Setting up roles and authorization for a country report in SAP S/4HANA advanced compliance reporting

With the increased adoption of SAP S/4HANA advanced compliance reporting (ACR), more and more customers are using the solution to address their statutory reporting requirements. Since ACR is a global reporting solution, and typically organizations would have different business users with segregated responsibilities for reporting; the set up of roles and authorizations becomes very important. After all, organizations would want to ensure that the business user has the right access to perform the right operation on the right set of reports. Some of the typical access requirements that we see with ACR are:

• Business user should have authorization for all reports for a given country

• Business user should have authorization to generate and submit reports, but not to do manual adjustments on the generated report

• Business user should have authorization for multiple reports across countries

Authorizations for these, and other similar scenarios can be configured in ACR. Before we look at a specific example, let us first understand how the Fiori launchpad (FLP) and Authorization concept works in SAP S/4HANA for On-Premise customers. Organizations using S/4HANA On-Premise can have both backend and frontend components deployed on the same system or in different systems based on their preference.

FLP and authorization concept overview

Let’s take an example: A G/L accountant responsible for the reporting in GB needs access to the  relevant ACR reports. We will consider a deployment with separate frontend and backend systems and would create separate roles for both.

Front end system: The user requires access to the Run Compliance Reports application tile. The tile is delivered in the Business catalog SAP_FIN_BC_GL_REPORT_GB which is contained in the standard Business Role SAP_BR_GL_ACCOUNTANT_GB. Customers can choose to model their Z role entirely on the standard business role or create a custom role which provides access to the required content that the user needs. We’ll explain the second scenario in this blog where the user creates a custom role for access to ACR.

1. In the frontend system’s SAP GUI, open transaction PFCG and create a Z role: ZACR_ROLE_GB. Provide a description and save the role.
2. In the newly created role, go to the ‘Menu’ tab and click on the menu button to add a new ‘Launchpad Catalog’. In the popup, search for the catalog: SAP_FIN_BC_GL_REPORTING_GB and click the OK button (green arrow).
   
3. Once the catalog gets correctly added, the role will look like this.
4. Now, go to the ‘User’ tab in the role menu and assign the role to the corresponding business user.
5. Now, if you open the Fiori launchpad for the corresponding business user(ZACR_DEMO in this example), he/she should be able to see the ‘Run Compliance Reports’ tile for GB.
   The tile would have ‘error’ state because we have only configured the access to the tile, but the user does not have corresponding authorizations to execute actions.

Back end system: Now, let’s create a role in the backend system to provide the user with the necessary authorizations to perform reporting via ACR.

1. Like we created a role in the frontend system, login to the backend system and open the transaction PFCG. Create a new role: ZACR_BEROLE_GB. Provide a suitable description and save the role.
2. In the newly created role, Go to the ‘Menu’ tab and click on the menu button to add a new ‘Launchpad Catalog’. In the popup, specify values as shown in the screenshot and search for the GB catalog: SAP_FIN_BC_GL_REPORTING_GB and click the OK button (green arrow). Remember to choose the relevant RFC destination to the frontend system as per the organization’s setup.
3. Once the catalog gets added correctly, the role will look like this. We can see that the application specific oData services get listed in the role menu. The next step is adding the corresponding authorizations.
4. Go to the ‘Authorizations’ tab and select the option ‘Expert Mode for Profile Generation’
5. The ‘organizational unit Level’ popup will appear like shown below. In case the popup does not appear automatically, click on the button ‘Organizational Levels’ in the topmost toolbar. Specify the relevant values for each organizational unit and click on the save icon.
6. • From the list of authorization objects, expand the authorization object ‘F_SRF_RNTM’. This is the authorization object for ACR functionality, and you can specify values for the fields
     1. Activity: Controls the specific operations that a user in allowed to do
     2. Country: Controls the countries whose reports a user has authorizations for
     3. Report Categories: Controls the specific reports which user has authorizations for

   For our case, specify the country as ‘GB’ and choose the corresponding Report Categories for the field SRF_REPCAT. Multiple values can be specified for users who are responsible for reporting in more than one country.

7. • Similarly, for the field ACTVT, you can specify the operations the user should have authorizations for. Most of the activities are self-explanatory and we’ll skip the obvious ones and explain the last two:
     1. Process(D5): This activity controls the Manual Adjustment Once you open the Preview for a generated report, authorized users would see the EDIT button which facilitates last minute changes directly into the generated file.
     2. Submit(I1): This activity controls the submission of the generated report to authorities and status update post submission. Authorized users would see the ‘Submit’ and the ‘Update submission status’ option for generated reports.

   Once you’ve specified the activities of choice, save and generate the role using the red ball icon.

8. (Optional) While not required in the latest S/4HANA releases, this step may be relevant for lower releases. Expand the authorization objects S_RS_COMP and S_RS_COMP1 and check if the values have been populated in the corresponding fields. If not done automatically, the authorizations for the data sources need to be maintained manually.
9. Now our role is ready for use. Go to the ‘User’ tab and assign the role to the corresponding business user.

10. Now, once you open the fiori launchpad for the business user in the frontend system, the ‘Run Compliance Reports’ tile is ready to use and the ‘error’ state is replaced by the real time count of pending reports.

With these steps, we can configure the roles which enable a G/L accountant to generate and submit ACR reports for country GB. In a similar manner, we can create roles for different countries and reports. The information of the standard Business roles and the Business catalogs for each report are maintained in this table available with the release specific help documentation.

For more content on SAP solutions for advanced compliance reporting, please visit the SAP community topic. 

(Written in collaboration with Jai Shree Seth)