Fiori and S/4 authorizations: "What are the biggest challenges, and where do the risks lie?"
Many SAP customers are currently planning to implement SAP S/4HANA or are already making the transition. Besides the extensive new architectural aspects involved, implementing S/4HANA and Fiori also changes quite a few longstanding rules in the area of SAP authorizations.
A number of transactions - some of which veteran SAP ERP users have come to hold dear - have either been integrated into other transactions, replaced by Fiori apps, or simply eliminated. Meanwhile, the consistent use of OData services in the context of Fiori has resulted in a variety of ramifications with regard to security design in both the front and back end.
For information in German, please contact us: sast@akquinet.de
2. Main topics
S/4HANA and Fiori: which areas of the SAP security architecture are affected?
Effects on the authorization concept: revision or redesign?
Pitfalls during implementation
Effects on the SOD rules: what needs to be modernized to stay safe?
Experiences from accompanied projects
How can akquinet's expertise and solutions help you implement an S/4HANA security concept efficiently, quickly and cost-effectively?
3. Fiori and S/4HANA Authorizations
[Diagram: Technology, GRC Rule Set, Project, Authorization, System, People/User]
The connections between these areas are often tightly intertwined ...
5. S/4HANA / Fiori Frontend Server (FES): recommended architecture
The embedded deployment of the frontend server mainly serves as a starting point for getting to know the Fiori gateway architecture, or for small deployment scenarios. For productive operation, SAP recommends the "Central Hub Deployment" option.
Advantages of a dedicated frontend server:
Only one frontend server needs to be installed and maintained.
The software lifecycle of the frontend server is decoupled from that of the backend server (patching).
Innovations in the area of SAP Fiori UIs can be rolled out independently of the backend server.
Security requirements (system hardening) need to be implemented only once, on the frontend server.
A dedicated frontend server is easier to integrate into network zones (e.g. a DMZ).
Caveat: scaling out to multiple Fiori frontend servers brings greater complexity and investment.
6. Fiori and S/4HANA Authorizations
7. SAP ECC vs. S/4HANA: Access Levels
Users need authorizations on up to three access levels (frontend server, backend system and, for analytical apps, the SAP HANA database).
8. What are the changes for S/4HANA Authorizations?
Changes on application level*
Obsolete transaction codes: 4,147
Replaced SAP GUI transaction codes: 318
SAP GUI transaction codes with a Fiori-only replacement: 18
Examples:
Transaction BP replaces 54 transaction codes in the areas of customer and vendor master data.
Transaction CJ20N replaces 31 transaction codes in the area of project management.
*Figures based on S/4HANA 1709
13. Consequences for the authorization concept: revise or redesign?
Revise, if:
Brownfield approach by system conversion
The current authorization and role concept is of high quality and "clean"
Minimal use of Fiori (e.g. only the mandatory Fiori app for bank account management)
Redesign, if:
Greenfield approach
Brownfield approach with comprehensive use of Fiori, or when the current authorization and role concept is due for a redesign anyway
No plug-and-play!!
15. SAP S/4HANA – important new authorization objects
16. Fiori and S/4HANA Authorizations
17. Effects on the SOD rule set: what needs to be modernised? In a nutshell: almost everything.
General: S/4HANA is not ERP!
Many known transaction codes have changed in content and perform additional or different authorization checks.
Compared to SAP ECC, 16,000 transaction codes have been added.
Well-known transactions were often either merged into other transactions or Fiori apps, or deleted completely (keywords: Business Partner, Bank Account Management, Credit Management).
In addition to traditional transactions, the OData services on which the Fiori apps are based must also be included in SOD processes. Attention: the hash values of the TADIR services (as used in S_SERVICE) may change from release to release, so rule sets keyed on them must be re-validated after every upgrade.
Because SAP recommends the hub deployment of the SAP Gateway, SOD analyses will generally be cross-system in the future: frontend server and backend have to be evaluated together.
18. Effects on the SOD rule set: what needs to be modernised? Sensitive access (single critical authorizations)
Hundreds of new critical basis transactions (including the /UI2/ namespace) are not covered by conventional SOD rule sets.
S_TABU_DIS, S_TABU_CLI, etc. govern only generic table access and are no longer sufficient to protect against unauthorized data access. To protect access to CDS views (Core Data Services), which Fiori apps read through OData, you may need to create your own authorization objects (checked, for example, from a CDS access control) and include them in the SOD rule set.
19. Effects on the SOD rule set: what needs to be modernised? Segregation of duties
The changed business processes of S/4HANA must be taken into account in the SOD rule set.
The numerous discontinued / transferred transactions must be updated in the rule set.
OData services behind Fiori apps must be mapped to SOD processes.
20. Defining an S/4HANA authorization check rule set
1. Identify the Fiori apps in scope of your application architecture.
2. Assign the Fiori apps to transaction codes.
3. Assign the Fiori apps to processes (business functions).
4. Identify the processes of your SOD rule set that must be created or changed.
5. Identify the relevant OData services for the Fiori apps.
6. Check and update the SU24 values for the services.
7. Update your rule set.
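The seven steps above, together with the point from slide 17 that OData services must be mapped into SOD processes and analysed across frontend and backend, as an added example that is not part of the original deck and not code from akquinet, SAST or SAP: a small Python script that builds the process map from a Fiori app list, merges a user's grants from both systems, and then runs the SOD and critical-access check twice, once as a legacy rule set that knows transaction codes only and once with OData services as access points. Every role, app, service, process and user name is constructed sample data; the only real identifiers are the transactions BP, FB60, F110 and /UI2/FLPD_CUST.

```python
"""
Cross-system SOD analysis that treats the OData services behind Fiori apps as
access points of a business function, next to transaction codes.

Added example for this page; not code from akquinet, SAST or SAP.
All role, app, service, process and user names are constructed sample data.
"""
from __future__ import annotations

# Steps 1, 2 and 5: in-scope Fiori apps, the SAP GUI transactions they replace
# and the OData services they call (constructed; a real project takes this
# from the Fiori apps reference library and the system's service catalogue).
FIORI_APPS = {
    "ZAPP_MAINTAIN_SUPPLIER": {"tcodes": {"BP"},   "services": {"ZSUPPLIER_MASTER_SRV"}},
    "ZAPP_SUPPLIER_INVOICE":  {"tcodes": {"FB60"}, "services": {"ZFI_VENDOR_INVOICE_SRV"}},
    "ZAPP_PAYMENT_RUN":       {"tcodes": {"F110"}, "services": {"ZPAYMENT_RUN_SRV"}},
}

# Step 3: business function (process) of each app.
APP_TO_PROCESS = {
    "ZAPP_MAINTAIN_SUPPLIER": "Maintain supplier master",
    "ZAPP_SUPPLIER_INVOICE": "Post supplier invoice",
    "ZAPP_PAYMENT_RUN": "Execute payment run",
}

# Steps 4 and 7: conflicting process pairs, plus single critical access points
# that legacy rule sets miss (here a /UI2/ launchpad designer transaction).
SOD_RULES = [
    ("Maintain supplier master", "Post supplier invoice"),
    ("Post supplier invoice", "Execute payment run"),
]
CRITICAL_ACCESS = {"TC:/UI2/FLPD_CUST", "TC:SU01"}

# Frontend server roles grant catalogs (= apps); backend roles grant
# transactions and the S_SERVICE entries pulled in via SU24 (step 6).
# "TC:" marks a transaction code, "SRV:" an OData service.
FES_ROLES = {"Z_FES_AP_CLERK": {"ZAPP_SUPPLIER_INVOICE", "ZAPP_MAINTAIN_SUPPLIER"}}
BACKEND_ROLES = {
    "Z_BE_AP_CLERK": {"TC:FB60", "SRV:ZFI_VENDOR_INVOICE_SRV", "SRV:ZSUPPLIER_MASTER_SRV"},
    "Z_BE_TREASURY": {"TC:FB60", "TC:F110"},
    "Z_BE_FLP_ADMIN": {"TC:/UI2/FLPD_CUST"},
}
USERS = {
    "ALICE":   {"fes": {"Z_FES_AP_CLERK"}, "backend": {"Z_BE_AP_CLERK"}},
    "BOB":     {"fes": set(),              "backend": {"Z_BE_TREASURY"}},
    "CHARLIE": {"fes": set(),              "backend": {"Z_BE_FLP_ADMIN"}},
}


def build_process_map(apps: dict, app_to_process: dict) -> dict[str, set[str]]:
    """Step 4: every access point (transaction or service) of each business function."""
    processes: dict[str, set[str]] = {}
    for app, proc in app_to_process.items():
        points = processes.setdefault(proc, set())
        points |= {f"TC:{t}" for t in apps[app]["tcodes"]}
        points |= {f"SRV:{s}" for s in apps[app]["services"]}
    return processes


def effective_access(user: dict, apps=FIORI_APPS, fes_roles=FES_ROLES,
                     be_roles=BACKEND_ROLES) -> set[str]:
    """Access points across both systems. A grant on either side counts, which is
    the conservative view a cross-system (hub deployment) analysis has to take."""
    points: set[str] = set()
    for role in user["backend"]:
        points |= be_roles[role]
    for role in user["fes"]:
        for app in fes_roles[role]:
            points |= {f"SRV:{s}" for s in apps[app]["services"]}
    return points


def covered_processes(points: set[str], processes: dict, tcodes_only: bool = False) -> set[str]:
    """Business functions reachable via any of the user's access points.
    tcodes_only=True mimics a legacy rule set that knows transactions only."""
    if tcodes_only:
        points = {p for p in points if p.startswith("TC:")}
    return {proc for proc, needed in processes.items() if points & needed}


def analyze(users: dict, processes: dict, rules=SOD_RULES, critical=CRITICAL_ACCESS,
            tcodes_only: bool = False) -> list[tuple]:
    """Findings: ('SOD', user, process_a, process_b) or ('CRITICAL', user, access_point)."""
    findings = []
    for name, user in users.items():
        points = effective_access(user)
        procs = covered_processes(points, processes, tcodes_only)
        findings += [("SOD", name, a, b) for a, b in rules if a in procs and b in procs]
        findings += [("CRITICAL", name, p) for p in sorted(points & critical)]
    return sorted(findings)


if __name__ == "__main__":
    processes = build_process_map(FIORI_APPS, APP_TO_PROCESS)
    for label, only_tc in (("legacy rule set (transactions only)", True),
                           ("S/4HANA rule set (transactions + OData services)", False)):
        print(label)
        for finding in analyze(USERS, processes, tcodes_only=only_tc):
            print("  ", finding)
```

With the sample data, ALICE never had transaction BP assigned, yet she can maintain supplier master data through the Fiori app, because the frontend catalog and the backend S_SERVICE entry together give her ZSUPPLIER_MASTER_SRV. The transaction-only run therefore reports no conflict for her; the run that knows OData services reports the "Maintain supplier master / Post supplier invoice" conflict. BOB's classic FB60 / F110 conflict is found either way, and CHARLIE's /UI2/ transaction is flagged only because it was added to the critical access list.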
21. Fiori and S/4HANA Authorizations
22. How can we support you?
Our experience = your gain!
Benefit from our comprehensive knowledge in the areas of ECC and S/4HANA authorization.
With SAST Safe Go-Live Management, we have created an innovative solution that makes the authorization structures behind Fiori apps (OData) transparent, both through user tracing and through code inspection.
Benefit from our new "painkiller" for authorization design and SOD rule creation!
23. Take-home messages
1. Gain Fiori experience as early as possible, before implementing S/4HANA. Learning the design and handling of the SAP frontend (gateway) server is a key to success.
2. Implement a sandbox system as a "test drive" for IT and users.
3. Involve those affected by the project as participants at an early stage.
4. Your departments need a strong, leading hand in technology selection. Make your users think; avoid "wishing well" situations.
5. Think early about the target picture of your SAP S/4HANA architecture and its effects on the first steps.
6. Create your S/4HANA SOD matrix before creating the first role! Without defined SOD requirements, your new authorization roles will be risky again.
7. Be careful with catalogs and groups! Align Fiori catalogs, groups and roles with each other.
24. Note...
"The implementation of S/4HANA and Fiori without intensive planning and preparation to the dark side leads. Beware of the hatred of administrators and users you must, young Jedi."
Copyright: Walt Disney Motion Pictures Group, Inc.