Jana Kasselmann

SAP S/4HANA Cloud for advanced financial closing: Enhanced Access Management

Dear finance experts,

With the latest incremental release of SAP S/4HANA Cloud for advanced financial closing on January 23, 2022, the access management capabilities of the solution have been substantially enhanced.

Background of this update

Segregation of duties is a central requirement when it comes to authorization control. It ensures that no individual user holds the authorization to execute a process end-to-end. Instead, the respective authorizations are distributed across several people, each responsible for a specific part of the process.

In the context of financial closing, the requirements regarding access controls are very diverse and vary depending on the organizational and process setup of each customer. The enhanced access management abilities provide a flexible basis for granting access by providing fine-granular access levels that can be combined into roles as required. In this blog post, I will introduce you to the new access management features of SAP S/4HANA Cloud for advanced financial closing and give you tips on how to prepare for the switch to the new user role maintenance.

Scoped user roles

The Manage User Roles app within the configuration of SAP S/4HANA Cloud for advanced financial closing now allows you to create so-called “Scoped User Roles”. Each user role you create applies to actions within a specific part or process step of the financial close, which gives you a clean, built-in separation of authorizations between the design time and the run time of closing task lists. We distinguish between two scopes:

Task List Creation

User role for the setup and maintenance phase of task lists and their respective templates. Access rights are applied in the following apps:

  • Define Closing Tasks (future: Manage Closing Task Lists)
  • Change Log

Dialog for the creation of a user role for the task list creation scope

Task Processing

User role for the execution phase of closing tasks and their monitoring. Access rights are applied in the following apps:

  • Process Closing Tasks
  • Approve Closing Tasks
  • Financial Close Overview
  • Closing Task Completion
  • Change Log


Dialog for the creation of a user role for the task processing scope

 

New access levels

Feedback from our customers has shown that a mere distinction between read and write access is not enough to meet all the requirements for a complex setup of closing responsibilities in large multinational organizations. Therefore, the new user role maintenance comes with a much more fine-granular set of access levels. On the one hand, this allows for a strict segregation of duties. On the other hand, several access levels can also be bundled into one user role, depending on the needs of the respective organization.

 

Access levels for “Task List Creation” scope

The major enhancements regarding access levels for the task list creation are as follows:

  • Authorization to create and copy templates is no longer part of the static authorization that comes with access to the application and must be granted separately; as a result, a clean read-only access is now possible.
  • Authorization to generate task lists and change their status has been carved out into a separate access level so that it can be treated as a distinct responsibility.
  • As preparation for the Manage Closing Task Lists app announced for February (the successor of the Define Closing Tasks app), you can already maintain the “User Assignment” access level, which will authorize a separate quick action for maintaining the user responsible and the processing user. One group (e.g., a central team at HQ) can thus maintain the closing structures while other groups (e.g., decentral teams in the subsidiaries) maintain the task responsibilities, which is especially helpful in complex organizational setups.


Dialog for the selection of access levels within the task list creation scope

 

Access levels for “Task Processing” scope

Similarly, fine-granular access levels are also available for task processing. Apart from basic read access, the following authorizations are offered:

  • Approving and rejecting closing tasks
  • Assigning users as user responsible or processing user
  • Changing parameters for task execution
  • Changing plan values of tasks, such as planned start and duration
  • Processing-related activities on task level, for example scheduling and status changes


Dialog for the selection of access levels within the task processing scope

 

Cutover to new concept

The scoped user roles, including the new fine-granular access levels, are planned to be released in January 2022 as an addition to the existing user roles. This gives you the chance to get familiar with the new maintenance UI and to set up and test user roles along the new access levels. All new roles should be set up as scoped user roles from now on, since the new user role maintenance will replace the old UI, which is planned to be set to read-only in May 2022. An adjustment of the default authorizations attached to the direct assignment of users as owner, user responsible, and processing user is planned to follow in August 2022, concluding the switch to the new authorization concept.

As of the January release, we recommend the following actions:

 

Task List Creation

Create and assign user roles for authorization to create task list templates

Authorization to create new task list templates and to copy existing ones must now be granted explicitly.

What you need to do:

  • Immediately check which users without unrestricted write access require authorization to create new templates.
  • For each of these users, create a new user role:
    • Scope: Task List Creation
    • Restriction: Unrestricted
    • Authorizations: Read, Create
  • Assign the user role to the respective users.


Scoped user role granting authorization to create task list templates

 

Review owner or owner group

A field for the owner of a template or task list was already introduced in a previous release. Initially, the creator is set as the owner of a template, but you can change the owner or owner group later.

What you should do:

Review who should own a template or task list and be responsible for its setup and maintenance. This person or group must be maintained in the “Owner” field, not in the “User Responsible” field. Owners have edit rights in the Manage Closing Task Lists app and don’t need an additional role unless they need further authorization, such as generating task lists from templates.

 

Decide how to model the roles along the new access levels

While your existing user roles can still be used, the new access levels give you more options than a mere distinction between read and write access.

What you should do:

If you want a stricter segregation of duties, for instance, you can create separate user roles to grant authorization for editing templates on the one hand and generating task lists and changing task list status on the other hand.

If you want to keep the current role setup, we recommend that you already familiarize yourself with the new user roles and access levels. You can already create scoped user roles and bundle different access levels into one role, if desired.

When you assign scoped user roles to users, make sure to remove the existing roles: the new authorizations always apply in addition to the existing ones, so a user who keeps an old read/write role retains its full access no matter how narrow the scoped role assigned alongside it is.

 

Task Processing

Create and assign user roles for clean read-only access

The current read authorization also includes some processing-related actions. With scoped user roles you can now grant clean read access to users who should only observe task processing.

What you should do:

  • Identify the users who need read-only access.
  • Create a scoped user role:
    • Scope: Task Processing
    • Type: System-dependent or system-independent depending on your setup
    • Restriction: Unrestricted or restricted depending on your setup
    • Authorizations: Read
  • Assign the scoped user role to the respective users and remove the old user role.


Scoped user role granting read authorization within the task processing scope

 

Decide how to model the roles along the new access levels

While your existing user roles can still be used, the new access management gives you a higher granularity in defining and bundling access levels.

What you should do:

If you want a stricter segregation of duties or a different bundling of access levels, you can create separate user roles to grant authorization for processing or editing tasks.

If you want to keep the current role setup, we again recommend that you familiarize yourself with the new user roles and access levels now and create scoped user roles.

When you assign scoped user roles to users, make sure to remove the existing roles: the new authorizations always apply in addition to the existing ones, so a read-only scoped role does not restrict a user who still holds an old role with processing rights.
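The two facts behind the cutover recommendations for both scopes, that authorizations from all assigned roles add up and that segregation of duties is achieved by splitting access levels into separate roles, can be checked mechanically before the old UI goes read-only. The following Python script is an added example, not code from SAP or from the solution: it models scoped user roles with the access levels named in this post, computes a user's effective access as the union of all assigned roles, and flags users who still hold a legacy role next to a scoped role as well as users whose effective access combines template editing with generating task lists and changing their status. The expansion of a legacy write role into the new access levels, the role names, and the user list are constructed assumptions for the demonstration.

```python
"""Illustrative audit of scoped user role assignments (added example, not SAP code).

Models two rules from the post: authorizations are additive across all assigned
roles, and segregation of duties is enforced by keeping conflicting access levels
in separate roles. Level names follow the post; the legacy-role expansion and the
sample users are assumptions constructed for this example.
"""
from dataclasses import dataclass

TASK_LIST_CREATION = "Task List Creation"
TASK_PROCESSING = "Task Processing"


@dataclass(frozen=True)
class Role:
    name: str
    grants: dict            # scope -> frozenset of access levels
    legacy: bool = False    # True for roles from the old read/write concept


# Assumption: an old unrestricted write role is expanded to every new access
# level in both scopes, since the old UI only distinguished read from write.
LEGACY_WRITE = Role(
    "Legacy write (old concept)",
    {
        TASK_LIST_CREATION: frozenset({"Read", "Create", "Edit", "Generate",
                                       "Status Change", "User Assignment"}),
        TASK_PROCESSING: frozenset({"Read", "Process", "Approve", "Assign Users",
                                    "Change Parameters", "Change Plan Values"}),
    },
    legacy=True,
)
# Scoped roles as recommended in the post (hypothetical role names).
TEMPLATE_CREATOR = Role("Template creator", {TASK_LIST_CREATION: frozenset({"Read", "Create"})})
TEMPLATE_EDITOR = Role("Template editor", {TASK_LIST_CREATION: frozenset({"Read", "Edit"})})
TASK_LIST_GENERATOR = Role("Task list generator",
                           {TASK_LIST_CREATION: frozenset({"Read", "Generate", "Status Change"})})
PROCESSING_VIEWER = Role("Processing read-only", {TASK_PROCESSING: frozenset({"Read"})})

# SoD rule taken from the post: editing templates and generating task lists /
# changing their status should sit with different people.
SOD_RULES = [
    (TASK_LIST_CREATION, frozenset({"Edit"}), frozenset({"Generate", "Status Change"})),
]


def effective_access(roles):
    """Per scope, the union of all assigned roles' levels (authorizations add up)."""
    eff = {}
    for role in roles:
        for scope, levels in role.grants.items():
            eff.setdefault(scope, set()).update(levels)
    return {scope: frozenset(levels) for scope, levels in eff.items()}


def audit(roles):
    """Return the findings for one user's role assignment (empty list = clean)."""
    findings = []
    eff = effective_access(roles)
    legacy = [r.name for r in roles if r.legacy]
    scoped = [r.name for r in roles if not r.legacy]
    if legacy and scoped:
        findings.append(f"legacy role(s) {legacy} still assigned next to scoped role(s) "
                        f"{scoped}: the scoped role cannot narrow access, remove the legacy role(s)")
    for scope, left, right in SOD_RULES:
        have = eff.get(scope, frozenset())
        if have & left and have & right:
            findings.append(f"SoD conflict in {scope}: {sorted(have & left)} "
                            f"together with {sorted(have & right)}")
    return findings


if __name__ == "__main__":
    # Constructed sample users for the demonstration.
    users = {
        "viewer_ok": [PROCESSING_VIEWER],
        "viewer_with_legacy": [LEGACY_WRITE, PROCESSING_VIEWER],
        "editor_and_generator": [TEMPLATE_EDITOR, TASK_LIST_GENERATOR],
        "creator_and_generator": [TEMPLATE_CREATOR, TASK_LIST_GENERATOR],
    }
    for user, roles in users.items():
        print(user, dict(effective_access(roles)), audit(roles) or "OK")
```

The "viewer_with_legacy" case is the one the cutover notes warn about: the user was given a read-only scoped role, yet the effective access still contains "Process" and "Approve" because the legacy role was never removed. The "creator_and_generator" case passes, since the post's segregation rule targets template editing versus generation, not template creation.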

 

Summary

The enhanced access management abilities provide you with greater flexibility and more options when it comes to ensuring segregation of duties and bundling access levels according to your organization’s requirements. The parallel availability of both access management concepts allows you to smoothly transition to the scoped user roles.

Stay tuned!

 

For more information on SAP S/4HANA Cloud for advanced financial closing, check out the following links:

 

Follow us via @SAP and #AdvancedFinancialClosing, or myself via Jana Kasselmann.

      3 Comments

      Martin Pfaff

      Hello Jana!

      I appreciate the new authorization concept in AFC for ensuring that only the authorization that is needed for work is granted.

      At first glance I'm missing the possibility to create a role based on the property object owner, which was available in AFC S/4HANA.


      AFC S/4HANA - object owner restriction

      The usage of that authorization object grants access only to those tasks, for which the user was assigned as processing user or responsible user.

      Is there a possibility to ensure such a restriction in the new concept?

      From an audit point of view it is essential to have such a restriction ("principle of least authorization"), e.g. an accountant for accounts payable shouldn't have access to spool lists of a general ledger task (task type job).

      Thank you very much for your feedback.

      Regards, Martin

      Jana Kasselmann (Blog Post Author)

      Hello Martin,

      Thank you for your question and your interest in the new concept!

      To cover your use case, you can make use of the following means within the enhanced access management options:

      • Directly assigned users (e.g. as user responsible or processing user) receive a default level of authorization without requiring an additional role. The details can be found on the SAP Help Portal in the Administration Guide under the topic Direct User Assignment. Note that the entries labelled with “Compatibility” are authorizations that will be removed to conclude the switch to the new concept.
      • A user role for the Task Processing Scope can be set up to grant access to specific tasks based on the assigned authorization groups. This role can contain different authorization levels based on what you require. For more detailed information, you can check the topic How to Grant Access to Specific Objects.

      With this, you can control access to specific tasks in detail and grant only the minimum required authorization.

      Best regards,

      Jana

      Martin Pfaff

      Hello Jana,

      Thank you for the additional information - that sounds pretty fine.

       

      I will check the recommended chapters in the admin guide and will do a retest.

      Best regards, Martin