SAP S/4 HANA implementation involve massive business process reengineering and introduces a new user interfaces (SAP Fiori) with a shift from monolithic solutions to activity-based apps which means many changes to the Technical and Business users. This raises a question whether the previous authorisation concept still support the security requirements of SAP S/4HANA?
SAP S/4HANA uses the same security model as traditional ABAP applications. End users in S/4HANA Application are associated with NetWeaver security functions. SAP S/4HANA Authorisations are based on “classical” ABAP like PFCG / SU01 / SU22 but there are many topics impact authorisation handling.
S/4HANA authorisations are mainly impacted by
There are two options to adopt SAP Fiori experience while implementing SAP S/4HANA on-premise / SAP S/4HANA Cloud, private edition
The recommended setup is embedded SAP Fiori front-end server, It allows to simplify the activation of SAP Fiori apps for S/4HANA and automate the setup of SAP Fiori launchpad.
Alternatively, an SAP S/4HANA system with a dedicated standalone SAP Fiori front-end server (for each SAP S/4HANA system) might be an option for certain use cases.
SAP back-end GUI transactions are called using the role menu, the PFCG role contains the start authorisation and data access authorisation in the role menu.
The SAP Fiori UI entities define which Fiori apps are displayed to the user. The apps are organised through catalogs and groups. Authorisations are required to use Fiori launchpad and to start Fiori apps and also to use the business logic and data of the apps.
PFCG roles are used to assign the UI entities and authorisations to the users in front-end and back-end server
By adding the catalogs to the role menu, the apps are included in the catalog that is available to the users. By adding groups, SAP Fiori launchpad entry page is defined.
For start the apps, users require the start authorisations for the model provider of the activated OData services, to get these start authorisations add OData services to the PFCG role menu.
The OData services that the SAP Fiori apps use are implemented on the Back-end System, therefore the users need to have start authorisation for the OData service’s data provider, and all the business authorisations for accessing the business data that is displayed in the app.
OData services carry the authorisation defaults for the business authorisations as suggested by SAP.
To get the authorisations OData services are added to the PFCG role menu with this start authorisations and the authorisation defaults to the business authorisations of the applications are added to the role.
If available, it is recommended to add the catalog to the role menu to automatically determine the OData services that are included in the catalog with that update of authorisations when the catalog changes are organised. In the figure above, the dotted arrow pointing from the menu of the PFCG role on the back-end to the catalog on the front-end illustrates this recommendation.
In SAP HANA it is more efficient to bring the code to the data, meaning to push down calculations from the ABAP application server in SAP HANA and only transfer the results back.
With SAP S/4HANA, the ABAP Repository was extended with Core Data Services (CDS) views. CDS Views are deployed as HANA views in the SAP HANA Database.
ABAP Core Data Services (CDS) has its own authorisation concept based on a data control language (DCL). The authorisation concept of ABAP CDS uses the underlying data model to check the authorisations of users.
The CDS authorisation concept coexists with the classical authorisation concept of SAP NetWeaver Application Server for ABAP. The CDS authorisation concept can be used together or independently of another.
The classical authorisation concept is based on authorisation objects. The authorisation of a user occurs either implicitly while calling a transaction or explicitly with the statement AUTHORITY-CHECK. The CDS authorisation concept is based on implicit authorisation checks that occur during access attempts to CDS entities over service adaptation definition language (SADL).
The CDS authorisation concept is "declarative approach" instead of coded (implicit authorisation checks that occur during access attempts to CDS entities) based on CDS modelling objects and therefore part of the data-model. Authorisations are also pushed down to Database by extending the Open SQL SELECT statement.
It is advisable to continue to use classic authorisation checks for start authorisations (used to check whether a user can start an application in the first place). CDS access control can be used within an application to perform instance-based authorisation checks (used to check the authorisation of a user as defined by the data model and the data in question).
Security-related features, such as authentication, authorisation, encryption, and auditing, are located and enforced primarily in the application server layer in SAP S/4HANA 3-tier Architecture.
SAP HANA is used as a data store only, applications connect to the database using a technical user and direct access to the database is only possible for database administrators. End users do not have direct access to either the database itself or the database server on which it is running.
The migration to S/4HANA is an opportunity to introduce new processes and to simplify existing processes with a role-based access into the new UI(SAP Fiori). It is the right time to think and redesign the existing authorisation concept.
– Brought to you by the S/4HANA RIG –
SAP S/4HANA On-premise/ SAP S/4HANA Cloud, private edition – Security Model
SAP S/4HANA uses the same security model as traditional ABAP applications. End users in S/4HANA Application are associated with NetWeaver security functions. SAP S/4HANA Authorisations are based on “classical” ABAP like PFCG / SU01 / SU22 but there are many topics impact authorisation handling.
S/4HANA authorisations are mainly impacted by
- SAP Fiori (Role based apps, SOA paradigm)
- ABAP Core Data Services (to protect data exposed to various consumers)
- SAP HANA (SAP HANA security functions manages access to data models)
Deployment Options of SAP Fiori for SAP S/4HANA On Premise / SAP S/4HANA Cloud, private edition
There are two options to adopt SAP Fiori experience while implementing SAP S/4HANA on-premise / SAP S/4HANA Cloud, private edition
The recommended setup is embedded SAP Fiori front-end server, It allows to simplify the activation of SAP Fiori apps for S/4HANA and automate the setup of SAP Fiori launchpad.
