Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
Dhanshree
Explorer
4,314

Introduction: In today's rapidly evolving business landscape, organizations are increasingly turning to SAP S/4HANA Public Cloud to drive digital transformation and enhance operational efficiency. One of the critical components in ensuring a secure and streamlined business process is effective role design. The "Maintain Business Role" Fiori app plays a pivotal role in this strategy, allowing organizations to manage user access and restrictions with precision. This blog delves into the importance of a well-thought-out role design strategy in SAP S/4HANA Public Cloud and how leveraging the "Maintain Business Role" app can empower businesses to optimize their security and compliance while facilitating smooth operations.

Understanding the Basics:

The Fiori Apps Library is an online repository that offers detailed information on all SAP Fiori apps. It helps users explore, filter, and learn about app functionalities, technical details, and deployment options, assisting organizations in selecting and implementing relevant apps for their SAP environment. SAP Fiori Apps Reference Library (ondemand.com)

1_1.png

Business Catalogs

This App contains organized collections of related Fiori apps or business applications grouped by their functional area or business role. 

Business Role Templates

This App provides Standard SAP roles that group together restrictions for specific job functions. They simplify user access management by providing ready-made roles aligned with business processes, which can be easily assigned and customized. These templates are also updated automatically when new features are activated, ensuring users have access to the latest functionalities. Standard roles in SAP are typically only visible in specific apps like the "Business Role Templates" app, not in the "Maintain Business Role" app. SAP delivers business role templates for different user personas. These templates are only suitable for exploring functionality. Productive use is strongly discouraged.

 

2_2.png

Business Role

This can be a Single Role, Leading Role or a Derived Role.

Single Roles

Single Roles serve as the foundational elements of role design in SAP, tailored either by task or business process, and encompassing specific restrictions required for various tasks within the system. These roles are managed through the Fiori app "Maintain Business Role" and are directly assigned to users, providing them with the precise access needed to perform their responsibilities. For instance, a Single Role designed for a Tax Accountant in India would include apps focused on GST-related tasks. By leveraging localized roles with country-specific catalogs, organizations can ensure that Single Roles provide targeted and efficient access, aligning with the unique needs of each user.

Master-Derived Roles/Leading-Derived Roles

Master-Derived Roles offer a more advanced approach, especially useful in large organizations. A Master Role acts as a template, with Derived Roles inheriting its core permissions but allowing adjustments for specific organizational levels, such as regions or business units. This ensures consistent role structure while accommodating necessary variations. In the public cloud, a Master Role is referred to as a Leading Role.

Maintain Business Role Groups

This app lets you create groups for different business roles and assign multiple roles to each group. This makes it easier to organize and find roles and helps with managing authorizations. If you're a super administrator, you can let other admins handle specific areas, like Financials, by creating a role group for that area and restricting role assignments to certain user groups. The app automatically names these role groups in namespace ZCBHow to use the Maintain Business Role Groups funct... - SAP Community 

4_4.png

Manage Launchpad Spaces and Pages

With the "Manage Launchpad Spaces and Pages" app, you can organize and configure the SAP Fiori Launchpad to suit your business needs. This app allows you to:

  • Create and Manage Spaces: Spaces are high-level containers that group related pages together, providing a structured layout for users.
  • Design and Customize Pages: Pages are specific areas within a space where you can add and arrange apps and tiles, tailoring the user experience.
  • Organize Content: Control which apps and tiles appear on each page, making it easier for users to find and use the tools they need.

The older "groups" concept has been replaced by this more flexible approach, allowing for better organization and customization of the launchpad.

5_5.png

Display Restriction Types

The "Display Restriction Types" app lets you view restriction types, their associated fields, and where they are used within business catalogs. In SAP S/4HANA Public Cloud, authorization objects are referred to as restriction types. Restriction types group together one or more restriction fields. For instance, the restriction type "Sales Area: SALES_AREA" includes fields like Saes Organization, Division and Distribution Channel.

6_6.png

Custom Catalogs

In S/4HANA Public Cloud, creating custom catalogs is restricted to developers, who can only create them using Developer extensibility via ADT (ABAP Development Tools) for purely custom apps. Standard apps cannot be added to these custom catalogs. I strongly recommend reading this blog, which highlights the importance of adopting a cloud mindset by embracing the fit-to-standard approach. Successful SAP S/4HANA Cloud, public edition, impl... - SAP Community 

Custom Tiles

This App enables you to create and customize tiles for accessing external applications from the SAP Fiori Launchpad in SAP S/4HANA Cloud. You can set a title, subtitle, optional icon, and define the application’s URL with parameters. After previewing, the tile can be assigned to a business catalog. Additionally, the URL can be adjusted after deployment to the production system. However, the app does not grant access to users without the necessary authorizations.

