This is how the role change succeeds
Equally important are a strategic approach, careful documentation and, above all, extensive testing. The management of roles and authorizations should not be underestimated in S/4 migration projects. In a greenfield project, the necessary adjustments to user roles and authorizations are a regular part of the project plan. In a brownfield conversion from ECC to S/4 Hana, on the other hand, the importance and effort of the topic is often underestimated.
In this case, too, various transactions have to be replaced on the basis of the simplification items and the user roles have to be adjusted accordingly. At the same time, there is the opportunity to redefine or correct authorizations in the course of the changeover. If Fiori apps are also used, the project team will face further challenges.
Even for experienced SAP managers, it is initially unusual that two authorizations have to be assigned for Fiori apps - once in the front end for the OData call and once in the back end for the actual execution of the apps. This principle also affects the creation of user roles: If a Central Hub deployment is used, where the front-end and back-end represent two different systems, it is mandatory to assign two roles as well. For most companies with a medium-sized SAP system, on the other hand, the simpler embedded deployment structure is recommended. Since in this case the front end and back end run on one server, it is generally possible and often advisable to combine both authorizations in one role.
Fiori Launchpad
Fiori apps should not be seen simply as a supplement to classic transactions. In any case, their use changes the user interfaces, but usually also the associated processes. Users no longer start the individual processes via the classic transaction calls, but via the Fiori launchpad. In this central entry point, all required applications are grouped together in Fiori tiles, clearly arranged and individually tailored to the respective user roles.
IT can create launchpads based on standard catalogs for each user or user group. The requirements for this come from the business departments. To do this, the business managers must first get to know the new possibilities of the Fiori applications.
SAP Activate
The SAP Activate method envisages that those responsible and key users in the specialist departments familiarize themselves with the contents of the SAP standard catalogs in the Explore phase. They should then be able to define their own processes and the required applications. This approach has proven successful in previous projects: Early planning of roles and authorizations in the first two project phases is definitely recommended. However, authorizations also play a central role in the later course of the project up to the implementation phase and must be adapted on an ongoing basis.
The applications selected during the Explore phase are rarely definitively defined at the beginning of the project. In practice, this initial window of opportunity often proves too short for users to get an overview of all the options for using the Fiori apps. For example, the "Insight to Action" principle allows navigation from an overview page down to the document level. For example, the relevant document items can be determined from a graphical representation of purchasing sales by using filters and then edited directly from the application. This opens up other possibilities for organizing workflows. With increasing understanding of the functionality, users thus find further options for process optimization, which should then also be implemented.
For those responsible for the SAP project, this means on the one hand: The Fiori launch pads must be iteratively adapted as the project progresses into the implementation phase. On the other hand, changes to the processes also require adjustments to the roles and authorizations. This means that the work on user roles and authorizations is a cross-sectional subproject that runs through the entire ERP transition.
The management of user roles and authorizations during the changeover to S/4 thus requires strategic considerations and corresponding resources over the entire course of the project. Automations are helpful and should be used as a matter of course, but thorough testing remains mandatory. Authorizations should therefore also be tested during all integration tests. To avoid coming under pressure towards the end of the project, project managers should plan the necessary personnel and time resources for this from the very beginning. Experience has shown that troubleshooting in the test runs is difficult if detailed documentation has not been provided from the very beginning. FIS has developed a corresponding documentation template. The additional effort for documentation pays off in the test phases in any case.