The global and independent platform for the SAP community.

This is how the role change succeeds

Role and authorization management in S/4 projects is not a routine exercise. The functionality and authorization concept of the Fiori apps are new for users and SAP managers. These innovations must be taken into account for project planning.
Mathias Cararo, FIS
May 5, 2022
This text has been automatically translated from German to English.

Equally important are a strategic approach, careful documentation and, above all, extensive testing. The management of roles and authorizations should not be underestimated in S/4 migration projects. In a greenfield project, the necessary adjustments to user roles and authorizations are a regular part of the project plan. In a brownfield conversion from ECC to S/4 Hana, on the other hand, the importance and effort of the topic is often underestimated.

In this case, too, various transactions have to be replaced on the basis of the simplification items and the user roles have to be adjusted accordingly. At the same time, there is the opportunity to redefine or correct authorizations in the course of the changeover. If Fiori apps are also used, the project team will face further challenges.

Even for experienced SAP managers, it is initially unusual that two authorizations have to be assigned for Fiori apps - once in the front end for the OData call and once in the back end for the actual execution of the apps. This principle also affects the creation of user roles: If a Central Hub deployment is used, where the front-end and back-end represent two different systems, it is mandatory to assign two roles as well. For most companies with a medium-sized SAP system, on the other hand, the simpler embedded deployment structure is recommended. Since in this case the front end and back end run on one server, it is generally possible and often advisable to combine both authorizations in one role. 

Fiori Launchpad

Fiori apps should not be seen simply as a supplement to classic transactions. In any case, their use changes the user interfaces, but usually also the associated processes. Users no longer start the individual processes via the classic transaction calls, but via the Fiori launchpad. In this central entry point, all required applications are grouped together in Fiori tiles, clearly arranged and individually tailored to the respective user roles.

IT can create launchpads based on standard catalogs for each user or user group. The requirements for this come from the business departments. To do this, the business managers must first get to know the new possibilities of the Fiori applications. 

SAP Activate

The SAP Activate method envisages that those responsible and key users in the specialist departments familiarize themselves with the contents of the SAP standard catalogs in the Explore phase. They should then be able to define their own processes and the required applications. This approach has proven successful in previous projects: Early planning of roles and authorizations in the first two project phases is definitely recommended. However, authorizations also play a central role in the later course of the project up to the implementation phase and must be adapted on an ongoing basis.

The applications selected during the Explore phase are rarely definitively defined at the beginning of the project. In practice, this initial window of opportunity often proves too short for users to get an overview of all the options for using the Fiori apps. For example, the "Insight to Action" principle allows navigation from an overview page down to the document level. For example, the relevant document items can be determined from a graphical representation of purchasing sales by using filters and then edited directly from the application. This opens up other possibilities for organizing workflows. With increasing understanding of the functionality, users thus find further options for process optimization, which should then also be implemented.

For those responsible for the SAP project, this means on the one hand: The Fiori launch pads must be iteratively adapted as the project progresses into the implementation phase. On the other hand, changes to the processes also require adjustments to the roles and authorizations. This means that the work on user roles and authorizations is a cross-sectional subproject that runs through the entire ERP transition. 

The management of user roles and authorizations during the changeover to S/4 thus requires strategic considerations and corresponding resources over the entire course of the project. Automations are helpful and should be used as a matter of course, but thorough testing remains mandatory. Authorizations should therefore also be tested during all integration tests. To avoid coming under pressure towards the end of the project, project managers should plan the necessary personnel and time resources for this from the very beginning. Experience has shown that troubleshooting in the test runs is difficult if detailed documentation has not been provided from the very beginning. FIS has developed a corresponding documentation template. The additional effort for documentation pays off in the test phases in any case.

Mathias Cararo, FIS

Mathias Cararo is Senior Consultant SAP at FIS Informationssysteme und Consulting

Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024


Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT


Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024


Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.