Enterprise Resource Planning Blogs by SAP
George_Yu
Product and Topic Expert

Introduction

As a cloud solution, SAP S/4HANA Cloud Public Edition undergoes major upgrades every six months, in February and August each year. Besides introducing new innovations, each upgrade brings many changes in the Identity and Access Management (IAM) area as well. After go-live, once the implementation consultants have left the project, most customers overlook the IAM area due to a lack of resources and expertise. I am going to fill this gap with two related blogs.

The first blog Review Business Role Changes before a Major Upgrade in the SAP S/4HANA Cloud Public Edition intends to explain what you need to do before a major upgrade. Besides replacing deprecated Business Catalogs with their successors, the primary effort lies in understanding what is to be changed around Business Roles, especially those roles already used in the Production Tenant. Some decisions are to be made together with business users from the line of business.

The second blog (this blog) explains the adaptation work of Business Roles after a major upgrade with examples. You need to roll up the sleeves to get the job done in the system.

 

Authorization Building Blocks

The authorization structure within the SAP S/4HANA Cloud Public Edition is built on top of building blocks called Restriction Type Fields, Restriction Types, Business Catalogs, Business Role Templates, and Business Roles, which are assigned to business users. These building blocks form a Hierarchy of Authorization Components (see the figure below).

 Hierarchy of Authorization Components

Among these authorization components within the hierarchy, any change at a lower level causes a ripple effect on the components at higher levels. Following Permutations and Combinations theory, the number of possible changes at the Business Role level could be exponential. In one case I have 11,000+ possible changes to the Business Roles. That is a lot to deal with.

Since many of the changed Restriction Types and Business Catalogs are not used in a customer's system, it is a waste to deal with all these changes. I will approach the changes from the Business Role perspective and focus only on the in-use business roles in this blog. This way we can reduce the volume of work dramatically.

 Ripple Effect of Authorization Component Changes

 

Review Business Role Related Changes

Luckily, there is an app called Manage Business Roles after Upgrade, which helps us review the changes at different levels within the hierarchy. I usually use this app to explore all the changes, but make the changes themselves in other apps, which are discussed shortly.

Note 1: In the SAP Fiori Apps Reference Library, the app is marked as deprecated from 2308 Release. This is not correct. The app has no plan to be retired.

Note 2: The screenshots within this blog are from a Starter System but marked as “Test VHE/100”. At a customer site, we should conduct all business user role adaptation work in the Customizing Tenant, then create a transport to transfer the changes to the Test and Production tenants.

Note 3: If your system has been used for several years, AND you haven’t done any adaptation work after several past upgrades, it could take some time to bring the data up when launching the Manage Business Roles after Upgrade app.

 The App Manage Business Roles after Upgrade

You can explore the changes from five different perspectives, hence the five tabs: Restriction Types, Business Catalog Dependencies, Deprecated Business Catalogs, Business Role Templates, and Affected Business Roles.

Restriction Types – This tab (refer to the figure above) lists all the changed Restriction Types and their affected Business Catalogs. For example, the Restriction Type Access to Price Elements has three line-items, each representing a unique change (adding a restriction type for Write and Read, adding a restriction type for Read, removing a restriction type) and its impact on a set of business catalogs. If you want to know its further impact on the business roles, you can follow the “>” sign to get the figure below. Here three affected business roles are listed.

 Impact of Restriction Type Access to Price Elements to the Business Roles

Business Catalog Dependencies – This tab lists business catalog dependency changes: either a new dependency is added, or an existing dependency is removed. In the following figure, I use the filter Change = Dependencies removed to list the business catalogs that have had dependencies removed.

 Business Catalogs with Dependencies Removed

The impact of this change can also be observed by selecting the business catalog and clicking the “>” icon. The figure below shows one business role, BR_OVERHEAD_ACCOUNTANT, which is affected by removing a dependency in the business catalog Worker – Payment Information Display (the last business catalog in the figure above). The required business catalog ID was SAP_CMD_BC_BP_DISP_PC.

 Affected Business Role from Removing Dependency in Business Catalog Worker – Payment Information Display

Note: When business catalog A has a dependency on B, a business role using A should also contain B as a prerequisite. Sometimes you see B in one business role but not in another, although both contain A. The reason is that some dependencies are optional. An optional dependency is sometimes not marked clearly.

Deprecated Business Catalogs – This tab delivers two important pieces of information. First, the release at which the deprecation was announced. For example, the deprecation of the Business Catalog SAP_FIN_BC_FCCO_ADMIN_PC was announced at Release 2308. Second, whether the deprecated business catalog has a successor or not. For example, the deprecated Business Catalog SAP_FIN_BC_FCCO_ADMIN_PC has no successor. However, the deprecated Business Catalog SAP_HCM_BC_EMP_DSP_PC has a successor, SAP_WFD_BC_EMP_DSP_PC. In fact, this business catalog name change is caused by the naming change from Human Capital Management (HCM) to Worker Force Deployment (WFD).

 List of Deprecated Business Catalogs

Similarly, the impact of this change can also be observed by selecting the business catalog SAP_HCM_BC_EMP_DSP_PC and clicking the “>” icon. Five business roles are affected.

 Affected Business Roles after Changing in Business Catalog SAP_HCM_BC_EMP_DSP_PC

Looking at the column Deprecated with Release, you will notice the release version range is quite wide, from the earliest, 2105, to the latest, 2402. All deprecated objects (apps, business catalogs, business role templates) will be removed in six months, i.e., during the next major upgrade. Why is that not the case here? Let’s look at the business catalog SAP_CA_BC_IC_LND_FIN_EPIC_PC, which was declared deprecated in Release 2105. By exploring Affected Business Roles, we learn that because it is used within the Business Role Z_Test, the Business Catalog SAP_CA_BC_IC_LND_FIN_EPIC_PC cannot be removed from the system.

 The Business Role Z_Test Causes Business Catalog SAP_CA_BC_IC_LND_FIN_EPIC_PC Cannot Be Deprecated

If we remove the Business Catalog SAP_CA_BC_IC_LND_FIN_EPIC_PC from the Business Role Z_Test, the business catalog should be deleted during the next upgrade.

Lesson Learned: If we adapt business catalog changes promptly after each major upgrade, we won’t have very old deprecated business catalogs sitting in our system.

Business Role Templates – We usually recommend that our customers create a new business role by copying from a standard SAP Business Role Template. Over time, the template is changed to accommodate new features and functions. But the copied role won’t reflect this change; in other words, it keeps the outdated content from the original template. However, the system keeps track of the business roles copied from the original business role template. When the template content changes, this tab lists these templates so that you can adapt your business roles accordingly.

 List of Business Role Templates Different from Their Copied from Business Roles

The impact of this template change can be observed as well. For example, we select Business Role Template Administrator - Accounts Payable and Receivable (FI-CA), click the “>” icon, and an affected business role BR_ADMIN_APR_FICA is displayed. You can explore what has changed by selecting this business role and hitting the button Compare with Business Role Template.

 Compare Affected Business Role with Its Business Role Template

In this example, there is only one business role copied from the template. In other cases, there might be multiple roles listed as they are all copied from the same template.

In the next section, I will discuss in detail how to execute the comparison and take the necessary actions to do the business role adaptation.

 

Affected Business Roles – Remember the term Permutations and Combinations I mentioned above? Here it is. There are over 6290 line-items in this tab. It lists all the business roles affected one way or another; each change is a line-item. The Business Role AP_PARK has 12 line-items.

 List of Affected Business Roles

The filter Changed Object Type lists three types: Restriction Type, Business Catalog and Business Role Template. Any change in one or more of these types results in a change in the business role. Among them, Restriction Type causes the most changes (5602 to be precise), followed by Business Catalog (608) and Business Role Template (69).

By downloading this list to an Excel file and removing duplicated Business Role names, I found out there are 133 unique business roles. That is a big reduction from 6290. You can breathe much easier now.

In addition, let’s take a closer look at the business role AP_PARK by clicking the hyperlink. It opens the Maintain Business Roles app, which I will discuss in detail soon.

 Maintain Business Role AP_PARK

Click on the button Display Changes After Upgrade. You will see the Changes after Upgrade section on the right-hand side. There are four changed areas:

  • Restriction Types
  • Business Catalog Dependencies
  • Deprecated Business Catalogs
  • Business Role Template (not shown here)

There is a long list of changed Restriction Types, but nothing is listed under Business Catalog Dependencies and Deprecated Business Catalogs. So, our attention only needs to be on the Restriction Types.

 Changes after Upgrade

Click on the hyperlink Display Restrictions. It turns out no restriction types are set for this business role, or the “Business Role is Unrestricted”, as displayed in the figure below.

 Unrestricted Business Role AP_PARK

Now we can comfortably draw a conclusion: the changes to the business role AP_PARK all occur in restriction types, and since the role AP_PARK doesn’t set any restrictions, we don’t need to do any adaptation. Hurray!

The only work left to do is to edit this role, change nothing, then save it. This takes the business role off our to-do list. The figure below shows that most line-items for the business role AP_PARK are gone, as expected. The only remaining change is a restriction type to be phased out within business catalog SAP_MM_BC_INV_PARK_PC.

 The Affected Business Roles List without AP_PARK

Note: After a major upgrade, you can see which business roles are affected in the Manage Business Role Changes after Upgrade app, or see the button Display Changes after Upgrade in the Maintain Business Roles app. However, as soon as you edit this business role and save it (repeat, save it), these indications disappear.  They only display once.
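
The de-duplication and the AP_PARK reasoning above can be scripted once the downloaded Affected Business Roles list is saved as CSV. This is an added example, not part of the original blog and not an SAP tool; the column names, the sample rows and the `unrestricted_roles` input (roles you have confirmed as unrestricted via Display Restrictions) are assumptions.

```python
import csv
import io
from collections import Counter

# Assumed column names: rename to match the header row of your own export.
ROLE_COL = "Business Role ID"
TYPE_COL = "Changed Object Type"

RESTRICTION = "Restriction Type"
# The three changed object types named in the Affected Business Roles tab.
KNOWN_TYPES = {RESTRICTION, "Business Catalog", "Business Role Template"}

# Constructed sample rows (not real system data); one row per line-item.
SAMPLE_EXPORT = """Business Role ID,Changed Object Type,Changed Object
AP_PARK,Restriction Type,Access to Price Elements
AP_PARK,Restriction Type,Restriction type B (placeholder)
BR_GL_ACCOUNTANT,Restriction Type,Restriction type B (placeholder)
BR_GL_ACCOUNTANT,Business Catalog,SAP_FIN_BC_FCCO_ADMIN_PC
BR_GL_ACCOUNTANT,Business Role Template,SAP_BR_GL_ACCOUNTANT
BR_OVERHEAD_ACCOUNTANT,Business Catalog,Worker - Payment Information Display
BR_ADMIN_APR_FICA,Business Role Template,Administrator - Accounts Payable and Receivable (FI-CA)
BR_RESOURCE_MANAGER,Restriction Type,Access to Price Elements
"""


def read_export(path):
    """Read a CSV saved from Excel; utf-8-sig drops the BOM Excel may write."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return fh.read()


def summarize(export_text):
    """Collapse line-items to {business role: Counter(changed object type)}."""
    per_role = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        role = (row.get(ROLE_COL) or "").strip()
        kind = (row.get(TYPE_COL) or "").strip()
        if role:  # skip rows without a role ID
            per_role.setdefault(role, Counter())[kind] += 1
    return per_role


def triage(per_role, unrestricted_roles=()):
    """Return (role, line_items, action) tuples, most work first.

    A role whose changes are all Restriction Type changes needs no adaptation
    if it is unrestricted (the AP_PARK case): editing and saving clears it.
    """
    unrestricted = set(unrestricted_roles)
    rows = []
    for role, counts in per_role.items():
        kinds = set(counts)
        if kinds - KNOWN_TYPES:
            action = "review manually"      # unexpected or empty type value
        elif kinds == {RESTRICTION}:
            action = "edit and save" if role in unrestricted else "check restrictions"
        else:
            action = "adapt"                # catalog and/or template changes
        rows.append((role, sum(counts.values()), action))
    order = {"adapt": 0, "review manually": 1,
             "check restrictions": 2, "edit and save": 3}
    return sorted(rows, key=lambda r: (order[r[2]], -r[1], r[0]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_EXPORT)
    total = sum(sum(c.values()) for c in summary.values())
    print(f"{total} line-items, {len(summary)} unique business roles")
    for role, n, action in triage(summary, unrestricted_roles={"AP_PARK"}):
        print(f"{role:24} {n:3}  {action}")
```

Run it against your own file with `summarize(read_export("affected_roles.csv"))`, where the file name is a placeholder.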

 

Adapt Business User Role Related Changes

After the exploration work discussed above, we are entering the phase of adaptation and adoption in three areas with their relevant apps: Business Catalogs, Business Role Templates and Business Roles. 

In a broad sense, the words adaptation and adoption are different. I found a good explanation in this article:

Adapt vs Adopt:

Adapt is used either when a change is made to make something more suitable for a particular use or when adjusting to a new place. Adopt is used when something is taken over, chosen, accepted or approved by choice.

Following this definition, we will adopt SAP defined objects like Business Catalogs and Business Role Templates and adapt user defined objects like Business Roles.

Business Catalog Adoption Using Business Catalogs App

You can access the Business Catalogs app in two ways: using the app finder at the top of the screen, or following the Space Administration to the Page Identity and Access Management. I choose the latter approach. In the Section Insights, you can find the Business Catalogs app.

 Business Catalogs app within Insights Section of the Identity and Access Management Page

There is a number 30 on the app. It indicates 30 deprecated business catalogs are still in use. That is our target.

After opening the Business Catalogs app, it shows 2418 entries. This number differs from system to system. Basically, the more scope items you activate in the Central Business Configuration (CBC), the more authorization objects you get, including business catalogs.

Applying the filter Status = Deprecated, you will see 63 entries. Then add another filter, Used in Business Roles, and set the value to greater than or equal to 1. Now you get 30 deprecated business catalogs used in at least one business role. This matches the number shown above.

 Business Catalogs app

After a major upgrade, we only pay attention to the deprecated business catalogs in use by one or more business roles. Deprecated business catalogs that are not used in any business role are of no concern, as they will be removed during the next major upgrade.

For the deprecated business catalogs in use, we can either replace them with their successors, or remove them from the business roles if no successor is listed.

Let’s investigate several of these business catalogs as examples. First, make sure your screen is wide enough to display all the columns. If it is not, you will see the More button, which can be used to add the two columns Used in Business Roles and Used in Business Role Templates.

 Include All Columns in Business Catalogs app

Example 1: Business Catalog Electronic Payment Integration for China (EPIC) - Configuration (Deprecated)

On the screen you can see this business catalog has no successor and is used in one business role.

 Business Catalog Electronic Payment Integration for China (EPIC)

Check the business role Z_TEST: it has 23 business catalogs assigned, but no user is assigned. Obviously, it was used one time as a test business role but abandoned afterwards. The business catalog we are working on was clearly marked as Deprecated with 2105. We should do the garbage collection job: deleting this business role. During the next major upgrade, since no business role is using this business catalog any more, it will be removed from the system.

 Business Role Z_TEST

Another garbage cleaning option is to use the command Adopt Change within the Business Catalogs app. It effectively adapts the business role Z_TEST. This removes the no-successor business catalog from the business role, as shown in the figure below. The troublemaking business catalog is gone. The number of business catalogs is reduced from 23 to 22.

 Business Role Z_TEST without the Deprecated Business Catalog

Example 2: Business Catalog Resource Management (Basic) - Project Based Services (Deprecated)

This business catalog is relatively simple. It has one successor and is used in one business role (BR_RESOURCE_MANAGER). All we need to do is replace the deprecated business catalog with its successor by selecting the business role Resource Manager and clicking the Adopt Changes button. The system takes care of the replacement.

 Replace a Deprecated Business Catalog with Its Successor within the Business Role BR_RESOURCE_MANAGER

Example 3: Business Catalog Employee - Display (Deprecated)

Many times, to meet the requirements of a new naming convention, SAP changes the business catalog ID. This business catalog has an old ID SAP_HCM_BC_EMP_DSP_PC. Its new ID is SAP_WFD_BC_WRK_DSP_PC. That’s the reason for deprecation. We can select all five business roles and click on the Adopt Changes button.

 Replace a Deprecated Business Catalog with Its Successor within Multiple Business Roles

Note: When executing the Adopt Changes button, I noticed that only the top three roles were adapted (although the message says all of them were adapted). I had to adapt again for the remaining two business roles. It should not behave this way.

 

SAP Business Role Template Adoption Using Business Role Templates App

When opening the Business Role Templates app, we pay attention to two criteria: in-use and different from business roles.

In-use is measured in the column “Business Roles”, which can be filtered by applying the Filter Business Roles = In Use. That reduces the total number of listed templates from 252 to 101.

As a best practice, we advise our customers to create user roles by copying from SAP Business Role Templates for ease of creation and maintenance. While doing that, the system keeps track of the roles created from role templates. Over time, SAP changes the business role templates, and our in-use business roles are no longer in sync with the latest version of the templates. This is reflected in the column “Different from Business Roles”.

To find the business role templates we are interested in, we set the Filter Show Business Role Templates = Different from Business Roles.

 Sort out In-Use Business Role Templates “Different from Business Roles”

Now the total number of listed templates is further reduced from 101 to 55.

The next filter to apply is Changed Since. If we keep adopting the template changes at each major upgrade, there should not be so many templates Different from Business Roles. This system is at Release 2402. Any changes should have happened after the 2308 upgrade. Let’s apply the Filter Changed Since = 08/01/2023. Now the total number of listed templates is 21. Far fewer templates to work with!

 List of Business Role Templates to Work With

Note: In your own system, try to tackle all the old and new Business Role Templates Different from Business Roles, so that they won’t show up again after the next major upgrade. I purposely filtered out the templates changed before the 2308 upgrade to get my point across.

Let’s look at two examples:

Example 4: Business Role Template Maintenance Planner SAP_BR_MAINTENANCE_PLANNER

This template has only one in-use business role. You can access it by clicking the “>” icon. Select the role and hit the Compare button.

 Compare a Business Role with its Business Role Template

Currently, the template SAP_BR_MAINTENANCE_PLANNER has 58 business catalogs, but the business role BR_MAINTENANCE_PLANNER has 56 business catalogs. This can be observed by scrolling down the business catalog list. Two check boxes are empty in the Business Role column. You can select the check boxes individually, or hit the Apply All button. Don’t forget to hit the Save button for the changes to take effect.

 Sync Business Role Template and Business Role

Note: It depends on your business scenario whether you want to add the above business catalogs to your business role. If added, new apps might appear as desired. If not added this time, this template will show up again as “Different from Business Roles” after the next major upgrade. Document your decision properly for future reference.

Example 5: Business Role Template Cost Accountant – Overhead SAP_BR_OVERHEAD_ACCOUNTANT

This template has three business roles. The first role matches the template completely, and the third role purposely leaves many business catalogs out. To adapt these business roles, you need to consult the business users carefully to make the right decision. Ideally, document your findings and solutions so that you don’t need to go back to them after the next major upgrade.

 Compare Three Business Roles with Their Role Templates

 

Business Role Adaptation Using Maintain Business Roles Apps

As our primary goal after a major upgrade is adapting business roles, the Maintain Business Roles app is the tool.

 Identify Changed Business Roles in the Maintain Business Roles

When we first launch the Maintain Business Roles app, we make sure to select the two columns Business Catalog Deprecation Count and Changes after Upgrade, as shown above. Then we sort the data by the column Business Catalog Deprecation Count. This highlights the business roles we need to adapt, either because of deprecated business catalogs or because of changes in Restriction Types. Let’s look at one example:

Example 6: Business Role General Ledger Accountant BR_GL_ACCOUNTANT

By clicking on the Display Changes After Upgrade button, we can see the following changes and potential action items:

  • Restriction types: many restriction types have been added or removed. → We need to go to Edit them.
  • One dependent business catalog has been added. → Make sure this dependent business catalog is part of the business role definition.
  • Four business catalogs are deprecated without successors. → Make sure they are removed.
  • The Business Role Template is different from the Business Role. → Do a comparison and make the necessary adjustments.

 Changes after Upgrade in Business Role General Ledger Accountant BR_GL_ACCOUNTANT

After getting a good overview of the potential changes, we click on Edit → Manage Change After Upgrade. In the section Changes After Upgrade on the right, we can expand four areas and take the necessary actions.

  • Business Catalog Dependencies: Select SAP_FIN_BC_SRF_RUN_PC and click on Adopt Changes. The required business catalog SAP_FIN_BC_MWTI_COMMON_PC is added to the business role definition, together with SAP_FIN_BC_SRF_RUN_PC. Now the total number of business catalogs increases from 41 to 42.

 Take Adopt Changes Action to Business Catalog Dependencies and Deprecated Business Catalogs

  • Deprecated Business Catalogs: Select the four deprecated business catalogs SAP_FIN_BC_FCCO_XXX and click on Adopt Changes. These four business catalogs are removed. Now the total number of business catalogs decreases from 42 to 38.

 Changes Made to the Business Role after Adopt Changes Actions

  • Restriction Types: Click on the Maintain Restrictions button. Only Read, Value Help is restricted. By selecting Read Restrictions as a filter and choosing Restriction Types one by one, I don’t see any values in the Restriction Fields. I could change Read, Value Help to be unrestricted, but it is better to talk with business users and administrators about how this business role was defined. Take a note of the reason for future reference.

Note: When I save this business role, I get a warning message: “Business Role BR_GL_ACCOUNTANT contains not maintained read restrictions”.  It is another indication this restriction should be removed.

  • Business Role Template: We can still see a note there “Business role is different from template”. Using the Business Role Templates app to do a final comparison with the template SAP_BR_GL_ACCOUNTANT, we see the following:
    • Two new business catalogs are in the template, but not the business role. We need to add them after consulting with business users.
    • Five business catalogs at the bottom are “not included” in the template; we should deselect them after consulting with business users. The bottom four business catalogs are deprecated. We just removed them in our previous discussion.
    • There are two more business roles, Z_BR_GL_ACCOUNTANT_REQ and Z_BR_GL_ACCOUNTANT, for which we can do a similar investigation.

 Comparing Business Role BR_GL_ACCOUNTANT with Its Template SAP_BR_GL_ACCOUNTANT

 Restriction Types of the Business Role BR_GL_ACCOUNTANT

 

 

Create a Transport to Transfer Changes to Test and Production Tenants

After all the business role adaptations have been made in the Customizing Tenant on the Development System, we need to create a transport to transfer them to the Test and Production Tenants. This is accomplished by creating a new software collection in the Export Software Collection app.

 Create a Business Role Adaptation Transport

After the transport is created, click on the Add Items button. Use the filter features to select the relevant business roles:

  • Type: Business Role (IAM_BROL)
  • Last Changed By: George Yu

The business role BR_GL_ACCOUNTANT is one of those changed ones.

 Selecting Business Roles to be Included in the Transport

Now this software collection “Biz Role Transport 1” containing business role BR_GL_ACCOUNTANT is ready to be exported.

 The Software Collection Containing Business Role BR_GL_ACCOUNTANT

 

Conclusion

This blog explained and demonstrated why and how to adapt business roles after a major upgrade. It is a necessary step to keep business roles in sync with the latest and greatest of the SAP S/4HANA Cloud Public Edition, especially in the Identity and Access Management area. When working on adaptation, focus on the Business Roles, especially the in-use roles, to limit the scope of your work. Any changes in Restriction Types and Business Catalogs can be overlooked as long as they are not assigned to your business roles.

 
