Enterprise Resource Planning Blog Posts by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Managing Business User Groups in SAP S/4HANA Cloud Public Edition

Dhanashree_23
Product and Topic Expert
Product and Topic Expert
‎2025 May 02 6:57 PM
454

Introduction 

Among the variety of features offered by SAP S/4HANA Cloud Public Edition, one important feature is around grouping business users into business user groups, which is useful when the administrator roles require restrictions with regards to the business users they can manage. 

A common scenario in an organisation may be when an IT super administrator wants to maintain multiple sub-administrators for different areas, so that they can only manage users relevant to them and not be able to manage other users which belong to other sub-administrator’s area. 

Let's understand with steps below on how to create business user group and use it for your requirements. 

Create business user group. 

  1. Go to the “Maintain Business User Groups (F6399)” app. 
  2. Click on the “Create” button. 
  3. Fill the mandatory fields “Business User Group” and “Description”. 
  4. Click on the “Create” button again to save the business user group. 

Note:

Business user group name must start with the prefix ZCB and should be maximum of 12 characters long (Ex. ZCB_XXXXXXXX).You can refer to the guide "How to set up a Naming Convention for Business Users". 

Dhanashree_23_0-1746181535820.png

Fig 1: Business user group creation 

Note:  

  1. You can also create business user groups through the SCIM interface (SAP_COM_0465). For more information, refer to documentation - link)    
  2. For maintaining a business user group, the administrator needs to be authorized for the business catalog – “Identity and Access Management – Group Management” (SAP_CORE_BC_IAM_GRP_PC) 

Assign business users to a business user group 

Once the business user group has been created, click on the “Add” button and assign the business users to the business user group. Alternatively, you can also go to the “Maintain Business Userapp and assign the business user group to the business user.

Dhanashree_23_1-1746181698116.png

Fig 2: Assignment of business users to a business user group 

Note: 

  1. You can upload the .csv file to assign the business users to business user groups in mass as well by using the “Upload” button in the “Maintain Business User Groups” app. 
  2. You can also assign the business users to the business user group via the “Maintain Business Users” app. (Screenshot below) 

Dhanashree_23_2-1746181944425.png

Fig 3. Assignment of business users to the business user group via the Maintain business users app 

 

Mass assignment possible via mass changes in “Maintain Business User app

You can go to the “Maintain Business Users app, select the business users and click on the Mass Change button. Select "Business User Data" for the area and "User Group" for the attributes. Then, click the "Next Step" button. Finally, review and confirm the changes as shown in the screenshots below. 

Dhanashree_23_3-1746182045309.png

Fig 4.a. Mass change Wizard-1 

Dhanashree_23_4-1746182107960.png

Fig 4.b. Mass change Wizard-2

Dhanashree_23_5-1746182184379.png

Fig 4.c. Mass change Wizard-3

Authorization required for maintaining business user group 

To effectively use business user groups to govern access for business users, assign the groups to the necessary business roles as restrictions.  

For more details on how to use restrictions, please refer - "How to Define Authorizations Based on Restrictions"

To authorize administrators to change business users assigned to specific business user groups, you need to maintain restrictions. The restriction type "Business User" is part of the Maintain Business User (F1303) app. 

For a business role which contains the above app, the restriction for a business user group can be maintained. 

 You can create copies of the "SAP_BR_ADMINISTRATOR" role template using the "Maintain Business Roles" app. Alternatively, you can create custom roles using the business catalogs mentioned above. Maintain the restrictions by following the steps below. 

Go to the “Maintain Business Roles”app.  

  1. Use an existing business role. Alternatively, you can also add a restriction to a custom business role. 
  2. Click on the “Maintain Restrictions” button for the business role. 
  3. Select  “User Group” for the restriction type. 
  4. Select the business user group created earlier as a restriction to this administrator business role. 

Now, this restricted administrator business role can be assigned to the required administrator user, who can then only manage business users included in the business user group. 

Dhanashree_23_6-1746182465357.png

Fig 5a: Maintain business user group as a restriction in the Z_ADMIN custom role

Dhanashree_23_7-1746182501624.png

Fig 5b: Maintain business user group as a restriction  of the copied BR_ADMINISTRATOR business role. 

 Implementing Business User Group Functionality 

 In an organization, IT super administrators need to maintain sub-administrator users. These sub-administrators manage business users based on their line of business, such as Finance or Sales. 

You can follow the below steps to implement the same: 

Step 1: Create the required business user group e.g. “ZCB_SAL_TEAM”, for managing sales team.  

Step 2: Assign the business users related to sales to this “ZCB_SAL_TEAM” business user group (Note: You can refer Fig 2 above). 

Step 3: In the “Maintain Business Roles” app, create the sales administrator business role “BR_ADMINISTRATOR_SALES”, from the “SAP_BR_ADMINISTRATOR” business role template. . 

Step 4: Select the  “BR_ADMINISTRATOR_SALES” business role and maintain its restriction for  the “ZCB_SAL_TEAM” business user group (Note: You can refer Fig 3 above). 

Step 5: Assign the above created “BR_ADMINISTRATOR_SALES” business role to the required sub-administrator user. 

Now, this sub-administrator user who has been assigned the  “BR_ADMINISTRATOR_SALES” business role can only manage sales team business users which were assigned to the  “ZCB_SAL_TEAM” business user group.  

This sub-administrator user will not be able to manage other business users which are not included in the “ZCB_SAL_TEAM” business user group, as the “Edit” button is disabled for other business users. The sub-administrator user will get the following error if he/she tries to manage other business user groups which are not assigned to him/her, except for “ZCB_SAL_TEAM”. 

Dhanashree_23_8-1746182623828.png

Fig 6: Error message if the admin user tries to manage other business user groups 

Note – To be able to effectively manage this feature, every business user must be assigned to a business user group. 

These business user groups can be transported from the Development tenant to the Test Tenant and forwarded to the Production tenants using the “Export Software Collection” app. 

Conclusion 

This feature offers a robust framework for managing and controlling access for business users. 

Thank you for reading this blog post, hopefully, it was informative and helped you to understand in detail how to use business user groups to manage your organization more efficiently. 

More details on this can also be found in Maintain Business User Groups in the SAP help portal.