XP Session 2022 S4HANA Authorizations Final
05/05/2022
Implementing Authorizations on SAP S/4HANA
Much more than a technical exercise
Christophe Decamps
Chris Walravens
S/4HANA Authorizations
Agenda
• Introduction
• Conceptual Build
• Migration Options
• Implementation Approach
• Role Ownership
• Specific Topics
• Wrap-up
Introduction
Conceptual Build
Terminology

Term / Acronym: Definition

Tiles: Grant access to Fiori apps and to S/4HANA functionality. Tiles are the way SAP functionality is presented and made accessible to the end user through the SAP Fiori user interface. Technically, tiles call SAP S/4HANA transaction codes, Web Dynpro applications and UI5 applications.

Catalogs: Container of the technical definition of tiles. The content of a catalog defines what functionality an end user has access to through the Fiori user interface.

Spaces, Pages, Sections: Container of tiles. The content of spaces, pages and sections defines what the end user sees on the screen when he/she logs on. Spaces, pages and sections are purely used for structuring the presentation of tiles to end users.

Single roles: Container of transaction codes, Web Dynpro applications, Fiori catalogs and services, etc., and the related authorizations to execute these transaction codes, Web Dynpro applications, tiles, etc.

Derived roles: Grant access to the same functionality as the single role they are derived from, but derived roles contain restrictions on organizational values (like company code, plant, sales organization, ...).

Composite roles: Container of single and/or derived roles. Composite roles are a collection of single and derived roles, allowing a user to execute all tasks he/she needs to perform his/her daily job.
[Diagram: derived role S4H_D_A_SDTR_SLSORD_C010_P010 and the UI5 apps it grants access to]
SAP S/4HANA Authorizations Migration Options
Assumptions

Minimum steps to be performed:
• Keep on using (good old) SAP GUI
• Perform SU25 to update your USOBX_C / USOBT_C
• No use of SAP Fiori tables (core PFCG tables)
• Post-maintain your existing PFCG roles & regenerate the profiles

As with every SAP upgrade / release change:
• Test all the roles in the new S/4HANA environment
  ▪ New functionality
  ▪ New authorization objects
  ▪ New authority checks
  ▪ Etc.
• Commodity Codes
• Etc.
[Diagram: conceptual build. Catalog C_S4H_A_SDTR_SLSORD with tile and target mapping; single role S4H_S_A_SDTR_SLSORD; derived role S4H_D_A_SDTR_SLSORD_C010_P010; the functionality behind them: transaction codes, WebDynpro apps and UI5 apps]
Implementation Approach
Fiori needs to be set up / activated on the S/4HANA system (STC01, STC02, etc.).
All services need to be executed once before they become visible in PFCG (/IWFND/MAINT_SERVICE).
Gather functionality

[Diagram: columns PFCG, Content Manager / Manage Spaces & Pages apps, and Functionality. Catalog C_S4H_A_SDTR_SLSORD (transaction codes, WebDynpro apps, UI5 apps, tile and target mapping); single role S4H_S_A_SDTR_SLSORD; derived role S4H_D_A_SDTR_SLSORD_C010_P010; space ZSP_SLS_MNGR, page ZPG_SALES, section ZSC_SD_DOCS]

Sources of Information
• STAD
• Functional Workshops
S/4HANA Authorizations
Catalog
• Each Space is a menu
Transaction Codes
C_S4H_A_SDTR_SLSORD item
Single Role • Each Page is a drop-
S4H_S_A_SDTR_SLSORD WebDynpro Apps
Tile Target Mapping down-option
UI5 Apps • Each Section is a folder
Derived Role
on a Page
S4H_D_A_SDTR_SLSORD_C010_P01
0
• Decide what tiles are
Spaces Pages Sections shown or not
ZSP_SLS_MNGR ZPG_SALES ZSC_SD_DOCS
• Tile order set in the
Composite Role Tile
S4H_C_C010_P010_SLS_MANAGER Sections
Sources of
Information
• Functional Workshops
[Diagram: Spaces, Catalogs, Groups]
Role Ownership
Role owners:
• Approve role assignments for new joiners
• Approve additional role assignments
• Approve role assignment changes for movers
• Are responsible for yearly user access reviews
App IDs:
• F4834 - Manage Launchpad Spaces
• F4512 - Manage Launchpad Pages
Principle
• 1 app in 1 space, page and section
• Alternatives exist
Functionality Driven
• Design more related to functionality, comparable to the good old SAP standard menu.
• This is the more generic approach. The spaces look the same throughout the organization.
• In this design option, the spaces can be incorporated into the single roles.
CDS Views
Impact on performance
• Traditional method:
  ▪ All records are retrieved from the DB and only then processed (and filtered) in the application
• CDS Views security:
  ▪ Authorization checks are processed at a lower level, which is faster
  ▪ Only the data the user is authorized for is read by the system
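The performance point above, as an added example that is not from the slides: the same sales-order read done the traditional way (SELECT everything, then AUTHORITY-CHECK per row in the application server) and through a CDS view whose access control turns the user's PFCG authorization into part of the database query. The view Z_I_SalesOrder, the DCL role Z_SALESORDER_BY_VKORG and the variable names are assumed for illustration; table VBAK and authorization object V_VBAK_VKO are SAP standard.

```abap
" --- Traditional method: read everything, then check authority per row ---
" Every sales order header is transported from the database before the
" AUTHORITY-CHECK in the application server drops the rows the user may not see.
SELECT vbeln, vkorg, vtweg, spart
  FROM vbak
  INTO TABLE @DATA(lt_vbak).

LOOP AT lt_vbak ASSIGNING FIELD-SYMBOL(<ls_vbak>).
  AUTHORITY-CHECK OBJECT 'V_VBAK_VKO'
    ID 'VKORG' FIELD <ls_vbak>-vkorg
    ID 'VTWEG' FIELD <ls_vbak>-vtweg
    ID 'SPART' FIELD <ls_vbak>-spart
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    DELETE lt_vbak.   " filtered row by row, after the data was already read
  ENDIF.
ENDLOOP.

" --- CDS method: two separate development objects (shown here in one listing) ---
// Z_I_SalesOrder.asddls: hypothetical CDS view entity over VBAK
@AccessControl.authorizationCheck: #CHECK
define view entity Z_I_SalesOrder as select from vbak {
  key vbeln as SalesOrder,
      vkorg as SalesOrganization,
      vtweg as DistributionChannel,
      spart as Division
}

// Z_SALESORDER_BY_VKORG.asddlxs: hypothetical access control (DCL) for the view.
// The user's PFCG authorizations for V_VBAK_VKO are turned into a WHERE clause,
// so the database only returns the rows the user is authorized for.
@EndUserText.label: 'Sales orders restricted by V_VBAK_VKO'
@MappingRole: true
define role Z_SALESORDER_BY_VKORG {
  grant select on Z_I_SalesOrder
    where ( SalesOrganization, DistributionChannel, Division )
      = aspect pfcg_auth( V_VBAK_VKO, VKORG, VTWEG, SPART, ACTVT = '03' );
}

" ABAP consumer: no per-row AUTHORITY-CHECK needed; unauthorized rows never leave the DB
SELECT SalesOrder, SalesOrganization
  FROM Z_I_SalesOrder
  INTO TABLE @DATA(lt_authorized_orders).
```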
App Support

Download (Excel format) the error logs from the Fiori Launchpad:
• Authorization errors (SU53)
• Gateway errors (/IWFND/ERROR_LOG)
• Back-end errors (/IWBEP/ERROR_LOG)
• Runtime errors (ST22)

➢ Download the logs to extract the error details into an Excel file and send it to the administrators for resolution.
S/4HANA Public Cloud (Essentials Edition)
• SaaS: all customers share the same Cloud
• Works with standard processes
• Low cost, efficient & scalable
• Maintenance, upgrades & patches managed by SAP
• Accessible only via Fiori
• Limited version of S/4HANA
  ▪ Fewer features
  ▪ Minimal customisation options
  ▪ Limited number of languages
  ▪ Support for a limited range of industries

S/4HANA Private Cloud Edition (PE) / S/4HANA Extended
• Own S/4 version on own dedicated virtual private Cloud
• Full customizing possible
• Greater cost, flexibility and functionality
• Maintenance, upgrades & patches managed by SAP, but with customer control
• Accessible via SAP GUI & Fiori
• Full version of S/4HANA
  ▪ All S/4 features
  ▪ Fully customizable
  ▪ No language restrictions
Roles
“SUIM”
HANA Authorizations
From the moment there is direct access to the HANA DB layer!
From HANA, direct read & write access to the data is possible.
[Diagram: Traditional vs HANA security layers. Traditional: the application server provides authentication, identity store, encryption, authorization, audit and logging in front of the SAP HANA DB. HANA: the same functions (authentication, identity store, encryption, authorization, audit, logging) are provided by the HANA XSC/XSA engine, directly on the database.]
HANA privilege types:
• Application privilege (HANA applications)
• Package privilege
• Object privilege (access to tables/views)
• Analytic privilege (row level access rights)

[Diagram: client, application and SAP HANA XSC engine; catalog (schemas, tables, ...), package, views, row level access]
[Diagram: "Level 1" roles. S/4 derived role S4_D_A_AMMD_ASSETS_BEXX (IT) and HANA derived role HN_D_V_AMMD_ASSETS_BEXX (object privilege + analytic privilege: object, restrictions) (IT), assigned through business role C_ACCOUNTANT_BEXX (IT / Business)]
Wrap-up
Even more than on ECC, a conceptual approach to setting up authorizations is a must-have
• Each system has its own technical security mechanism
• Naming conventions are important for cross-system consistency
There is a strong relationship between what a user sees in Fiori and what a user is authorized for
• Ensure front-end and back-end authorizations are aligned
Put security as close to your data as possible, especially for the HANA DB, which allows direct access
• Minimal impact on authorizations in case of an additional/new front-end
Chris Walravens
GRC Community Lead & Partner
+32 474 47 59 83
chris.walravens@expertum.net

Christophe Decamps
Senior GRC Consultant
+32 473 72 01 25
christophe.decamps@expertum.net