Comprehensive and Detailed Explanation From SAP S/4HANA Cloud Public Edition, Management Accounting documents:

The security and authorization model in SAP S/4HANA Cloud is built on the relationship between business roles and business catalogs. A business role is a collection of one or more business catalogs that grant the necessary permissions for a user to complete specific job tasks. While catalogs contain the technical links to apps and data, they are "mixed and matched" within a business role to create a custom profile tailored to a customer's specific organization.

Furthermore, a business role restricts access to one or more business catalogs. Within the "Maintain Business Roles" app, administrators can define specific restrictions—such as limiting "Read" or "Write" access—at the catalog level for that role. This allows for fine-grained control over what a business user can view or edit within the applications granted by the catalogs. Every business role must also be assigned to a Space and Page to define how the apps provided by these catalogs are visually organized on the SAP Fiori Launchpad.