However, since the change to S/4HANA is a totally new product rather than a version upgrade or an extension to the existing system, it is even more important to carefully review your existing authorizations concept and optimize it for security and usability.
SAP S/4HANA uses the same security model as traditional ABAP SAP applications. Users are still assigned PFCG roles in SU01 in the same way, but in addition to this, access to Fiori also needs to be maintained. For your security team, this added layer has the potential to make access maintenance more complex and prone to errors. So even if parts of your existing authorization concept are still valid, adaptation to meet new requirements is needed. A well-functioning and carefully designed authorization concept will not only increase system security and make user and role maintenance easier, but it will also help users to have a positive experience with the new S/4HANA system – and therefore have a positive impact on their attitude towards the change.
For more on Fiori user management and authorization check the SAP Help Portal: User Management and Authorization
The amount of effort needed to make authorization changes will depend on how the new system is designed to be used. If the plan is to continue using GUI (the traditional graphical user interface client in SAP) and only implement minimal Fiori use you will need to do at least the following:
- Review the impacts on existing authorizations based on SAP’s Simplification List of upcoming changes; these impacts can include things like transactions becoming obsolete or being substituted by a new transaction or a Fiori app.
- Set up authorizations in the new system including SU24 (maintenance of authorization defaults).
- Migrate roles and adapt them with new content, or define and build new roles; remember to document all role changes.
- Migrate existing and create new users as needed; this applies to both business and technical users.
- Plan, execute, and support different levels of authorization (role) testing, and plan and execute issue resolution; again, remember to document all testing and issue resolution procedures. Also, remember to include negative testing (testing that users can’t see anything they are not authorized to see or execute any actions they are not authorized to perform).
- Train new users and establish good communications with the whole user base.
- Make sure you have a solid go-live plan including user role assignments and communicate access details to users.
- Create a robust plan for support after go-live and a plan for handover to continuous support.
- Plan rollback scenarios for authorizations and how to provide emergency access (SAP_ALL no longer works for everything).
- If you are using a governance, risk management, and compliance (GRC) tool, adjust the access control ruleset to include S4 and Fiori rules to make sure you do not lose visibility over risks in false Check out SAP’s YouTube channel for more information: SAP GRC solutions and SAP S/4HANA
- Update or create authorization concept documentation
The list above can make the amount of work seem overwhelming considering that authorizations are only one part of the project. The good thing is that there are SAP guidelines to follow and experts available to help you break down even the biggest projects into understandable and manageable tasks.
Below are some essentials to bear in mind:
- Include authorization in your S/4HANA project plan right from the start. If users can’t access the functionality they need or perform their tasks the new system will be useless. On the other hand, if the access given is too wide (the quick and dirty access solution) there is a risk of unintentional misuse, intentional fraud, or at the very least red flags from auditors.
- Put serious effort into testing. Carefully consider who should do it and what needs to be tested. Please note that issue resolution for authorizations is more complex in S/4HANA than in a traditional SAP system. Allow plenty of time for retesting after issues are resolved and for discussion with business experts since authorizations issues are not always just technical but sometimes need business decision making and policy definitions.
- Speak to your SAP authorization expert about recommendations and best practices. There is no need to reinvent the wheel.