An SAP S/4HANA implementation involves massive business process reengineering and introduces a new user interface (SAP Fiori), with a shift from monolithic transactions to role-based, activity-oriented apps. This means many changes for both technical and business users, and it raises the question whether the previous authorization concept still supports the security requirements of SAP S/4HANA.
SAP S/4HANA On Premise – Security Model
SAP S/4HANA uses the same security model as traditional ABAP applications: end users of an S/4HANA application are handled by the SAP NetWeaver security functions, and S/4HANA authorizations are still maintained with the classical ABAP tools (PFCG, SU01, SU22). Several topics nevertheless change how authorizations have to be handled.
S/4HANA authorizations are mainly impacted by
- SAP Fiori (role-based apps, SOA paradigm)
- ABAP Core Data Services (to protect data exposed to various consumers)
- SAP HANA (SAP HANA security functions manage access to the data models)
Deployment Options of SAP Fiori for SAP S/4HANA On Premise
There are two options to adopt the SAP Fiori experience when implementing SAP S/4HANA on premise.
The recommended setup is an embedded SAP Fiori front-end server. It simplifies the activation of SAP Fiori apps for S/4HANA and automates the setup of the SAP Fiori launchpad.
Alternatively, an SAP S/4HANA system with a dedicated standalone SAP Fiori front-end server (one per SAP S/4HANA system) may be an option for certain use cases. In both setups, authorizations have to be maintained for the front-end and for the back-end side, as described below.
SAP S/4HANA Authorizations and Authorizations derived from UI assignments
SAP GUI transactions on the back end are started from the role menu: a PFCG role whose menu contains a transaction carries the start authorization for it (authorization object S_TCODE), and the authorization defaults pulled in for that transaction provide the data access authorizations.
The SAP Fiori UI entities define which Fiori apps are displayed to a user; the apps are organized in catalogs and groups. Authorizations are required to use the Fiori launchpad, to start Fiori apps, and to use the business logic and the data behind the apps.
SAP Fiori-PFCG integration to SAP S/4HANA on-premise
PFCG roles are used to assign the UI entities and the authorizations to users, on both the front-end and the back-end server.
PFCG roles on the front-end server
Adding catalogs to the role menu makes the apps in those catalogs available to the users; adding groups defines the SAP Fiori launchpad entry page.
To start the apps, users also need the start authorization for the model provider of the activated OData services on the front-end server. These start authorizations are obtained by adding the OData services to the PFCG role menu.
PFCG roles on the back-end server
The OData services used by the SAP Fiori apps are implemented on the back-end system, so users need the start authorization for the OData service's data provider there, plus all the business authorizations for the business data that the app displays.
OData services carry authorization defaults for these business authorizations, as proposed by SAP.
When an OData service is added to the PFCG role menu, the start authorization is added and the authorization defaults for the application's business authorizations are pulled into the role. The defaults are a starting point only: organizational levels and activity values still have to be maintained in the role and checked against the access the role is meant to grant.
If available, it is recommended to add the catalog to the back-end role menu instead, so that the OData services contained in the catalog are determined automatically and the authorizations are updated when the catalog changes. In the figure above, the dotted arrow from the menu of the PFCG role on the back-end to the catalog on the front-end illustrates this recommendation.
Authorization Concept for ABAP Core Data Services
In SAP HANA it is more efficient to bring the code to the data, meaning to push down calculations from the ABAP application server to SAP HANA and transfer only the results back.
With SAP S/4HANA, the ABAP Repository was extended with Core Data Services (CDS) views. CDS views are deployed as database views in the SAP HANA database.
ABAP Core Data Services (CDS) has its own authorization concept, based on a data control language (DCL). It uses the underlying data model to check the authorizations of users.
The CDS authorization concept coexists with the classical authorization concept of SAP NetWeaver Application Server for ABAP; the two can be used together or independently of one another.
The classical authorization concept is based on authorization objects. A user is authorized either implicitly, when calling a transaction, or explicitly with the statement AUTHORITY-CHECK. The CDS authorization concept is based on implicit checks that occur whenever a CDS entity is accessed, for example through the service adaptation definition language (SADL) behind an OData service, or through an Open SQL SELECT on the entity.
The CDS authorization concept is declarative rather than coded: the access conditions are defined in CDS modeling objects (DCL access controls) and are therefore part of the data model. The conditions are pushed down to the database by extending the Open SQL SELECT statement with an additional WHERE condition, so rows the user is not authorized for are never transferred to the application server.
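As an added example (not code from the original post or from SAP's delivered content), the following shows what "declarative, part of the data model" looks like in practice: a CDS view over the sales document header table VBAK with access control switched on, and the DCL access control that maps the row filter to the standard authorization object V_VBAK_VKO. The names ZI_SalesOrder, ZISALESORDER and ZI_SALESORDER_AC are assumptions; the DDL and the DCL are two separate development objects and are only shown together here.

```abap
// DDL source ZI_SALESORDER (hypothetical name): CDS view over VBAK.
// @AccessControl.authorizationCheck: #CHECK means every read of this entity
// (OData via SADL, Open SQL SELECT) is filtered by the DCL below.
@AbapCatalog.sqlViewName: 'ZISALESORDER'   // generated DDIC SQL view name (max 16 chars)
@AbapCatalog.compiler.compareFilter: true
@AccessControl.authorizationCheck: #CHECK
@EndUserText.label: 'Sales Order (access controlled)'
define view ZI_SalesOrder
  as select from vbak
{
  key vbeln as SalesOrder,
      vkorg as SalesOrganization,
      vtweg as DistributionChannel,
      spart as Division,
      netwr as NetValue,
      waerk as Currency
}

// DCL source ZI_SALESORDER_AC (hypothetical name): instance-based access control
// for ZI_SalesOrder. A row is returned only if the reading user holds a PFCG
// authorization for object V_VBAK_VKO whose VKORG/VTWEG/SPART values match the
// row and whose ACTVT contains '03' (display). No ABAP code is involved: the
// condition is added to the WHERE clause of every SELECT on the entity and
// evaluated in SAP HANA.
@EndUserText.label: 'Access control for ZI_SalesOrder'
@MappingRole: true
define role ZI_SALESORDER_AC {
  grant select on ZI_SalesOrder
    where ( SalesOrganization, DistributionChannel, Division )
          = aspect pfcg_auth( V_VBAK_VKO, VKORG, VTWEG, SPART, ACTVT = '03' );
}
```

The `pfcg_auth` aspect is what ties the CDS concept to the classical one: the DCL does not define its own set of users or rights, it reads the user's existing PFCG authorizations for V_VBAK_VKO at runtime. Changing the role data therefore changes what the view returns, without touching the view or the consuming app.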
It is advisable to keep using classic authorization checks for start authorizations (to check whether a user may start an application in the first place). CDS access control can then be used within the application for instance-based authorization checks (to check a user's authorization for the data in question, as defined by the data model). Note that a DCL never raises an error: a user without the relevant authorizations simply receives fewer or no rows, which is one reason the explicit start check is still needed.
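The combination recommended above, as an added example that is not part of the original post: an explicit classic AUTHORITY-CHECK for the start authorization, followed by a read of an access-controlled CDS view where the DCL is applied implicitly. The authorization object Z_SO_APP (assumed to have the single field ACTVT), the view ZI_SalesOrder with its DCL, and the exception class zcx_not_authorized are all assumptions for this example.

```abap
" Added example: classic start check + CDS instance-based access control.
" Z_SO_APP, zi_salesorder and zcx_not_authorized are hypothetical names.
CLASS zcl_sales_order_reader DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    TYPES ty_orders TYPE STANDARD TABLE OF zi_salesorder WITH EMPTY KEY.
    METHODS read_orders
      IMPORTING iv_salesorg      TYPE vkorg
      RETURNING VALUE(rt_orders) TYPE ty_orders
      RAISING   zcx_not_authorized.
ENDCLASS.

CLASS zcl_sales_order_reader IMPLEMENTATION.
  METHOD read_orders.
    " 1. Start authorization (classic concept): may this user use the sales
    "    order application at all? Without this check a user who lacks every
    "    V_VBAK_VKO authorization would silently get an empty list instead
    "    of being rejected.
    AUTHORITY-CHECK OBJECT 'Z_SO_APP'
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE zcx_not_authorized.
    ENDIF.

    " 2. Instance-based authorization (CDS concept): the SELECT targets the
    "    CDS entity, so its DCL access control is applied implicitly as an
    "    additional WHERE condition and evaluated in SAP HANA. Rows in sales
    "    organizations / channels / divisions outside the user's V_VBAK_VKO
    "    authorizations never reach the application server; no per-row
    "    AUTHORITY-CHECK is needed here.
    SELECT FROM zi_salesorder
      FIELDS SalesOrder, SalesOrganization, DistributionChannel,
             Division, NetValue, Currency
      WHERE SalesOrganization = @iv_salesorg
      ORDER BY SalesOrder
      INTO TABLE @rt_orders.
  ENDMETHOD.
ENDCLASS.
```

Because the DCL is enforced on the entity and not in this class, any other consumer of ZI_SalesOrder (an OData service generated over it, an analytical query, an ad hoc SELECT in another program) gets the same row filter for free. The only way a program could read past it is to select from the underlying table directly instead of from the CDS entity, which is why data exposure for Fiori and analytics should go through the access-controlled view rather than through the base table.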
SAP HANA Security Functions
In the 3-tier architecture of SAP S/4HANA, security-related features such as authentication, authorization, encryption, and auditing are located and enforced primarily in the application server layer.
SAP HANA is used as a data store only: the application connects to the database with a technical user, and direct database access is only possible for database administrators. End users have direct access neither to the database itself nor to the database server on which it runs. As a consequence, the ABAP-side authorizations (PFCG roles and CDS access controls) are the only access control that applies to end users, and the credentials of the technical database user must be protected accordingly.
The migration to S/4HANA is an opportunity to introduce new processes and to simplify existing ones with role-based access through the new UI (SAP Fiori). It is the right time to rethink and redesign the existing authorization concept.
Additional details on S/4HANA security
- 2926224 – Collection Note: New security settings for S/4HANA using SL Toolset and SUM
- 2714839 – New security settings for S/4HANA 1909 (and later) installations and system copies using SL Toolset 1.0
- 2713544 – New security settings during conversion to S/4HANA 1909 (and later) with SUM 2.0 SP6 (and later)
- 2975959 – Security settings during upgrade to S/4HANA 2020 with SUM 2.0 SP10 (and later)
- 2919392 – Determining missing authorizations for Access Controlled CDS Entities
– Brought to you by the S/4HANA RIG –