Alternatively, an SAP S/4HANA system with a dedicated standalone SAP Fiori front-end server (for each SAP S/4HANA system) might be an option for certain use cases.
SAP S/4HANA Authorisations and Authorisations derived from UI assignments
SAP back-end GUI transactions are called using the role menu, the PFCG role contains the start authorisation and data access authorisation in the role menu.
The SAP Fiori UI entities define which Fiori apps are displayed to the user. The apps are organised through catalogs and groups. Authorisations are required to use Fiori launchpad and to start Fiori apps and also to use the business logic and data of the apps.
SAP Fiori-PFCG integration to SAP S/4HANA on-premise / SAP S/4HANA Cloud, private edition
PFCG roles are used to assign the UI entities and authorisations to the users in front-end and back-end server
PFCG roles on the front-end server
By adding the catalogs to the role menu, the apps are included in the catalog that is available to the users. By adding groups, SAP Fiori launchpad entry page is defined.
For start the apps, users require the start authorisations for the model provider of the activated OData services, to get these start authorisations add OData services to the PFCG role menu.
PFCG roles on the back-end server
The OData services that the SAP Fiori apps use are implemented on the Back-end System, therefore the users need to have start authorisation for the OData service’s data provider, and all the business authorisations for accessing the business data that is displayed in the app.
OData services carry the authorisation defaults for the business authorisations as suggested by SAP.
To get the authorisations OData services are added to the PFCG role menu with this start authorisations and the authorisation defaults to the business authorisations of the applications are added to the role.
If available, it is recommended to add the catalog to the role menu to automatically determine the OData services that are included in the catalog with that update of authorisations when the catalog changes are organised. In the figure above, the dotted arrow pointing from the menu of the PFCG role on the back-end to the catalog on the front-end illustrates this recommendation.
Authorisation Concept for ABAP Core Data Services
In SAP HANA it is more efficient to bring the code to the data, meaning to push down calculations from the ABAP application server in SAP HANA and only transfer the results back.
With SAP S/4HANA, the ABAP Repository was extended with Core Data Services (CDS) views. CDS Views are deployed as HANA views in the SAP HANA Database.
ABAP Core Data Services (CDS) has its own authorisation concept based on a data control language (DCL). The authorisation concept of ABAP CDS uses the underlying data model to check the authorisations of users.
The CDS authorisation concept coexists with the classical authorisation concept of SAP NetWeaver Application Server for ABAP. The CDS authorisation concept can be used together or independently of another.
The classical authorisation concept is based on authorisation objects. The authorisation of a user occurs either implicitly while calling a transaction or explicitly with the statement AUTHORITY-CHECK. The CDS authorisation concept is based on implicit authorisation checks that occur during access attempts to CDS entities over service adaptation definition language (SADL).
Declarative approach
The CDS authorisation concept is "declarative approach" instead of coded (implicit authorisation checks that occur during access attempts to CDS entities) based on CDS modelling objects and therefore part of the data-model. Authorisations are also pushed down to Database by extending the Open SQL SELECT statement.
It is advisable to continue to use classic authorisation checks for start authorisations (used to check whether a user can start an application in the first place). CDS access control can be used within an application to perform instance-based authorisation checks (used to check the authorisation of a user as defined by the data model and the data in question).
SAP HANA Security Functions
Security-related features, such as authentication, authorisation, encryption, and auditing, are located and enforced primarily in the application server layer in SAP S/4HANA 3-tier Architecture.
SAP HANA is used as a data store only, applications connect to the database using a technical user and direct access to the database is only possible for database administrators. End users do not have direct access to either the database itself or the database server on which it is running.
Summary
The migration to S/4HANA is an opportunity to introduce new processes and to simplify existing processes with a role-based access into the new UI(SAP Fiori). It is the right time to think and redesign the existing authorisation concept.
Additional details on S/4HANA security
- 2926224 - Collection Note: New security settings for S/4HANA using SL Toolset and SUM
- 2714839 - New security settings for S/4HANA 1909 (and later) installations and system copies using SL Toolset 1.0
- 2713544 - New security settings during conversion to S/4HANA 1909 (and later) with SUM 2.0 SP6 (and later)
- 2975959 - Security settings during upgrade to S/4HANA 2020 with SUM 2.0 SP10 (and later)
- 2919392 - Determining missing authorisations for Access Controlled CDS Entities
- https://blogs.sap.com/2019/10/02/secure-by-default-ways-to-harden-your-systems-at-almost-no-cost/
- https://blogs.sap.com/2020/10/07/secure-by-default-for-s-4hana-2020/
- https://blogs.sap.com/2017/12/15/considerations-and-recommendations-for-internet-facing-fiori-apps/c...
– Brought to you by the S/4HANA RIG –
- SAP Managed Tags:
1 Comment
