Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
George_Yu
Product and Topic Expert

Introduction

As a cloud solution, SAP S/4HANA Cloud Public Edition undergoes major upgrades every six months, in February and August each year. Besides introducing new innovations, each upgrade brings many changes in the Identity and Access Management (IAM) area as well. After go-live, once the implementation consultants have left the project, most customers overlook the IAM area due to a lack of resources and expertise. I am going to fill this gap with two related blogs.

The first blog (this one) intends to explain what you need to do before a major upgrade. Besides replacing deprecated Business Catalogs with their successors, the primary effort lies in understanding what is to be changed around Business Roles, especially those roles already used in the Production Tenant. Some decisions are to be made together with business users from the line of business.

The second blog, Review and Adapt Business Roles after a Major Upgrade in the SAP S/4HANA Cloud Public Edition, explains the adaptation work on Business Roles after a major upgrade, with examples. You need to roll up your sleeves to get the job done in the system.

Note: For the ease of discussion, I am using a system E7Z/100 at 2308 Release before upgrading to 2402 Release unless noted in this blog.  In contrast, I use a system just upgraded to 2402 in the second blog.

 

Building Blocks of Business Roles

The authorization structure within the SAP S/4HANA Cloud Public Edition is built on top of building blocks called Restriction Type Fields, Restriction Types, Business Catalogs, Business Role Templates, and Business Roles, which are assigned to business users. These building blocks form a Hierarchy of Authorization Components (see the figure below).

 Hierarchy of Authorization Components

Among these authorization components within the hierarchy, any changes at the lower levels cause a ripple effect to the components at a higher level.  Following Permutations and Combinations theory, the final possible changes at the Business Role level could be exponential.  In one case I have 11,000+ possible changes to the Business Roles. That is a lot to deal with.

Since many of the changes in the Restriction Types and Business Catalogs concern objects that are not used in customers' systems, it is a waste of time to deal with all these changes. I will deal with the changes from the Business Role perspective, and focus only on the Business Roles that are in use in your P Tenant in this blog. This way we can reduce the volume of work dramatically.

 

Process of Adapting Business Roles during a Major Upgrade

The major upgrade process starts with the Test Tenant, and then moves to the Development and Production Tenants three weeks later. Before, during and after a major upgrade, there is a list of tasks to perform from the IAM perspective. They are all illustrated in the figure below.

 Process of Adapting Business Roles during a Major Upgrade

This blog focuses on the tasks before the upgrade:

  • Check and replace deprecated Business Catalogs in D/T/P Tenants
  • Identify the preliminary IAM changes via What’s New Viewer
  • Identify the preliminary IAM changes via SAP Note 2975653

The tasks after the upgrade are described in the sister blog Review and Adapt Business Roles after a Major Upgrade in the SAP S/4HANA Cloud Public Edition.

 

Replace Deprecated Business Catalogs

After opening the Business Catalogs app, we need to set the filter Status = Deprecated. In this system, I have 13 deprecated Business Catalogs, all announced in the 2308 Release. That means all of them will be deprecated during the 2402 upgrade. Four of them are not used in any Business Roles. For those, I don’t need to do anything; the upgrade process will remove them automatically.

 Find Deprecated Business Catalogs

The Business Catalogs that need my attention are those used in Business Roles. If I don’t replace them, or still use them in Business Roles, the system won’t deprecate them according to the schedule. For example, the figure below shows deprecated Business Catalogs that belong to different releases, some as early as the 2108 Release (the example is from a 2402 Release system). You need to clean them up at each upgrade!

 Deprecated Business Catalogs from Early Releases

Let’s work on several Business Catalogs as an example.

 

Business Catalog End to End Implementation Experience - Feature Management (Deprecated)

When we open this Business Catalog, we notice the following info.

  • Deprecated with Release: 2308
  • Successors: 1
  • Used in Business Roles: 1
  • Used in Business Role Templates: 0

 Deprecated Business Catalog SAP_CA_BC_FM_DAD_PC

That tells us we need to replace the deprecated Business Catalog SAP_CA_BC_FM_DAD_PC with its successor SAP_CA_BC_IC_LND_FTG_PC (under tab Successors) in the Business Role BR_BPC_EXPERT.

To replace this deprecated Business Catalog, I select the Business Role BR_BPC_EXPERT and hit the Adopt Changes button. The Business Catalog is replaced within the Business Role BR_BPC_EXPERT. Afterwards, the Business Catalogs app shows zero in the Used in Business Roles list.

 No more Business Role Using Business Catalog End to End Implementation Experience - Feature Management (Deprecated)

 

Business Catalog Extensibility - Situation Handling (Deprecated)

When we open this Business Catalog, we notice the following info.

  • Deprecated with Release: 2308
  • Successors: 1
  • Used in Business Roles: 1
  • Used in Business Role Templates: 0

 Deprecated Business Catalog SAP_CA_BC_EXT_SIT_PC

That tells us we need to replace the deprecated Business Catalog SAP_CA_BC_EXT_SIT_PC with its successor SAP_CORE_BC_EXT_SIT_PC in the Business Role BR_EXTENSIBILITY_SPEC.

This time I show a different way of replacing the deprecated Business Catalog, i.e., using the Maintain Business Roles app.

To replace the deprecated Business Catalog, click on the Used in Business Roles tab, then click on the hyperlink of the Business Role ID. This opens the Maintain Business Roles app. Hit the Edit button, then the Manage Changes After Upgrade button.

 Manage Changes After Upgrade within Maintain Business Roles app

In the opened window, on the right-hand side, there is a section called Changes After Upgrade. There are four possible change areas. For this Business Role, the only change occurs at the Business Catalog SAP_CA_BC_EXT_SIT_PC. When you select the Business Catalog and hit the Adopt Changes button, the system replaces this deprecated Business Catalog with its successor.

 Adopt Changes to Deprecated Business Catalog

After the replacement, the successor Business Catalog shows up in the Assigned Business Catalogs list: Extensibility – Situation Handling SAP_CORE_BC_EXT_SIT_PC. There are no more entries under the section Deprecated Business Catalogs. The total number of assigned Business Catalogs remains 26. The replacement is a success.

 Successor Business Catalog is showing up in the Assigned Business Catalogs list

Finally, don’t forget to hit the Save button to complete this change.  After the Save action, this business role is no longer on the after-upgrade to-do list, and the hyperlink Manage Changes After Upgrade is permanently grayed out.

 

Business Catalog Sales - Customer 360 View Display (Deprecated)

When we open this Business Catalog, we notice it is more complicated:

  • Deprecated with Release: 2308
  • Restriction Types: 8
  • Dependencies: 8
  • Successors: 1
  • Used in Business Roles: 1
  • Used in Business Role Templates: 0

For details about Restriction Types, what they are and how to use them, please refer to my blog Using Restrictions to Enhance User Authorizations in the SAP S/4HANA Cloud, public edition.

Dependencies mean that when we use the Business Catalog SAP_SD_BC_CUST_SLSOVP_DSP_PC, it requires other Business Catalogs to be present. In this case, eight Business Catalogs are required.

 Dependencies of the Business Catalog SAP_SD_BC_CUST_SLSOVP_DSP_PC

Since there are dependencies this time, you are prompted to confirm adding dependencies to the successor Business Catalog when you hit the Adopt Changes button.

 Confirm Adding Dependencies to the Successor Business Catalog

Note: There are two types of dependencies: mandatory and optional. For a mandatory dependency, you can see both the Business Catalog and its required Business Catalog present in the Business Role definition. For an optional dependency, you might not see the required Business Catalog.

By repeating the above procedure for each deprecated Business Catalog, I eventually replaced all in-use deprecated Business Catalogs with their corresponding successors. The deprecated Business Catalogs are no longer used in the Business Roles.

 No more Deprecated Business Catalogs Are Used in the Business Roles

 

Check What’s New Documentation

Four weeks before the Test Tenant upgrade, we advise our customers to check the What’s New Viewer for the next release to find out about the forthcoming new features. Several filters need to be set as follows:

  • Valid as of: SAP S/4HANA Cloud 2402
  • This document: IAM

Now you can find all IAM related changes for Release 2402 in the What’s New Viewer.

 What’s New Viewer

Under Type, you have six possibilities:

  • Changed
  • Deleted
  • Deprecated
  • Mandatory task after upgrade
  • Must know
  • New

The purpose of the What's New documentation is to give users a heads-up, so that you can start a conversation with your business users about the possible impact. You can use this documentation together with the Excel worksheets discussed later in this blog.

 

Identify Your Business Roles Impacted by IAM Changes

SAP Note 2975653 Identity and Access Management (IAM): Change Overview for SAP S/4HANA Cloud is the central note about IAM changes for the SAP S/4HANA Cloud Public Edition. This note lists all relevant SAP Notes for each Release. For example, SAP Note 3404825 is for Release 2402.

The primary content of this document consists of two Excel files, and you need to download them:

  • Delta_S4CE_2402-2308.xlsx
  • Delta_S4CE_BR_2402-2308.xlsx

The first file lists IAM changes introduced with the new Release 2402 from Release 2308 which affect applications, Business Catalogs, Business Role Templates, Restriction Type assignments, Spaces and Pages, and Page Templates. This list is not customer specific but applies to all customers.

The content of the file is explained in the following table:

List of Worksheets: Content Explanation

  • ChangeHistory: Shows updates made to the spreadsheet after RTC
  • BCsNew: Changes to objects not yet assigned to any Business Role, contains new Business Catalogs released with SAP S/4HANA Cloud release.
  • BRTsNew: Changes to objects not yet assigned to any Business Role
  • BCsDeleted: Contains Business Catalogs that have been removed with SAP S/4HANA Cloud release and can’t be used any longer.
  • BRTsDeleted: Contains Business Role Templates that have been removed with SAP S/4HANA Cloud release and can’t be used any longer.
  • BCsPriceCategoryChanged: Contains Business Catalogs with changed user price category compared to previous SAP S/4HANA Cloud release.
  • AppsAdded: Contains newly added applications to Business Catalogs released with SAP S/4HANA Cloud release
  • AppTitlesRenamed: Contains applications with changed titles compared to previous SAP S/4HANA Cloud release.
  • AppsDeprecated: Contains applications that have been set to the status "deprecated" with SAP S/4HANA Cloud release.
  • AppsDeleted-Moved: Contains Business Catalogs from which applications have been deleted with SAP S/4HANA Cloud release. There's an entry in the spreadsheet for each deleted application. Note that this refers both to applications that have been removed from SAP S/4HANA Cloud, but also those that have been removed from a specific Business Catalog but may still exist in other Business Catalogs.
  • BCsRenamed: Contains Business Catalogs with changed descriptions compared to previous SAP S/4HANA Cloud release.
  • DepBCsAdded: Contains Business Catalogs to which dependent Business Catalogs were added with SAP S/4HANA Cloud release.
  • DepBCsRemoved: Contains Business Catalogs from which dependent Business Catalogs were removed with SAP S/4HANA Cloud release.
  • BCsDeprecated: Contains Business Catalogs that have been set to the status "deprecated" with SAP S/4HANA Cloud release.
  • RTsNew-Changed: Contains changes of restriction type assignments to Business Catalogs. This can be restriction types that have been newly assigned to a Business Catalog or restriction types that were assigned before SAP S/4HANA Cloud release but where the exposure has changed. For example, a restriction type was assigned for “Read” and is now also available for “Write”.
  • RTsDeleted: Contains Business Catalogs from which restriction types have been deleted with SAP S/4HANA Cloud release.
  • BGsChanges: Contains Business Catalogs with changes in the associated business groups compared to previous SAP S/4HANA Cloud release. It also contains business groups that have been deleted from a Business Catalog with SAP S/4HANA Cloud release.
  • BRTsRenamed: Contains Business Role Templates with changed descriptions compared to previous SAP S/4HANA Cloud release.
  • BRTsBCsAdded: Contains Business Role Templates to which Business Catalogs were added with SAP S/4HANA Cloud release.
  • BRTsBCsRemoved: Contains Business Role Templates from which Business Catalogs were removed with SAP S/4HANA Cloud release.

 

The second Excel file lists the IAM changes related to Business Roles only. This is the file we should focus on, because we will insert our own data to create a true picture of where we are in terms of IAM changes.

List of Worksheets: Content Explanation

  • ChangeHistory: Shows updates made to the spreadsheet after RTC
  • Customer_BRBC: App IAM Information System -> Business Role - Business Catalog: download the content and add it in this sheet
  • Customer_BR: Copy/Paste the columns Business Role and Business Role ID from sheet Customer_BRBC and remove duplicates (Data -> Remove duplicates)
  • Customer_BRBRT: App IAM Information System -> Business Role - Business Role Template: Download the content and add it in this sheet
  • BRsChanged: Overview of affected Business Roles by changes
  • BCsNew: Changes to objects not yet assigned to any Business Role, contains new Business Catalogs released with SAP S/4HANA Cloud release.
  • BRTsNew: Changes to objects not yet assigned to any Business Role
  • BCsDeleted: Contains Business Catalogs that have been removed with SAP S/4HANA Cloud release and can’t be used any longer.
  • BRTsDeleted: Contains Business Role Templates that have been removed with SAP S/4HANA Cloud release and can’t be used any longer.
  • BCsPriceCategoryChanged: Contains Business Catalogs with changed user price category compared to previous SAP S/4HANA Cloud release.
  • AppsAdded: Contains newly added applications to Business Catalogs released with SAP S/4HANA Cloud release
  • AppTitlesRenamed: Contains applications with changed titles compared to previous SAP S/4HANA Cloud release.
  • AppsDeprecated: Contains applications that have been set to the status "deprecated" with SAP S/4HANA Cloud release.
  • AppsDeleted-Moved: Contains Business Catalogs from which applications have been deleted with SAP S/4HANA Cloud release. There's an entry in the spreadsheet for each deleted application. Note that this refers both to applications that have been removed from SAP S/4HANA Cloud, but also those that have been removed from a specific Business Catalog but may still exist in other Business Catalogs.
  • BCsRenamed: Contains Business Catalogs with changed descriptions compared to previous SAP S/4HANA Cloud release.
  • DepBCsAdded: Contains Business Catalogs to which dependent Business Catalogs were added with SAP S/4HANA Cloud release.
  • DepBCsRemoved: Contains Business Catalogs from which dependent Business Catalogs were removed with SAP S/4HANA Cloud release.
  • BCsDeprecated: Contains Business Catalogs that have been set to the status "deprecated" with SAP S/4HANA Cloud release.
  • RTsNew-Changed: Contains changes of restriction type assignments to Business Catalogs. This can be restriction types that have been newly assigned to a Business Catalog or restriction types that were assigned before SAP S/4HANA Cloud release but where the exposure has changed. For example, a restriction type was assigned for “Read” and is now also available for “Write”.
  • RTsDeleted: Contains Business Catalogs from which restriction types have been deleted with SAP S/4HANA Cloud release.
  • BRTsRenamed: Contains Business Role Templates with changed descriptions compared to previous SAP S/4HANA Cloud release.
  • BRTsBCsAdded: Contains Business Role Templates to which Business Catalogs were added with SAP S/4HANA Cloud release.
  • BRTsBCsRemoved: Contains Business Role Templates from which Business Catalogs were removed with SAP S/4HANA Cloud release.

 

The worksheets of the file Delta_S4CE_BR_2402-2308.xlsx are divided into three groups:

  • Orange Colored Worksheets: blank, intended for user input.
  • Green Colored Worksheets: show analysis results based on user input. In fact, only the worksheet BRsChanged is customer dependent. The other four worksheets are provided by SAP.
  • Gray Colored Worksheets: store changed IAM information for the upcoming release.

Here is the idea of this Excel file.  As the file name suggests, this file is to create a list of the Business Roles changed from 2308 to 2402, and the causes of the change. To achieve that, we need to create a list of existing Business Roles in the customer production system. Based on known facts from SAP, i.e., the changes in applications, Business Catalogs, Business Role Templates, Restriction Type assignments, we can create an impact list in the worksheet BRsChanged.

Here are the steps to create a list of changed Business Roles:

Step 1: Open the IAM Information System app. Go to the Business Role - Business Catalog tab. This tab shows the relationship between Business Roles and the underlying Business Catalogs. There are 1275 entries. Download the entire list to an Excel file by clicking the Export Table button. Copy the data into the worksheet Customer_BRBC.

 Business Roles vs. Business Catalogs Tab

Step 2: Go to the Business Role - Business Role Template tab. This tab shows the relationship between Business Roles and SAP delivered Business Role Templates. There are 49 entries. Download the entire list to an Excel file by clicking the Export Table button. Copy the data into the worksheet Customer_BRBRT.

 Business Roles vs. SAP delivered Business Role Templates

Step 3: Go to the worksheet Customer_BRBC, copy the columns Business Role and Business Role ID, and paste them into the worksheet Customer_BR. In the worksheet Customer_BR, remove duplicate entries to make a list of unique existing Business Roles. You can achieve this with the command Data → Data Tools → Remove Duplicates. The result is a list of Business Roles in the system. There are 51 entries in this case, a huge reduction from the 1275 entries in the worksheet Customer_BRBC.

 List of Existing Unique Business Roles in the System

Step 4: Based on your input, the embedded functions in the Excel file create the content of the worksheet BRsChanged. Opening the worksheet BRsChanged, we can see that some Business Roles are changed, along with the causes of the changes, such as BR_MAINT_SUPERVISOR; some Business Roles have no changes at all, such as BR_PRODN_OPTR_LEAN_MFG; and some Business Roles are not derived from a Business Role Template but are still impacted by a Restriction Type change, such as YU_TEST_ROLE.

 List of Changed Business Roles

Each column from C to O represents one of the available worksheets in the Excel file. These columns are divided into four categories, and each category represents one object (I changed the colors of the categories for easier viewing in the Excel worksheet):

  • Business Role Template (Columns C and D)
  • Business Role (Columns E to I)
  • App (Columns J to M)
  • Description Renamed (Columns N and O)

Row 3 gives a short description about what happened to that object. For example, Column C is for adding Business Catalogs to the Business Role Template; and Column D is for removing Business Catalogs from the Business Role Template.  Row 4 displays the number of affected Business Roles by the change described in Row 3. 

The entry “Yes” indicates that a change has occurred for this Business Role. By clicking on the cell, you can see an IF statement that identifies whether this Business Role is listed in the worksheet RTsNew-Changed:

 

=IF([@[Business Role ID]]="","",IF(COUNTIF('RTsNew-Changed'!A:A,CONCAT("*",A36,"*"))>0,"Yes","No"))

 

 

Clicking on the hyperlink name (Row 5) jumps to the worksheet that contains more detailed information for a specific category, for example the worksheet RTsNew-Changed.

To further utilize this worksheet in preparing for the forthcoming upgrade, you can continue with the following work on each category.

Category Business Role Templates, look at worksheets BRTsBCsAdded and BRTsBCsRemoved

  • In Column Business Role ID, use the filter to remove “Blanks” to see which Business Roles are affected by adding or removing Business Catalogs.

Category Business Role, look at worksheet RTsNew-Changed

  • Filter Business Roles existing in the Production Tenant (remove Blanks in the Business Role ID Column) and set filter in Column Type of Change to “New”.  This displays all the Business Roles with newly assigned restriction types.
  • Set the filter in Column Phase-in to “No” to list Restriction Type changes which take effect immediately after the upgrade.  If “Yes”, that means these changes won’t take effect immediately after the upgrade.
  • All unmaintained Restriction Types should be maintained directly after the upgrade (including Phase-In Restriction Types).  The IAM Key Figures app can be used to check for undefined restrictions in P tenant.

Category App, look at worksheets AppsAdded, AppsDeprecated, and AppsDeleted-Moved

  • Filter out “Blanks” in the Column Business Role ID to identify those roles with the impact.  The changes in Apps are mostly driven by the Business Catalog changes.
  • Before the upgrade, review the results in these worksheets with the business users to discuss the impact.

New Scopes (Optional service for Line of Business)

  • In worksheet AppsAdded, filter the Column Business Role ID to “Blanks” to see which apps are not assigned to any Business Role.  Use Column Application Component to relate the Apps to the Line of Business.
  • In worksheet BRTsBCsAdded, filter the Column Business Role ID to “SAP_BR_BPC_EXPERT” to list all configuration Business Catalogs newly added with this release.  Use the Columns Application Component2, Country2, Scope Items2 to relate the Business Catalogs to the Line of Business.
  • Before the upgrade, review the results in these worksheets with the business users to discuss the impact.
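
The impact analysis from Steps 1 to 4 and the Phase-in filter can also be scripted so the review is repeatable at every upgrade. The following is an added example, not code from SAP or from the Excel file: it joins a role-to-catalog export with two delta worksheets on the Business Catalog ID. All role and catalog IDs are constructed, and the delta worksheet column names other than Type of Change and Phase-in are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed stand-in for the "Business Role - Business Catalog" export
# (worksheet Customer_BRBC). All IDs below are made up.
CUSTOMER_BRBC = """Business Role ID,Business Role,Business Catalog ID
ZBR_BUYER,Buyer,ZBC_PURCHASING
ZBR_BUYER,Buyer,ZBC_SUPPLIER_DISPLAY
ZBR_BUYER_LEAD,Lead Buyer,ZBC_PURCHASING
ZBR_BUYER_LEAD,Lead Buyer,ZBC_CONTRACTS
ZBR_WAREHOUSE,Warehouse Clerk,ZBC_STOCK
"""

# Constructed stand-ins for two delta worksheets. Column names are assumed,
# apart from "Type of Change" and "Phase-in", which the post mentions.
BCS_DEPRECATED = """Business Catalog ID,Successor
ZBC_SUPPLIER_DISPLAY,ZBC_SUPPLIER_DISPLAY_V2
"""
RTS_NEW_CHANGED = """Business Catalog ID,Restriction Type,Type of Change,Phase-in
ZBC_CONTRACTS,Purchasing Organization,New,No
ZBC_PURCHASING,Company Code,New,Yes
ZBC_UNUSED,Plant,New,No
"""


def rows(text):
    """Parse CSV text (a worksheet saved as CSV) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unique_roles(brbc):
    """Step 3: one entry per Business Role ID (Remove Duplicates)."""
    seen = {}
    for r in brbc:
        seen.setdefault(r["Business Role ID"], r["Business Role"])
    return seen


def roles_changed(brbc, deprecated, rts):
    """Step 4 equivalent: map each in-use role to the reasons it is affected."""
    catalogs = defaultdict(set)
    for r in brbc:
        catalogs[r["Business Role ID"]].add(r["Business Catalog ID"])
    dep = {d["Business Catalog ID"]: d["Successor"] for d in deprecated}
    report = {}
    for role in unique_roles(brbc):
        reasons = []
        for bc in sorted(catalogs[role]):
            if bc in dep:
                reasons.append(("BCsDeprecated", bc, dep[bc]))
            for rt in rts:
                if rt["Business Catalog ID"] != bc or rt["Type of Change"] != "New":
                    continue
                # Phase-in "No": the change takes effect right after the upgrade.
                when = "immediate" if rt["Phase-in"] == "No" else "phased-in"
                reasons.append(("RTsNew-Changed", bc, rt["Restriction Type"], when))
        report[role] = reasons  # empty list: role is not affected
    return report


def immediate_restriction_work(report):
    """Roles with newly assigned restriction types that are not phased in."""
    return sorted(
        role for role, reasons in report.items()
        if any(r[0] == "RTsNew-Changed" and r[-1] == "immediate" for r in reasons)
    )


if __name__ == "__main__":
    result = roles_changed(rows(CUSTOMER_BRBC), rows(BCS_DEPRECATED), rows(RTS_NEW_CHANGED))
    for role, reasons in result.items():
        print(role, "->", reasons or "no changes")
    print("Maintain first:", immediate_restriction_work(result))
```

Catalogs that appear in the delta but in no customer role (ZBC_UNUSED here) drop out of the report, which is the volume reduction the post aims for.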

 

Conclusion

This blog explained the general process of a major upgrade for the SAP S/4HANA Cloud Public Edition from the IAM perspective. Besides replacing deprecated Business Catalogs, your primary focus is to identify the to-be-changed Business Roles and plan the changes after the upgrade. Close collaboration with business users is a must.

 
