Unjustly underestimated: Uniform SAP User Management
SAP's strategy is to move away from transactions in the SAP GUI and towards Fiori interfaces (Fiori apps), which are accessed via a web browser. In addition to the Fiori apps (S/4 Hana 1809: approx. 1300 apps), SAP offers a large number of legacy apps in the SAP Fiori App Store (S/4 Hana 1809: approx. 8600 apps), which already match the "look-and-feel" of Fiori and are authorized in the same way. SAP Note 2310438 describes how to run the "SAP Readiness Check for S/4 Hana".
Many of the apps can be used as an alternative to transactions. However, some functions in S/4 Hana are only made available via apps. The ERP transactions are then obsolete.
One example of this is the bank master data. The "old" transactions can still be executed in compatibility mode, but they are being replaced by the Fiori app Manage Banks. There are also a large number of transactions that are no longer supported by S/4 Hana.
These changes are specified in the "Simplification List for SAP S/4 Hana", which is available for each release. An overview of the components that are no longer part of the S/4 Hana standard scope but can still be used until 12/31/2025 is provided in the Compatibility Scope Matrix (SAP Note 2269324).
To secure access from a web browser to an S/4 Hana system, the familiar principle of front-end and back-end servers can be used. The back-end server is the S/4 Hana system.
Users do not log on to this system directly. The front-end server is usually a separate SAP system that is connected to the back-end via Trusted RFC. Users log on to the front-end server.
There they also receive the permissions to call Fiori apps. Roles are used to assign tile groups (collections of Fiori apps; each app is displayed as an individual tile) and tile catalogs (which contain, among other things, the start permissions required to run the apps).
If a user runs an app and has the necessary permissions in the front end, this app is run in the back end via the trusted connection. A user account with the same name must exist there.
In the back end, the user must then also have authorization for the app as well as for the action that is performed with the app (e.g. posting a document or creating a purchase order).
When using apps, the type of authorization also changes. Transactions are authorized by their abbreviation (e.g. FK01, ME21N, SU01). The departments know their transactions, so role requests, for example, are relatively easy to design in this regard.
Apps also have technical identifiers, e.g. FCLM_BAM_FS_BANK_SRV or FAC_FINANCIALS_POSTING_SRV. Apps are installed as a service in the SAP system. These are assigned an individual, 30-digit hash value (e.g. 00015405C7CFB2723B3F7C4340AA24).
It is this hash value that is authorized in the roles. As a result, the authorization values in a role no longer show which functions they authorize.
The app name is now only displayed in the role menu in the tile catalogs. This represents a major change for the departments in particular, as the role requests must also be adapted accordingly.
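The following Python sketch is an added example, not SAP code or part of the original article. It shows how a reviewer could make hash-based role values readable again and check the front-end/back-end principle described above. The export layouts, role names, user names and the pairing of hash to service name are constructed assumptions.

```python
import csv
import io
# Constructed sample exports; the hash/service pairing and column names are assumptions.
SERVICE_HASHES = """hash,service
00015405C7CFB2723B3F7C4340AA24,FCLM_BAM_FS_BANK_SRV
1111AAAA2222BBBB3333CCCC4444DD,FAC_FINANCIALS_POSTING_SRV
"""
BACKEND_ROLE_VALUES = """role,hash
Z_BE_BANK_MAINT,00015405C7CFB2723B3F7C4340AA24
Z_BE_FI_POST,1111AAAA2222BBBB3333CCCC4444DD
Z_BE_LEGACY,9999EEEE8888FFFF7777000066661A
"""
BACKEND_USER_ROLES = """user,role
MILLER,Z_BE_BANK_MAINT
MILLER,Z_BE_LEGACY
SMITH,Z_BE_FI_POST
"""
FRONTEND_USER_APPS = """user,service
MILLER,FCLM_BAM_FS_BANK_SRV
SMITH,FCLM_BAM_FS_BANK_SRV
JONES,FAC_FINANCIALS_POSTING_SRV
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def resolve_roles():
    """Map each back-end role to service names; unknown hashes stay visible as UNRESOLVED."""
    names = {r["hash"]: r["service"] for r in rows(SERVICE_HASHES)}
    resolved = {}
    for r in rows(BACKEND_ROLE_VALUES):
        resolved.setdefault(r["role"], set()).add(names.get(r["hash"], "UNRESOLVED:" + r["hash"]))
    return resolved

def frontend_backend_gaps():
    """List front-end app assignments that fail in the back end (assumes every back-end user has a role row)."""
    role_services = resolve_roles()
    user_services = {}
    for r in rows(BACKEND_USER_ROLES):
        user_services.setdefault(r["user"], set()).update(role_services.get(r["role"], set()))
    gaps = []
    for r in rows(FRONTEND_USER_APPS):
        if r["user"] not in user_services:
            gaps.append((r["user"], r["service"], "no back-end user with the same name"))
        elif r["service"] not in user_services[r["user"]]:
            gaps.append((r["user"], r["service"], "service not authorized in back end"))
    return gaps

if __name__ == "__main__":
    print(resolve_roles(), frontend_backend_gaps(), sep="\n")
```

An unresolved hash in a role is itself a review finding, because nobody can say from the role values which function it authorizes.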
The revision of the authorization concept is therefore an essential part of the S/4 Hana migration. On the one hand, the technology changes, and on the other hand, the concepts and the request procedures change as well.
Furthermore, the departments must be trained in the new authorization system, as they are directly involved in the request process and in recertification processes for authorizations.