SAP Fiori Client Available for iOS Devices
The SAP Fiori Client is now available for download from the Apple App Store. Here’s a link to the product page. The application is a free download; there is no demo mode, you must point the SAP Fiori Client to an existing SAP Fiori instance.
Hi John,
thanks for the update.
This is one of my practical security worries with Fiori 'apps' and Users being able to download these clients at their own discretion.
Moving forward, companies are going to have to make sure their Users' roles are locked down much more than they ever had to in the past.
It is common knowledge that companies use Portal and ITS based UI's because these UI's enable them to lock down accessibility to functionality quicker and more directly than in the SAP Gui, and one of the benefits of Portal Iviews and ITS Transactions has always been giving Users less access to functionality than their same roles would allow them through the SAP Gui.
But Portal and ITS are controlled centrally, and Users are provided with access to Portal and ITS.
And now, Users can download their own clients to their SmartPhones; consequently, what if they have roles which enable them to use these Fiori apps, when in fact it wasn't intended that these Users would have such access?
Companies are going to have to be very careful with Fiori and making sure, that Roles Users have don't enable them to download Fiori and do more than they were intended to do. There will need to be thorough testing and more diligence from the Security and Authorisations Teams.
A similar case example is MDM: if you authenticate MDM using the corporate LDAP, then it will be possible for Users who were only intended to use the Syndicator or MDM Console to download at their discretion the MDM DataManager and modify data, assuming their Roles are strong enough. The point being, if Users couldn't self-service download these tools there would not be the risk, and the same is true for self-service installation of the Fiori client creating access to Fiori apps.
Andy.
Hi Andy,
what you're saying - to put it bluntly - is you want SAP to only provide software that helps protect your broken security concept.
Of course that's hyperbole, but I guess it helps make the point.
Additionally, users do not need the Fiori client to consume Fiori apps, they can simply use _any_ browser on their mobile or their desktop.
The same exact thing is true for any other ITS services that you make available and your security concept relies on users not finding out about them.
I would suggest you rethink that concept...
Hi Frank,
agree or not, this is the reality and risk for a lot of customers.
And therefore, as part of any Fiori roll out, I recommend all customer SAP Security Teams take a close look at the existing Users' roles and what exactly their roles enable them to do, and fix.
Andy.
That is what customers need to be doing regardless of Fiori.
Security by obscurity has not been overly successful.
yes Frank,
hence the reminder - if a company is implementing Fiori, check the Roles.
In the ideal world where everything works like clockwork, this would not be necessary, in the real world, there is a risk, hence the comments and advice.
Andy.
I would phrase it differently - if you know your roles aren't right, fix them. I don't see how Fiori changes things. Broken roles are broken roles.
Don't tell your auditors you're hoping your users don't notice...
Steve.
thanks Steve,
let me try to phrase it better...
If a customer decides to implement a new UI to SAP then do a regression test of the roles/profiles/authorisations using the new UI to ensure that the new UI does not expose any previously unforeseen security vulnerabilities.
No matter how this is expressed, the message and risk are the same.
No matter how proud a customer is of their SAP Security concept, new UI's introduce new risks and vulnerabilities which must be measured and mitigated.
If anybody can say, without doing any surface testing that a new UI presents no risks then they are braver than me.
And let's not even go into penetration testing.
Andy.
I'm brave. I'm happy to say I know exactly how solid my ERP security model is, where the holes are, and how those holes are managed and mitigated. I wouldn't have it any other way.
Of course new UI layers have new security requirements, but a new UI shouldn't expose previously unknown security issues in the backend system. And expecting others to control access to software to protect you from any such potential holes isn't realistic. A publicly available Fiori client isn't what you should be concerned about!
Steve.
the word shouldn't is precisely the point.
And that's why, depending upon a customer's appetite for risk and the high level risk assessments and classifications of the concerned SAP systems, action should be taken to confirm a new UI does not expose any previously unforeseen vulnerabilities.
Andy.
Let's stifle accessibility of new technology just because some customers have non-existent security implementations and depend on the ignorance of end users....
Hi Joao,
too many people are in denial regarding security.
I suggest a few end to end penetration tests across the application and underlying infrastructure wouldn't go amiss and may reveal some surprising findings.
Only today we have discovered that Internet Explorer has a significant vulnerability.
This month we all became aware of Heartbleed.
So let's not make any assumptions anywhere regarding security, and let's all keep open minded and vigilant.
Best regards,
Andy.
Maybe, but SAP shouldn't stop innovating just because some incompetent IT administrators don't manage their security.
I really don't get your point. Yes, vulnerabilities are out there but those are out of our control. What is under our control is not giving SAP_ALL to everyone. That is clearly under our control, and SAP shouldn't make their product line under the assumption that some IT administrator will give SAP_ALL to everyone and just "hide" the transaction codes.
Hi Joao,
hope you had a good break yesterday.
The SAP_ALLs are reported as an alert in the EWA Report.
The devil as ever, is in the detail.
As Steve said, if a SAP Customer is 100% confident that for every User the Roles and Profiles and Authorisations are 100% finely tuned precisely to what that particular User needs, only to complete their duties, then it could be argued that there's nothing to think about.
On the other hand, if there is any healthy doubt, then do some testing.
It is healthy to employ a certain level of paranoia when it comes to security in today's world.
That's the only point here.
Best regards,
Andy.
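The "check the Roles" and "do some testing" advice above can be started with a plain ABAP audit. The report below is an added example (not Andy's code and not an SAP deliverable) that lists, for a given authorization object, field and value, every user who holds that value through a currently valid role, and separately every user who holds the SAP_ALL profile. It reads the standard role tables AGR_1251 (role authorization data), AGR_USERS (user to role assignment) and UST04 (user profile assignment); the program name and the selection defaults are hypothetical.

```abap
" Added example: audit which users hold a given authorization value via a
" role, plus direct SAP_ALL holders. Program name and defaults are hypothetical.
REPORT zaudit_auth_holders.

PARAMETERS: p_object TYPE agr_1251-object DEFAULT 'S_TCODE',
            p_field  TYPE agr_1251-field  DEFAULT 'TCD',
            p_low    TYPE agr_1251-low    DEFAULT 'ME29N'.

TYPES: BEGIN OF ty_hit,
         uname    TYPE agr_users-uname,
         agr_name TYPE agr_users-agr_name,
         low      TYPE agr_1251-low,
         high     TYPE agr_1251-high,
       END OF ty_hit.

DATA: lt_hits    TYPE STANDARD TABLE OF ty_hit,
      ls_hit     TYPE ty_hit,
      lt_sap_all TYPE STANDARD TABLE OF ust04-bname,
      lv_bname   TYPE ust04-bname.

START-OF-SELECTION.
  " 1. Roles whose authorization data grants the value exactly, as a
  "    wildcard ('*'), or inside a LOW..HIGH range. DELETED = space skips
  "    authorizations removed in PFCG but still stored; the date check
  "    keeps only role assignments valid today.
  SELECT u~uname a~agr_name a~low a~high
    FROM agr_1251 AS a
    INNER JOIN agr_users AS u ON u~agr_name = a~agr_name
    INTO TABLE lt_hits
    WHERE a~object   = p_object
      AND a~field    = p_field
      AND a~deleted  = space
      AND u~from_dat <= sy-datum
      AND u~to_dat   >= sy-datum
      AND ( a~low = p_low
            OR a~low = '*'
            OR ( a~low <= p_low AND a~high >= p_low ) ).

  SORT lt_hits BY uname agr_name low high.
  DELETE ADJACENT DUPLICATES FROM lt_hits COMPARING uname agr_name low high.

  " 2. Users holding SAP_ALL directly in the user master.
  SELECT bname FROM ust04
    INTO TABLE lt_sap_all
    WHERE profile = 'SAP_ALL'.
  SORT lt_sap_all.
  DELETE ADJACENT DUPLICATES FROM lt_sap_all.

  WRITE: / 'Users granted', p_object, p_field, p_low, 'through a role:'.
  LOOP AT lt_hits INTO ls_hit.
    WRITE: / ls_hit-uname, ls_hit-agr_name, ls_hit-low, ls_hit-high.
  ENDLOOP.
  IF lt_hits IS INITIAL.
    WRITE: / '(none)'.
  ENDIF.

  SKIP.
  WRITE: / 'Users holding SAP_ALL (these pass every check regardless of role):'.
  LOOP AT lt_sap_all INTO lv_bname.
    WRITE: / lv_bname.
  ENDLOOP.
  IF lt_sap_all IS INITIAL.
    WRITE: / '(none)'.
  ENDIF.
```

Run it once per authorization object that a new UI's backend service actually checks, not just per transaction code: a Fiori app reaches the backend through an OData service, so S_TCODE alone says little about what it can do. The report looks only at role content and direct profile assignment; it does not tell you whether a role's profile has been regenerated since the authorization data changed, so treat the output as a starting list for SUIM or a proper authorization trace, not as the final verdict.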
Hi Andy,
Good points above. I just finished configuring the Fiori launchpad for a custom SAPUI5 app we're working on. I just added this as a tile in my launchpad and also tried out the Fiori Client.
To your point about user security, it looks like the Fiori Launchpad has a fairly significant number of options for what can be displayed per user. A combination of Launchpad designer plus backend security roles allows you to get really specific: Using Launchpad Designer - User Interface Add-On for SAP NetWeaver - SAP Library
You can create unique catalogs for different user groups and assign via ABAP roles in PFCG (i.e. Shopping Cart Approvers, Procurement, etc). Of course the Launchpad only specifies the display, your backend Gateway authorization objects are what will need to be used to tightly control your data for specific user groups.
One feature I would really like to see in this client is a configuration setting for this app for the launch URL, as well as an ability to pick the Portal as an authentication URL for use with Active Directory credentials.
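Gavin's point that the launchpad catalog "only specifies the display" while the backend authorization objects control the data is the one worth seeing in code. The class below is an added example (not Gavin's code and not part of any SAP deliverable): a Gateway data provider extension that checks a backend authorization object on every entity-set read and every single-entity read, so a user who reaches the OData service in any way (a tile, a bookmarked URL, the Fiori Client, a desktop browser) still receives only rows the backend allows. The generated classes zcl_zapproval_dpc and zcl_zapproval_mpc, the entity fields Poid, Bukrs and Amount, and the authorization object Z_APPR with fields ACTVT and BUKRS are all hypothetical.

```abap
" Added example: enforce a backend authorization object inside a Gateway
" DPC_EXT class. All Z* names and the object Z_APPR are hypothetical.
CLASS zcl_zapproval_dpc_ext DEFINITION
  INHERITING FROM zcl_zapproval_dpc   " hypothetical generated DPC class
  CREATE PUBLIC.
  PUBLIC SECTION.
    METHODS approvalset_get_entityset REDEFINITION.
    METHODS approvalset_get_entity    REDEFINITION.
  PRIVATE SECTION.
    " Returns abap_true when the current user may display approvals of
    " this company code. The catalog decides what is shown on the
    " launchpad; this decides what the service returns.
    METHODS is_display_allowed
      IMPORTING iv_bukrs          TYPE bukrs
      RETURNING VALUE(rv_allowed) TYPE abap_bool.
    " Constructed sample rows standing in for the real table read.
    METHODS read_approvals
      EXPORTING et_approvals TYPE zcl_zapproval_mpc=>tt_approval.
ENDCLASS.

CLASS zcl_zapproval_dpc_ext IMPLEMENTATION.

  METHOD is_display_allowed.
    AUTHORITY-CHECK OBJECT 'Z_APPR'
      ID 'ACTVT' FIELD '03'        " 03 = display
      ID 'BUKRS' FIELD iv_bukrs.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ELSE.
      rv_allowed = abap_false.
    ENDIF.
  ENDMETHOD.

  METHOD read_approvals.
    " Constructed sample data with the hypothetical fields Poid, Bukrs, Amount.
    DATA ls_approval LIKE LINE OF et_approvals.
    CLEAR et_approvals.
    ls_approval-poid   = '4500000001'.
    ls_approval-bukrs  = '1000'.
    ls_approval-amount = '1250.00'.
    APPEND ls_approval TO et_approvals.
    ls_approval-poid   = '4500000002'.
    ls_approval-bukrs  = '2000'.
    ls_approval-amount = '980.50'.
    APPEND ls_approval TO et_approvals.
  ENDMETHOD.

  METHOD approvalset_get_entityset.
    DATA: lt_approvals LIKE et_entityset,
          ls_approval  LIKE LINE OF et_entityset.
    read_approvals( IMPORTING et_approvals = lt_approvals ).
    " Row-level filtering: a hidden tile does not hide these rows,
    " the authorization object does.
    LOOP AT lt_approvals INTO ls_approval.
      IF is_display_allowed( ls_approval-bukrs ) = abap_true.
        APPEND ls_approval TO et_entityset.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.

  METHOD approvalset_get_entity.
    DATA: ls_key       TYPE /iwbep/s_mgw_name_value_pair,
          lt_approvals TYPE zcl_zapproval_mpc=>tt_approval,
          ls_approval  LIKE LINE OF lt_approvals.
    " Key taken from the request URL, e.g. .../ApprovalSet('4500000002')
    READ TABLE it_key_tab INTO ls_key WITH KEY name = 'Poid'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
        EXPORTING
          textid  = /iwbep/cx_mgw_busi_exception=>business_error
          message = 'Key Poid missing'.
    ENDIF.
    read_approvals( IMPORTING et_approvals = lt_approvals ).
    READ TABLE lt_approvals INTO ls_approval WITH KEY poid = ls_key-value.
    " One message for "not found" and "not authorized", so a direct
    " URL request does not reveal which company codes exist.
    IF sy-subrc <> 0 OR is_display_allowed( ls_approval-bukrs ) = abap_false.
      RAISE EXCEPTION TYPE /iwbep/cx_mgw_busi_exception
        EXPORTING
          textid  = /iwbep/cx_mgw_busi_exception=>business_error
          message = 'Approval not found or not authorized'.
    ENDIF.
    er_entity = ls_approval.
  ENDMETHOD.

ENDCLASS.
```

The single-entity method matters as much as the list: the launchpad never shows a user a row they are not allowed to see, but the OData URL for that row is guessable, so the check has to sit in the service, not in the UI. Reaching the service at all is separately gated at the Gateway layer (service activation and the S_SERVICE object); the object check above is what protects the data once the service is reachable.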
Hi Gavin.
thanks for the feedback, in our Fiori pilot we are also testing the security for vulnerabilities.
Regarding what you'd like to see in the client and the authentication, why don't you write a blog on that and bring the question out in the open for discussion 🙂
Best regards,
Andy.
Hey John,
I've installed the app on an iPad 2 running iOS 5.0.1.
After entering the Fiori URL, the app shows the standard Netweaver login web page with read-only fields issuing that the browser is not supported.
Regards Wolfgang
Wolfgang, iOS 5 is not a supported platform. SAP Fiori Client only supports iOS 6 and 7, that's clearly documented in the user guide and requirements.
John, unfortunately on my iPhone 4s running iOS 7.0.4 the error message is the same.
Regards
Wolfgang
Then you have a problem with your configuration because the Fiori Client should only render the Fiori logon. Fiori Client isn't the browser, it won't automatically install certificates for example, so it only works with Fiori logon/SSO.
Hello John,
thanks for your reply, the cause was an error in the URL entered in the Fiori app configuration. Now it works fine, even on the iPad 2 running iOS 5...
Regards
Wolfgang
Hi John,
Thanks for this great update. I have been eagerly waiting for this app but was disappointed to find SAP NetWeaver 7.40 SP04 (SAP_UI) as one of the prerequisites. Does it mean that SAP doesn't want people to use this app for the transactional apps available on ECC and other systems running on lower versions of NW? In my opinion this app should be available for all the Fiori apps.
Appreciate if you can share the roadmap for this app.
Regards,
Nilay
No, that's not what it means. The minimum landscape requirements exist because there was a feature added that enables the cache management capabilities of the SAP Fiori Client. Without that particular feature, the Fiori Client cannot manage the SAP Fiori cache correctly and determine when Fiori has been updated.
Hello,
I installed it both for iPad (iOS) & Nexus 5 (Android); it would have been good if there were a demo within the app for a brief look & feel.
After going through the security oriented concern discussion here, I remember a statement read somewhere, which goes like:
"Security is a practice not a product"
Regards,
Suvonkar
Hi John,
any news regarding Fiori client for Windows phone and Blackberry devices?
Regards
Wolfgang
I'm planning a blog post on this topic, hope to have it published soon. Short answer is that for Windows Phone, there are currently technical limitations we're working through with Microsoft's help. On Windows the Web View is sandboxed, so we can't do some of the things we want to do (right now). Windows 10, of course, removes many of those limitations.
BlackBerry support for Fiori Client is not currently on the roadmap.
Hi John,
we would like to be able to open SAP Fiori Client from within our iOS app (available on iTunes: SAP Fiori Notifier). Could you please tell me whether SAP Fiori Client is URL schema enabled, and if so, would you be so kind and provide the key to us please?
Alternatively would you direct me to the relevant person?
Thanks in advance!
Regards
Peter Hrebik from Rocket Consulting Ltd
It is not. No current plans to do so. You could do this by making your own Fiori Client app using the SMP SDK.