7_7.png

Custom catalog extensions

This refers to the process of modifying or enhancing the existing Fiori catalog by adding, removing, or adjusting applications and tiles to better fit the specific needs of a business or organization. This App allows you to make an app available on the SAP Fiori Launchpad by assigning it to the necessary business catalogs and activating it. After creating an app, use this tool to assign the required catalogs and ensure it is linked to a business role that includes those catalogs.

8_8.png

Display IAM Apps (Available from 2408)

This app allows you to view all supported IAM apps and their details, helping you manage assigned business roles. You can see general information like app ID and transaction, view app descriptions, and display assigned business catalogs and roles. For external apps, it also shows related authorizations, including authorization objects, instances, and fields.

9_9.png

IAM Information System

This app offers a detailed overview of business users, including their assigned roles and restrictions. It enables you to view and analyze the relationships and usage of business roles, catalogs, users, and restrictions. By clicking on any entity such as business roles, derived roles, users, catalogs, role templates, restrictions, launchpad spaces and pages; you can access additional details directly. This app is a valuable tool for administrative tasks, helping you understand how different elements are interconnected and used within your system. It offers functionalities similar to the SUIM transaction code.

11_11.png

IAM Key Figures

This App provides crucial insights into user and role management. It allows you to view several key metrics, including the number of business users assigned to roles, their last log-on dates, and the count of locked versus unlocked users. Additionally, it tracks the validity of business users, identifies business roles with unmaintained restrictions or unrestricted access, and provides details about business roles with default values from business catalogs.

10_10.png

12_12.png

Display Security Audit Log

This app enables users to access security-relevant event information within the SAP system, which can be crucial for audits. It records events such as changes to the ABAP platform, logon attempts, and transaction starts, providing transparency and helping to reconstruct sequences of events. Users can view audit analysis reports from specified log files. The app "Display Static System Audit," designed for external auditors, offers a detailed view of these Security Audit Log events. SAP Note 2903873 lists the events currently recorded.

Understanding On-Premise, Public Cloud, and Private Cloud

AspectPublic CloudOn-PremisePrivate Cloud
StandardizationHighly standardized with predefined processes and configurations.Full control, allowing extensive customization.Balance of standardization and flexibility.
CustomizationLimited customization to maintain ease of upgrades.Highly customizable to meet specific business needs.More customization than public cloud, less than on-premise.
MaintenanceManaged by the vendor, with automatic updates and patches.Managed internally, including updates and infrastructure.Managed by a third-party provider, with customizable options.
ScalabilityEasily scalable within vendor constraints.Requires planning and investment in hardware and licenses.Easier to scale than on-premise, with more control than public cloud.
CostSubscription-based pricing with lower upfront costs.Higher upfront costs for hardware, licenses, and maintenance.Higher than public cloud, lower than on-premise, mix of subscription and infrastructure costs.

 

Prerequisites:

1) Scope Activation

Scope activation in SAP Central Business Configuration (CBC) is the process of enabling specific business functions and processes in your SAP S/4HANA Cloud system. It allows you to tailor the system to your organization’s needs by selecting only the necessary functionalities, making the implementation more focused and efficient.

16_16.png

Impact on Business Role Templates and Catalogs

  • Business Role Templates: When you activate new scope items, the system may update existing business role templates or create new ones. These templates define the restrictions and access rights for users based on the activated functionalities. This ensures that users have the appropriate access to the new features without manual adjustments.

  • Addition of New Catalogs: Activating new scope items can also lead to the introduction of new business catalogs in the system. These catalogs group related Fiori apps and functionalities, making them accessible to users based on their roles. As new catalogs are added, they must be integrated into the relevant business roles to ensure users can access the newly activated features.

  • 17_17.png

By carefully managing scope activation, you ensure that your SAP system remains aligned with your business needs while automatically updating roles and catalogs to reflect the newly enabled capabilities.

