Dear finance experts,
with the latest incremental release of SAP S/4HANA Cloud for advanced financial closing on January 23, 2022, the access management abilities of the solution were massively enhanced.
Background of this update
Segregation of duties is a central requirement when it comes to authorization control. It ensures that no individual user has the authorization to execute a process end-to-end. Instead, the respective authorizations are distributed across several people, each responsible for a specific part of the process.
In the context of financial closing, the requirements regarding access controls are very diverse and vary depending on the organizational and process setup of each customer. The enhanced access management abilities provide a flexible basis for granting access by providing fine-granular access levels that can be combined into roles as required. In this blog post, I will introduce you to the new access management features of SAP S/4HANA Cloud for advanced financial closing and give you tips on how to prepare for the switch to the new user role maintenance.
Scoped user roles
The Manage User Roles app within the configuration of SAP S/4HANA Cloud for advanced financial closing now allows you to create so-called “Scoped User Roles”. This means that each user role you create is applied to actions within a specific part or process step of the financial close, allowing for a clean and built-in separation of authorizations between design time and run time of closing task lists. We distinguish between two distinct scopes here:
Task List Creation
User role for the setup and maintenance phase of task lists and their respective templates. Access rights are applied in the following apps:
- Define Closing Tasks (future: Manage Closing Task Lists)
- Change Log
Task Processing
User role for the execution phase of closing tasks and their monitoring. Access rights are applied in the following apps:
- Process Closing Tasks
- Approve Closing Tasks
- Financial Close Overview
- Closing Task Completion
- Change Log
New access levels
Feedback from our customers has shown that a mere distinction between read and write access is not enough to meet all the requirements for a complex setup of closing responsibilities in large multinational organizations. Therefore, the new user role maintenance comes with a much more fine-granular set of access levels. On the one hand, this allows for a strict segregation of duties. On the other hand, several access levels can also be bundled into one user role, depending on the needs of the respective organization.
Access levels for “Task List Creation” scope
The major enhancements regarding access levels for the task list creation are as follows:
- Authorization to create and copy templates is no longer part of the static authorization to access the application and must be granted separately, which makes a clean read-only access possible.
- Authorization to generate task lists and change their status has been carved out into a separate access level so that it can be treated as a distinct responsibility.
- As a preparation for the Manage Closing Task Lists app announced for February (successor of the Define Closing Tasks app), you can already maintain the “User Assignment” access level, which will provide authorization for a separate quick action to maintain the user responsible and processing user. This means that one group of people (e.g., a central team in the HQ) can maintain the closing structures while other groups (e.g., decentral teams in the subsidiaries) maintain the task responsibilities, which is especially helpful in complex organizational setups.
Access levels for “Task Processing” scope
Similarly, fine-granular access levels are also available for task processing. Apart from basic read access, the following authorizations are offered:
- Approving and rejecting closing tasks
- Assigning users as user responsible or processing user
- Changing parameters for task execution
- Changing plan values of tasks, such as planned start and duration
- Processing-related activities on task level, for example scheduling and status changes
Cutover to new concept
The scoped user roles including the new fine-granular access levels are planned to be released in January 2022 as an addition to the existing user roles. This gives you the chance to get familiar with the new maintenance UI and set up and test user roles along the new access levels. All new roles should be set up as scoped user roles from now on since the new user role maintenance will replace the old UI which is planned to be set to read only in May 2022. An adjustment to the default authorizations attached to the direct assignment of users as owner, user responsible, and processing user is planned to follow in August 2022, concluding the switch to the new authorization concept.
As of the January release, we recommend the following actions:
Task List Creation
Create and assign user roles for authorization to create task list templates
Authorization to create new task list templates and to copy existing ones must now be granted explicitly.
What you need to do:
- Immediately check which users without unrestricted write access require authorization to create new templates.
- For those users that require authorization to create task list templates but don’t have unrestricted write access, create a new user role:
  - Scope: Task List Creation
  - Restriction: Unrestricted
  - Authorizations: Read, Create
- Assign the user role to the respective users.
Review owner or owner group
A field for the owner of a template or task list has already been introduced in a previous release. Initially, the creator is set as the owner of a template. However, you can still change the owner or owner group later.
What you should do:
Review who should own a template or task list and is responsible for its setup and maintenance. This person or group must be maintained in the “Owner” field and not in the “User Responsible” field. Owners have edit rights in the Manage Closing Task Lists app and don’t need an additional role unless they need further authorization such as generating task lists out of templates.
Decide how to model the roles along the new access levels
While your existing user roles can still be used, the new access levels give you more options than a mere distinction between read and write access.
What you should do:
If you want a stricter segregation of duties, for instance, you can create separate user roles to grant authorization for editing templates on the one hand and generating task lists and changing task list status on the other hand.
If you want to keep the current role setup, we recommend that you already familiarize yourself with the new user roles and access levels. You can already create scoped user roles and bundle different access levels into one role, if desired.
When you assign scoped user roles to users, make sure to remove the existing roles as the new authorizations always apply in addition to the existing ones.
Task Processing
Create and assign user roles for clean read-only access
The current read authorization also includes some processing-related actions. The scoped user roles now allow you to grant clean read access to users who shall only be able to observe the task processing.
What you should do:
- Identify the users who need read-only access.
- Create a scoped user role:
  - Scope: Task Processing
  - Type: System-dependent or system-independent, depending on your setup
  - Restriction: Unrestricted or restricted, depending on your setup
  - Authorizations: Read
- Assign the scoped user role to the respective users and remove the old user role.
Decide how to model the roles along the new access levels
While your existing user roles can still be used, the new access management gives you a higher granularity in defining and bundling access levels.
What you should do:
If you want a stricter segregation of duties or a different bundling of access levels, you can create separate user roles to grant authorization for processing or editing tasks.
If you want to keep the current role setup, we also recommend here that you already familiarize yourself with the new user roles and access levels and create scoped user roles.
When you assign scoped user roles to users, make sure to remove the existing roles as the new authorizations always apply in addition to the existing ones.
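Two points in this post are easy to get wrong in practice: authorizations from all assigned roles are additive, so a scoped read-only role next to a legacy role does not produce read-only access, and a strict segregation of duties (for example, editing templates versus generating task lists and changing their status) only holds if no single user ends up with both access levels across all of their roles. The following script is an added example, not code from SAP or from this post: it models scoped roles with the scopes and access levels named above, computes each user's effective authorizations as the union of their roles, and reports users who still hold a legacy role next to a scoped one, read-only users with more than read access, and conflicting access-level pairs. The role names, user IDs, short access-level identifiers, the conflict list, and the modelling of legacy read access as "Read plus some processing-related actions" are constructed assumptions for the illustration.

```python
"""Audit of scoped user role assignments (added example; all names constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple, Union

# The two scopes named in the post.
TASK_LIST_CREATION = "Task List Creation"
TASK_PROCESSING = "Task Processing"

# Access levels per scope as listed in the post; the short identifiers are constructed.
CREATION_LEVELS = ("Read", "Create", "Generate", "UserAssignment")
PROCESSING_LEVELS = ("Read", "Approve", "AssignUsers", "Parameters", "PlanValues", "Processing")


@dataclass(frozen=True)
class ScopedRole:
    name: str
    scope: str
    restriction: str                 # "Unrestricted" or "Restricted"
    authorizations: FrozenSet[str]   # fine-granular access levels within the scope


@dataclass(frozen=True)
class LegacyRole:
    """Pre-cutover role that only distinguishes read and write."""
    name: str
    write: bool


Role = Union[ScopedRole, LegacyRole]
Auth = Tuple[str, str]   # (scope, access level)


def legacy_effect(role: LegacyRole) -> Set[Auth]:
    """Assumption: legacy write covers every level in both scopes; legacy read
    is Read plus the processing-related actions the post says it still includes."""
    if role.write:
        return ({(TASK_LIST_CREATION, a) for a in CREATION_LEVELS}
                | {(TASK_PROCESSING, a) for a in PROCESSING_LEVELS})
    return {(TASK_PROCESSING, "Read"), (TASK_PROCESSING, "Processing")}


def effective_authorizations(roles: Sequence[Role]) -> Set[Auth]:
    """Authorizations are additive: the union of everything each assigned role grants."""
    eff: Set[Auth] = set()
    for r in roles:
        if isinstance(r, LegacyRole):
            eff |= legacy_effect(r)
        else:
            eff |= {(r.scope, a) for a in r.authorizations}
    return eff


# Access-level pairs one user should not hold together under strict segregation of duties.
# First pair is the split described in the post; the second is an assumed maker/checker policy.
SOD_CONFLICTS: List[Tuple[Auth, Auth]] = [
    ((TASK_LIST_CREATION, "Create"), (TASK_LIST_CREATION, "Generate")),
    ((TASK_PROCESSING, "Processing"), (TASK_PROCESSING, "Approve")),
]


def audit(assignments: Dict[str, Sequence[Role]],
          read_only_users: Set[str]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for the three checks described in the lead-in."""
    findings: List[Tuple[str, str]] = []
    for user, roles in assignments.items():
        eff = effective_authorizations(roles)
        has_legacy = any(isinstance(r, LegacyRole) for r in roles)
        has_scoped = any(isinstance(r, ScopedRole) for r in roles)
        if has_scoped and has_legacy:
            findings.append((user, "legacy-role-still-assigned"))
        if user in read_only_users and any(level != "Read" for _, level in eff):
            findings.append((user, "read-only-user-has-more-than-read"))
        for a, b in SOD_CONFLICTS:
            if a in eff and b in eff:
                findings.append((user, f"sod-conflict:{a[1]}+{b[1]}"))
    return findings


# Constructed sample data: three roles and three users.
ROLE_PROC_READ = ScopedRole("AFC_PROC_READ", TASK_PROCESSING, "Unrestricted", frozenset({"Read"}))
ROLE_TL_EDIT = ScopedRole("AFC_TL_EDIT", TASK_LIST_CREATION, "Unrestricted", frozenset({"Read", "Create"}))
ROLE_TL_GENERATE = ScopedRole("AFC_TL_GENERATE", TASK_LIST_CREATION, "Unrestricted", frozenset({"Read", "Generate"}))
LEGACY_READ = LegacyRole("AFC_OLD_READ", write=False)

SAMPLE_ASSIGNMENTS: Dict[str, Sequence[Role]] = {
    "auditor": [ROLE_PROC_READ, LEGACY_READ],       # old role not removed after the switch
    "hq_admin": [ROLE_TL_EDIT, ROLE_TL_GENERATE],   # edits templates and generates task lists
    "observer": [ROLE_PROC_READ],                   # clean read-only access
}
SAMPLE_READ_ONLY = {"auditor", "observer"}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_ASSIGNMENTS, SAMPLE_READ_ONLY):
        print(f"{user}: {finding}")
```

Run against the sample data, the audit flags the auditor twice (the legacy role is still assigned, and through it the user keeps processing-related actions despite the scoped read role) and the HQ administrator once for holding both template editing and task list generation; the observer, who holds only the scoped read role, produces no finding. The conflict list is deliberately a plain data structure so that it can be adjusted to whatever split of responsibilities an organization decides on.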
Summary
The enhanced access management abilities provide you with greater flexibility and more options when it comes to ensuring segregation of duties and bundling access levels according to your organization’s requirements. The parallel availability of both access management concepts allows you to smoothly transition to the scoped user roles.
Stay tuned!
For more information on SAP S/4HANA Cloud for advanced financial closing, check out the following links:
Follow us via @SAP and #AdvancedFinancialClosing, or myself via Jana Kasselmann.
Disclaimer
Please note that SAP S/4HANA Cloud for advanced financial closing gets frequent updates and enhancements. Therefore, the current features and functions may not be exactly as described here. For the latest information, you can refer to the product documentation on the SAP Help Portal.