User Authorizations in SAP S/4HANA Cloud
Вставка
- Опубліковано 11 вер 2024
- S4HCKS22 - SAP S/4HANA Cloud Knowledge Snippet
For the full post please visit the corresponding post at
pascalrenet.com...
For those of you that want to jump right to a topic, I have below indicated the time markers:
Introduction to authorizations in SAP S/4HANA Cloud - how things hang together 00:45
The apps to work with to manage roles 01:30
From authorization to user and everything in between 03:00
A concrete example - Setting it up in the system 10:22
Topic round offs 36:00
Very good information, thanks. Admittedly I had you on speed x2 setting for the bits I already knew but I thought it was really well done.
Thank you for the comment. Admittedly, it was published 2+ years ago when there was quasi no information available. Probably needs an update.
Great video, very helpful, much appreciated.
Superb Video. got clear understanding of Cloud Auth.
Thank you for the great comment! Glad to hear it gave you clarity.
@@pascalrenet in SAP S/4HANA Cloud how can we check SOD risk?
A great method of explanation ...really appreciate your kind effort to produce such this helpful video
Thank you very much for such a nice comment, and glad to read you found this helpful!
It's very enlightening and clear. Thank you
Thanks!
Excellent Pascal..thank you for your detailed explanation..
Thank you for the comment. Always nice to hear that it is helpful!
Thanks for your snippets. really helpful
Thank you - happy to hear they are helping!
Excellent... Very Much Helpful.
Perfect video. Thank you
Glad it was helpful!
Great information.. Thank you so much :)
Glad it was helpful!
Excellent video. What would have made this even more useful is if (1) you would have explained what is a good way to export all this info (incl restriction details) in order to perform an effective access review (2) what does the SoD check button do that is shown there and (3) are there any tools available (similar to GRC, CSI) that help with reviewing the appropriateness of access rights more automatically.
Thanks for the note and comment. Whilst this video was uploaded in 2018, some things have remained and some have changed. The SOD (Segregation Of Duty) button has disappeared, roles need to be downloaded/uploaded to be moved between systems and I am not aware of tools such as GRC (not to say they do not exist/are available).
@@pascalrenet how I understand it SAP has a product available called IAG that brings many GRC features to the cloud. I'm trying to figure out how this works as it is all relatively new. Then again many companies dont have IAG yet and they would still need to manage their accesses.
Thank you!
Hi pascal, I see that you have completely done this role configuration from fiori but this authorization assignment could be easily done via sap gui rite. Please correct me if I am wrong. Is it that while integrating with cloud we should follow this process ??
Hi sumithra. In this particular, I was using an SAP S/4HANA Cloud (Essentials - fka, Multi-Tenant), which can only be accessed via a web browser, hence the Fiori Launchpad. If you are looking at SAP S/4HANA Extended or Private Cloud Edition, then yes, the access is via GUI.
Hi Pascal, what would be the process to allow Approval rights to a User, say, for example Sales orders?
Hi - check the script associated with scope item BD9 - Sale from stock -> rapid.sap.com/bp/#/browse/scopeitems/BD9 it has all the instructions
Wonderfully explained.. thanks for the tutorial ..
Thank you for taking the time comment - glad you got something out of it.
Great
Hi Pascal, is there a way to transport roles rather than download and upload in 2102 release?
Nice one .. Easy to understand. What to learn S4 Hana could from basis .. please assist thanks
Nice and informative content
Thank you ! Watch for an update some time before the 1908 release !
Hii pascal, Is there a way to to have authorization
based on region or country ??
Hi Suman. Thanks for the comment. If you mean can you restrict a user to access ALL the data in the system based on a region or country, the answer is no. You have to remember that the authorisations are determined by authorisation objects that are directly dependent on the objects for which you are trying to set a restriction. For example, it would not make sense to use the Purchase Organisation to restrict in what Plant you can create a production order ! So, it could be that in some cases a region or country code can be used for authorisation but that will not be the case for all authorisations. Hope this helps.
@@pascalrenet Thanks for ur explanation
Adding to my previous question, so when we use cloud, we do security administration using Business role in Fiori Apps library but when its just on-premise and fiori, we do administration using SAP GUI..
Your latter comment would also apply to SAP S/4HANA Cloud Extended or SAP S/4HANA Cloud PE (Private Cloud Edition)
good one
Thanks!
Hi Pascal, is there a way to transport roles rather than download and upload?
Hi. No unfortunately this is not possible.
Dear Pascal,
Wonderful video for the beginners:) Thanks a lot for sharing this video.
We have nearly 50 master business roles to be created in S/4 HANA Cloud and derived roles are expecting to be nearly 1000+ roles ( 50*21 = 1050). We are facing challenges in creating all these 1000+ derived roles manually in the system as it is time-consuming and involves the manual creation of roles.
I have already gone through the blog Mass Maintenance of Business Roles in SAP S/4HANA Cloud, but again this suggestion also leads to creating more number of files as the same as the number of derived roles.
Does anyone come across this situation? Do we have any provision to automate or doing mass derived roles creation in the S/4 HANA cloud system?
Thanks
Sindhu
Do you know of any report/table in SAP S4 to show the relationship between role and catalog? - similar as in ECC was AGR_1251
Check the IAM Information System app for what is setup specifically in your system, or check the Fiori Apps library (list view - which tells you the standard catalog to role relationship for an app)
Thanks for the good video. Is the same business role viewable through PFCG. If the business role is the same as PFCG role, then i think if the role has been restricted at auth. object level, but not at level of restrictions, then the role will follow according to auth. object level. Am i right.
Thanks for the comment. Not sure I fully understand your comment. However this recording is specific to S/4HANA Cloud Essentials (Multi tenant) and PFCG is not available there. That said, yes if you were to compare, yes a role created in the app 'Maintain Business Roles' in cloud, would be viewable via PFCG if this were an on-prem flavour. A role is made up of catalogs, that are themselves linked to 'authorisation objects' that are used to restrict the data a user can see or create/modify.
Excellent 5 stars
wow - Thank you !