S4H_790 IAM - Authorization Concept Guidelines for S4HANA Cloud.pptx
- 1. CUSTOMER
SAP S/4HANA Cloud, extended edition
September 25, 2020
Identity and Access Management (IAM)
Authorization Concepts for 3 Tier Landscape
Approach
- 2. Agenda
© 2020 SAP SE or an SAP affiliate company. All rights reserved.
Purpose of this Document
Overview
Purpose of the Different Systems
Development System
Quality System
Production System
Authorization Guidelines for Different Systems
Development System Authorization Guidelines
Quality System Authorization Guidelines
Production System Authorization Guidelines
- 3. Purpose of this Document
The purpose of this document is to describe the Identity and Access Management (IAM)
Authorization Concept approach for 3-tier landscapes (Development, Quality, Production) for an
implementation project's development, testing and cutover phases, as well as the approach for
maintaining an operational system.
- 5. Overview: Systems
The Authorization Concept must be determined for all the systems provided with the solution and all
potential users, not just for the Production System and the business users.
The systems provided with SAP S/4HANA Cloud, extended edition are as follows:
• Development System (DEV)
• Quality System (Q)
• Production System (PRD)
The purposes of the Development System, the Quality System, and the Production System are
significantly different from each other. Therefore, when determining their authorization, the needs of a
project team member or post-go-live support user are significantly different from those of a business user.
The Authorization Concepts are defined by guidelines as described in the following slides.
- 7. Development System: What is this system initially used for?
The Development System is where the project team members work to define what the solution will
look like, utilizing preconfigured business processes and any customer-specific configuration during
the fit-to-standard, planning and design processes, and documenting backlog items and delta
requirements.
What activities are typically performed in the Development System for Authorization?
• Master Data Definition and Creation
• SAP Configuration
• SAP Custom Development
• SAP Security, Roles, and Authorizations
• Unit Testing of Configuration, Development Objects, and Security Roles
• Release of Configuration, Development and Security Transports for import to the Quality System
• Audits of Unit Testing
- 8. Development System: What is this system used for after Go-Live?
After the Project Go-Live, the Development System is used to support the operation of the
Production Landscape.
What activities are typically performed in the Development System after Project Go-Live, when the Production
System is in use, for Authorization?
• Production System defect investigation.
• Corrections/bug fix application and testing prior to introduction into the Quality System.
• Upgrade of applications and testing prior to introduction into the Quality System.
• New Enterprise Extension activation.
• New functionality, business processes, and testing.
• Role maintenance and transport creation.
- 9. Quality System: What is this system initially used for?
The Quality System is where the project team members build upon the work done in the
Development System by testing end-to-end integrated business processes in a Production-like
environment.
What activities are typically performed in the Quality System for Authorization?
• Master Data Definition and Creation.
• SAP Client-Specific Configuration (example: number ranges).
• Integration testing of configuration, development objects, and security roles in end-to-end business
processes.
• Authorization Tracing for any authorization incidents.
• User Acceptance Testing.
• Release of configuration, development, and security transports for import to the Production System.
• Audits of Integration Testing.
• End User Training (optional).
• Performance Testing (optional).
- 10. Quality System: What is this system used for after Go-Live?
After the Project Go-Live, the Quality System is used to support the operation of the Production
Landscape.
What activities are typically performed in the Quality System after Project Go-Live, when the Production
System is in use, for Authorization?
• Production System defect investigation.
• Corrections/bug fix application and testing prior to introduction into the Production System.
• Upgrade of applications and testing prior to introduction into the Production System.
• New Enterprise Extension activation.
• New functionality and business process creation and testing.
• Testing of Role changes prior to import into the Production System.
- 11. Production System: What is this system initially used for?
Initially, the Production System is where the project team members are assumed to execute Mock
Cutovers (practice cutovers) to ensure that the build of the Production System will be successful and
that the business processes will work as designed for the business end-users.
What activities are typically performed in the Production System for Authorization?
• Master Data Definition and Creation using Conversions.
• SAP Configuration (example: number ranges).
• SAP Custom Z-Table Data Entry through manual entry and/or through data loads.
• SAP Roles and Authorizations transport import.
• Testing of configuration, development objects, and security roles and authorizations.
• Validation of configuration, development, and authorization and role transports imported from the Quality
System.
• Smoke testing of all in-scope business processes to ensure proper operation once a Mock Cutover is
completed.
• Audits of Mock Cutover testing.
- 12. Production System: What is this system used for after Go-Live?
After the Project Go-Live, the Production System is used to operate the business.
What activities are typically performed in the Production System after Project Go-Live, when the Production
System is in use, for Authorization?
• Execution of all in-scope business processes designed by the project for use in the Production System.
• Smoke testing of all in-scope business processes to ensure proper operation once the Production Cutover
activities to build the Production System are completed.
• Production System defect investigation.
• Corrections/bug fix application after testing in the Development and Quality Systems.
• Import of transports for any new functionality introduced.
• Role assignment to users.
• Authorization tracing to investigate any authorization issues.
- 14. System Authorization Considerations
Authorization Concepts are dependent upon the following:
• Who needs the authorization?
• For what System do they need authorization?
• What Activities do they need to perform in a particular SAP System?
• How long do they need the authorization in a particular SAP System?
- 15. System Authorization Guidelines: Development System
These Development System guidelines are for the Project Team and Production Support Teams.
In the Development System, during a project, the authorization concept used is to give each Project
Team and Production Support Team Member as much access as possible.
Follow these Development System Authorization guidelines:
#1: Limit a user's access where their actions would cause significant problems, such as damage
requiring a system restoration or unnecessary additional costs.
▫ Example 1: A Configurator would have display access only and would not be given change access to the SAP Switch
Framework to activate enterprise extensions, because some of these extensions are irreversible; if one were activated by a
user, a system restore from backup would be required to correct the issue, resulting in lost project time and additional
project costs.
▫ Example 2: A Configurator would not have a developer's license, as that license is an additional cost and the configurator
does not have the responsibility to write custom code.
#2: Limit a user's access where there is a separation of duty requirement.
▫ Example 1: The configurator and developer will not have authorization to release their own transports, as the company
has decided that it wants a separation of duty in this area to control the transports released to the Quality
Assurance system.
▫ Example 2: Role administration and Basis administration need to be separated.
▫ Example 3: Configurator
- 16. System Authorization Guidelines: Quality System
In the Quality System, during a project, the authorization concept used is a combination of the
Development System and Production System Authorization Concepts.
Follow these Quality System Authorization guidelines:
#1: Limit a Project Team and Production Support Team User's access where their actions would
cause significant problems, such as damage requiring a system restoration or unnecessary additional
costs.
• Project Team and Production Support Team Members should continue to have broad access in the Quality System.
#2: Limit a Project Team/Production Support Team User's access where there is a separation of
duty requirement.
#3: Limit a Business User to the same authorization they have in their Production System.
#4: Limit a Test User to the same authorization as the position for which they were created.
- 17. System Authorization Guidelines: Production System
In the Production System, the Authorization Concept used is dependent upon the state of the
Production System. For the purpose of this document, the three states are:
1. Before Production Go-Live
The Project Team will execute Mock Cutovers and validate the results of those Mock Cutovers.
The Business Users will execute Smoke Tests to validate that the business processes are working as
expected after a Mock Cutover is completed.
2. During Cutover for Production Go-Live
The Project Team will execute the Production Go-Live Cutover and validate the results.
The Business Users will execute Smoke Tests to validate that the business processes are working as
expected.
3. After Production Go-Live
The Production Support Team will investigate Production Defects.
The Business Users will execute the in-scope business processes.
- 18. System Authorization Guidelines: Production System
Before Production Go-Live
Project Team members: should have the access needed to execute the Mock Cutover Activities that
they are responsible for.
Business Users: should have authorization equivalent to their Production System access in order to
execute Smoke Tests.
Production Support Team members: should have access to the various firefighter user IDs and use
them to troubleshoot any issues identified during Mock Cutover where Production System access
beyond that of a normal Business User is required.
Follow these Production System (Before Production Go-Live) Authorization guidelines:
#1: Limit the Project Team Users' access to only what is needed for them to execute their Mock Cutover
Activities.
#2: Limit the Business Users' access to their Production System access.
#3: Limit the Production Support Team Users' access to only those firefighter roles created for
troubleshooting issues.
- 19. System Authorization Guidelines: Production System
During Cutover for Production Go-Live
Project Team members: should have the access needed to execute, and to validate, the Production
Go-Live Cutover Activities that they are responsible for.
Business Users: should have authorization equivalent to their Production System access in order
to execute Smoke Tests to confirm that the system is functioning properly after the Project Team
has validated that the Cutover Activities supporting the Business Process are successfully
completed.
Production Support Team members: should confirm that the firefighter user IDs provide the
designed access for troubleshooting in the Production System.
Follow these Production System (During Cutover for Production Go-Live) Authorization guidelines:
#1: Limit a Project Team User's access to only what is needed for them to execute and validate their
Production Go-Live Cutover Activities.
#2: Limit a Business User's access to their Production System access.
#3: Temporarily allow the Production Support Team members to use their various firefighter user IDs to
confirm that they provide the desired access for troubleshooting.
- 20. System Authorization Guidelines: Production System
After Production Go-Live
Project Team members: should not have any project-related access to the Production System.
Business Users: should have their normal Production System access in order to execute any in-scope
business processes for which they are responsible.
Production Support Team members: should not have any project-related access to the Production
System, but would be able to utilize the firefighter user IDs for limited periods of time in order to
troubleshoot issues identified by Business Users in the Production System.
Follow these Production System (After Production Go-Live) Authorization guidelines:
#1: Remove a Project Team User's access related to any project-specific activities.
#2: Provide the Business User with their normal Production System access.
#3: Temporarily allow the Production Support Team members to use their various firefighter user IDs only
when an issue identified in the Production System by the Business Users needs to be investigated in that
System.
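The four questions of the System Authorization Considerations slide (who, which system, which activities, how long), the separation-of-duty rule from the Development System guidelines, and the state-dependent Production System guidelines on slides 17 to 20 can be expressed as a single policy decision. The block below is an added example written for this page; it is not SAP code and does not use any SAP API. The Team, System and Phase names, the activity strings, the four-hour firefighter window, the sample users and the default-deny fallback (including denying business users in the Development System, which the deck does not address) are assumptions made for illustration.

```python
# Policy-as-code sketch of the guidelines in this deck. Added example, not SAP code
# or an SAP API: Team/System/Phase names, activity strings, the 4-hour firefighter
# window and the default-deny fallback are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class System(Enum):
    DEV = "DEV"
    Q = "Q"
    PRD = "PRD"


class Team(Enum):
    PROJECT = "project team"
    SUPPORT = "production support team"
    BUSINESS = "business user"


class Phase(Enum):  # state of the Production System
    BEFORE_GO_LIVE = 1
    CUTOVER = 2
    AFTER_GO_LIVE = 3


# Constructed activity groups standing in for roles / authorization objects.
IRREVERSIBLE = {"activate_enterprise_extension"}  # display only (DEV guideline #1)
MOCK_CUTOVER = {"mock_cutover", "validate_mock_cutover"}
CUTOVER = {"cutover", "validate_cutover"}
TROUBLESHOOTING = {"authorization_trace", "defect_investigation"}  # firefighter roles


@dataclass(frozen=True)
class FirefighterSession:
    """Time-boxed firefighter use, tied to an issue a Business User reported."""
    user: str
    ticket: str
    opened: datetime
    ttl: timedelta = timedelta(hours=4)  # assumed "limited period of time"

    def active_at(self, now: datetime) -> bool:
        return self.opened <= now < self.opened + self.ttl


@dataclass(frozen=True)
class Request:
    user: str
    team: Team
    system: System
    activity: str
    at: datetime
    phase: Phase = Phase.AFTER_GO_LIVE      # only relevant for PRD
    transport_owner: Optional[str] = None   # set for release_transport


def decide(req: Request, prod_entitlements: Dict[str, Set[str]],
           sessions: List[FirefighterSession]) -> Tuple[bool, str]:
    """Answer who / which system / which activity / how long; deny by default."""
    # Separation of duty: nobody releases their own transport (DEV guideline #2).
    if req.activity == "release_transport" and req.transport_owner == req.user:
        return False, "SoD: a user may not release their own transport"

    if req.team == Team.BUSINESS:
        # Q guideline #3 and every PRD phase: the same access as in Production.
        if req.system != System.DEV and req.activity in prod_entitlements.get(req.user, set()):
            return True, "matches Production entitlement"
        return False, "business users get only their Production entitlements, in Q and PRD"

    if req.system in (System.DEV, System.Q):
        # Broad access for project and support teams, minus restore-risk actions.
        if req.activity in IRREVERSIBLE:
            return False, "display only: irreversible change would need a system restore"
        return True, "broad project access in DEV/Q"

    # Production System: the answer depends on its state.
    if req.team == Team.PROJECT:
        if req.phase == Phase.BEFORE_GO_LIVE and req.activity in MOCK_CUTOVER:
            return True, "mock cutover activity"
        if req.phase == Phase.CUTOVER and req.activity in CUTOVER:
            return True, "go-live cutover activity"
        return False, "project team has no project-related access to PRD in this phase"

    # Production Support: PRD only through firefighter roles, and only while a session is open.
    if req.activity not in TROUBLESHOOTING:
        return False, "support team is limited to firefighter troubleshooting roles"
    if req.phase == Phase.CUTOVER:
        return True, "confirming firefighter access during cutover"
    for s in sessions:
        if s.user == req.user and s.active_at(req.at):
            return True, f"firefighter session for {s.ticket}"
    return False, "no active firefighter session tied to a reported issue"


# Constructed sample data.
ENTITLEMENTS = {"bob": {"post_invoice", "release_payment"}}
SESSIONS = [FirefighterSession("sam", "INC-0001 (constructed)", datetime(2020, 9, 25, 9, 0))]
T0 = datetime(2020, 9, 25, 10, 0)

if __name__ == "__main__":
    for r in (Request("ann", Team.PROJECT, System.DEV, "release_transport", T0, transport_owner="ann"),
              Request("sam", Team.SUPPORT, System.PRD, "authorization_trace", T0 + timedelta(hours=5))):
        print(r.user, r.system.value, r.activity, decide(r, ENTITLEMENTS, SESSIONS))
```

The point of the sketch is that the "how long" question is answered by data (an open, time-boxed firefighter session tied to a reported issue), not by a permanent role assignment, and that the same request from the same user is answered differently depending on the state of the Production System.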
- 22. © 2020 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.
www.sap.com/contactsap