Introduction: In today's rapidly evolving business landscape, organizations are increasingly turning to SAP S/4HANA Public Cloud to drive digital transformation and enhance operational efficiency. One of the critical components in ensuring a secure and streamlined business process is effective role design. The "Maintain Business Role" Fiori app plays a pivotal role in this strategy, allowing organizations to manage user access and restrictions with precision. This blog delves into the importance of a well-thought-out role design strategy in SAP S/4HANA Public Cloud and how leveraging the "Maintain Business Role" app can empower businesses to optimize their security and compliance while facilitating smooth operations.
Understanding the Basics:
The Fiori Apps Library is an online repository that offers detailed information on all SAP Fiori apps. It helps users explore, filter, and learn about app functionalities, technical details, and deployment options, assisting organizations in selecting and implementing relevant apps for their SAP environment. See: SAP Fiori Apps Reference Library (ondemand.com)
Business Catalogs
Business catalogs are organized collections of related Fiori apps or business applications, grouped by functional area or business role. A business role grants access to apps by including the catalogs that contain them.
Business Role Templates
This app provides the standard SAP roles that group together the catalogs and restrictions for specific job functions. They simplify user access management by providing ready-made roles aligned with business processes, which can easily be copied and customized. These templates are also updated automatically when new features are activated, ensuring users have access to the latest functionalities. Standard roles in SAP are only visible in specific apps such as the "Business Role Templates" app, not in the "Maintain Business Role" app. SAP delivers business role templates for different user personas. These templates are only suitable for exploring functionality; productive use is strongly discouraged.
Business Roles
A business role can be a Single Role, a Leading Role or a Derived Role.
Single Roles serve as the foundational elements of role design in SAP, tailored either by task or business process, and encompassing specific restrictions required for various tasks within the system. These roles are managed through the Fiori app "Maintain Business Role" and are directly assigned to users, providing them with the precise access needed to perform their responsibilities. For instance, a Single Role designed for a Tax Accountant in India would include apps focused on GST-related tasks. By leveraging localized roles with country-specific catalogs, organizations can ensure that Single Roles provide targeted and efficient access, aligning with the unique needs of each user.
Master-Derived Roles offer a more advanced approach, especially useful in large organizations. A Master Role acts as a template, with Derived Roles inheriting its core permissions but allowing adjustments for specific organizational levels, such as regions or business units. This ensures consistent role structure while accommodating necessary variations. In the public cloud, a Master Role is referred to as a Leading Role.
Maintain Business Role Groups
This app lets you create groups for different business roles and assign multiple roles to each group. This makes it easier to organize and find roles and helps with managing authorizations. If you're a super administrator, you can let other admins handle specific areas, such as Financials, by creating a role group for that area and restricting role assignments to certain user groups. The app automatically names these role groups in the ZCB namespace. See: How to use the Maintain Business Role Groups funct... - SAP Community
With the "Manage Launchpad Spaces and Pages" app, you can organize and configure the SAP Fiori Launchpad to suit your business needs. This app allows you to:
The older "groups" concept has been replaced by this more flexible approach, allowing for better organization and customization of the launchpad.
The "Display Restriction Types" app lets you view restriction types, their associated fields, and where they are used within business catalogs. In SAP S/4HANA Public Cloud, authorization objects are referred to as restriction types. A restriction type groups together one or more restriction fields. For instance, the restriction type "Sales Area: SALES_AREA" includes the fields Sales Organization, Division and Distribution Channel.
Custom Catalogs
In S/4HANA Public Cloud, creating custom catalogs is restricted to developers, who can only create them using developer extensibility via ADT (ABAP Development Tools) for purely custom apps. Standard apps cannot be added to these custom catalogs. I strongly recommend reading this blog, which highlights the importance of adopting a cloud mindset by embracing the fit-to-standard approach: Successful SAP S/4HANA Cloud, public edition, impl... - SAP Community
Custom Tiles
This app enables you to create and customize tiles for accessing external applications from the SAP Fiori Launchpad in SAP S/4HANA Cloud. You can set a title, subtitle and optional icon, and define the application's URL with parameters. After previewing, the tile can be assigned to a business catalog. Additionally, the URL can be adjusted after deployment to the production system. Note that the tile itself does not grant access: users still need the necessary authorizations for the target application.
Custom catalog extensions
This refers to the process of modifying or enhancing the existing Fiori catalog by adding, removing, or adjusting applications and tiles to better fit the specific needs of a business or organization. This app allows you to make an app available on the SAP Fiori Launchpad by assigning it to the necessary business catalogs and activating it. After creating an app, use this tool to assign the required catalogs and ensure the app is linked to a business role that includes those catalogs.
Display IAM Apps (Available from 2408)
This app allows you to view all supported IAM apps and their details, helping you manage assigned business roles. You can see general information like app ID and transaction, view app descriptions, and display assigned business catalogs and roles. For external apps, it also shows related authorizations, including authorization objects, instances, and fields.
IAM Information System
This app offers a detailed overview of business users, including their assigned roles and restrictions. It enables you to view and analyze the relationships and usage of business roles, catalogs, users, and restrictions. By clicking on any entity such as business roles, derived roles, users, catalogs, role templates, restrictions, launchpad spaces and pages; you can access additional details directly. This app is a valuable tool for administrative tasks, helping you understand how different elements are interconnected and used within your system. It offers functionalities similar to the SUIM transaction code.
IAM Key Figures
This app provides crucial insights into user and role management. It allows you to view several key metrics, including the number of business users assigned to roles, their last log-on dates, and the count of locked versus unlocked users. Additionally, it tracks the validity of business users, identifies business roles with unmaintained restrictions or unrestricted access, and provides details about business roles that still carry the default values from their business catalogs.
Display Security Audit Log
This app enables users to access security-relevant event information within the SAP system, which can be crucial for audits. It records events such as changes to the ABAP platform, logon attempts, and transaction starts, providing transparency and helping to reconstruct sequences of events. Users can view audit analysis reports from specified log files. The app "Display Static System Audit," designed for external auditors, offers a detailed view of these Security Audit Log events. SAP Note 2903873 lists the events currently recorded.
Understanding On-Premise, Public Cloud, and Private Cloud
| Aspect | Public Cloud | On-Premise | Private Cloud |
|---|---|---|---|
| Standardization | Highly standardized with predefined processes and configurations. | Full control, allowing extensive customization. | Balance of standardization and flexibility. |
| Customization | Limited customization to maintain ease of upgrades. | Highly customizable to meet specific business needs. | More customization than public cloud, less than on-premise. |
| Maintenance | Managed by the vendor, with automatic updates and patches. | Managed internally, including updates and infrastructure. | Managed by a third-party provider, with customizable options. |
| Scalability | Easily scalable within vendor constraints. | Requires planning and investment in hardware and licenses. | Easier to scale than on-premise, with more control than public cloud. |
| Cost | Subscription-based pricing with lower upfront costs. | Higher upfront costs for hardware, licenses, and maintenance. | Higher than public cloud, lower than on-premise; a mix of subscription and infrastructure costs. |
Prerequisites:
1) Scope Activation
Scope activation in SAP Central Business Configuration (CBC) is the process of enabling specific business functions and processes in your SAP S/4HANA Cloud system. It allows you to tailor the system to your organization’s needs by selecting only the necessary functionalities, making the implementation more focused and efficient.
Business Role Templates: When you activate new scope items, the system may update existing business role templates or create new ones. These templates define the restrictions and access rights for users based on the activated functionalities. This ensures that users have the appropriate access to the new features without manual adjustments.
Addition of New Catalogs: Activating new scope items can also lead to the introduction of new business catalogs in the system. These catalogs group related Fiori apps and functionalities, making them accessible to users based on their roles. As new catalogs are added, they must be integrated into the relevant business roles to ensure users can access the newly activated features.
By carefully managing scope activation, you ensure that your SAP system remains aligned with your business needs while automatically updating roles and catalogs to reflect the newly enabled capabilities.
Viewing App-Scope Relationships in SAP Fiori Apps Library and RASD Tool
Fiori Apps Library:
RASD Tool (Release Assessment and Scope Dependency tool):
IAM Information System:
These tools help you ensure the right Fiori apps are available when activating new functionalities in SAP S/4HANA.
2) Requirement Gathering Process
The requirement gathering process from a Business Process Design Document involves reviewing the document to understand the process design, engaging stakeholders to clarify and validate requirements, and then documenting functional and non-functional needs. These requirements are prioritized, compiled into a functional specification, and reviewed for approval to ensure alignment with the process design before moving forward. Here's how the consultant would proceed:
a) Understand Business Processes and Requirements
b) Design Role Concept
c) Validate and Test
This comprehensive testing approach ensures that roles are accurately configured, access conflicts are identified and resolved, and sensitive data remains secure.
d) Document and Implement
By following this approach, the Security Consultant ensures that FIORI apps are effectively identified and that roles are designed to meet both business needs and security requirements.
Implementation:
Once you've confirmed the activated scope or if you're working on a new implementation, go to the Business Role Templates app. From there, copy the relevant standard roles and create custom roles tailored to your needs, using your organization's naming convention.
For example, the scope for the country India is activated in my SAP system, so I navigate to Business Role Templates, choose all the relevant roles, and then click the "Create Business Role" button.
Enter a prefix for the Business Role ID: for example, if all my roles start with Z, I enter Z. Select the default restrictions for Write, Read and Value Help according to your business needs. I am providing unrestricted access so that the functional consultants can explore all the functionalities. Unrestricted access is the equivalent of the value * (asterisk) in an on-premise system.
Once you click on OK, you will receive the overview of the result.
Creating Leading and Derived Roles, and the pivotal role of the Leading Restriction feature
Navigate to the Maintain Business Roles app and click on New.
Enter the Business Role ID and Description.
In the screenshot below, the Access Category Write is set to No Access; you can change these values only after you have added business catalogs to the role. Under the Others section, "Is Leading Business Role" must be checked for every Leading (Master) Role. You can also check "Inherit Spaces" in Derived Business Roles.
Navigate to Business Catalogs and click on Add.
Search for the business catalog you need based on your business requirement, select the catalog and click on OK.
Check for any dependent catalogs, add them if needed and click on OK. The Optional column shows whether a dependent business catalog is mandatory or optional.
You can change the Access Categories for Write, Read and Value Help to Restricted. Click on Maintain Restrictions to enter the restriction type values.
Maintain the restriction type values according to your business requirement. Company Code can be flagged as a Leading Restriction, with its value set to "As maintained in Derived Role". Maintain all the values and save the role. When a field is marked as a Leading Restriction, its value is automatically propagated to every other restriction type that uses the same field.
This helps significantly from the Derived Role perspective:
For instance, if you want the values for Belgium and India to apply across all restriction types that contain the Company Code field, you select BE01 (for Belgium) and IN01 (for India) and check the Leading Restriction checkbox. This activates the Leading Restriction status, ensuring that these values are automatically inherited in every instance of the Company Code field within the role. This is comparable to the Organizational Levels (Org. Levels) button in an on-premise system.
Search for your Leading Role and click on Create Derived Business Role.
Enter the Derived Role ID and Description and navigate to Maintain Restrictions.
I maintained the Company Code value BE01 in the General section, and the value was automatically propagated to the other restriction types.
You can use Own Values in Derived Business Roles to maintain values that are unique to a specific role. For example, if I need some common Billing Type values in all derived roles, I maintain them in the Leading Role. However, if I need the value S1 only for company code IN01, I maintain it in Own Values of that derived role.
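The propagation described above, as an added model in Python (not SAP code): a leading role flags Company Code as a Leading Restriction with the placeholder "As maintained in Derived Role", each derived role supplies its own company code in the General section, the value is propagated to every restriction type that carries the field, and Own Values add role-specific entries. The restriction type names other than Sales Area, the role IDs and the sample values are constructed assumptions.

```python
from dataclasses import dataclass, field

AS_MAINTAINED = "<as maintained in derived role>"  # leading-role placeholder value

# Constructed catalogue: restriction type -> its fields (assumption: the page
# does not say which standard restriction types carry Company Code).
RESTRICTION_TYPES = {
    "Company Code: COMPANY_CODE": ["Company Code"],
    "Sales Area: SALES_AREA": ["Sales Organization", "Distribution Channel", "Division"],
    "Billing Document: BILLING": ["Company Code", "Billing Type"],
}

@dataclass
class LeadingRole:
    role_id: str
    leading: dict    # field flagged Leading Restriction -> values (or AS_MAINTAINED)
    per_type: dict   # (restriction type, field) -> values of non-leading fields

@dataclass
class DerivedRole:
    role_id: str
    parent: LeadingRole
    general: dict                             # General section: leading field -> values
    own: dict = field(default_factory=dict)   # Own Values: (type, field) -> extra values

def resolve(leading_values, per_type, own=None):
    """Propagate each leading field's value to every restriction type using that
    field, take non-leading values per type, then add Own Values on top."""
    own, out = own or {}, {}
    for rtype, fields in RESTRICTION_TYPES.items():
        for f in fields:
            key = (rtype, f)
            if f in leading_values:
                vals = set(leading_values[f]) - {AS_MAINTAINED}  # placeholder = nothing yet
            else:
                vals = set(per_type.get(key, ()))
            out[key] = vals | set(own.get(key, ()))
    return out

def effective_values(role):
    """Effective restriction values of a leading or a derived role."""
    if isinstance(role, LeadingRole):
        return resolve(role.leading, role.per_type)
    merged = {**role.parent.leading, **role.general}  # derived role supplies leading values
    return resolve(merged, role.parent.per_type, role.own)

def unmaintained(role):
    """Fields still empty after derivation; IAM Key Figures reports such roles."""
    return sorted(k for k, v in effective_values(role).items() if not v)

# Constructed sample: one leading role and two derived roles (BE01 / IN01).
LEADING = LeadingRole("ZBR_BILLING_LEAD", leading={"Company Code": {AS_MAINTAINED}},
    per_type={("Sales Area: SALES_AREA", "Sales Organization"): {"1010"},
              ("Sales Area: SALES_AREA", "Distribution Channel"): {"10"},
              ("Sales Area: SALES_AREA", "Division"): {"00"},
              ("Billing Document: BILLING", "Billing Type"): {"F2"}})
BE = DerivedRole("ZBR_BILLING_BE", LEADING, general={"Company Code": {"BE01"}})
IN = DerivedRole("ZBR_BILLING_IN", LEADING, general={"Company Code": {"IN01"}},
                 own={("Billing Document: BILLING", "Billing Type"): {"S1"}})
```

Running `unmaintained(LEADING)` lists both Company Code entries, which is why a leading role with the placeholder value should not be assigned to users; the derived roles resolve cleanly.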
Mass change of Business Roles: please refer to the blog: How to Use 'Maintain Business Roles – Mass Mainten... - SAP Community
Transporting Roles
To export roles, use the Export Collection app in the Development environment. For importing transports, the BASIS team should use the Import Collection app. You can find more detailed instructions in the blog: Transport Your Spaces and Pages Configurations in ... - SAP Community. The Extensibility Inventory app is used to check the mapping of business roles to export collections.
Download and Upload Roles: You can download and upload roles using the Maintain Business Roles app. You can also download and upload pages for existing spaces in version 2408. Note that modifying pages in the QA system is not allowed, and the functionality for downloading and uploading spaces is not available in version 2408.
Troubleshooting
The Display Authorization Trace app enables authorization traces for business users to identify missing or insufficient authorizations. Key features: activate or deactivate authorization traces, view results showing the assigned authorizations together with failed checks, and display the business roles that grant access to specific fields and values. Important consideration: the app supports up to 10,000 data sets, so adjust the selection criteria, especially date ranges, accordingly.
Authorization Check Statuses:
Additional Notes:
For finding missing business catalogs, you can refer to the blog: Your Sherlock Homes - How to Find Missing Business... - SAP Community
Please check for dependent catalogs in the Business Catalogs app under the Dependencies section.
Issues we encountered during the project implementation and Important notes
Limitations of S/4 HANA Public Cloud:
Upgrade
S/4HANA Public Cloud receives upgrades twice a year, in February and August, with releases identified by the year and month (e.g., 2402 for February 2024 and 2408 for August 2024). For detailed information on these upgrades, refer to the Upgrade Master Note 2975653 - Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud - SAP for Me and navigate to the Solution section, which provides notes for each specific upgrade. Refer to the blogs/links below for upgrade information.
References: Security Recommendations | SAP Help Portal