Application Security explained in Investigative Case Management for SAP S/4HANA
Investigative Case Management has been available on SAP S/4HANA since the 1909 FPS00 release. An overview of the product can be found in the below blog post.
Investigative Case Management (ICM) delivers all of its functionality as apps in SAP Fiori Launchpad (FLP). This harmonized approach includes Fiori-based applications (location and object) and Web client UI-based harmonized applications. As a result, application access goes through different technology security layers and is subjected to numerous security checks. The following figure provides a high-level overview of the different checkpoints.
A Business Role contains all the catalogs (UI) and roles (authorizations) a user needs to perform their job. Business Roles are created by the customer (Key User). SAP delivers Business Role templates to simplify the creation of business roles by the customer. ICM delivers a business role called SAP_BR_INVESTIGATOR. Below is the high-level access flow within the business role for ICM.
Authorization object-based checks
ICM supports classic authorization object-based checks when searching, reading or updating its entities. DCL (Data Control Language) controls data access during read operations for Fiori-based apps (location and object). The Web client UI-based applications perform a similar check at the API level. Below is an instance of how complex authorization is achieved in the basic DCL view for the Location application.
More details on the authorization object for each entity and its possible values can be found in the security guide document.
Back end PFCG Role for security profiles
ICM delivers a frontend (also referred to as the gateway system) PFCG role, which is functionally also referred to as the ‘Business Role’. It contains the catalog with target IDs to launch WCF apps from Fiori Launchpad, along with catalog items that access the Fiori applications. This role controls only the visibility of the applications in FLP.
A corresponding backend authorization role, with the catalogs from the frontend server, is needed to define backend service access. This role is not delivered as standard and needs to be created by the customer. Standard authorization object proposals for a service, along with their default values, are delivered as SU22 proposals.
The backend role is created in the backend system (the place where the application logic and final data are stored). Refer to the general documentation on this topic for more details on how to achieve this in S/4HANA systems.
Refer to SAP Note 2700701 and all its linked notes for setting up the Web client UI in integration mode.
Special Authorization Rules
Investigative Case Management includes the following authorization business rules out of the box:
Security level rule: The security level rule is used to provide a broad level of authorization. The rule grants access rights to users who have a security level for a given Investigative Case Management application entity type that is higher than or equal to the security level of a given instance of the entity type.
Hidden rule: The hidden rule is a composite rule. It revokes access rights from users who would typically have access through the security level rule, unless the user is assigned as staff and unit.
Note: The hidden flag check is in combination with the security level check. When the hidden flag is set, the security level is ignored.
Anonymization and expunge
To comply with legal regulations, records relating to individuals or organizations have to be anonymized, expunged, or archived after certain dates. The period after which data has to be expunged depends on the type of involvement of the party concerned, for example, as witness, suspect, and so on. ICM provides the Anonymize Persons functionality to anonymize one or more fields for a person or persons.
Expunging is a feature relevant for ICM relationships. Using this feature, customers can set an ‘expunge date’ for a relationship after which the relationship data will be moved from its related entities. Expunging of the relationships can be achieved by scheduling the execution of the report RCRM_ICM_REL_EXPUNGE at regular intervals.
Category based field visibility:
This is a special feature built into ICM Location and ICM Objects only, to control the visibility of a customer-extended field based on its category. On the Fiori UI, a field or group of fields appears or disappears just by changing the value of a category field. This feature is already explained with an illustration in the below blog post.
ICM Relationship authority checks: An ICM relationship is an entity designed to connect any two other ICM entity types. An authority check at relationship level is a collective check of both the source and the target entity of a relationship.
The relationship must ensure that the related elements are authorized before exporting its authorization parameters. The state progress diagram below illustrates the authorization sequence of an authority check for a relationship entity.
These checks are done at the API level to control visibility in the Web client UI applications, and in the CDS view for the Fiori applications.
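The security level rule, the hidden rule and the collective relationship check described above can be modelled as one access decision. The following Python sketch is an added example, not ICM code or part of the original post; the class names, field names and sample users are assumptions, and "assigned as staff and unit" is read here as requiring both the user and the user's unit to be assigned to the entity.

```python
from dataclasses import dataclass

# Simplified model of the rules above. Class and field names are assumptions
# made for this example; they are not ICM's data model or API.

@dataclass
class User:
    name: str
    unit: str
    levels: dict  # entity type -> security level held for that type

@dataclass
class Entity:
    etype: str
    level: int
    hidden: bool = False
    staff: frozenset = frozenset()
    units: frozenset = frozenset()

def may_access(user, entity):
    if entity.hidden:
        # Hidden flag set: the security level is ignored. Assumption: "assigned
        # as staff and unit" means the user and the user's unit are both assigned.
        return user.name in entity.staff and user.unit in entity.units
    # Security level rule: level for this entity type >= the instance's level.
    held = user.levels.get(entity.etype)
    return held is not None and held >= entity.level  # no level -> deny

def may_access_relationship(user, source, target):
    # Collective check: both ends of the relationship must be authorized.
    return may_access(user, source) and may_access(user, target)

# Constructed sample data.
senior = User("avery", "UNIT_A", {"PERSON": 5, "LOCATION": 5})
junior = User("blake", "UNIT_B", {"PERSON": 1, "LOCATION": 1})
open_loc = Entity("LOCATION", 1)
secret_person = Entity("PERSON", 4)
hidden_person = Entity("PERSON", 4, hidden=True,
                       staff=frozenset({"blake"}), units=frozenset({"UNIT_B"}))

def demo():
    return {
        "senior_secret": may_access(senior, secret_person),     # level 5 >= 4
        "junior_secret": may_access(junior, secret_person),     # level 1 < 4
        "senior_hidden": may_access(senior, hidden_person),     # not assigned
        "junior_hidden": may_access(junior, hidden_person),     # assigned
        "junior_rel": may_access_relationship(junior, open_loc, secret_person),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The `junior_hidden` case shows the consequence of the note on the hidden flag: an assigned user reaches a hidden entity even with a lower security level, so staff and unit assignments on hidden records deserve the same review as security level grants.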
DPP at ICM
Investigative Case Management fully complies with DPP laws by providing out-of-the-box implementations in different tools. Refer to the security guide for more guidance.
Image Source: All the images used in the above blog post are taken from different official design documents for Investigative Case Management.