Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
My name is Jonas Willschewski, by trade an SAP S/4HANA Cloud consultant with a focus on Identity & Access Management. With this blog, in light of the upcoming 2302 release, I would like to draw attention to the release activities for IAM specialists in SAP S/4HANA Cloud.

“Give me six hours to chop down a tree and I will spend the first four sharpening the axe.” Abraham Lincoln’s quote emphasizes a crucial aspect that applies to any cloud authorization project: don’t just hope for the best; start well prepared and reap the fruits that were sown early. This matters especially during the bi-annual releases, when authorization experts have to carry out certain tasks and activities on their systems to keep the Business Roles up to date and compliant. Since these tasks can be cumbersome and labor-intensive, SAP offers the accelerator SAP S/4HANA Cloud, public edition Identity and Access Management Release Activities, which gives authorization administrators an overview of the tools and activities needed to update the Business Roles.

In this accelerator, you will find a detailed step-by-step manual on how to prepare for the release cycle and update your Business Roles. The core of this process is a spreadsheet that shows you directly the changes related to the Business Roles of your system. To populate the spreadsheet, you download certain data from the app “IAM Information System” and copy it into the file. After performing these steps, you get an overview of the data that will be changed.

For this blog, I had an extensive talk with Ralf Köhler, the MEE consulting security Lead and global lead for the SAP S/4HANA Cloud Authorization Methodology. With over 20 years of experience in authorizations in On Premise and Cloud, Ralf is able to provide us with valuable insights and tips on the topic of IAM release activities. When we conducted the interview, we were holding a two-day IAM workshop in London and sat in a small meeting room in London’s SAP Office with a beautiful view of the River Thames and the Lloyd’s building.

Jonas: From an IAM perspective, what should a typical release change look like in terms of time, activities, and required tools?

Ralf: Approximately four weeks before the release change of the Q-System, the critical phase of the release change begins, when the preliminary “What's New” documentation is published.

It consists of the detailed “What's New” documentation in different languages and the What's New Viewer. Since the What's New documentation is a file several hundred pages long, we determined that there must be a more efficient way for the IAM teams to find out what has changed in the system with the new release than working through the document page by page. By the way, that is exactly what the customers’ teams did for days in earlier times. For this, the SAP documentation team came up with a trick: in order to make all IAM-specific news easy to find, they have linked this content with a tag. To find this content, the customer simply has to enter the term "IAM" in the What's New Viewer’s search bar and all the important changes from an IAM perspective will be listed.

Jonas: Before you continue, a short question. Since there must be a large number of hits, are all these changes equally important for all customers?

Ralf: That's a good question and also a good remark. You are right, there can be several dozen hits. But many of these changes are only relevant for specific countries. For example, if a customer does not have Japan activated in his system, all changes that only affect Japan are uninteresting and can be safely ignored.

For this purpose, there is a separate column called “functional localization” in the What's New Viewer, which can significantly reduce the list of changes that are relevant for me. In order to filter by this column, please download the list to Excel. Afterwards, send this list together with other findings from the Crystal Ball Tool to the relevant departments. With this information, the departments can then decide which of the new features they would like to use in the future and for which workplaces they should be made available.

Jonas: Can you elaborate what the Crystal Ball Tool is exactly?

Ralf: The Crystal Ball Tool, as I like to call it, is an Excel file which is made available for each release change via a release-specific SAP Note. A first version is released four weeks before the release change. It provides a preview of the effects of the upcoming release change on the customer's existing authorization concept. The list shows, just as in a crystal ball, the future changes in each individual customer’s Business Roles on the different levels. This starts with the new applications in existing Business Catalogs that are automatically added through the release change to the Business Roles to which these Business Catalogs have been assigned, and goes down to the Restriction Fields that are added or removed. On the one hand, this allows me to estimate the scope of the upcoming changes and, on the other hand, to inform the departments about these changes at the application level. It is possible that they don't want some of these automatically added changes to be available for a specific workplace (the Business Role). As you can see, I am still absolutely enthusiastic about this Crystal Ball Tool, because where in the world do you ever have the opportunity to foresee the effects of something four weeks before it actually happens in a system?

Jonas: That shows, yes! How can it happen that new applications can get into the Business Roles without the customer's knowledge?

