From the green screens of SAP R/2 in the ’80s to the intelligent, AI-augmented SAP S/4HANA Public Cloud of today, the journey of SAP has been nothing short of transformative. I’ve witnessed this evolution firsthand—when authorizations were managed in spreadsheets and SU01 was the gateway to everything, to now, where role design must align with cloud principles, compliance mandates, and business agility.
In this cloud-first era, authorization design isn’t just a technical setup—it’s a strategic enabler. The shift from monolithic systems to modular, SaaS-based ERP demands a rethinking of how access is controlled, distributed, and monitored. No longer can we rely on static role assignments or legacy concepts like composite roles and user masters. Instead, we embrace Business Role Management—a fusion of central governance and decentralized responsibility, where authorization administrators create scalable business roles, and business units own the task of assignment.
In SAP S/4HANA Cloud Public Edition, every permission granted must be intentional, minimal, and traceable. The goal is not only to empower users to perform their tasks but also to ensure completeness, correctness, and compliance in every transaction. This next-gen model safeguards data integrity, upholds regulatory mandates, and supports seamless audits—all while enabling the speed and scale modern enterprises demand.
Welcome to the new era of authorization by design, not by default—where every access point is a balance between business need and risk control.
Let’s deep dive into how the Business Role Concept functions in SAP S/4HANA Public Cloud ERP.
In S/4HANA Public Cloud, Business Roles serve as templates that encapsulate a user’s job responsibilities, bundling together the access rights (business catalogs and restrictions) required to perform specific tasks. Unlike on-premise systems, where authorization objects and roles were maintained with the PFCG transaction, the cloud model emphasizes role clarity, least privilege, and task-based access.
Key Components of the Business Role Concept:
- Business Role: An abstract representation of a job function (e.g., Accounts Payable Clerk, Sales Manager). It includes predefined business catalogs that grant access to relevant Fiori apps and services.
- Business Catalogs: Collections of Fiori apps and associated authorizations (similar to menu nodes in PFCG), which are assigned to business roles.
- Restrictions: Embedded within business roles, restrictions define what a user can or cannot do, ensuring fine-grained access control.
- IAM Apps: Tools like “Maintain Business Roles,” “Maintain Restrictions,” and “Maintain Business Users” are used to manage role assignments and access policies within the cloud.
Centralized Governance with Decentralized Assignment
SAP’s Public Cloud model enables a centralized creation and lifecycle management of business roles by security administrators, while allowing decentralized assignment by line-of-business managers or role approvers. This ensures governance without sacrificing agility—an essential requirement for modern enterprises operating across geographies and business units.
Business roles (job roles) are the foundational component of the application-level security design. A business role is an abstraction that represents a job duty a person performs. The business role includes everything they do related to their SAP workplace responsibilities.
Here is a quick comparison between on-premise and public cloud:
Aspect | SAP On-Premise (ECC / S/4HANA On-Prem) | SAP S/4HANA Public Cloud |
---|---|---|
Role Type | Technical roles (single/composite roles) using PFCG | Business roles using business catalogs and restrictions |
Access Definition | Authorization objects, values, and organizational levels | Predefined catalogs with app-specific restrictions |
Tools Used | SU01, PFCG, SUIM, SU53 | Fiori Apps like "Maintain Business Roles", "Maintain Restrictions" |
User Assignment | Direct user-to-role assignment (manually or via HR triggers) | Business role assigned to user centrally; decentralized assignment possible |
Flexibility | Highly customizable, granular control | Standardized, cloud-aligned, with limited scope for customization |
Org-Level Restriction | Manually maintained in role master data | Maintained as part of role restrictions |
Transport & Versioning | Transportable roles via CTS | Roles managed via lifecycle in cloud tenant; no CTS |
Compliance & Audit Support | Can be integrated with GRC or custom scripts | Built-in traceability and support for compliance with change tracking |
Maintenance Overhead | High – requires deep knowledge of objects and continuous review | Lower – relies on predefined SAP-delivered content |
Upgrade Impact | Manual adjustment needed post-upgrade | SAP pushes updates automatically; roles may need review post-upgrade |
NOTE: While designing roles in the public cloud, avoid cloning existing roles unless absolutely required. Start from SAP-delivered templates, apply only the required restrictions, and adopt a “minimal and necessary” access model. Always test with sample users to validate the business functionality.
The image below shows the roles and users to maintain in Identity and Access Management:
[Image: roles and users maintained in Identity and Access Management]
What is a business catalog?
A catalog is a set of Tiles / Applications you want to make available for one role. Depending on the role and the catalogs assigned to the role, users can browse through the catalogs and choose the Tiles / Applications that they want to display on the entry page of the SAP Fiori launchpad.
Note: Customization of catalogs is not allowed in the SAP Public Cloud system; it is only possible in on-premise systems. Customized roles must be built from the SAP standard catalogs available for cloud systems.

Understanding Parent and Derived Roles in SAP S/4HANA Public Cloud ERP
SAP introduced the concept of parent and derived roles to simplify role administration. It is helpful when mapping security for large enterprises spread across multiple geographies or divisions. A child (derived) role inherits from a parent role: it has exactly the same Fiori apps and authorization values as its parent, except for the values of the organizational-level fields (plant, company code, sales organization). Maintenance is therefore simplified, as only the org levels need to be maintained at the derived-role level.
Overview of SAP S/4HANA Public Cloud ERP default restrictions:
A restriction field value can consist of several single values or value ranges; the default is blank, which means no authorization. It is also possible to select the value “*” for all values (unrestricted access) or the status “Not Maintained” to grant no authorization on purpose.
There are three different access categories as shown in figure 1.4:
- Write, Read, Value Help (write access)
- Read, Value Help (read access)
- Value Help (value help access)

The restriction fields of newly created business roles are initially predefined with full display authorization:
Write – When a business role is created, the default value of the write access category is “No Access”. This means the business role has no write authorizations at all (display only). You can add specific authorizations (“Restricted”) or, where full access for all restriction types and restriction fields is intended, select “Unrestricted” (“*”).
Changing the write access to “Restricted” lets you define which data the business users assigned to the business role can edit. In the values area, you define the authorization values for the desired restriction fields. If you deliberately do not want to grant access to a restriction field, choose the status “Not Maintained”. Every authorization defined in the write access category is inherited by the read and value help access categories.
Read – The default status of the read access category is “Unrestricted”. Switching the read access to “Restricted” lets you define which data the business users assigned to this business role can see. In the values section, you define the instance-based restrictions for the desired restriction fields, which are also used for value helps.
Every authorization defined in the read access category is inherited by the value help access category.
Value Help – Authorizations for the value helps used in a business role. These value help authorizations do not influence the defined restrictions for read access. In the context of a business role, you can authorize value help access, for example, to business partners that belong to certain authorization groups.
At the start of business role scoping, the access categories must be set to “Restricted”, which means all restriction fields are empty (blank = no authorization). A business role is production-ready only when all restriction fields are completely maintained (blank restriction fields are not allowed).
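To make the inheritance and readiness rules above concrete, and the parent/derived rule from the previous section, here is an added Python model (not SAP code; the field names, role contents and the tokens used for “*” and “Not Maintained” are constructed assumptions) that computes a field’s effective authorization per access category, flags blank and unrestricted fields before go-live, and derives a child role that differs from its parent only in its organizational levels.

```python
from copy import deepcopy

UNRESTRICTED = "*"                 # the "*" value: all values, unrestricted access
NOT_MAINTAINED = "NOT_MAINTAINED"  # "Not Maintained": deliberately no authorization
BLANK = None                       # empty field: no authorization and not production-ready
# Write authorizations flow into read and value help; read flows into value help.
INHERITS_FROM = {"write": (), "read": ("write",), "value_help": ("write", "read")}
ORG_FIELDS = {"company_code", "plant", "sales_org"}  # org levels a derived role overrides

def effective(role, category, fld):
    """Effective authorization of one field in one access category:
    the field's own values plus everything inherited from higher categories."""
    values = set()
    for cat in (category,) + INHERITS_FROM[category]:
        val = role[cat].get(fld, BLANK)
        if val == UNRESTRICTED:
            return UNRESTRICTED
        if isinstance(val, frozenset):
            values |= val
    return frozenset(values)  # empty frozenset means no access

def readiness_findings(role):
    """Blank fields block go-live; '*' is allowed but deserves a least-privilege review."""
    findings = []
    for cat in INHERITS_FROM:
        for fld, val in role[cat].items():
            if val is BLANK:
                findings.append(f"BLOCK: {cat}.{fld} is blank (no authorization)")
            elif val == UNRESTRICTED:
                findings.append(f"REVIEW: {cat}.{fld} is unrestricted (*)")
    return findings

def derive(parent, org_values):
    """Derived role: identical to the parent except for the org-level field values."""
    child = deepcopy(parent)
    for cat in child:
        for fld in list(child[cat]):
            if fld in ORG_FIELDS and fld in org_values:
                child[cat][fld] = frozenset(org_values[fld])
    return child

# Constructed sample role (hypothetical field names): write restricted to one
# company code, read left at the unrestricted default, value help not yet maintained.
AP_CLERK = {
    "write": {"company_code": frozenset({"1000"}), "bp_auth_group": NOT_MAINTAINED},
    "read": {"company_code": UNRESTRICTED, "bp_auth_group": frozenset({"AP01"})},
    "value_help": {"company_code": BLANK, "bp_auth_group": BLANK},
}
```

Running `readiness_findings(AP_CLERK)` reports the two blank value help fields as blockers and the unrestricted read on company code for review; `derive(AP_CLERK, {"company_code": {"2000"}})` yields a sibling role for another company code without touching the parent.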
Role Deployment Process:
[Image: role deployment process diagram]
Role Authorization Design Best Practices in SAP S/4HANA Public Cloud ERP
The authorization design for business roles is based on granting authorizations (as opposed to denying them). Adding business catalogs to a business role and assigning the business role to a business user controls which Fiori apps the business user is authorized to run.
- Users should be limited to the business functions required to perform their authorized activities.
- The role design should meet the audit requirements.
- The role design approach:
  - Roles follow a job-based model, with organizational restrictions applied.
  - Maintenance roles and display roles are separated, so that either or both can be assigned according to job duties.
  - Roles are designed with long-term maintainability and sustainability in mind.
- Define how customer data can be accessed by maintaining authorization values (restricted values) in the restriction fields available in business roles.
- Restriction fields are organized into restriction types; restriction types contain general organizational restriction fields (for example, company code, profit center).
- The required restriction field values are gathered from the process teams based on their requirements.
- If no value is received, maintain “*” (unrestricted access for that field).
Conclusion
Implementing a job-based role model with proper segregation of duties, along with restrictive access at the organizational level, helps in ensuring compliance, minimizing risks, and simplifying audits. Since customization is limited in the public cloud, it becomes even more crucial to carefully plan role design upfront, involving both process owners and security administrators.
Ultimately, the goal is to achieve a secure, auditable, and scalable access framework—one that supports business operations seamlessly while safeguarding enterprise data against misuse and unauthorized access. With these best practices in place, organizations can confidently move forward in their cloud transformation journey with SAP S/4HANA Public Cloud.