Security Best Practices for SAP Fiori on SAP S/4HANA – Part 1


Customers who are new to SAP S/4HANA and implement SAP Fiori often look for straightforward security best practices to guide their security design. The following best practices help when planning your security design for SAP Fiori for SAP S/4HANA.

User Experience must be prioritized over a technical role design

User experience is critical to user adoption and usability. If your users find the system cumbersome to work with, or full of restrictive security hurdles, that reduces their willingness to work with it and distracts them from the work they must do. Achieving the intended business outcomes by making sure your solution is easy to adopt and use is, and must always be, your priority.

Fiori Business Roles Are Composite Roles

A composite role assigns single roles that control access to the launchpad and launchpad features, access to apps and classic UIs, the default layout (space), access to search objects, and access to data and the actions performed on that data. SAP uses composite roles to model business roles within an organization, so SAP Business Roles represent the job of users and their related tasks. Examples of business roles include Asset Accountant, Purchaser, Customer Sales Manager, Inventory Manager, Warehouse Clerk, etc.

SAP S/4HANA delivers more than 500 job-based templates, known as SAP Business Roles, which are working examples of how composite roles deliver the SAP Fiori user experience for a user with role-specific tasks and responsibilities.

SAP Fiori Security Is Derived Top-down From The Business Role

The single role that contains the business catalog(s) provides the authorization control and permissions at application level. The business catalog also provides the logical intents that control navigation between apps and UIs and the parameters passed. Business catalogs are independent collections of apps and UIs that belong together and should be assigned to a role together. The apps and UIs usually relate to the same Line of Business task and process; for example, an Overview Page app and the apps/UIs you navigate to from it. Usually, a business catalog collects around 2 to 20 related apps and UIs. Avoid creating large business catalogs, as these are harder to reuse. Large business catalogs also increase the risk of creating a segregation of duties violation.

Having the SAP Fiori Foundation User Role

The Fiori Foundation role grants access to the launchpad itself and any common launchpad features for all users. Because this is a global role, you only add the base access you want all users to receive. This means your design includes giving every user a common Foundation User role in addition to one or more specific business roles.

Start By Mapping Your Custom Business Roles To SAP Business Roles

This gives a first cut of authorizations that are likely to be relevant to the job and related tasks that a person needs. There are several ways of deciding on scope. For example, using the SAP Best Practices Explorer process recommendations or the UX Value Goals content in SAP Activate. Within your solution, you can use the Launchpad Content Aggregator tool to audit the content of roles that you have created and any SAP Business Roles that you use as-is.

Creating Custom Business Roles For Specific Needs

You can map SAP Business Catalogs to your custom business roles. It is very easy to refine custom roles by collecting catalogs. This is generally a good approach to avoid or minimize Segregation of Duties (SoD) issues, although where SoD must be strictly applied it is wise to double-check that the contents of each catalog do not contain any SoD conflicts. You can create your own custom business catalogs if you need to refine further.
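The role hierarchy described above (business role as composite role, single roles holding business catalogs, a common Foundation role for every user, and the SoD and catalog-size checks) as an added example, not code from the original post or from SAP; every role, catalog, app name and SoD conflict pair is a constructed placeholder.

```python
"""Model of the SAP Fiori role hierarchy described on this page:
business role (composite) -> single roles -> business catalogs -> apps.
All role, catalog and app names are constructed placeholders."""
from dataclasses import dataclass, field

FOUNDATION_ROLE = "Z_FIORI_FOUNDATION"   # constructed name for the common Foundation role
MAX_CATALOG_SIZE = 20                    # page's "around 2 to 20 apps" guidance

# Constructed SoD conflict pairs between catalogs (assumption, not SAP-delivered content).
SOD_CONFLICTS = {frozenset({"Z_CAT_VENDOR_MAINTAIN", "Z_CAT_INVOICE_POST"})}

@dataclass
class SingleRole:
    name: str
    catalogs: dict[str, list[str]]   # catalog name -> apps/UIs in that catalog

@dataclass
class BusinessRole:
    name: str
    single_roles: list[SingleRole] = field(default_factory=list)

    def catalogs(self) -> set[str]:
        return {c for r in self.single_roles for c in r.catalogs}

def review_user(assigned: list[BusinessRole]) -> list[str]:
    """Return design findings for one user's set of business (composite) roles."""
    findings = []
    if FOUNDATION_ROLE not in {r.name for r in assigned}:
        findings.append("missing Fiori Foundation role")
    # the effective access is the union of catalogs across all assigned business roles
    cats = set().union(*(r.catalogs() for r in assigned)) if assigned else set()
    for role in assigned:
        for sr in role.single_roles:
            for cat, apps in sr.catalogs.items():
                if len(apps) > MAX_CATALOG_SIZE:
                    findings.append(f"catalog {cat} has {len(apps)} apps; split it")
    for pair in sorted(SOD_CONFLICTS, key=sorted):
        if pair <= cats:
            findings.append("SoD conflict: " + " + ".join(sorted(pair)))
    return findings

def sample_findings(with_foundation: bool) -> list[str]:
    """Constructed purchaser role whose two catalogs together form an SoD conflict."""
    foundation = BusinessRole(FOUNDATION_ROLE,
                              [SingleRole("Z_SR_LAUNCHPAD", {"Z_CAT_LAUNCHPAD": ["app_launchpad_home"]})])
    purchaser = BusinessRole("Z_BR_PURCHASER", [
        SingleRole("Z_SR_VENDOR", {"Z_CAT_VENDOR_MAINTAIN": ["app_vendor_01"]}),
        SingleRole("Z_SR_INVOICE", {"Z_CAT_INVOICE_POST": ["app_invoice_01"]}),
    ])
    return review_user([foundation, purchaser] if with_foundation else [purchaser])
```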

Using Key User Adaptation To Create App Variants That Limit The Features

Each app is intended to fit the tasks of a certain business role, and its features reflect the intended task and audience. Before attempting to change an app, make sure you have understood its intended task and audience, and confirm that it fits your custom business role. App Variants place a layer over the original app and can be used to strip out certain features, such as removing buttons or sections. You can create multiple App Variants for the same app.