Ralf: The reason for this is that new applications come into the customer systems through the assignment of Business Catalogs. This assignment is not only to new Business Catalogs but also to existing ones. In cases where customers have already added these Business Catalogs to Business Roles, these new applications are also automatically added to the Business Roles. For this reason, it is even more important that we have a tool such as our Crystal Ball Tool, with which customers can see these changes transparently. On this basis, the customer can then decide before anything has been automatically changed in the customer's system.

The information on where the customer can find the tool and how to put it into operation is described step by step in the Accelerator. The effort is also quite manageable and is done in about 15 minutes with a little practice.

Jonas: Coming to my last question: you talked about the timing of the release change and the associated activities. What are the next steps after the Q-System has been changed to the new release and how are they reflected in the Accelerator?

Ralf: Since I initially created the Accelerator together with Danny Wilk for the 2002 release, it has been adapted for almost every release change. Just for the new release 2302, some details have been adjusted in order to improve the fit to IAM Activities. That is just a side note, but back to the IAM activities after the Q-System has been upgraded to the new release.

I just thought of an extremely significant point that the customers should definitely consider: the use of so-called Deprecated Business Catalogs. It must be ensured that at the time of the release change no Deprecated Business Catalogs are used in the customer’s Business Roles. There is a counter on the Business Catalog app that indicates whether the customer is still using Deprecated Business Catalogs. Before the release change, this indicator must be 0. If SAP Business Catalogs are to be deprecated, the corresponding Business Catalogs are marked with the status deprecated and the customer has one release cycle to replace them with the corresponding successors. If the customer does not do this and SAP deletes the Business Catalog in the following release, this can seriously endanger the customer's productive processes and can even lead to a standstill in the productive environment. How the concrete processes are designed can be taken from the respective chapter of the Accelerator.

I stopped to explain what the first IAM activities look like after the release change. First, the Business Roles based on Business Role Templates should be checked and updated. New Business Catalogs come into the customer’s systems through Business Role Templates. So that they and their new features can be used in the Q-System, they must be transferred to the customer namespace. How this works in the system can be derived from the Accelerator’s corresponding chapter. Additionally, which of the customer’s Business Roles based on Business Role Templates are affected can be determined by using the Crystal Ball Tool or by the App "Business Role change after Upgrade", or the App "Business Role Templates" after the release change has taken place in the Q-System. Particular attention should be paid to the Business Roles that refer to the SAP_BR_BPC_EXPERT template, as changes made in the template can have a direct effect on the configuration capabilities in the Q-System.

Jonas: Thank you for your time and see you around, Ralf!

As the quote in the introduction already anticipated, it is critical to start early enough to have time to review the changes and perform the tasks appropriate for your system. The effort depends on the number of Business Roles in use and how these roles were maintained in the past. In particular, contact with your LoB colleagues should be intensified during that time to ensure that the proper authorizations are aligned and that you have a smooth transition to the new release.

In any case, I hope that this blog helps you to identify all your tasks to get your system ready for the new release and sparks interest in the Accelerator. If you require further help and guidance, I would like to invite you to get in touch with me or consult the further reading below.

The following tools are available, if applicable, with the required Business Catalogs:

App “Manage Business Role Changes after Upgrade”, where you can see all the relevant changes to Business Catalogs after an upgrade, for example the Restriction Types that were added (SAP_CORE_BC_IAM_UPGRADE, SAP_CORE_BC_IAM_RA)

App “IAM Key Figures” with the card “Business Roles with Unmaintained Restrictions”. With this card, you can see at a glance how many unmaintained restrictions are in your Business Roles and can perform the maintenance accordingly (SAP_CORE_BC_IAM_UM, SAP_CORE_BC_IAM_RA, SAP_CORE_BC_IAM_RM)

App “Business Role Templates”, where you can update your Business Roles based on Business Role Templates after the release (SAP_CORE_BC_IAM_RM)

App “What's New in Your System”. This app contains the following information: “Release Independent News”, “Urgent News”, and “What’s New” (SAP_CA_BC_WHATS_NEW_PC)

Further reading:
SAP S/4HANA Cloud, Public Edition Identity Access Management – Your Knowledge Base | SAP Blogs