
Unjustly underestimated: Uniform SAP User Management

Migration to S/4 Hana is on the agenda for everyone who uses SAP ERP. Such a migration is a complex project in which the authorization concept must also be adapted.
Thomas Tiede, IBS
December 6, 2018
IT Security
This text has been automatically translated from German to English.

SAP's strategy is to move away from transactions in the SAP GUI and towards Fiori interfaces (Fiori apps), which are accessed via a web browser. In addition to the Fiori apps (S/4 Hana 1809: approx. 1300 apps), SAP offers a large number of legacy apps in the SAP Fiori App Store (S/4 Hana 1809: approx. 8600 apps), which already have the Fiori look and feel and are authorized in the same way. SAP Note 2310438 describes how to run the "SAP Readiness Check for S/4 Hana".

Many of the apps can be used as an alternative to transactions. However, some functions in S/4 Hana are only made available via apps. The ERP transactions are then obsolete.

One example of this is the bank master data. The "old" transactions can still be executed in compatibility mode, but they are being replaced by the Fiori app Manage Banks. There are also a large number of transactions that are no longer supported by S/4 Hana.

These changes are specified in the "Simplification List for SAP S/4 Hana", which is available for each release. An overview of the components that are no longer part of the S/4 Hana standard scope but can still be used until 12/31/2025 is provided in the Compatibility Scope Matrix (SAP Note 2269324).

To secure access from a web browser to an S/4 Hana system, the familiar principle of front-end and back-end servers can be used. The back-end server is the S/4 Hana system.

Users do not log on to this system directly. The front-end server is usually a separate SAP system that is connected to the back-end via Trusted RFC. Users log on to the front-end server.

There they also receive the permissions to call Fiori apps. Roles are used to assign tile groups (collections of Fiori apps; each app is displayed as an individual tile) and tile catalogs (containing, among other things, the start permissions required to run the apps).

If a user runs an app and has the necessary permissions in the front end, this app is run in the back end via the trusted connection. A user account with the same name must exist there.

In the back-end, the user must then also have authorization for the app as well as for the action that is performed with the app (e.g. posting a document or creating a purchase order).

When using apps, the type of authorization also changes. Transactions are authorized by their abbreviation (e.g. FK01, ME21N, SU01). The departments know their transactions, so role requests, for example, are relatively easy to design in this regard.

Apps also have technical identifiers, e.g. FCLM_BAM_FS_BANK_SRV or FAC_FINANCIALS_POSTING_SRV. Apps are installed as a service in the SAP system. These are assigned an individual, 30-digit hash value (e.g. 00015405C7CFB2723B3F7C4340AA24).

This hash value is authorized in the roles. As a result, the authorization values in a role no longer show which functions the role actually authorizes.

The app name is now only displayed in the role menu in the tile catalogs. This represents a major change for the departments in particular, as the role requests must also be adapted accordingly.
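The following audit sketch is an added example, not part of the original article or any SAP tooling. It resolves the service hashes in back-end roles to readable service names and checks the front-end/back-end rules described above (same-named back-end account, back-end authorization for the app); it does not cover the authorization for the action itself. All users, roles, hash values and the data layout are constructed assumptions; only the two service names come from the text.

```python
# Constructed sample data: hypothetical stand-ins for exports from both systems.
H_BANK = "F" * 28 + "01"     # constructed 30-character hash
H_POST = "F" * 28 + "02"     # constructed 30-character hash
H_ORPHAN = "F" * 28 + "99"   # constructed hash with no known service

HASH_TO_SERVICE = {H_BANK: "FCLM_BAM_FS_BANK_SRV",
                   H_POST: "FAC_FINANCIALS_POSTING_SRV"}
# Back-end role -> service hashes authorized in that role
BACKEND_ROLE_HASHES = {"Z_BE_BANK_CLERK": {H_BANK},
                       "Z_BE_ACCOUNTANT": {H_POST, H_ORPHAN}}
# Back-end user -> assigned roles
BACKEND_USER_ROLES = {"MILLER": {"Z_BE_BANK_CLERK"},
                      "SMITH": {"Z_BE_ACCOUNTANT"}}
# Front-end user -> services behind the tiles the user may start
FRONTEND_USER_APPS = {
    "MILLER": {"FCLM_BAM_FS_BANK_SRV", "FAC_FINANCIALS_POSTING_SRV"},
    "SMITH": {"FAC_FINANCIALS_POSTING_SRV"},
    "JONES": {"FCLM_BAM_FS_BANK_SRV"},
}

def resolve_role(role):
    """Return (readable service names, hashes that could not be resolved)."""
    hashes = BACKEND_ROLE_HASHES.get(role, set())
    resolved = {HASH_TO_SERVICE[h] for h in hashes if h in HASH_TO_SERVICE}
    unknown = {h for h in hashes if h not in HASH_TO_SERVICE}
    return resolved, unknown

def audit():
    """List mismatches between front-end tiles and back-end authorizations."""
    findings = []
    for user, apps in sorted(FRONTEND_USER_APPS.items()):
        if user not in BACKEND_USER_ROLES:
            # The trusted connection needs a same-named back-end account.
            findings.append((user, "*", "NO_BACKEND_ACCOUNT"))
            continue
        allowed = set()
        for role in BACKEND_USER_ROLES[user]:
            allowed |= resolve_role(role)[0]
        for app in sorted(apps - allowed):
            findings.append((user, app, "NO_BACKEND_AUTH"))
    for role in sorted(BACKEND_ROLE_HASHES):
        for h in sorted(resolve_role(role)[1]):
            # A hash nobody can name cannot be reviewed or recertified.
            findings.append((role, h, "UNRESOLVED_HASH"))
    return findings

if __name__ == "__main__":
    for finding in audit():
        print(*finding, sep="\t")
```
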

The revision of the authorization concept therefore represents an essential part of the S/4 Hana migration. On the one hand, the technology changes, and on the other hand, the concepts and the application procedures change as well.

Furthermore, the departments must be trained in the new authorization system, as they are directly involved in the request process and in recertification processes for authorizations.


Thomas Tiede is managing director of IBS Schreiber.