Viewing App-Scope Relationships in SAP Fiori Apps Library and RASD Tool

Fiori Apps Library:

  • Filter by Scope Item: In the SAP Fiori Apps Library, filter apps by “Scope Item” to see which apps are linked to specific functionalities.
  • App Details: Select a scope item to view related apps, including technical data, required roles, and business catalogs. If you search by App, navigate to Product Features and subsection Scope items.

RASD Tool (Release Assessment and Scope Dependency tool):

  • Search by Scope: Use the RASD Tool in SAP to search for scope items and see related apps, business roles, and catalogs.
  • Analyze Dependencies: Understand how activating a scope item affects your system and app availability.

IAM Information System:

  • You can filter main entity by Business Catalog and refer Business Catalog- Scope Items tab.
  • 18_18.png

These tools help you ensure the right Fiori apps are available when activating new functionalities in SAP S/4HANA.

2) Requirement Gathering Process

The requirement gathering process from a Business Process Design Document involves reviewing the document to understand the process design, engaging stakeholders to clarify and validate requirements, and then documenting functional and non-functional needs. These requirements are prioritized, compiled into a functional specification, and reviewed for approval to ensure alignment with the process design before moving forward. Here’s how the consultant would proceed

 a) Understand Business Processes and Requirements

  • Review Process Requirements: The process consultant reviews the process requirements listed in the Business Process Design Document, focusing on critical business processes. The goal is to understand the specific business scenarios and how they translate into SAP functionalities.
  • Map Processes to SAP FIORI Apps: The process consultant maps the business processes n the Business Process Design Document to available FIORI apps by identifying from FIORI Apps Library and mentioned (e.g., Manage Project Billing, Plan Customer Projects) that support the required functionalities. The Security Consultants then creates Role matrix containing Business Role, Catalog and FIORI App details based on Business Process: H2R (Hire to Retire, R2R (Record to Report), etc. Security Consultant also identifies gaps in the requirement and conducts workshops with the Process Consultant for clarifications.
  • Custom FIORI Development: If there are gaps between the standard FIORI apps and business needs, the Process consultant will consider the development team for creation of custom FIORI apps, as mentioned in the Business Process Design Document (e.g., custom app for maintaining investment profiles). The Security Consultants maps the Custom apps to appropriate Business Roles. 

   b) Design Role Concept

  • Role Definition: Based on the identified FIORI apps and the business process owners, the Security consultant will design roles that reflect the responsibilities and tasks of different user groups (e.g., Project Management, Project Billing, etc.).
  • Role Segregation: Roles are defined based on the principle of least privilege and tasks within the roles are segregated based on the segregation of duties policies within the organization.
  • Access ControlThe roles must be defined with restricted access based on the principle of least privilege as mentioned earlier and moreover other security requirements from the business such as restriction on document types, organizational restrictions such as company code etc.

c)Validate and Test

  • Security TestingThe designed roles are thoroughly tested to confirm they provide appropriate access to Fiori apps while preventing unauthorized access. Security consultants can perform technical unit testing to check if the Apps open w/o errors, followed by Functional Unit Testing (FUT) by Functional Consultants who verify the specific functions or features work as intended according to business requirements. Finally, User Acceptance Testing (UAT) is conducted by end-users to validate that the entire system meets their needs and performs in real-world scenarios before going live. Security specific testing includes below, but not limited to: 
    • Display Roles: Ensure that display roles only grant view access and do not allow any editing capabilities.
    • Cross-Company Code Restrictions: Verify that roles with access to a specific company code (e.g., BE01) do not grant access to other company codes (e.g., IN01).
    • Segregation of Duties (SoD) Checks: Ensure that a single user does not have conflicting access rights, such as both Vendor Master Data management and Payment Processing.
    • Sensitive Access: Confirm that roles with access to sensitive or confidential data are strictly controlled and limited to authorized users only, with no unauthorized access permitted.

    This comprehensive testing approach ensures that roles are accurately configured, access conflicts are identified and resolved, and sensitive data remains secure.

  • User Feedback: Pilot testing might involve key users to validate the role design, making adjustments based on feedback before full deployment.

d)Document and Implement

  • Documentation: The final role designs, along with mapping to FIORI apps, are documented. This documentation is crucial for future audits and role maintenance. 13_13.png
  • Role DeploymentRoles are initially developed in the development system, where each app undergoes functional unit testing. After this phase, the roles are transported to the QA system for system integration testing and user acceptance testing. Once they pass these tests, the roles are imported into the production system and assigned to users.

