Setting up user access and authorization for SAP Fiori apps in SAP DRC involves a comprehensive understanding of the authorization model, configuring user roles, and managing access through business catalogs and app authorization variants.
This process ensures that you have the appropriate permissions to access the necessary apps and perform your job functions effectively.
Let’s look at some key elements that are critical to understanding the authorization model, as follows:
SAP Fiori employs a combination of business roles, business catalogs, and target mappings to control user access. Business roles define the actions you can perform, while business catalogs group related apps that you can access.
Each SAP Fiori app is linked to target mappings, which define how the app is launched from the SAP Fiori launchpad. These mappings are crucial for ensuring you can access the correct applications based on your roles.
Users are assigned business roles that determine their access to various SAP Fiori apps. Each role can be associated with one or more business catalogs, which contain the apps relevant to that role. As shown in the figure below, you can select the business role from variety of roles provided by SAP and then the technical team can help you assign this with your user role.
These catalogs are collections of apps that you can access. They can be standard catalogs provided by SAP or custom catalogs created to meet specific business needs. Each catalog references the target mappings necessary for launching the apps.
This feature allows for granular control over app access. AAVs can be assigned to individual apps, enabling precise control over which users can access specific functionalities within the apps.
Let’s now look at the three key tasks in configuring user roles and access.
Use Transaction PFCG to create and manage business roles. Assign the necessary authorizations and link them to the relevant business catalogs. Once you go to Transaction PFCG, you’ll be able to see the role, and you’ll get the Edit option, as shown here.
Ensure that the business catalogs linked to the roles contain all the necessary apps. This can be done through the SAP Fiori launchpad designer. In the figure below, you can see the Launchpad Catalog being assigned to the business role.
In our example in the figure below, you can see that we begin by creating a user in the SAP system. This involves entering the user’s personal information and assigning a unique user ID. Once the user is created, you can proceed to assign the roles and authorizations that align with the user’s job functions.
Learn more about SAP DRC here.
Editor’s note: This post has been adapted from a section of the book SAP Document and Reporting Compliance: The Comprehensive Guide for Finance and Tax by Genevieve Watson, Eliza Alberts-Muller, and Iain MacIntosh. Genevieve is an experienced tax ERP and transformation leader, and a Partner within Deloitte's Tax Technology Consulting team. Eliza is a Partner within Deloitte‘s Tax Technology Consulting team with close to 20 years of experience in (indirect) tax and tax technology gained both in industry and consulting. Iain is a Principal at Deloitte with more than 25 years of experience implementing SAP.
This post was originally published 2/2026.