
Mass Maintenance of Business Roles in SAP S/4HANA Cloud

Last Updated October 2019

Disclaimer: Please note the authors of the blog disclaim any responsibility or liability relating to the use of the suggested resources/tools. Recommendations and functionality of the 3rd party tool mentioned shall under no circumstances whatsoever, cause the authors to be liable for any special, incidental or consequential issues which may arise. All steps carried out from the blog are at the user’s own risk. If the data or coding is jeopardized, it is at the responsibility of the user.

One of the most important tasks within the SAP Activate Methodology is to ensure that your business users follow your company’s requirements and access authorizations. In S/4HANA Cloud, the Identity and Access Management Toolkit allows you to easily adopt the delivered standard business roles and tailor them to your needs. It is also important to proactively manage changes to business catalogs in quarterly releases and reflect them in your customized business roles. This blog is targeted at key business users and implementation consultants and shares some useful tips for Identity and Access Management by walking you through an end-to-end scenario.

 

Scenario: Suppose company XYZ has four company codes created in the system and accordingly needs to maintain business role restrictions across all its entities. This task can easily become challenging in the absence of mass maintenance tools. During the Realize phase, roles will need to be created to test the outcome of the Fit to Standard workshop and truly reflect a day in the life of company XYZ business personas. Here are some of our tips that can walk you through the journey using SAP Activate Methodology.

 

*Please note that the screenshots below were taken from an 1811 release of an S/4HANA Cloud system.

[Step 1]: Start by mapping the required business catalogs to your custom business roles. You may use this accelerator, as well as the IAM Fiori application, to obtain a holistic view of which apps are assigned to which catalog. We suggest creating the initial roles, restricted to one of the entities within the system, manually in the Fiori application Maintain Business Roles. Thereafter, as we will demonstrate in the next steps, the mass creation and adoption of other entities can be handled in XML.

 

  • Cloud Mindset Tip: You may find that some business catalogs contain more applications than you had initially envisioned; this cannot be changed. To accommodate this limitation, you may implement business role restrictions in combination with workflows to achieve the desired level of control. A good example of this is seen in FI postings and purchasing processes.

 

 

[Step 2]: Suppose that the outcome of step one was a business role created and restricted for one entity. Now, we will show how to create another role for another entity with the restrictions in mass.

 

 

 

[Step 3]: Export the business role as an XML file. You will need the following two tools: 1.) a text editor and 2.) XML formatting software. For the purpose of this blog, we used Notepad++ and XML Beautifier.

 

 

Open the file via Notepad++

 

[Step 4]: Copy & paste the file content into XML Beautifier

 

 

 

Please create a new XML file in Notepad++ and paste the output of XML Beautifier into it.

 

 

Now, we will mass edit all the restrictions and names from legal entities 1710 to 1712, which is essentially creating a new role for 1712, with all the restrictions and characteristics inherited.

 

 

[Step 5]: Upload the XML file to your system, and activate the Lifecycle status

 

 

 

 

In this example we have demonstrated how to create a business role using XML. The true value of this process shows when there are multiple restriction objects [company code, cost center, sales organization, etc.] across several entities. This approach can also help you update and maintain business role catalogs in mass as quarterly releases continue to evolve the solution. Furthermore, you may use the business role assignment functionality to import and export the assignment of business users to roles in mass.
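A blind find-and-replace of 1710 with 1712 also rewrites any longer value that merely contains those digits, which silently changes what a role is authorized for. The following sketch is an added example, not part of the original blog or an SAP tool: it replaces the company code only where it stands as a whole token and lists every value it changed or left alone, so the edit can be reviewed before upload. The element and attribute names in the sample are hypothetical and do not reproduce the real export schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: element and attribute names are hypothetical,
# not the real S/4HANA Cloud business role export schema.
SAMPLE = """<BusinessRoles>
  <Role id="Z_BR_AP_ACCOUNTANT_1710">
    <Description>AP Accountant 1710</Description>
    <CreatedOn>20171015</CreatedOn>
    <Restriction field="BUKRS"><Value>1710</Value></Restriction>
    <Restriction field="KOSTL"><Value>17101000</Value></Restriction>
  </Role>
</BusinessRoles>"""

def retarget(xml_text, old, new):
    """Replace `old` only as a whole token; return (xml, changed, skipped).

    changed/skipped are lists of (location, original_value) for review.
    """
    # Underscore counts as a separator so role IDs like ..._1710 are renamed,
    # while 17101000 or 20171015 are left alone.
    token = re.compile(r"(?<![0-9A-Za-z])" + re.escape(old) + r"(?![0-9A-Za-z])")
    root = ET.fromstring(xml_text)
    changed, skipped = [], []

    def fix(value, where):
        if not value or old not in value:
            return value
        updated = token.sub(new, value)
        (changed if updated != value else skipped).append((where, value))
        return updated

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for name, value in list(elem.attrib.items()):
            elem.set(name, fix(value, f"{here}@{name}"))
        elem.text = fix(elem.text, here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), changed, skipped

if __name__ == "__main__":
    _, changed, skipped = retarget(SAMPLE, "1710", "1712")
    for where, before in changed:
        print("CHANGED", where, repr(before))
    for where, before in skipped:
        print("LEFT   ", where, repr(before))
```

Entries reported as LEFT are the values a plain editor replace would have altered; check each one against the intended restriction before importing the file.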

  • Cloud Mindset Tip: Leverage your work and the outcome of segregation of duties completed in the Q-System by exporting these roles and directly importing them to the P-System together with the user role assignments.

We hope this information was valuable to you and please don’t hesitate to reach out with any questions and comments! We also encourage you to share your experience with S/4HANA Cloud segregation of duties.

 

Thank you,

Feras Al-Basha, SAP


Riwa Mouawad, SAP


 

 

 

6 Comments
  • Hi Riwa!

     

    Thanks for this post. This is useful for doing mass changes in restrictions for Business Roles. Still, using “find and replace” can sometimes be faulty because data that shouldn’t be changed is changed. In addition to that, with that amount of lines it is still sometimes difficult to find the right data in Notepad ++.

    Do you know by chance if SAP is looking into an easier way of maintaining this (for example a simple Excel .csv download / upload)?

    This is a question we get from many customers, and it takes a lot of manual work to do it in Notepad ++ or manually in the system.

     

    Kind Regards,

     

    Sam

    • Hi Sam,

      You make a great point. Editing with Notepad ++ is indeed prone to error and that is why in this blog Feras Al-Basha and I strictly warn readers about the responsibility and consequences of using this approach in a productive environment. Currently, product development is considering and planning mass change functionalities for IAM within S4HC for the coming releases. However, we cannot make a comment as to when and what will be delivered. Stay tuned!

      Thank you!

      -Riwa

  • Hi Riwa,

     

    I use the Leading Restriction setting within the auth object settings of a role, which means I can change the company code in one auth object and all other company code auth objects will inherit the new company code within the same role. Do you see any issue with this approach? It is a lot quicker than manipulating an XML and less error prone.

     

    Regards

    Christian

    • Hi Christian Wehrle

      What you have described seems to be related to the concepts of parent and derived business roles. When my colleague Feras Al-Basha and I published this blog, the product release version did not have parent/derived functionality. As you point out, maintaining the company code restrictions at the derived level of roles is indeed an effective and less error-prone process of managing authorization via XML and a third-party tool. Thank you for sharing your thoughts.

      Regards,

      Feras & Riwa