By following this approach, the Security Consultant ensures that FIORI apps are effectively identified and that roles are designed to meet both business needs and security requirements.

 

Implementation:

4.png

Once you've confirmed the activated scope or if you're working on a new implementation, go to the Business Role Templates app. From there, copy the relevant standard roles and create custom roles tailored to your needs, using your organization's naming convention.

For example, the scope for India country is activated in my SAP system, I will navigate to the Business Role Templates, choose all the relevant roles, and then click the "Create Business Role" button.

BRM.png

Enter Prefix for Business Role ID: For example, if all my Role start with Z, I can enter Z. Select the Default Restrictions for Write, Read and Value Help as per your business need. I am providing Unrestricted access, so that Functional Consultants can explore all the functionalities. Unrestricted access is similar * in on-premise system.

BRM2.png

Once you click on OK, you will receive the overview of the result.

BRM3.png

Creating Leading and Derived Roles, and the pivotal role of Leading Restriction feature.

Navigate to Maintain Business Roles App and click on New

BR1.png

Enter Business Role ID and Description

BR2.png

In the below screenshot, Access Categories- Write is NO Access, you can change these values only when you have added Business Catalogs in the Role. Under Others section: Is Leading Business Role needs to be checked for all Leading/Master Role. You can also check Inherit Spaces in Derived Business Roles.

BR3.png

Navigate to Business Catalogs and Click on Add

br4.png

Search the Business Catalog you need to add based on your Business Requirement, select the Catalog and click on OK.

BR5.png

Check for any Dependent Catalogs and add them if needed and click on OK. The optional column represents whether the Dependent business catalog is Mandatory or Optional.

br6.png

You can change the Access Categories for Write, Read and Value Help to Restricted. Click on Maintain Restrictions to enter Restriction type values. br7.png

Maintain the Restriction type values as per your Business Requirement; Company Code can be a Leading Restriction maintained value can be as Maintained in Derived Role. Maintain all the values and Save the Role. When a field is marked as a Leading Restriction, its value is automatically propagated to other restriction types that use the same field.

br8.png

This helps significantly from Derived Role perspective:

For instance, if you want the values for Belgium and India to apply across all restriction types for the Company Code field, you will select BE01 (for Belgium) and IN01 (for India) and check the Leading Restriction checkbox. This action activates the Leading Restriction status, ensuring that these values are automatically inherited in all instances of the Company Code field within the role. This can be considered similar to Organizational Fields button on on-premise system. 

Search for your Leading Role and click on Create Derived Business Role.BR9.png

Enter the Derived Role ID and Description and Navigate to Maintain Restrictions

br10.png

I maintained Company Code value in the General section as BE01 and the values are automatically propagated to Other Restriction types.

br11.pngbr12.png

You can use Own values in Derived Business Roles for maintaining Unique values to a specific role. For example: I need some common values Billing type in All Derived roles, this can be maintained in Leading Role. Although, if you need S1 value only for IN01 Company Code, you can maintain the same in Own values.

Dhanshree_1-1723799816418.png
You can input multiple values in the text box under Ranges using Comma Separated values.
1.png
 
You can create the Launchpad Spaces and Pages simply by Navigating to Apps: Manage Launchpad Spaces and Manage Launchpad Pages respectively. You can refer this Blog Steps to create Space and Pages in Fiori Launchpad - SAP Community with the difference that click on Add button- and drop-down Use Customer-Created Space for Space is already created. Alternatively, you can create new Space from this window as well.

br13.png

Mass change of Business Roles: Please refer blog: How to Use 'Maintain Business Roles – Mass Mainten... - SAP Community 

Transporting Roles

To export roles, use the Export Collection app in the Development environment. For importing transports, the BASIS Team should use the Import Collection app. You can find more detailed instructions in the blog: Transport Your Spaces and Pages Configurations in ... - SAP Community Extensibility Inventory App is used to check Business Role to Export collection mapping.

Download and Upload Roles: You can download and upload roles using Maintain Business Roles App. You can also download and upload pages for existing spaces in version 2408. Note that modifying pages in the QA system is not allowed, and the functionality for downloading and uploading spaces is not available in version 2408.

Troubleshooting

Display Authorization trace enables authorization traces for business users to identify missing or insufficient authorizations. Key Features: Activate or deactivate authorization traces, view results showing assigned authorizations along with failed checks and display business roles that grant access to specific fields and values. Important Considerations: Supports up to 10,000 data sets; adjust selection criteria, especially date ranges, accordingly.

