***Image/data in this Blog is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.***
Hello SAP S/4HANA Cloud Community,
I work on the LO-MD-BP component for SAP S/4HANA Cloud, and I have had several customers raise incidents about how Roles and Authorizations work in the area of Customer and Supplier Business Partner Master Data in S/4HANA Cloud, so I thought it would be good to write a blog on the topic to share my knowledge and experiences.
While this blog is aimed specifically at LO-MD-BP, the majority of its content also holds at a cross-topic level.
The best place to start, from a general IAM point of view, is the SAP Activate Methodology for SAP S/4HANA Cloud.
Section 3 (Explore) covers how to plan and design Identity and Access Management in SAP S/4HANA Cloud.
Section 4 (Realize) then contains information and guidance on how to create, size, and test the business roles in the Q-System according to the concept developed in the Explore phase.
It is a best practice to have a naming convention for your Business Roles so that you can identify them and their purpose at a glance. A good example would be something like YPIEGWBP_CUSTOMER_MASTER_ROLE_DEPT_1010, where Y indicates that this is a custom role, P indicates the target system in which the role is intended to be used (P for Production, Q for Quality), IE represents a country and GW a subsidiary within that country. The following characters can then be used as a role description, with optional information placed at the end to identify a business area or other organisational specification. A solid naming convention will help with role maintenance.
It is also very strongly recommended that Business Roles are developed and tested in the Quality system first and then transported to the Production system.
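As an added example (not code from the original post or from SAP), the following Python snippet parses role names that follow a convention of the shape described above and lints a list of names before a transport. The regular expression, the four-digit organisational suffix, the lint findings and all sample names apart from the blog's own YPIEGWBP_CUSTOMER_MASTER_ROLE_DEPT_1010 are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample names: the first is the blog's own example, the rest are made up here.
SAMPLE_ROLE_NAMES = [
    "YPIEGWBP_CUSTOMER_MASTER_ROLE_DEPT_1010",
    "YQIEGWBP_CUSTOMER_DISPLAY",          # named for the Q system
    "YPDEHHSUPPLIER_MAINT_2000",
    "SAP_BR_BUPA_MASTER_SPECIALIST",     # delivered template, not a custom role
    "ZPIEGWBP_CUSTOMER_MASTER",          # wrong custom prefix (convention uses Y)
    "YPIEGW",                            # prefix only, no description
]


@dataclass(frozen=True)
class RoleName:
    system: str               # "P" (Production) or "Q" (Quality)
    country: str              # e.g. "IE"
    subsidiary: str           # e.g. "GW"
    description: str          # e.g. "BP_CUSTOMER_MASTER_ROLE_DEPT"
    org_unit: Optional[str]   # e.g. "1010", or None when absent


# Assumed layout: Y + system + country + subsidiary, then a free-text purpose,
# then an optional trailing organisational unit of four digits.
ROLE_NAME_RE = re.compile(
    r"^Y"                                            # Y marks a customer-created role
    r"(?P<system>[PQ])"                              # target system
    r"(?P<country>[A-Z]{2})"                         # country
    r"(?P<subsidiary>[A-Z]{2})"                      # subsidiary within that country
    r"(?P<description>[A-Z0-9]+(?:_[A-Z0-9]+)*?)"    # purpose of the role
    r"(?:_(?P<org_unit>\d{4}))?$"                    # optional org unit (assumption: 4 digits)
)


def parse_role_name(name: str) -> Optional[RoleName]:
    """Return the components of a role name, or None if it does not follow the convention."""
    m = ROLE_NAME_RE.match(name)
    if m is None:
        return None
    return RoleName(m["system"], m["country"], m["subsidiary"],
                    m["description"], m["org_unit"])


def lint_role_names(names: List[str], target_system: str) -> Dict[str, List[str]]:
    """Map each name to its findings for a transport into target_system ("P" or "Q")."""
    findings: Dict[str, List[str]] = {}
    for name in names:
        issues: List[str] = []
        parsed = parse_role_name(name)
        if parsed is None:
            if name.startswith("SAP_BR_"):
                issues.append("delivered template used directly; create a custom role instead")
            else:
                issues.append("does not follow the naming convention")
        elif parsed.system != target_system:
            issues.append(f"named for system {parsed.system} but deployed to {target_system}")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for role_name, issues in lint_role_names(SAMPLE_ROLE_NAMES, "P").items():
        print(f"{role_name}: {'OK' if not issues else '; '.join(issues)}")
```

Running it with a target of "P" flags the Q-named role, the delivered template, the Z-prefixed name and the prefix-only name, and passes the two well-formed production names.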
How to Create and Edit Business Roles (Relevant to other areas also):
In SAP S/4HANA Cloud, the apps and the authorizations they need are delivered in Business Catalogs, and Business Catalogs are grouped into Business Roles to provide business users with the required authorizations.
These Business Roles can be created and edited in the Maintain Business Roles App (App ID F1492).
The Maintain Business Roles App can be found under the Identity and Access Management section by users who have the SAP_BR_ADMINISTRATOR administrator role assigned.
It is possible to create a role from scratch by pressing "New" and then selecting which business catalogs should be available to the user.
It is also possible to create a role based on an existing template such as SAP_BR_BUPA_MASTER_SPECIALIST by pressing the "Create from Template" button and then adding or removing catalogs as per your requirement. However, it is recommended to use the Business Role Templates only in the Starter System and Quality System (e.g. for the fit-to-standard workshop and testing in general). For the business roles in the Production System, it is strongly recommended to create your own business roles.
A role can also be uploaded from a file, so a role that has been created in another system can be uploaded as a copy.
To help demonstrate, we will create a Business Role which gives Business Users display-only access to Customer Business Partner master records that have been created in the FLCU01 Customer role, as well as display access to Business Partner General Data.
First, we have chosen the Create From Template option, chosen SAP_BR_BUPA_MASTER_SPECIALIST as the Business Role to create from, and given the new Business Role a clear description.
For the business roles in the Production System, it is strongly recommended to create your own business roles as opposed to creating them based on a template.
Now we have a new Business Role based on SAP_BR_BUPA_MASTER_SPECIALIST, and we can see that the 10 Business Catalogs from that role have been assigned to it.
To find the Business Catalog that Business Users need in order to see a particular App, follow the steps below:
- Open the Fiori Apps Library
- Enter the name of the App or the App ID
- Select SAP S/4HANA Cloud
- Open Implementation Information
- Open the Configuration section
- Scroll down to the Business Catalog(s) section
Catalogs can then be added to or removed from the new Business Role as shown below.
Clicking on a catalog opens it and shows a description of what the catalog allows, together with other key information such as which business roles and which business role templates use the catalog, as seen below.
Difference Between The Catalogs SAP_CMD_BC_BP_APP_MAINT_PC and SAP_CMD_BC_BP_MAINT_PC:
We recently made it possible for our customers to control access to the Manage Business Partner Master Data App (App ID F3163) and the Maintain Business Partner Master Data App (App ID BP) separately.
To allow for this there are two separate catalogs: SAP_CMD_BC_BP_APP_MAINT_PC for the Manage Business Partner Master Data App and SAP_CMD_BC_BP_MAINT_PC for the Maintain Business Partner App.
Once the desired catalogs have been added or removed, press Edit and then Maintain Restrictions to set the restrictions that meet the business need; in our example, that means allowing Business Users with this Business Role display-only access to Customers with the FLCU01 role.
As this will be a display-only role, we first set the "Write, Read, Value Help" restriction to "No Access".
In keeping with our example, we then open the "Read, Value Help" section and set it to "Restricted". It is then possible to add restrictions based on BP Role, Authorization Group, Company Code etc. In the example below, this Business Role allows Business Users to view Customer Master Data created in the FLCU01 Customer role; it also allows them to view the general data of all Business Partners, without seeing any role data other than FLCU01.
If the criterion on which you would like to restrict is missing from the list in the screenshot above (for example, the ability to restrict by Sales Area), press the Add button to see any available hidden options.
*** See also the steps from KBA 2598733 - Maintain Restrictions in Business Role for information on how to handle the other fields as the system can interpret blank fields as "No Access".
N.B. Role/Catalog Conflicts:
The most common issue which I have seen customers face in regards to Business Roles and Catalogs, and the main reason for me wanting to create these blogs, would have to be Business Role and/or Catalog conflicts.
Authorizations are cumulative: when the system checks an authorization, it accepts the least restrictive one it finds. That is to say, if a Business User has been assigned several Business Roles containing Catalogs that relate, for example, to maintenance of Business Partner Master Data, and all but one of these Business Roles have been restricted to display-only access while the remaining one allows Write authorization for Business Partner Master Data, then the system will accept that the Business User is authorized to Create/Edit Business Partner Master Data, regardless of the other Business Roles assigned to the user with read-only restrictions.
The system applies the restrictions maintained at role level first. That is to say, if a Business Role has been created with "Write, Read, Value Help" set to Unrestricted at role level, and a Catalog within this Business Role has been set to "Write, Read, Value Help" No Access, then the system will accept that a Business User with this Business Role has Unrestricted "Write, Read, Value Help" access, as that is the least restrictive setting.
It is therefore best to create multiple Business Roles, each with its own specific task, and then assign the combination of Business Roles that a Business User needs. Before assigning, check the full set of roles a user holds: a display-only role combined with any role that grants Write access still results in Write access.
For further information on this please feel free to view this Blog: Business Role / Catalog Conflicts (LO-MD-BP examples but relevant across other areas)
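To make the cumulative, least-restrictive behaviour concrete, here is an added Python model of it (example code written for this post, not SAP code and not any SAP API). The restriction levels, the way a catalog-level setting is merged with the role-level one, and the sample roles and users are all constructed here to mirror the two conflict cases described above; the check at the end lists every user whose combined roles yield Write access, which is the kind of review worth running before transporting roles and assignments to Production.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List


# Simplified model: the check accepts the least restrictive value found across
# everything assigned to the user. Levels are ordered so that the higher value
# is the less restrictive one.
class Level(IntEnum):
    NO_ACCESS = 0
    RESTRICTED = 1
    UNRESTRICTED = 2


@dataclass(frozen=True)
class Restriction:
    level: Level
    bp_roles: FrozenSet[str] = frozenset()  # restriction values; only used when RESTRICTED

    def merge(self, other: "Restriction") -> "Restriction":
        """Combine two settings the way the check does: least restrictive wins."""
        if self.level != other.level:
            return self if self.level > other.level else other
        if self.level is Level.RESTRICTED:
            return Restriction(Level.RESTRICTED, self.bp_roles | other.bp_roles)
        return self


NO = Restriction(Level.NO_ACCESS)
ANY = Restriction(Level.UNRESTRICTED)
WRITE, READ = "Write", "Read, Value Help"


@dataclass
class BusinessRole:
    name: str
    role_level: Dict[str, Restriction]
    # Optional per-catalog settings keyed by catalog ID (constructed overrides for this model).
    catalog_level: Dict[str, Dict[str, Restriction]] = field(default_factory=dict)


def effective_for_role(role: BusinessRole) -> Dict[str, Restriction]:
    """Role-level and catalog-level settings of one role, merged least-restrictive-first."""
    eff = dict(role.role_level)
    for settings in role.catalog_level.values():
        for rtype, r in settings.items():
            eff[rtype] = eff[rtype].merge(r) if rtype in eff else r
    return eff


def effective_for_user(roles: List[BusinessRole]) -> Dict[str, Restriction]:
    """Authorizations are cumulative: merge across every role assigned to the user."""
    eff: Dict[str, Restriction] = {}
    for role in roles:
        for rtype, r in effective_for_role(role).items():
            eff[rtype] = eff[rtype].merge(r) if rtype in eff else r
    return eff


def users_with_write_access(user_roles: Dict[str, List[BusinessRole]]) -> Dict[str, List[str]]:
    """Users whose effective Write access is above No Access, with the roles that grant it."""
    found: Dict[str, List[str]] = {}
    for user, roles in user_roles.items():
        if effective_for_user(roles).get(WRITE, NO).level > Level.NO_ACCESS:
            found[user] = [r.name for r in roles
                           if effective_for_role(r).get(WRITE, NO).level > Level.NO_ACCESS]
    return found


# Constructed sample roles (names and settings are made up for this example).
CUSTOMER_DISPLAY = BusinessRole("YPIEGWBP_CUSTOMER_DISPLAY",
    {WRITE: NO, READ: Restriction(Level.RESTRICTED, frozenset({"000000", "FLCU01"}))})
FIN_DISPLAY = BusinessRole("YPIEGWBP_CUSTOMER_FIN_DISPLAY",
    {WRITE: NO, READ: Restriction(Level.RESTRICTED, frozenset({"000000", "FLCU00"}))})
BP_MAINTAIN = BusinessRole("YPIEGWBP_MAINTAIN", {WRITE: ANY, READ: ANY})
# Second conflict case: Unrestricted at role level, No Access on one catalog.
MISLEADING = BusinessRole("YPIEGWBP_MISLEADING", {WRITE: ANY, READ: ANY},
    catalog_level={"SAP_CMD_BC_BP_MAINT_PC": {WRITE: NO, READ: NO}})

USER_ROLES = {
    "ALICE": [CUSTOMER_DISPLAY, FIN_DISPLAY],               # display only, both BP roles visible
    "BOB":   [CUSTOMER_DISPLAY, FIN_DISPLAY, BP_MAINTAIN],  # one maintain role outweighs two display roles
    "CAROL": [MISLEADING],                                  # catalog-level No Access does not win
}

if __name__ == "__main__":
    for user, roles in USER_ROLES.items():
        eff = effective_for_user(roles)
        print(user, {k: (v.level.name, sorted(v.bp_roles)) for k, v in eff.items()})
    print("write access:", users_with_write_access(USER_ROLES))
```

ALICE ends up with Read access to BP roles 000000, FLCU01 and FLCU00 and no Write access, exactly as the two display roles intend; BOB gets Unrestricted Write from the single maintain role despite the two display roles; CAROL gets Unrestricted Write even though one catalog in her only role is set to No Access.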
How to Assign Business Roles to Business Users:
Now that we have created our custom Business Role and set the restrictions to meet our particular business need, we can use the Maintain Business Users App (App ID F1303) to assign it to a Business User.
Search for the user(s) to be assigned a role and press Edit.
Roles can be assigned to this user by pressing Add or Add Business Roles.
One or more Business Roles can be assigned to a Business User at once by selecting the Business Role(s) and pressing Assign.
Once the Business Role(s) have been assigned to the Business User press Save.
The Business Role and Catalogs which we have assigned to the Business User will allow this user to see the Maintain Business Partner, Manage Business Partner Master Data and Manage Customer Master Data Apps.
The Business User will be able to view the General Data of Business Partners, as the role 000000 Business Partner (Gen.) was included in the restrictions, and will also be able to view BPs which have the FLCU01 Customer role. As per the restrictions applied, this Business Role does not allow the Business User to see the company code data maintained in the FLCU00 Customer (Fin. Accounting) role.
Information on Additional Related Blogs:
For information on how to avoid Business Role and Catalog conflicts see this blog:
Business Role / Catalog Conflicts (LO-MD-BP examples but relevant across other areas)
For information on Customer / Supplier Business Partner Master Data: Authorization Groups see this blog:
Customer / Supplier Business Partner Master Data: Authorization Groups
The example in this blog is intended for explanation purposes.
SAP Product Support