Whether on-premises or in the cloud, you want to mitigate risk, and for that you need access control processes that are bedded down and air tight. You need to be able to monitor who has access to your system and, more importantly, what they can do and which data they are allowed to access, whether in a viewing or a changing capacity.

SAP S/4HANA Public Cloud editions provide this governance and compliance capability out of the box. The Fiori app itself is named ‘IAM Information System’ (IAM stands for Identity and Access Management). You can find additional information on this application in the SAP Fiori apps reference library or in the app documentation.

Once you launch the app, you can quickly search for what you are looking for, which will usually be a business role or a business user. You can of course also run an unrestricted search, which is especially helpful if you intend to extract the results and do some slicing and dicing outside the system.

Once you execute the search based on your criteria, the results are presented in three distinct tabs:

  • Business role to business user assignments – to determine which users are assigned which business role
  • Business role to business catalog assignments – to determine which business catalogs are assigned to which business role
  • Business role restrictions – for each available restriction field, which values have been maintained (if any) and in which mode

The first tab shows, for a business role, which business users are assigned to it:

The second tab shows, for a business role, which business catalogs are assigned to it:

The third and last tab shows, for a business role, which restrictions apply and in which mode (read or write):


However, please note that restriction values maintained in different roles do not stay isolated per role, and you must keep this in mind when you maintain them. To illustrate the point, assume a user has been assigned two business roles, and in both roles restriction values have been maintained, in read and write modes, for the field ‘Company’: in the first role the value ‘0001’, in the second role the value ‘0002’. If in the backend it is the same authorization object that is checked at run time, then that user has access to company codes 0001 and 0002 (not just company code 0001 through the first role and company code 0002 through the second). Authorizations are additive across all roles assigned to a user, so beware of that!
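The following script is an added example, not part of the original post and not SAP code. It assumes you have exported the three IAM Information System tabs (as the post suggests for slicing and dicing outside the system) into flat rows, and it models the additive behaviour just described: restriction values maintained for the same field in different roles are merged for the user. The role, user and catalog identifiers are constructed sample data, not real tenant data, and the mapping of restriction fields to backend authorization objects is simplified to "same field, same object".

```python
"""Model how business-role restriction values combine for a business user.

Added example, not SAP code. Assumes the three IAM Information System tabs
were exported as flat rows and that values maintained for the same
restriction field in different roles are merged at run time.
"""
from collections import defaultdict

# Constructed sample export (hypothetical IDs, not real tenant data).
USER_ROLES = [                      # tab 1: business role -> business user
    ("ALICE", "BR_AP_ACCOUNTANT"),
    ("ALICE", "BR_GL_ACCOUNTANT"),
    ("BOB", "BR_AP_ACCOUNTANT"),
]
ROLE_CATALOGS = [                   # tab 2: business role -> business catalog
    ("BR_AP_ACCOUNTANT", "SAP_FIN_BC_AP_MANAGE"),
    ("BR_GL_ACCOUNTANT", "SAP_FIN_BC_GL_MANAGE"),
    ("BR_GL_ACCOUNTANT", "SAP_FIN_BC_GL_DISPLAY"),
]
ROLE_RESTRICTIONS = [               # tab 3: (role, field, mode, value)
    ("BR_AP_ACCOUNTANT", "Company", "Read", "0001"),
    ("BR_AP_ACCOUNTANT", "Company", "Write", "0001"),
    ("BR_GL_ACCOUNTANT", "Company", "Read", "0002"),
    ("BR_GL_ACCOUNTANT", "Company", "Write", "0002"),
]


def roles_of(user):
    return {role for u, role in USER_ROLES if u == user}


def effective_catalogs(user):
    """Union of the catalogs (and hence apps) reachable through all assigned roles."""
    roles = roles_of(user)
    return {cat for role, cat in ROLE_CATALOGS if role in roles}


def per_role_restrictions(user):
    """What each assigned role grants on its own: role -> field -> mode -> values."""
    view = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    roles = roles_of(user)
    for role, field, mode, value in ROLE_RESTRICTIONS:
        if role in roles:
            view[role][field][mode].add(value)
    return view


def effective_restrictions(user):
    """What the user can actually do: field -> mode -> union over all roles.

    This is the additive behaviour: 0001 from one role plus 0002 from another
    becomes {0001, 0002} for the user, in every app that checks the field.
    """
    merged = defaultdict(lambda: defaultdict(set))
    for role_view in per_role_restrictions(user).values():
        for field, modes in role_view.items():
            for mode, values in modes.items():
                merged[field][mode] |= values
    return merged


def is_authorized(user, field, mode, value):
    """Simplified run-time check against the merged values (modes kept separate)."""
    return value in effective_restrictions(user)[field][mode]


def users_with_merged_values(field, mode):
    """Audit helper: users whose effective value set is wider than any single role grants.

    No single role on tab 3 shows this access, which is why it is easy to miss.
    """
    hits = {}
    for user in {u for u, _ in USER_ROLES}:
        effective = effective_restrictions(user)[field][mode]
        widest_single_role = max(
            (view[field][mode] for view in per_role_restrictions(user).values()),
            key=len, default=set(),
        )
        if len(effective) > len(widest_single_role):
            hits[user] = sorted(effective)
    return hits


if __name__ == "__main__":
    for user in ("ALICE", "BOB"):
        print(user, "catalogs:", sorted(effective_catalogs(user)))
        print(user, "Company/Write:", sorted(effective_restrictions(user)["Company"]["Write"]))
    print("merged across roles:", users_with_merged_values("Company", "Write"))
```

Run the script on your own export by replacing the three lists with the rows from the tabs; `users_with_merged_values` lists exactly the users the post warns about, those whose combined roles grant values on a field that no single assigned role grants by itself.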