Last Updated October 2019
Disclaimer: Please note the authors of the blog disclaim any responsibility or liability relating to the use of the suggested resources/tools. Recommendations and functionality of the 3rd party tool mentioned shall under no circumstances whatsoever, cause the authors to be liable for any special, incidental or consequential issues which may arise. All steps carried out from the blog are at the user’s own risk. If the data or coding is jeopardized, it is at the responsibility of the user.
One of the most important tasks within the SAP Activate Methodology is to ensure that your business users follow your company’s requirements and access authorizations. In S/4HANA Cloud, the Identity and Access Management Toolkit allows you to easily adopt the delivered standard business roles and tailor them to your needs. Further, it is important to proactively manage changes to business catalogs in quarterly releases and reflect them in your customized business roles. This blog is targeted at key business users and implementation consultants and shares some useful tips for Identity and Access Management by walking you through an end-to-end scenario.
Scenario: Suppose company XYZ has four company codes created in the system and accordingly needs to maintain business role restrictions across all its entities. This task can easily become challenging in the absence of mass maintenance tools. During the Realize phase, roles will need to be created to test the outcome of the Fit to Standard workshop and truly reflect a day in the life of company XYZ business personas. Here are some of our tips that can walk you through the journey using SAP Activate Methodology.
*Please note that the screenshots below were taken from an 1811 release of an S/4HANA Cloud system.
[Step 1]: Start by mapping the required business catalogs to your custom business roles. You may use this accelerator, as well as the IAM Fiori application, to obtain a holistic view of which apps are assigned to which catalog. We suggest creating the initial roles, restricted to one of the entities within the system, manually within the Fiori application Maintain Business Roles. Thereafter, as we will demonstrate in the next steps, the mass creation and adoption of other entities can be handled in XML.
- Cloud Mindset Tip: You may find that some business catalogs contain more applications than you had initially envisioned. This cannot be changed. To accommodate this limitation, you may implement business role restrictions in combination with workflows to achieve the desired level of control. A good example of this is seen in FI postings and purchasing processes.
[Step 2]: Suppose that the outcome of step one was a business role created and restricted for one entity. Now, we will show how to create another role for another entity with the restrictions in mass.
[Step 3]: Export the business role as an XML file. You will need the following two tools: 1) a text editor and 2) XML formatting software. For the purpose of this blog, we used Notepad++ and XML Beautifier.
Open the file via Notepad++
[Step 4]: Copy & paste the file content into XML Beautifier
Please create a new XML file in Notepad++ and copy and paste the output of XML Beautifier
Now, we will mass edit all the restrictions and names, changing legal entity 1710 to 1712. This essentially creates a new role for 1712 with all the restrictions and characteristics inherited.
[Step 5]: Upload the XML file to your system, and activate the Lifecycle status
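A scripted version of the 1710-to-1712 edit from the steps above, added here as an example and not taken from the blog or from SAP: it replaces the company code only where it stands alone as a token, and returns every changed location plus any value that still contains 1710, so the new role can be reviewed before upload. The XML element names, attribute names and role ID in the sample are constructed assumptions, not the actual export schema.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Element names, attribute names and the role ID are
# hypothetical; they are not the real S/4HANA Cloud export schema.
SAMPLE = """<BusinessRole id="Z_BR_AP_ACCOUNTANT_1710">
  <Description>AP Accountant 1710</Description>
  <Restriction type="CompanyCode"><Value>1710</Value></Restriction>
  <Restriction type="CostCenter"><Value>17100001</Value></Restriction>
  <Restriction type="SalesOrganization"><Value>1710</Value></Restriction>
</BusinessRole>"""


def retarget_role(xml_text, old, new):
    """Replace `old` with `new` only where it stands as a whole token.

    Returns (new_xml, changes, leftovers). `changes` lists every edited
    location; `leftovers` lists values that still contain `old` inside a
    longer identifier and were deliberately left untouched.
    """
    # No letter or digit directly before or after, so 17100001 is not matched.
    token = re.compile(r"(?<![0-9A-Za-z])" + re.escape(old) + r"(?![0-9A-Za-z])")
    root = ET.fromstring(xml_text)
    changes, leftovers = [], []

    def fix(value, where):
        if not value or old not in value:
            return value
        updated = token.sub(new, value)
        if updated != value:
            changes.append((where, value, updated))
        if old in updated:
            leftovers.append((where, updated))
        return updated

    for elem in root.iter():
        elem.text = fix(elem.text, elem.tag)
        for name, value in list(elem.attrib.items()):
            elem.set(name, fix(value, f"{elem.tag}@{name}"))
    return ET.tostring(root, encoding="unicode"), changes, leftovers


if __name__ == "__main__":
    _, changes, leftovers = retarget_role(SAMPLE, "1710", "1712")
    for where, before, after in changes:
        print(f"changed  {where}: {before!r} -> {after!r}")
    for where, value in leftovers:
        print(f"review   {where}: {value!r} still contains the old code")
```

Review `leftovers` before Step 5: a value that merely contains 1710, such as the constructed cost center above, is left unchanged and may need its own mapping for the new entity.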
In this walkthrough we have demonstrated how to create a business role using XML. The true value of this process shows when there are multiple restriction objects [company code, cost center, sales organization, etc.] across entities. It can also help you update and maintain business role catalogs in mass as quarterly releases continue to evolve the solution. Furthermore, you may use the business role assignment functionality to import and export the assignment of business users to roles in mass.
- Cloud Mindset Tip: Leverage your work and the outcome of segregation of duties completed in the Q-System by exporting these roles and directly importing them to the P-System together with the user role assignments.
We hope this information was valuable to you and please don’t hesitate to reach out with any questions and comments! We also encourage you to share your experience with S/4HANA Cloud segregation of duties.
Feras Al-Basha, SAP
Riwa Mouawad, SAP