SAP Fiori adoption enabled by Security Role Design
SAP Fiori improves business efficiency, user satisfaction, and decision-making capabilities by delivering a modern, user-centric approach to enterprise applications. Many organizations running on SAP systems such as S/4HANA or SAP Cloud solutions are adopting SAP Fiori and migrating away from SAP GUI as an interface for Business users.
A significant aspect of adopting SAP Fiori in many organizations is the upgrade or transformation of existing SAP Security Role concepts. SAP Fiori introduces a new user interface paradigm, which requires a different approach to managing user access and authorizations compared to the traditional SAP GUI-based applications.
In the SAP GUI environment, access to transactions and functionality is typically controlled through transaction codes and complex authorization profiles defined in PFCG security roles. SAP Fiori applications, however, follow a more app-centric design, where user access is determined by a combination of PFCG roles, business catalogs, and Fiori spaces, pages, or groups. This means that the traditional SAP security roles and authorizations need to be adapted to accommodate the Fiori app-based landscape.
The process of upgrading SAP Security Roles to be Fiori-ready involves:
- Identifying Fiori Apps and Tiles relevant for the Business tasks
- Creating Business Catalogs
- Creating PFCG roles for Business Catalogs and managing data security with granular authorization restrictions. Existing PFCG roles can be leveraged here to reuse known data security and organizational restrictions.
- Creating Fiori Spaces and Pages or Groups aligned with Business Processes to manage end-user visualization, and mapping them to PFCG roles
- Creating Business, Job, or Composite roles to group these various elements for ease of user assignment. The existing design concept can be leveraged to accelerate this step.
Key design considerations:
- In many instances, Fiori Apps and GUI transaction codes do not have a one-to-one replacement relationship. The relevant application teams and process experts need to be involved to identify the Fiori Apps required to perform business tasks.
- For various business tasks, process owners must decide whether to continue using GUI transaction codes on the Fiori launchpad or to migrate to newer versions of Fiori apps.
- Optimal User Experience requires a well-defined Fiori Space, Page, and Section. Fiori pages and sections are to be defined considering business inputs and performance considerations, such as:
  - The order in which the apps are to be placed in Sections.
  - The apps most used by Business users are shown in Pages, and the rest are available via search.
- The Fiori deployment model (Embedded, Central Hub, or BTP) needs to be considered when designing Fiori elements.
Other considerations to support compliance objectives:
- Consider enhancing Risk Ruleset definitions with Fiori Apps and cleaning up obsolete transaction codes and associated permissions
- Consider enhancing the Risk and Control Matrix for Business Process and IT General Controls techniques with relevant Fiori Apps
- Consider reviewing the Fiori apps included in the role design from a GDPR perspective
- Consider training relevant teams on Fiori concepts, as traditional SAP Security skills and knowledge are not enough to design and sustain a Fiori-based role design
The upgrade of SAP Security Roles to be Fiori-ready is a crucial step in the successful adoption of SAP Fiori, as it ensures that users have the right level of access to perform their tasks while maintaining the security and integrity of the SAP landscape. Proper planning, collaboration between security, application teams & business teams, and thorough testing are essential for a smooth and secure transition to a Fiori-based environment.