5 suggestions on SAP S/4HANA Security: S/4HANA Upgrade

Posted by Andrea Mazzolani (translation) on Feb 24, 2023 12:00:00 AM

What are the focus points in SAP S/4HANA projects?

What is worth doing to prepare? How to approach new things?

1) Greenfield or Brownfield?

We already talked about this topic in this post. But what should you do?

Greenfield: the upgrade becomes a comprehensive review of the processes currently in place; in some respects it is like a new implementation project. This is an excellent opportunity to revise processes, either by improving parts of them or by taking advantage of new features in the suite.

Beware, however, that this may require more analysis time and bring more complexity. Take this into account if you want to go this route. Consequently, the profiling aspects can also become much more challenging than in a "technical" or brownfield upgrade.

Brownfield: in this case it is a more technical upgrade. That is, all (or almost all) of the existing features continue to work, while none or only a few of the new features of the new release are introduced.

It can be easier than greenfield; however, in some contexts it is still challenging.

Remember that if you have defined a good authorization concept, such an upgrade can certainly be less complicated than if you have not defined one or have not followed SAP profiling management rules.

Unfortunately, in many cases, because permissions "work" anyway regardless of how you have managed them, you discover the difficulties only at upgrade or release update time.

The tools SAP provides will only work if you have adhered to all SAP role construction best practices.

Read here why SAP authorizations are often forgotten during a release upgrade.

2) Co-Deployment or Embedded: which S/4HANA architecture?

There are several ways to build the S/4HANA architecture. Several components are needed, for example:

  • The Front End Server (FES)
  • The Back End Server (BES)

 

The first (FES) hosts the SAP Gateway, where the apps are exposed; the second (BES) hosts the ERP. There are several deployment options for where the Gateway is placed.

In general, from a permissions point of view, the difference is whether the SAP Gateway (FES) is on the same machine as the backend or on a separate stand-alone machine.

If it is on a stand-alone machine, you will have to define there the roles (called Catalogs and Groups) that determine which apps a user can see in the Fiori interface.

If the BES and FES coincide, it all happens on the same machine.

What are the focus points?

  • Defining groups and catalogs can take time; start as soon as possible to figure out which apps should be activated and how they should be grouped
  • Define a naming convention between BES and FES roles if they are different systems. This is useful when you need to make assignments even without an Identity Management system
  • Pay attention to the S_RFCACL authorization object (trusted RFC) if BES and FES are two different systems. It must be properly segregated
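
As an added example (not code from the original post), the following Python script reads a constructed extract in the shape of table AGR_1251 (role authorization data) and flags S_RFCACL instances on the BES that are not restricted to the FES system ID and to same-user trust (RFC_EQUSER = Y); the role names, the values, the allowed SID "FES" and the CSV layout are assumptions.

```python
"""Flag over-broad S_RFCACL (trusted RFC) authorizations in a role export.
Added example, not from the original post: CSV layout mirrors table AGR_1251
(role authorization data); role names and values are constructed."""
import csv
from io import StringIO

# Constructed extract. S_RFCACL fields: RFC_SYSID, RFC_CLIENT, RFC_USER,
# RFC_EQUSER, RFC_TCODE, RFC_INFO, ACTVT (only some are listed here).
SAMPLE_AGR_1251 = """\
AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH
Z_FES_ADMIN;S_RFCACL;T-FES0001;RFC_SYSID;*;
Z_FES_ADMIN;S_RFCACL;T-FES0001;RFC_CLIENT;*;
Z_FES_ADMIN;S_RFCACL;T-FES0001;RFC_USER;*;
Z_FES_ADMIN;S_RFCACL;T-FES0001;RFC_EQUSER;*;
Z_FES_ADMIN;S_RFCACL;T-FES0001;ACTVT;16;
Z_FES_USER;S_RFCACL;T-FES0002;RFC_SYSID;FES;
Z_FES_USER;S_RFCACL;T-FES0002;RFC_CLIENT;100;
Z_FES_USER;S_RFCACL;T-FES0002;RFC_USER;;
Z_FES_USER;S_RFCACL;T-FES0002;RFC_EQUSER;Y;
Z_FES_USER;S_RFCACL;T-FES0002;ACTVT;16;
Z_FES_USER;S_TCODE;T-FES0003;TCD;SU01;
"""
WILDCARD = "*"

def load_rfcacl(text):
    """Group the S_RFCACL rows as {(role, auth): {field: [values]}}."""
    auths = {}
    for row in csv.DictReader(StringIO(text), delimiter=";"):
        if row["OBJECT"] != "S_RFCACL":
            continue
        fields = auths.setdefault((row["AGR_NAME"], row["AUTH"]), {})
        fields.setdefault(row["FIELD"], []).append(row["LOW"])
    return auths

def find_weak_rfcacl(text, allowed_sysids):
    """Return (role, auth, reason) for instances not limited to the FES
    system IDs in allowed_sysids and to same-user trust (RFC_EQUSER = Y)."""
    findings = []
    for (role, auth), fields in load_rfcacl(text).items():
        sysids = fields.get("RFC_SYSID", [])
        users = fields.get("RFC_USER", [])
        equser = fields.get("RFC_EQUSER", [])
        if WILDCARD in sysids or any(s not in allowed_sysids for s in sysids):
            findings.append((role, auth, "RFC_SYSID not limited to the FES"))
        if WILDCARD in users:
            findings.append((role, auth, "RFC_USER=* accepts any calling user"))
        if WILDCARD in equser or "Y" not in equser:
            findings.append((role, auth, "RFC_EQUSER must be Y (same user ID)"))
    return findings
```

Run it against a real SE16 export of AGR_1251 filtered on OBJECT = S_RFCACL; any hit on the BES is a role whose trusted-RFC segregation toward the FES needs attention.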

3) Business Partner BP

This is one of the most important and impactful innovations, including from the authorization point of view.

A series of transactions related to customer and supplier master records is replaced by a single transaction, already present in SAP, called BP (Business Partner).

Depending on usage, this transaction can operate on customers or suppliers. A similar substitution had already happened for goods movements, i.e., the MIGO transaction.

By the way, do you know what MIGO stands for?

  • M - Materials Management
  • I - Inventory Management
  • GO - Goods Movement

There are different versions:

  • MIGO_GI: "Goods Issue"
  • MIGO_GO: "Goods Receipt Production Order" (GR for a production order)
  • MIGO_GR: "Goods Receipt" (GR from external procurement)
  • MIGO_GS: "Goods Movement Subsequent Adjustment" (subsequent adjustment of material provided)
  • MIGO_TR: "Transfer Posting"

What to do then?

  • Old transactions can remain in the roles, since they are routed to the new BP transaction when used
  • The authorization objects of the XK*, FK*, XD*, etc. transactions are still the same (with some exceptions). In some cases some segregations may no longer work; keep this in mind
  • It may be useful to work on the B_BUPA_FDG object. With the BP Analyzer (transaction BDT_ANALYZER) you can see all the fields that can be segregated (be careful: they are hard-wired in the code and cannot be customized)
  • Be careful: if you have a risk matrix, don't forget that it must be updated.
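
To illustrate the last two bullets (segregations that stop working at transaction level, and the risk matrix update), here is an added Python example, not from the original post: it adds BP to every risk-matrix function that contained a routed transaction, shows which functions can then no longer be told apart by tcode alone, and re-evaluates a user's risks. The transaction subset, the function names and the risk IDs are constructed.

```python
"""Update an SoD risk matrix after S/4HANA routes XK*/FK*/XD* to BP.
Added example, not from the original post: the transaction subset, function
names and risk IDs are constructed."""

NEW_TCODE = "BP"
# Constructed subset of the old master-data transactions now routed to BP.
BP_ROUTED = {"XK01", "XK02", "XK03", "FK01", "FK02", "FK03",
             "XD01", "XD02", "XD03"}

# Constructed mini risk matrix: function -> transactions, risk -> conflicting pair.
FUNCTIONS = {
    "VENDOR_MASTER": {"XK01", "XK02", "FK01", "FK02"},
    "CUSTOMER_MASTER": {"XD01", "XD02"},
    "VENDOR_PAYMENT": {"F110"},
    "CUSTOMER_INVOICE": {"VF01"},
}
RISKS = {
    "P001": ("VENDOR_MASTER", "VENDOR_PAYMENT"),
    "O001": ("CUSTOMER_MASTER", "CUSTOMER_INVOICE"),
}

def add_bp_to_functions(functions):
    """Copy of the matrix in which every function that held a routed tcode also lists BP."""
    return {name: tcodes | ({NEW_TCODE} if tcodes & BP_ROUTED else set())
            for name, tcodes in functions.items()}

def functions_sharing_bp(functions):
    """Functions no longer distinguishable at transaction level: the vendor/
    customer split must move to B_BUPA_FDG field groups (or BP roles)."""
    shared = sorted(n for n, t in functions.items() if NEW_TCODE in t)
    return shared if len(shared) > 1 else []

def user_risks(user_tcodes, functions, risks):
    """Risk IDs a user triggers under the given function definitions."""
    held = {n for n, t in functions.items() if user_tcodes & t}
    return sorted(r for r, (a, b) in risks.items() if a in held and b in held)

if __name__ == "__main__":
    updated = add_bp_to_functions(FUNCTIONS)
    # A user with BP + F110 shows no risk in the old matrix, P001 in the updated one.
    print(user_risks({"BP", "F110"}, FUNCTIONS, RISKS))
    print(user_risks({"BP", "F110"}, updated, RISKS))
    print(functions_sharing_bp(updated))
```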

3) SAP S/4HANA 1909

In the past, when shipping new releases, SAP has always chosen to limit the impact on the business where possible.

That is, in the case of security features, these had to be explicitly activated once the update was complete.

Otherwise they were present in the system but not active. Since release 1909, for some SAP instance profile parameters, it has been decided to activate them in operational mode. In other words, where the value of these parameters used to be "conservative", from this release it becomes as restrictive as possible.

For the list of parameters, see the following note: OSS 2713544 - New security settings during conversion to S4HANA 1909 with SUM 2.0 SP6

4) Activate security functionalities if needed

Some new features are available even without S/4HANA; however, during this transition it may be worthwhile to evaluate them and consider activating them.

For example:

  • Client-dependent PFCG role maintenance: you can finally make role modification follow the client opening status, clearly in production systems. Role content can then no longer be changed in production systems (see OSS Note 1723881 - Application of client-specific Customizing settings to role maintenance)
  • UCON (Unified Connectivity) lets you track all RFC calls into SAP systems, see what is being called and by whom, and then create a whitelist to block unwanted calls

5) Database security: activate encryption before starting

Database security is one of the most important aspects, alongside application security; take a look here.

Enable HANA database-level encryption before starting and take advantage of all the security features this database offers.

Topics: SAP cryptography, UCON, upgrade
