
On January 17, 2025, my colleague @christian_hochwarth officially announced the availability of App Authorization Variants in his blog SAP S/4HANA Cloud Public Edition 2502: Flexible Business Role Design with App Authorization Variants. This new feature gives our customers a highly desirable capability: precise control over access to individual Fiori apps. It is one step up from the past shortcoming that one business catalog grants access to multiple Fiori apps.
This blog gives an in-depth discussion of this new feature on a 2502 Release system of the SAP S/4HANA Cloud Public Edition.
Within SAP's Identity and Access Management (IAM), user access to transactions or Fiori apps is controlled by Business User Roles, such as Purchase Manager. Between Business User Roles and apps there is one layer, the Business Catalogs. You can view a Business User Role as an umbrella supported by one or more Business Catalogs. The real access control power sits in these Business Catalogs, as illustrated in the figure below: when a user is assigned the Business User Role containing Business Catalog 1, he or she gets access to all four apps, App 1 through App 4, regardless of whether App 2 is necessary for the user's job description.
Business Roles, Business Catalogs and Fiori Apps
By taking the business persona into consideration, we gave certain business catalogs access to more than one app for the convenience of business users. For example, the Business Catalog Master Data - Business Partner Display grants access to 20 applications and can display customer data in the accounting area as well as in the sales area. This thinking was valid when we targeted small and medium enterprises with SAP S/4HANA Cloud Public Edition several years ago.
Business Catalog Master Data - Business Partner Display Grants Access to 20 Apps
Fast forward to today's environment, and this one-to-many (one business catalog to multiple Fiori apps) access control thinking shows its limitations, especially with GDPR in place (do not expose data to an unintended audience) and with more and more medium to large enterprises embracing the Public Cloud with strict roles and responsibilities. My customer told me clearly that she wanted a very limited number of apps per user, all clearly defined by the job role.
This request was voted highly in our Customer Influence Council under the title Improved Flexibility in Business Role Design. SAP answered the call.
The solution is to add a layer called App Authorization Variants between the Business Catalogs and the Apps. Each app is controlled by an App Authorization Variant (AAV). For example, to access App 1, AAV-A is needed. App 3 is granted by both Business Catalog 1 and Business Catalog 2; now you need either AAV-C or AAV-D to access it.
App Authorization Variants between the Business Catalog and the Apps
With this new layer of control, we can easily meet our customers' requirement of precisely controlling who can access which app. For example, by removing AAV-B and AAV-C, the user can only access Apps 1, 3 and 4, as desired. App 3 is now granted by Business Catalog 2 alone, while App 4 is granted from both Business Catalogs. App 2 can no longer be accessed even though it is part of Business Catalog 1.
Precise App Access Control with the App Authorization Variant
Now let me give a more formal introduction of the App Authorization Variant.
The official name of AAV is "IAM apps of the app authorization variant type". What does that mean?
IAM Apps are relatively new to our Public Cloud. As the name suggests, they are all IAM related. We divide these apps into eleven types; the App Authorization Variant is one of them and is the type relevant to this discussion. In total, there are 7,851 IAM Apps as of today. Among them, 7,709 are of the App Authorization Variant type. The AAV is the primary user of IAM Apps for now, at the 2502 Release of the SAP S/4HANA Cloud Public Edition.
Different Types of IAM Apps
For the sake of convenience, I will use the term App Authorization Variant (AAV) throughout the blog.
Not all business catalogs support AAVs yet. Among 2,195 Business Catalogs, 1,760 support AAVs, roughly 80%. That is not bad considering how many business catalogs we have.
1,760 (or 80%) Business Catalogs Support IAM Apps
To access the AAV information, we usually start from the app Maintain Business Roles. Take the SAP-delivered business role template BR_ADMINISTRATOR as an example. This role contains 54 business catalogs and 100 IAM Apps (all of the App Authorization Variant type). All of these AAVs are active. You can select each one individually to deactivate or activate it.
IAM Apps in Business User Role Template BR_ADMINISTRATOR
Now let's take a closer look at the Fiori app F1303, Maintain Business Users. In the SAP Fiori Apps Reference Library, it lists five business catalogs. That means as long as one of these five business catalogs is in your business role definition, the user can access the app Maintain Business Users.
Business Catalogs Associated with App Maintain Business Users
Now I am going to apply AAVs to user management. To showcase the effects, I use a 2408 Release system, because I have two accounts there, one for System Admin (GY) and another for Testing (TY). The AAV feature was enabled on this 2408 Release system as an Early Adopter.
First, I create a new business role by copying the SAP role template BR_ADMINISTRATOR and call it ZYU_BR_ADMINISTRATOR. User TY is assigned to it. To simplify the role, I removed all business catalogs except five IAM-related ones.
Five Business Catalogs within Business User Role ZYU_BR_ADMINISTRATOR
There are 15 IAM Apps associated with this Business User Role ZYU_BR_ADMINISTRATOR. Three of them are user management related, highlighted in green.
15 IAM Apps associated with this Business User Role ZYU_BR_ADMINISTRATOR
As the Business User Role ZYU_BR_ADMINISTRATOR was created by copying the standard SAP template BR_ADMINISTRATOR, all five Launchpad Spaces are copied over. When user TY logs on to the system, four of these Launchpad Spaces are no longer there because the 49 unrelated business catalogs were removed. Only the Administration Launchpad Space is visible. Of the 11 Pages belonging to this Space, only the Identity and Access Management Page has active app tiles; no app tiles show up on the other Pages. We are going to focus on the three apps surrounded by the green boxes.
The Identity and Access Management Page for User TY
Now I am going to showcase the effects of AAVs.
Scenario 1 – Removing App Tile Display Technical Users
Enter the Edit mode of the Business User Role ZYU_BR_ADMINISTRATOR. Select the IAM App Display Technical Users, hit the Deactivate button, then the Save button.
Deactivate IAM App Display Technical Users
After refreshing the web browser, user TY only sees three app tiles in the Users and Roles section. The app tile Display Technical Users is invisible.
The Display Technical Users App Is No Longer part of Identity and Access Management Page for User TY
Scenario 2 – Removing User Role Assignment Capability
To assign a user to a business role, we can hit the Add button as shown below in the app Maintain Business Roles.
Visible Add button in the app Maintain Business Roles
Now I plan to remove this Add privilege from user TY, so I deactivate the IAM App Assign Business Users to Business Roles F1303_22_TRAN.
Deactivated IAM App Assign Business Users to Business Roles F1303_22_TRAN
After refreshing the web browser, user TY still sees three app tiles in the Users and Roles section. The app tile Maintain Business Roles is still there, as intended. But on entering the app Maintain Business Roles, user TY can still add users to a business role! Nothing has changed.
Why? Is this a bug in AAV?
The answer is "No". If we check the IAM App list carefully, we can see that there is another IAM App, Assign Business Roles to Business Users F1492_22_TRAN. This IAM App belongs to a different app, F1492. "Assigning a user to a role" and "assigning a role to a user" are the same thing said in different ways; both are performed by the same transaction. Deactivating only one of the two variants therefore closes one entry point to that transaction while leaving the other one open.
Note: Now I understand better that a transaction and a Fiori app are not identical. One or many transactions are embedded in a Fiori app, and the same transaction can be embedded in different apps, such as F1303 and F1492 in this case.
Deactivated IAM Apps Assign Business Users to Business Roles F1303_22_TRAN and Assign Business Roles to Business Users F1492_22_TRAN
After deactivating both IAM Apps, I can no longer edit the users in the app Maintain Business Roles. The Add and Remove buttons are greyed out.
User TY Cannot Edit Users in Maintain Business Roles App
Out of curiosity, I also tried to add a role to the user from the app Maintain Business Users. The Add and Remove buttons are greyed out there as well.
User TY Cannot Assign Business Roles in Maintain Business User App
The AAV works as intended. Bravo!
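The two scenarios above can be captured in a small model of how a business role resolves to reachable apps and functions. The following Python is an added illustration, not SAP code and not any SAP API: the class and function names are my assumptions, and the role data is constructed from the blog's scenarios (only the variant IDs F1303_22_TRAN and F1492_22_TRAN and the app IDs F1303 and F1492 come from the page; every other AAV ID, app ID and catalog name is a placeholder). It shows why deactivating a single variant was not enough, and adds the check a practitioner wants before declaring a capability removed: list every variant in the role that exposes the same function.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AAV:
    """An IAM app of the App Authorization Variant type (a model, not SAP's schema)."""
    id: str        # variant ID, e.g. "F1303_22_TRAN"
    app: str       # Fiori app the variant belongs to, e.g. "F1303"
    function: str  # the capability the variant unlocks inside that app


@dataclass
class BusinessRole:
    """A business role: its catalogs, the AAVs each catalog carries, and the deactivated AAVs."""
    name: str
    catalogs: dict[str, list[AAV]]
    inactive: set[str] = field(default_factory=set)

    def all_aavs(self) -> set[AAV]:
        return {v for aavs in self.catalogs.values() for v in aavs}

    def active_aavs(self) -> set[AAV]:
        return {v for v in self.all_aavs() if v.id not in self.inactive}

    def accessible_apps(self) -> set[str]:
        # An app tile stays visible as long as at least one active AAV points to the app,
        # no matter which catalog contributed that AAV (App 3 via AAV-C or AAV-D in the blog).
        return {v.app for v in self.active_aavs()}

    def can(self, function: str) -> bool:
        # A function is reachable through ANY app that still has an active variant for it.
        return any(v.function == function for v in self.active_aavs())

    def variants_for(self, function: str) -> set[str]:
        # The pre-removal check: every one of these must be deactivated, not just the first found.
        return {v.id for v in self.all_aavs() if v.function == function}

    def deactivate(self, *aav_ids: str) -> None:
        unknown = set(aav_ids) - {v.id for v in self.all_aavs()}
        if unknown:
            raise KeyError(f"{self.name}: AAVs not in role: {sorted(unknown)}")
        self.inactive.update(aav_ids)


def build_example_role() -> BusinessRole:
    """Constructed data modelled on ZYU_BR_ADMINISTRATOR in the blog.

    F1303_22_TRAN (app F1303, Maintain Business Users) and F1492_22_TRAN
    (app F1492, Maintain Business Roles) both expose the user-role assignment
    function. All PLACEHOLDER_* IDs and catalog names are invented for the model."""
    assign_in_users = AAV("F1303_22_TRAN", "F1303", "assign_user_to_role")
    assign_in_roles = AAV("F1492_22_TRAN", "F1492", "assign_user_to_role")
    display_users = AAV("PLACEHOLDER_USERS_DISPLAY", "F1303", "display_users")
    display_roles = AAV("PLACEHOLDER_ROLES_DISPLAY", "F1492", "display_roles")
    display_tech = AAV("PLACEHOLDER_TECH_USERS_DISPLAY", "PLACEHOLDER_TECH_USERS_APP",
                       "display_technical_users")
    return BusinessRole(
        name="ZYU_BR_ADMINISTRATOR",
        catalogs={
            "PLACEHOLDER_CATALOG_USERS": [display_users, assign_in_users, display_tech],
            "PLACEHOLDER_CATALOG_ROLES": [display_roles, assign_in_roles],
        },
    )


def run_scenarios() -> dict[str, bool]:
    """Replays Scenario 1 and Scenario 2 against the model and returns what each step observes."""
    role = build_example_role()
    result: dict[str, bool] = {}

    # Scenario 1: deactivating the only variant of an app removes its tile.
    role.deactivate("PLACEHOLDER_TECH_USERS_DISPLAY")
    result["tech_users_tile_gone"] = "PLACEHOLDER_TECH_USERS_APP" not in role.accessible_apps()

    # Scenario 2, first attempt: deactivate only the variant under F1303.
    role.deactivate("F1303_22_TRAN")
    result["assign_still_possible_after_one"] = role.can("assign_user_to_role")  # True

    # Scenario 2, fixed: deactivate every variant in the role that exposes the function.
    role.deactivate(*role.variants_for("assign_user_to_role"))
    result["assign_possible_after_all"] = role.can("assign_user_to_role")  # False
    # The Maintain Business Roles tile remains, because F1492 still has an active display variant.
    result["roles_tile_still_visible"] = "F1492" in role.accessible_apps()
    return result


if __name__ == "__main__":
    for step, observed in run_scenarios().items():
        print(f"{step}: {observed}")
```

The point of `variants_for` is that the role, not the app, is the unit you audit: the same transaction can be reachable from several Fiori apps, each through its own variant, so a removal is only complete when that set is empty of active entries.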
To meet customers' business needs in different environments, SAP released a new feature called App Authorization Variants to create one-to-one access control between an app (or a transaction within it) and a business user role. The App Authorization Variant becomes the smallest entity in business user role design. With this feature, administrators can precisely grant access to an individual app or transaction to a user via a business role, which greatly reduces the risk of exposing data to unintended users. As Scenario 2 shows, a capability is only truly removed once every AAV that exposes it, across all apps in the role, has been deactivated, so verify the result inside each affected app rather than relying on an app tile disappearing.