Authorization Check Statuses:

  • Successful: Authorization check passed.
  • Failed: Authorization checks failed.
  • Filtered: Data access restricted by DCL; no values shown for restriction fields.

Additional Notes:

  • In "Failed" and "Filtered" statuses, check relevant business roles to resolve issues.
  • Trace entries are automatically deleted after a certain period.

You can refer Blog: Your Sherlock Homes - How to Find Missing Business... - SAP Community for finding missing Business Catalogs. 

Please check dependent catalogs in Business Catalogs under section Dependencies

15_15.png

Issues we encountered during the project implementation and Important notes

  1. Unable to see data in G/L Line Items 3430018 - Line Items Missing in General Ledger Reporting Apps after 2402 - SAP for Me
  2. Issue with SAP Functional Area Restriction
  3. User is getting error "not authorized to schedule program SATC_EXECUTE_PROJECT_VIA_BATCH as a background job" from Eclipse- ABAP Test Cockpit - As of 2408, there is unfortunately no way to run ATC in an S/4HANA test client.
  4. Unable to restrict reverse and post functionalities for Supplier invoice - The authorization for reversing and posting supplier invoices cannot be split. When you reverse a supplier invoice, the system posts a credit memo for the invoice data, which is the same as posting a credit memo. To better understand the posting logic for reversing an invoice, please refer to note 2684816 - Posting logic for the reversal of an Invoice - SAP ERP & S/4HANA
  5. Delete access restrictions for the app "Manage payment media"- IAM Objects in Accounts Payable | SAP Help Portal
  6. Segregate access to create and release transports for Apps: Export customizing transports and Export Software collections: Catalog: SAP_CORE_BC_BCT_TRN_MNG_PC Business Configuration - Transport Management is for Creating transport requests with SAP Fiori app Export Customizing Transports and Catalog: SAP_CORE_BC_BCT_TRN_REL_PC Business Configuration - Transport Release Management is for Releasing transport requests with SAP Fiori app Export Customizing Transports 3414407 - Basic Information on Export Customizing Transports App - SAP for Me 3482742 - Transport Management in S/4HANA Cloud - Central KBA - SAP for Me
  7. Unable to change pre-delivered Field Status Group in configuration activity Define Field Status Variants:2911551 - SSCUI 102393 not able to edit Field Status Group - SAP for Me
  8. Users are not able to launch the FIORI App: MIRO create supplier invoices app- advanced, an error occurred the transaction must be terminated - User needs to be assigned to Catalog SAP_MM_BC_INV_PROCESS_MC
  9. Import button is disabled for app Map Format Data for Payments (F2685A) in SAP QA HANA Cloud system: app "Map Format Data for Payments" is a configuration activity which you can find in CBC system. You can edit format mappings in your D system instead of your T system.
  10. User is not able to access configuration activities tab in SAP CBC application- Check if User is assigned to correct project, since there will be multiple projects.
  11. User is getting WE20 authorization error while maintaining the Partner Profile for IDOC process through Manage Billing Document app - 3103626 - EDI: Partner profile does not exist - S/4HANA Cloud - SAP for Me
  12. When I am calling a service Process Supplier Invoice from SAP BTP Starter Business Application Studio via destination to S4 HANA system and it is throwing an authorization issue "You do not have start authorization for R3TR IWSV API_SUPPLIERINVOICE_PROCESS_SRV 0001, return code 4</message> The documentation for the API is found here https://api.sap.com/api/API_SUPPLIERINVOICE_PROCESS_SRV/resource/Header_Data The central standard documentation for setting up a communication arrangement https://help.sap.com/viewer/0f69f8fb28ac4bf48d2b57b9637e81fa/LATEST/en-US/2e84a10c430645a88bdbfaaa23... 
  13. Developers are getting authorization issue when they try to view T005(database table) entries in eclipse in SAP S4 HANA Cloud Development DEV client. User is already having SAP_BR_ADMINISTRATOR role in S4 Cloud system. Upon switching on the trace, it says user is missing S_TABU_NAM access for T005 table- T005 is not released. Please use the CDS View I_COUNTRY
  14. How to terminate user session in SAP S4 HANA Cloud like we were doing it in on-premise through transaction SM04- Please use App: Maintain User Sessions" in your SAP S/4HANA Cloud system.
  15. In the run statutory report, the TAX number is missing in when we run manage tax item report.
    we get a warning message stating " You have restricted authorization for selected reporting country/region" though the user has full authorization and his auth trace is successful- The Tax number field in Manage Tax Items shows the Tax Number 2 from LFA1 or KNA1 based on whether the business partner is customer or supplier. The corresponding fields are KNA1-stcd2 and LFA1-stcd2. 
    In your system these values are empty, hence you are getting blank tax number in Manage Tax Items. 
  16. Manage Automatic Payment: Restriction type BUKRS_CLPAYM values 1-Parameter, 2- Proposal, 3- Payment and 4- Payment Order Manage Automatic Payments | SAP Help Portal
  17. IPS Sync Read Job is failing between IAS to CBC with below reason:
    Caused by: com.sap.cloud.ips.runtime.exception.ProvisioningException: Could not process successfully all entities from system- 3256165 - Identity Provisioning job failed with error - $.active is not available in content, but is...
  18. How to hide or mask Bank account information for certain group of users- Use Business Catalog "SAP_HCM_BC_EMP_PI_DSP_PC". This catalog controls whether to display payment info or not https://help.sap.com/docs/SAP_S4HANA_CLOUD/a630d57fc5004c6383e7a81efee7a8bb/bce548d02b12448fb5191ced...
  19. SAP S/4HANA Cloud Content Federation with SAP BTP Launchpad Site app is giving 403 Forbidden error:2916153 - Errors when opening apps on Launchpad, Work Zone or Cloud Portal service - SAP for Me
  20. Auth error while doing config activity via Define Sales/Purchase Tax Determination in CBC: SAP_CA_BC_IC_LND_FIN_FICA_PC catalog is currently not available in your system since scope is activated. 2AR -> it's not activated in your system and requires license. You can refer to scope documentation: https://rapid.sap.com/bp/scopeitems/2AR
  21. How to integrate DI policies with IAS Mapping Policies to Identity Providers | SAP Help Portal
  22. How to delete Employee Data in S/4 HANA Cloud: 2922814 - How to Delete Employee Data in SAP S/4HANA Cloud Public Edition - SAP for Me
  23. How to customize views for FIORI apps or creating variants and transporting them: SAP Fiori for SAP S/4HANA – Yes Key Users can crea... - SAP Community SAP S/4HANA Cloud, public edition - Key User Exten... - SAP Community
  24. Price category for licensing: Understanding the Price Category information - SAP Community
  25. SAP Screen Personas with Adapt UIGetting Started with UI Adaptations for Classic Ap... - SAP Community

