
S/4HANA Authorizations

05/05/2022

Implementing Authorizations on SAP S/4HANA
Much more than a technical exercise

Christophe Decamps

Chris Walravens


Agenda
Introduction

Conceptual Build

Migration Options

Implementation Approach

Role Ownership

Specific Topics
• Spaces, Pages & Sections
• CDS Views Authorizations
• App Support
• S/4HANA and the Cloud
• HANA Authorizations XSC - XSA

Wrap-up


Introduction


Our S/4HANA Implementations


SAP GRC References


Conceptual Build


Terminology

Tiles: Grant access to Fiori apps and thus to S/4HANA functionality. Tiles are the way SAP functionality is presented and made accessible to the end user through the SAP Fiori launchpad. Technically, a tile's target mapping calls an SAP S/4HANA transaction code, a Web Dynpro application or a UI5 application.

Catalogs: Container of the technical definition of tiles and target mappings. The content of a catalog defines what functionality an end user has access to through the Fiori user interface.

Spaces, Pages, Sections: Container of tiles. The content of spaces, pages and sections defines what the end user sees on the screen after logging on. Spaces, pages and sections are purely used for structuring the presentation of tiles to end users; what the user may actually execute is determined by the catalogs and the PFCG authorizations.

Single roles: Container of transaction codes, Web Dynpro applications, Fiori catalogs and services, etc., together with the related authorizations (authorization objects and field values) needed to execute these transaction codes, Web Dynpro applications, tiles, etc.

Derived roles: Grant access to the same functionality as the single role they are derived from (the master role, whose menu and authorizations they inherit), but derived roles carry restrictions on organizational values (company code, plant, sales organization, ...).

Composite roles: Container of single and/or derived roles. Composite roles are a collection of single and derived roles, allowing a user to execute all tasks he/she needs to perform his/her daily job.


Conceptual Overview (as from SAP S/4HANA 2020)

(Diagram, reconstructed from the slide. Three columns: the PFCG objects, the Fiori content maintained with the Content Manager and the Manage Launchpad Spaces / Pages apps, and the S/4HANA functionality that is finally reached.)

PFCG
  Composite Role   S4H_C_C010_P010_SLS_MANAGER
    contains Derived Role   S4H_D_A_SDTR_SLSORD_C010_P010
      derived from Single Role   S4H_S_A_SDTR_SLSORD
        contains Catalog   C_S4H_A_SDTR_SLSORD   (plus the related authorizations)

Content Manager / Manage Spaces & Pages apps
  Catalog   C_S4H_A_SDTR_SLSORD   ->  Tiles and Target Mappings
  Space   ZSP_SLS_MNGR   ->  Page   ZPG_SALES   ->  Section   ZSC_SD_DOCS   ->  Tiles

Functionality
  Target Mapping  ->  Transaction Codes, WebDynpro Apps, UI5 Apps


SAP S/4HANA Authorizations Migration Options


Impact on Authorizations when migrating to SAP S/4HANA

Option 1 – Keep existing authorizations concept

Scenario: keep the existing authorizations concept. The bare minimum: (only) upgrade your existing authorizations concept.

Assumptions
• Keep on using (good old) SAP GUI
• No use of SAP Fiori (core PFCG tables only)

Minimum steps to be performed
• Perform SU25 (steps 2a to 2d) to update your USOBX_C / USOBT_C, the customer copies of the check indicators and default values
• Post-maintain your existing PFCG roles and regenerate the profiles

As with every SAP upgrade / release change, test all the roles in the new S/4HANA environment:
• New functionality
• New authorization objects
• New authority checks
• Etc.


Impact on Authorizations when migrating to SAP S/4HANA

Option 2 – Minimal Fiori use

The extent of use of SAP Fiori determines the effort needed for Fiori roles. Some functionality in S/4HANA is only available through Fiori, for example:
• Bank master data
• Commodity codes
• Etc.

For these functionalities Fiori roles need to be built:
• Build tiles, catalogs, spaces, pages & sections
• Build PFCG roles
• Test the new roles
• Assign the new roles


Impact on Authorizations when migrating to SAP S/4HANA

Option 3 – Full SAP Fiori optimized authorizations

All functionalities / business processes need to be translated into Fiori roles. Again, the extent of use of SAP Fiori determines the effort needed for Fiori roles.
• Build tiles
• Update / build catalogs & spaces / pages / sections
• Update / build PFCG roles
• Test the updated / new roles
• Assign the new roles (if any)


Prepare for SAP S/4HANA

(Diagram: the conceptual overview from the Conceptual Overview slide, labelled "Old Concept". The starting point is the existing build-up: composite role S4H_C_C010_P010_SLS_MANAGER, derived role S4H_D_A_SDTR_SLSORD_C010_P010, single role S4H_S_A_SDTR_SLSORD, catalog C_S4H_A_SDTR_SLSORD, space ZSP_SLS_MNGR, page ZPG_SALES, section ZSC_SD_DOCS, tiles and target mappings, reaching transaction codes, WebDynpro apps and UI5 apps.)

Implement / Upgrade to SAP S/4HANA

(Diagram: the same conceptual overview, annotated "Upgrade" on the PFCG role part (composite, derived and single roles) and "Add Fiori Part" on the catalog, the spaces / pages / sections and the tiles and target mappings.)


Implementation Approach


Before starting the authorizations work…

Don't (always) blame the authorizations person!

Fiori needs to be set up / activated on the S/4HANA system (task lists in STC01 / STC02, etc.)
• All necessary services need to be active
  ▪ SICF services (SICF)
  ▪ OData services (/IWFND/MAINT_SERVICE)
• System aliases need to be set correctly in every service (/IWFND/MAINT_SERVICE)
• For specific functionality, specific RFC aliases need to be configured (/IWFND/ROUTING)
• All services need to be executed once before they become visible in PFCG (/IWFND/MAINT_SERVICE)

An app that fails for a user may therefore fail because of an inactive service or a wrong alias, not because of the role.


Gather functionality

(Diagram: the conceptual overview, with the "Functionality" column (transaction codes, WebDynpro apps, UI5 apps) as the starting point.)

Obtain a flat list of needed apps & tiles

Sources of information
• STAD (workload statistics: which transactions and applications are actually executed)
• Functional workshops


Group tiles & target mappings in Fiori Catalogs

(Diagram: the conceptual overview, with the catalog C_S4H_A_SDTR_SLSORD and its tiles / target mappings as the focus.)

Apps (tiles + target mappings) need to be added to catalogs

Grouping of apps is like grouping tcodes
• The same (SOD) criteria apply

Expertum already has content for this


Fiori Catalogs: Expertum content

Expertum already has content
• > 2,800 apps already assigned to catalogs

Principle
• 1 app in 1 catalog


Fiori Catalogs: The Content Manager


Fiori Catalogs: The Content Manager (2)


Fiori Catalogs: Conceptual Choices

Group tiles and target mappings on subprocess level
• Tiles are the new (UI) technology to access your business processes; transaction codes are the "old" technology.
• Still, you keep on accessing the same business processes.
• In order to build catalogs that are free of Segregation of Duties (SOD) issues, you need to build them on subprocess level: a catalog that mixes two conflicting subprocesses can never be assigned without creating the conflict, whatever the role design around it.

Tiles and target mappings are contained in only 1 catalog
• For maintenance reasons, it is essential to include a specific tile / target mapping in only 1 catalog.


Add tiles to Fiori Spaces: the building of the Launchpad

(Diagram: the conceptual overview, with space ZSP_SLS_MNGR, page ZPG_SALES, section ZSC_SD_DOCS and the tiles as the focus.)

Spaces, Pages & Sections define what you see in Fiori
• Each Space is a menu item
• Each Page is a drop-down option
• Each Section is a folder on a Page
• Decide what tiles are shown or not
• The tile order is set in the Sections

Sources of information
• Functional workshops

Single roles: Bring catalogs, Spaces and authorizations together

(Diagram: the conceptual overview, with the single role S4H_S_A_SDTR_SLSORD as the focus: its menu holds the catalog C_S4H_A_SDTR_SLSORD and the space ZSP_SLS_MNGR, and its authorizations cover the transaction codes, WebDynpro and UI5 apps behind the tiles.)


Single Roles: Good old Profile Generator

(Screenshot of PFCG: the role menu can contain Spaces, Catalogs and Groups as Fiori launchpad nodes.)


Concept Builder: Design & Documentation tool


PFCG roles: Upload tool

Expertum has tools
• Role uploads
• The link between role, catalog(s) and space(s) is uploaded as well


Derived roles: The good old ones…

(Diagram: the conceptual overview, with the derived role S4H_D_A_SDTR_SLSORD_C010_P010 as the focus: it inherits menu and authorizations from S4H_S_A_SDTR_SLSORD, and the suffix C010_P010 carries the organizational-level restriction maintained in the restriction grid.)


Authorizations Restriction Grid


Single Role Testing

Single roles need to work on their own:
• When you assign a single role (in a composite role or directly to a user) you need to be sure it will work, independent of the other roles / the context.
• When you remove a single role (from a composite role or a user) you need to be sure the remaining roles / functionality still work. A lot of companies struggle with this, for example during remediation activities: a role that only worked because another role happened to supply a missing authorization breaks as soon as that other role is taken away.
• The importance only increases with Fiori.
• The chain from Fiori to the back end becomes longer: tile, target mapping, catalog, OData service and the back-end authorization objects all have to be covered by the role itself.
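As an added example (not from the deck), the following Python script models the single / derived / composite role build-up described on the Terminology slides and runs the "works on its own" check from this slide: for every app in a role's menu, the checks that app performs must pass with only that role's authorizations. S_TCODE and V_VBAK_VKO are the real SD authorization objects and VA01 / VA03 the real transaction codes; the role names follow the deck's convention; the per-app checks (APP_CHECKS) are a constructed stand-in for SU24 default values, and ranges (low/high) are left out of the value matcher.

```python
from dataclasses import dataclass


@dataclass
class Authorization:
    obj: str      # authorization object, e.g. V_VBAK_VKO
    fields: dict  # field -> tuple of permitted values / patterns


@dataclass
class SingleRole:
    name: str
    apps: tuple            # menu content of the role (tcodes / apps)
    auths: tuple           # authorization instances generated for the role
    org_fields: frozenset  # fields maintained as organizational levels


def derive(master: SingleRole, suffix: str, grid: dict) -> SingleRole:
    """Derived role: same menu and authorizations as the master, organizational
    levels overwritten from the restriction grid. An org level missing from the
    grid raises KeyError instead of silently keeping the $ placeholder."""
    derived = []
    for a in master.auths:
        fields = dict(a.fields)
        for f in a.fields:
            if f in master.org_fields:
                fields[f] = tuple(grid[f])
        derived.append(Authorization(a.obj, fields))
    name = master.name.replace("_S_", "_D_", 1) + "_" + suffix
    return SingleRole(name, master.apps, tuple(derived), master.org_fields)


def value_matches(pattern: str, value: str) -> bool:
    """'*' matches everything, a trailing '*' is a prefix pattern, else exact.
    Ranges (low/high) are left out to keep the example short."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(auths, obj: str, required: dict) -> bool:
    """AUTHORITY-CHECK semantics: ONE authorization instance for `obj` must
    satisfy every required field; values spread over two instances do not add up."""
    for a in auths:
        if a.obj != obj:
            continue
        if all(any(value_matches(p, v) for p in a.fields.get(f, ()))
               for f, v in required.items()):
            return True
    return False


# Constructed stand-in for SU24 default values: the checks an app performs,
# with a representative runtime context (sales org 1010, channel 10, division 00).
APP_CHECKS = {
    "VA01": [("S_TCODE", {"TCD": "VA01"}),
             ("V_VBAK_VKO", {"VKORG": "1010", "VTWEG": "10", "SPART": "00", "ACTVT": "01"})],
    "VA03": [("S_TCODE", {"TCD": "VA03"}),
             ("V_VBAK_VKO", {"VKORG": "1010", "VTWEG": "10", "SPART": "00", "ACTVT": "03"})],
}


def missing_checks(role: SingleRole) -> list:
    """Checks of the role's own apps that fail when only this role is assigned."""
    return [(app, obj) for app in role.apps for obj, req in APP_CHECKS[app]
            if not authority_check(role.auths, obj, req)]


def effective_auths(roles) -> tuple:
    """What a user gets from a composite role: the union of all contained roles."""
    return tuple(a for r in roles for a in r.auths)


# Master role: organizational levels still hold PFCG-style $ placeholders.
MASTER = SingleRole(
    "S4H_S_A_SDTR_SLSORD", ("VA01", "VA03"),
    (Authorization("S_TCODE", {"TCD": ("VA01", "VA03")}),
     Authorization("V_VBAK_VKO", {"VKORG": ("$VKORG",), "VTWEG": ("$VTWEG",),
                                  "SPART": ("*",), "ACTVT": ("01", "02", "03")})),
    frozenset({"VKORG", "VTWEG"}))

# Restriction grid line for company code 010 / plant 010: sales org 1010, channels 10 and 20.
DERIVED_1010 = derive(MASTER, "C010_P010", {"VKORG": ["1010"], "VTWEG": ["10", "20"]})

# Display role that forgot V_VBAK_VKO: it only "works" while another role supplies it.
DISPLAY_BROKEN = SingleRole(
    "S4H_S_A_SDTR_SLSDISP", ("VA03",),
    (Authorization("S_TCODE", {"TCD": ("VA03",)}),), frozenset())

if __name__ == "__main__":
    for role in (MASTER, DERIVED_1010, DISPLAY_BROKEN):
        print(f"{role.name}: missing {missing_checks(role) or 'nothing'}")
    composite = effective_auths([DERIVED_1010, DISPLAY_BROKEN])
    print("VA03 in composite:", authority_check(composite, "V_VBAK_VKO", APP_CHECKS["VA03"][1][1]))
```

Run as a script it reports the master role as failing (its organizational levels still hold the $ placeholders, so it is not meant to be assigned), the derived role as complete, and S4H_S_A_SDTR_SLSDISP as missing V_VBAK_VKO for VA03. Inside a composite role that also contains the derived sales role the display role appears to work, which is exactly the situation the slide warns about: remove the sales role during remediation and VA03 stops working.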


Composite roles: The good old ones again…

(Diagram: the conceptual overview, with the composite role S4H_C_C010_P010_SLS_MANAGER as the focus.)

Determine composite roles
• Determine the list
• Link the list with users
• Determine what each composite role needs to contain

Sources of information
• Functional workshops


Composite roles: The implementation steps

Define business roles and validate content
• Define the needed business roles per area
• Assign the to-be business roles to the users
• Establish a matrix showing the composite role – single role combinations (draft proposal)
• Through workshops, review and validate the content
• The validation of the composite role content can be complemented / enhanced by an SOD analysis: resolve each composite role down to the subprocesses its single roles (via their catalogs) give access to and match those against the conflict rules
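As an added example (not from the deck), the following Python script implements the two design checks from the catalog slides ("1 app in 1 catalog", catalogs built on subprocess level) and the SOD analysis over composite roles mentioned in the last step above. It resolves composite role -> single role -> catalog -> subprocess and matches the result against a ruleset of conflicting subprocess pairs. Catalog, role and subprocess names follow the deck's naming convention; the app-to-subprocess mapping, the catalog content and the SOD rules are constructed for the example (with two deliberate design defects) and are not taken from any real ruleset.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample content; catalogs follow the deck's C_S4H_A_<subprocess> convention.
APP_SUBPROCESS = {                      # app -> subprocess, the outcome of the functional workshops
    "VA01": "SDTR_SLSORD", "VA02": "SDTR_SLSORD", "VA03": "SDTR_SLSORD",
    "VF01": "SDTR_BILLING", "VF02": "SDTR_BILLING",
    "BP": "MDMD_CUSTMD", "XD01": "MDMD_CUSTMD",
    "F-28": "FITR_CUSTPAY",
}
CATALOGS = {                            # catalog -> apps (tiles + target mappings)
    "C_S4H_A_SDTR_SLSORD":  {"VA01", "VA02", "VA03"},
    "C_S4H_A_SDTR_BILLING": {"VF01", "VF02", "VA01"},   # VA01 a second time: breaks "1 app in 1 catalog"
    "C_S4H_A_MDMD_CUSTMD":  {"BP", "XD01", "F-28"},     # F-28 here: catalog spans two subprocesses
}
SINGLE_ROLES = {                        # single role -> catalogs in its menu
    "S4H_S_A_SDTR_SLSORD":  ["C_S4H_A_SDTR_SLSORD"],
    "S4H_S_A_SDTR_BILLING": ["C_S4H_A_SDTR_BILLING"],
    "S4H_S_A_MDMD_CUSTMD":  ["C_S4H_A_MDMD_CUSTMD"],
}
COMPOSITE_ROLES = {                     # composite role -> single roles (the matrix from the workshops)
    "S4H_C_C010_P010_SLS_MANAGER": ["S4H_S_A_SDTR_SLSORD", "S4H_S_A_SDTR_BILLING"],
    "S4H_C_C010_P010_MD_CLERK":    ["S4H_S_A_MDMD_CUSTMD"],
}
SOD_RULES = {                           # constructed ruleset: pairs of conflicting subprocesses
    frozenset({"SDTR_SLSORD", "SDTR_BILLING"}): "Create a sales order and bill it",
    frozenset({"MDMD_CUSTMD", "FITR_CUSTPAY"}): "Maintain a customer and post its payments",
}


def apps_in_multiple_catalogs(catalogs=CATALOGS) -> dict:
    """Principle '1 app in 1 catalog': apps that occur in more than one catalog."""
    where = defaultdict(set)
    for cat, apps in catalogs.items():
        for app in apps:
            where[app].add(cat)
    return {app: sorted(cats) for app, cats in where.items() if len(cats) > 1}


def catalog_subprocesses(catalog, catalogs=CATALOGS, app_sub=APP_SUBPROCESS) -> set:
    """Subprocesses a catalog reaches, derived from its apps rather than from its name."""
    return {app_sub[app] for app in catalogs[catalog]}


def mixed_catalogs(catalogs=CATALOGS) -> dict:
    """Catalogs not built on subprocess level: they can never be assigned without SOD risk."""
    return {c: sorted(catalog_subprocesses(c, catalogs)) for c in catalogs
            if len(catalog_subprocesses(c, catalogs)) > 1}


def sod_conflicts(composite, composites=COMPOSITE_ROLES, singles=SINGLE_ROLES,
                  catalogs=CATALOGS, rules=SOD_RULES) -> list:
    """SOD analysis of one composite role, resolved composite -> single role ->
    catalog -> subprocess. Each hit names the single roles on both sides of the
    conflict, so the owner knows which assignment to challenge."""
    providers = defaultdict(set)        # subprocess -> single roles that provide it
    for single in composites[composite]:
        for cat in singles[single]:
            for sub in catalog_subprocesses(cat, catalogs):
                providers[sub].add(single)
    hits = []
    for a, b in combinations(sorted(providers), 2):
        rule = rules.get(frozenset({a, b}))
        if rule:
            hits.append((rule, a, sorted(providers[a]), b, sorted(providers[b])))
    return hits


if __name__ == "__main__":
    print("apps in several catalogs:", apps_in_multiple_catalogs())
    print("catalogs spanning subprocesses:", mixed_catalogs())
    for comp in COMPOSITE_ROLES:
        for rule, a, ra, b, rb in sod_conflicts(comp):
            print(f"{comp}: {rule} ({a} via {ra}, {b} via {rb})")
```

Run as a script it flags VA01 as sitting in two catalogs, both C_S4H_A_SDTR_BILLING and C_S4H_A_MDMD_CUSTMD as spanning two subprocesses, and reports a conflict inside each composite role. The billing role shows up on both sides of the sales-order / billing conflict: a catalog defect turns into an SOD violation for every composite role that includes it, which is why the catalogs have to be clean before the composite role content is validated. With the two defects repaired, the master-data clerk is conflict-free and the sales manager's remaining conflict is a genuine design decision between two single roles.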


Role Ownership


Role Ownership: Role Assignment Owners

(Diagram: the conceptual overview, as on the Conceptual Overview slide.)

Role Assignment Owner
• Approve role assignments for new joiners
• Approve additional role assignments
• Approve role assignment changes for movers
• Are responsible for the yearly user access reviews


Role Ownership: Composite Role Content Owners

(Diagram: the conceptual overview, as on the Conceptual Overview slide.)

Composite Role Content Owner
• Approve single / derived role assignments in composite roles
• This approval is done from a composite role perspective


Role Ownership: Single / Derived Role Owners

(Diagram: the conceptual overview, as on the Conceptual Overview slide.)

Single / Derived Role Owner
• Approve single / derived role assignments to composite roles; this approval is done from a (sub-)process perspective
• Approve the functionality (tiles, tcodes, ...) contained in the single roles
• Approve the restriction grid for derived roles


Spaces, Pages & Sections


Fiori Spaces, Pages & Sections: What it looks like

(Screenshot of the Fiori launchpad with the Spaces, Pages and Sections marked.)


Spaces, Pages & Sections: Replacing Groups

Both Groups and Spaces still co-exist in S/4HANA 2020

Configure the launchpad parameters in transaction /UI2/FLP_SYS_CONF (system configuration) or /UI2/FLP_CUS_CONF (customizing) to activate Spaces:
• SPACES: switch the spaces mode on for all users
• SPACES_ENABLE_USER: allow users to switch between the old (groups) and the new (spaces) launchpad in their user settings

End users can still switch, if wanted (as long as SPACES_ENABLE_USER is set)


Fiori Spaces, Pages & Sections: The Apps

App IDs:
• F4834 - Manage Launchpad Spaces
• F4512 - Manage Launchpad Pages


Fiori Spaces, Pages & Sections: Spaces


Fiori Spaces, Pages & Sections: Pages


Fiori Spaces, Pages & Sections: Expertum content

Expertum already has content
• Every app in our concept is assigned to a space, page and section

Principle
• 1 app in 1 space, page and section
• Alternatives exist


Fiori Spaces, Pages & Sections: Conceptual Options

Functionality driven
• Design more related to functionality, comparable to the good old SAP standard menu.
• This is the more generic approach: the spaces look the same throughout the organization.
• In this design option, the spaces can be incorporated into the single roles.

Department / composite role driven
• Design more related to how the different departments want their Fiori screens to appear, even using department-specific terminology.
• Typically one creates separate spaces per department, which is less generic but closer to the end user.
• In this design option, the spaces are incorporated into the composite roles (through specific Fiori single roles that carry the space).


CDS Views Authorizations


CDS Views

What are Core Data Services (CDS) views?
• Data models are defined once and consumed everywhere; the processing is pushed down to the database layer instead of being done on the application layer.
• Simplified and harmonized way of defining and consuming data models, regardless of the SAP technology platform (ABAP CDS or HANA CDS).

Impact on performance and security
• Traditional method:
  ▪ All records are retrieved from the DB and then filtered on the application layer (e.g. an AUTHORITY-CHECK per record).
• CDS view access control:
  ▪ The access control is evaluated on the database layer, as part of the SELECT, which is faster.
  ▪ Only data the user is authorized for is read by the system; unauthorized rows never reach the application layer.


Authorizations, in short

• Define in the Data Definition Language (DDL) whether a view is secured at all (annotation @AccessControl.authorizationCheck: #CHECK, #NOT_REQUIRED or #NOT_ALLOWED)
• Define the security itself in the Data Control Language (DCL): an access control (role) with a grant select on the view and a where condition
• Apply it on the cube layer (the analytical data model layer)
• The DCL can refer to PFCG authorization objects through the pfcg_auth aspect, so no second authorization concept is needed


Authorizations, in short (2)

The DCL definition is checked against the user's PFCG authorizations (granted via roles): at runtime the pfcg_auth aspect is resolved from the authorization object values in the user's roles and turned into a filter on the view, so the PFCG roles remain the single place where access is granted.
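As an added example (not from the deck), the following Python script shows what "DCL checked against the user's PFCG authorizations" means at runtime. The DCL source at the top is a CDS access control in the syntax used for ABAP CDS; the view name ZC_SalesOrder and the role name ZC_SALESORDER_DCL are hypothetical, while V_VBAK_VKO and its fields VKORG / VTWEG / SPART / 
ACTVT are the real SD authorization object. The script then does what the CDS runtime does with such a role: it takes the user's authorization instances for V_VBAK_VKO (constructed here), turns them into SQL predicates and lets the database, an in-memory SQLite table standing in for HANA, return only the permitted rows. The ABAP runtime's actual SQL generation is not reproduced verbatim; the predicate shapes (IN for value lists, LIKE for a trailing '*', no condition for '*') are a simplification.

```python
import sqlite3

# Hypothetical DCL (ABAP CDS access control) for a hypothetical view ZC_SalesOrder.
# @MappingRole: true means it applies to every user; pfcg_auth ties it to V_VBAK_VKO.
DCL_ROLE = """
@MappingRole: true
@EndUserText.label: 'Sales orders restricted by sales area'
define role ZC_SALESORDER_DCL {
  grant select on ZC_SalesOrder
    where ( SalesOrganization, DistributionChannel, Division )
          = aspect pfcg_auth( V_VBAK_VKO, VKORG, VTWEG, SPART, ACTVT = '03' );
}
"""

# What the runtime reads out of the DCL: view column per object field, plus literal fields.
FIELD_MAP = {"VKORG": "SalesOrganization", "VTWEG": "DistributionChannel", "SPART": "Division"}
LITERALS = {"ACTVT": "03"}

# Constructed V_VBAK_VKO instances of one user, as generated into the user's PFCG roles.
USER_AUTHS = [
    {"VKORG": ["1010"], "VTWEG": ["10", "20"], "SPART": ["*"],  "ACTVT": ["03"]},
    {"VKORG": ["20*"],  "VTWEG": ["10"],       "SPART": ["00"], "ACTVT": ["01", "02"]},  # no display: ignored
    {"VKORG": ["3010"], "VTWEG": ["*"],        "SPART": ["*"],  "ACTVT": ["03"]},
]

# Constructed ZC_SalesOrder rows: (SalesOrder, SalesOrganization, DistributionChannel, Division)
ROWS = [("1", "1010", "10", "00"), ("2", "1010", "30", "00"), ("3", "2010", "10", "00"),
        ("4", "3010", "20", "01"), ("5", "1710", "10", "00")]


def field_predicate(column: str, values: list):
    """'*' -> no condition (None); 'AB*' -> LIKE 'AB%'; other values -> IN (...).
    An empty value list means no access at all. Values come from PFCG, not from user input."""
    if not values:
        return "1 = 0"
    if "*" in values:
        return None
    exact = [v for v in values if not v.endswith("*")]
    parts = [f"{column} IN ({', '.join(repr(v) for v in exact)})"] if exact else []
    parts += [f"{column} LIKE '{v[:-1]}%'" for v in values if v.endswith("*")]
    return "(" + " OR ".join(parts) + ")" if len(parts) > 1 else parts[0]


def literal_ok(instance: dict, literals: dict) -> bool:
    """Literal fields of the aspect (here ACTVT = '03') decide which instances count."""
    return all(v in instance.get(f, []) or "*" in instance.get(f, []) for f, v in literals.items())


def where_clause(auths, field_map=FIELD_MAP, literals=LITERALS) -> str:
    """One OR branch per usable instance, all mapped fields ANDed inside a branch:
    the same 'one instance must satisfy all fields' rule as AUTHORITY-CHECK."""
    branches = []
    for inst in auths:
        if not literal_ok(inst, literals):
            continue
        conds = [p for fld, col in field_map.items()
                 if (p := field_predicate(col, inst.get(fld, []))) is not None]
        branches.append("(" + " AND ".join(conds) + ")" if conds else "(1 = 1)")
    return " OR ".join(branches) if branches else "1 = 0"   # no instance: no rows


def authorized_orders(auths, rows=ROWS) -> list:
    """The DCL filter is pushed into the SELECT: unauthorized rows never leave the database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ZC_SalesOrder(SalesOrder, SalesOrganization, DistributionChannel, Division)")
    con.executemany("INSERT INTO ZC_SalesOrder VALUES (?, ?, ?, ?)", rows)
    sql = f"SELECT SalesOrder FROM ZC_SalesOrder WHERE {where_clause(auths)} ORDER BY SalesOrder"
    return [r[0] for r in con.execute(sql)]


if __name__ == "__main__":
    print(where_clause(USER_AUTHS))
    print(authorized_orders(USER_AUTHS))
```

For the constructed user the second instance is dropped because it carries no display activity, and the generated filter reads `(SalesOrganization IN ('1010') AND DistributionChannel IN ('10', '20')) OR (SalesOrganization IN ('3010'))`, so only orders 1 and 4 are returned. A user without any V_VBAK_VKO instance gets `1 = 0`, i.e. an empty result rather than an error, which is the behaviour to expect when a CDS-based app "shows nothing" for a user whose role lacks the object.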


App Support


App Support

SU53 & more within Fiori

Download (Excel format) the error logs from the Fiori Launchpad:
• Authorization errors (SU53)
• Gateway Errors (/IWFND/ERROR_LOG)
• Back-end errors (/IWBEP/ERROR_LOG)
• Runtime errors (ST22)


Example – App Support

➢ Once the user clicks on App Support: (screenshot)
➢ Download the logs to extract the error details into an Excel file and send it to the administrators for resolution.

Example – Excel Output


S/4HANA and the Cloud


S/4HANA and the Cloud

S/4HANA Public Cloud (Essentials Edition)
• SaaS: all customers share the same cloud
• Works with standard processes
• Low cost, efficient & scalable
• Maintenance, upgrades & patches managed by SAP
• Accessible only via Fiori
• Limited version of S/4HANA
  ▪ Fewer features
  ▪ Minimal customisation options
  ▪ Limited number of languages
  ▪ Support for a limited range of industries

S/4HANA Private Cloud Edition (PCE) / S/4HANA Extended
• Own S/4 version on an own dedicated virtual private cloud
• Full customizing possible
• Greater cost, flexibility and functionality
• Maintenance, upgrades & patches managed by SAP but under customer control
• Accessible via SAP GUI & Fiori
• Full version of S/4HANA
  ▪ All S/4 features
  ▪ Fully customizable
  ▪ No language restrictions


Manage Security only via Fiori (Public Cloud)

Manage users via the Maintain Business Users app
• Incl. role assignment

Manage authorizations via the Maintain Business Roles app
• Create / change / copy / delete roles
• Assign / remove catalogs to / from roles
• Maintain restrictions within roles
• Add / remove users from a role


Roles (Public Cloud)

Define a leading or a derived business role (BR)

Within a role you can define:
• Restrictions (read or write)
• No access to the underlying authorization objects
• But the organizational values can be defined

Maintain the catalog(s) within the role
• Gives an overview of the apps within a catalog
• But the catalog itself cannot be maintained: the apps per catalog are fixed by SAP


“SUIM”

There is no SUIM / SE16!

Use the IAM Information System app to search for:
• BR - User
• BR - Catalog
• BR - Restrictions
• BR - Application
• BR - BR Template
• BR - Derived BR


Risks ruleset for S/4HANA Essentials Edition

SAP BTP Identity Access Governance (IAG) service ruleset


HANA Authorizations


When do you need to consider HANA security?

From the moment there is direct access to the HANA DB layer!

The database is meant to be accessed!

The HANA DB holds all your tables => all your data

From HANA, direct read & write access to the data is possible, bypassing every check in the ABAP layer

Default roles / privileges give very broad access
• E.g. bank account data accessible – not tested in maintain…


Differences between traditional & SAP HANA architecture

(Diagram, reconstructed from the slide.)

Traditional:
  Client -> Application server (authentication, identity store, encryption, audit, authorization, logging) -> DB
  The security functions live in the application server; the database only sees the application's technical user.

SAP HANA:
  Client / HANA Studio / Application -> SAP HANA (XSC/XSA engine; authentication, identity store, encryption, audit, authorization, logging), which is application platform and DB in one
  The security functions live in the database itself, so a user who reaches HANA directly is authorized by HANA, not by the ABAP stack.

SAP HANA Privileges (XSC)

(Diagram: Client -> Application -> SAP HANA with the XSC engine, packages, the catalog (schemas, tables, views) and row-level access.)

• Application privilege: access to HANA (XSC) applications
• Package privilege: access to repository packages (development objects)
• Object privilege: access to catalog objects such as schemas, tables and views
• Analytic privilege: row-level access rights on views
• System privilege: system administrative tasks

Evolution: from HANA XSC to HANA XSA

(Diagram: Client -> SAP HANA with the XSA engine, HDI containers and the catalog.)

• Role collections & application roles: access to HANA XSA applications (replace the XSC application privileges)
• HDI container
  ▪ Views: object privilege (access to tables / views)
  ▪ Row-level access: analytic privilege (row-level access rights)
• Catalog
  ▪ Schemas, tables, ...: object privilege (access to tables / views)
• System privilege: system administrative tasks

Integrated Conceptual Approach

(Diagram, reconstructed from the slide: the S/4HANA / ECC side is built in PFCG, the HANA side in HANA Studio / Web IDE; corresponding roles share the same naming convention so that each level maps one-to-one.)

S/4HANA / ECC (PFCG)                         HANA (HANA Studio / Web IDE)
Single role     S4_S_A_AMMD_ASSETS           "Level 1" role  HN_S_V_AMMD_ASSETS
                                             (object privilege + analytic privilege)
                                             - Object
                                             - Restrictions
Derived role    S4_D_A_AMMD_ASSETS_BEXX      Derived "Level 1" role  HN_D_V_AMMD_ASSETS_BEXX
                                             (object privilege + derived analytic privilege)
                                             - Object
                                             - Restrictions
Composite role  S4_C_BEXX_ACCOUNTANT         "Level 2" role  HN_C_BEXX_ACCOUNTANT
                            (IT)
Business role   C_ACCOUNTANT_BEXX            (IT / Business): bundles the S/4HANA composite role and the HANA "Level 2" role
Business user / identity

Wrap-up


Key Points to Take Home

Even more than on ECC, a conceptual approach to setting up authorizations is a must-have
• Each system has its own technical security mechanism
• A naming convention is important for cross-system consistency

SAP_ALL alone doesn't work anymore
• The Fiori screens (catalogs, spaces, pages, sections) need to be defined as well
• HANA does not have SAP_ALL

There is a strong relationship between what a user sees in Fiori and what a user is authorized for
• Ensure front-end and back-end authorizations are aligned: a tile without the back-end authorization fails at runtime, and a back-end authorization without a tile is invisible but may still be reachable (e.g. through SAP GUI)


Key Points to Take Home (2)

Spaces, Pages and Sections are new as of S/4HANA 2020

Design your catalogs to be free of SOD conflicts

Put security as close to your data as possible, especially for the HANA DB, which allows direct access
• Minimal impact on authorizations in case of an additional / new front end

Chris Walravens, GRC Community Lead & Partner, +32 474 47 59 83, chris.walravens@expertum.net
Christophe Decamps, Senior GRC Consultant, +32 473 72 01 25, christophe.decamps@expertum.net
