Comprehensive and Detailed Explanation From Exact Extract:

In RAP/ABAP Cloud, authorization objects define authorizations for roles and are invoked from CDS (read) and behavior (modify). This ties app operations to authorization objects and roles administered in IAM.

RAP services are exposed for Fiori apps via service bindings; the resulting Fiori app uses the service and its enforcement (which includes the authorization objects configured for roles). Putting it together for S/4HANA Cloud IAM: Apps carry/trigger checks based on authorization objects; Business Catalogs collect apps; Business Roles collect catalogs; Business Users are assigned roles. This aligns with the ABAP Cloud guidance that authorizations are grouped into roles and checked against authorization objects during access.

===========