Limitations of S/4 HANA Public Cloud: 

  1. Inability to customize catalogs forces heavy reliance on standard catalogs, which limits role customization. As a result, users are granted access to all FIORI apps associated with the catalog.
  2. Inability to separate authorizations from the role menu to create task or enabler roles. The only available option is to create derived roles, but if the required restrictions are too granular, this can lead to the creation of a large number of roles.
  3. Inability to further restrict the write access like create, change, delete, upload, etc. for every Restriction
  4. Troubleshooting authorization issues can be challenging, particularly because the Authorization Trace tool is not yet fully developed and may not provide accurate information. When an authorization error stems from a missing catalog, finding a solution can be particularly difficult, often requiring a trial-and-error approach.
  5. We need to transport all roles with a changed status within the software collection, including dependencies such as derived roles, spaces, and pages. However, an alternative approach is to move the role to a different software collection along with all its dependencies, and then export them.
  6. Automation options like GUI scripts or eCATT are not available. While browser-based automation is possible, it tends to be too slow to be effective.

Upgrade

S/4HANA Public Cloud receives upgrades twice a year, in February and August, with releases identified by the year and month (e.g., 2402 for February 2024 and 2408 for August 2024). For detailed information on these upgrades, refer to the Upgrade Master Note 2975653 - Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud - SAP for Me and navigate to the Solution section, which provides notes for each specific upgrade. Please refer below blogs/links for Upgrade.

  1. Manage Business Role Changes After Upgrade | SAP Help Portal
  2. 3093696 - How to manage business role changes after system upgrade (sap.com)
  3. Review Business Role Changes before a Major Upgrad... - SAP Community
  4. FAQ on Upgrading SAP S/4HANA Cloud Public Edition - SAP Community

References: Security Recommendations | SAP Help Portal

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

3 Comments
Labels in this area