRATOR_FINANCE” business role to the required sub-administrator user. 

Now, this sub-administrator user who has been assigned the business role “BR_ADMINISTRATOR_FINANCE’’ can only manage finance roles which were assigned to the business role group “ZCB_FINANCE”.  

This sub-administrator user will not be able to manage other business roles which are not included in the “ZCB_FINANCE” business role group, as the “Edit” button is disabled for other business roles. The screenshot below shows the same: 

Dhanashree_23_8-1746174526058.png

Fig 6: Edit Button Is Disabled for the Admin User 

Also, if the sub-administrator user tries to edit other business role groups that are not assigned to him/her, the error below is displayed: 

Dhanashree_23_9-1746174620376.png

Fig 7: Error if Admin User Tries to Manage Other Business Role Group 

Note: To be able to effectively manage this feature, every business role must be assigned to a business role group. These business role groups can be transported from a development tenant to test and production tenants using the “Export Software Collection” app. 

 

Conclusion 

This feature offers a robust framework for managing and controlling access for business roles. 

Thank you for reading this blog post, hopefully it was informative and helped you to understand how to use business role groups to manage your organization more efficiently. 

Find more details under Maintain Business Role Groups on SAP Help Portal.