Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2018 Wellesley Information Services. All rights reserved.
In This Session
• Designing and generating Segregation of Duties (SoD) risk analysis reports for SAP S/4HANA is not straightforward, especially when SAP Fiori apps are in scope
• In this session:
  Get tips and tricks to build the ruleset for SAP S/4HANA and SAP Fiori
  Understand how to generate risk analysis reports for SAP S/4HANA and SAP Fiori
  Learn how to analyze and interpret the complex results of risk analysis reporting for SAP S/4HANA and SAP Fiori, using management-level reports or detailed technical reports
What We’ll Cover
SAP S/4HANA and SAP Fiori architecture
SAP S/4HANA and SAP Fiori Architecture
Diagram (labels only): Browser (SAP Fiori Launchpad); SAPUI5 (HTML5 user interface)
Security model for SAP S/4HANA
Some Definitions Before We Start
• Catalog: Set of apps you want to make available for one role
  Depending on the role and the catalog assigned to the role, the user can browse through the catalog, choose apps from this catalog, and add them to the entry page of the SAP Fiori Launchpad
• Group: Subset of a catalog that contains the apps visible on the SAP Fiori Launchpad entry page
  Which tiles are displayed on a user’s entry page depends on the group assigned to the user’s role
  In addition, the user can personalize the entry page by adding or removing apps to
Security Model for SAP Fiori and SAP S/4HANA
SAP Fiori and SAP S/4HANA Authorization Concept
Diagram (labels only): on the SAP Fiori front-end server (Fiori Gateway), the PFCG role carries the Catalog, the Group and the Services; on the SAP S/4HANA back end, the PFCG role carries the authorizations for the Business Content
Common Challenges in Evaluating Access Risks in SAP S/4HANA with SAP Fiori
Approach to build SAP GRC ruleset for SAP S/4HANA
Approach to Build SAP GRC Ruleset for SAP S/4HANA
1. Identify in-scope SAP Fiori apps
2. Map SAP Fiori apps to transaction codes
3. Identify SAP GRC functions to be created/updated
4. Identify relevant services for SAP Fiori apps
5. Review and update SU24 values
6. Update SAP GRC ruleset
Scope SAP Fiori Apps (step 1 of 6)
Determine SAP Fiori Apps in Scope
Example in-scope app: Manage Supplier Master Data
Map Transaction Codes (step 2 of 6)
• Work with the functional team to identify the equivalent SAP S/4HANA back-end transaction codes for the in-scope SAP Fiori apps
• Exclude SAP Fiori apps and transaction codes that do not pose an SoD risk (e.g., display-only transactions), so the ruleset stays focused on actions that change data
Map SAP S/4HANA Transaction Codes
New SAP S/4HANA Transaction Codes
• Below is a sample of new transaction codes introduced in SAP S/4HANA, which can be added to the GRC ruleset based on the scope of the SAP implementation

Controlling                            Old Transaction Code   New Transaction Code
Add Base Planning Object               KKE1                   CKUC
Compare Base Object – Unit Cost Est.   KKEC                   CKUC
PCA Line Item Browser                  KE5Z                   KE5ZH
Cost Centers: Actual Line Items        KSB1                   KSB1N
Identify GRC Functions (step 3 of 6)
Identify GRC Functions (cont.)

App ID   SAP Fiori App                 Back-end transaction codes        GRC function
F0001    Manage Supplier Master Data   XK01, XK02, XK99, etc.            PR01 – Vendor Master Maintenance
F0002    Manage Purchase Orders        ME21N, ME22N, ME23N, ME21, etc.   PR02 – Maintain Purchase Order
Obtain SAP Fiori Services (step 4 of 6)
• An SAP Fiori app is backed either by an OData service (SAPUI5 transactional apps) or by a Web Dynpro ABAP application (Web Dynpro-based apps), so the technical object that goes into the ruleset depends on the app type
• Identify the OData service name or the Web Dynpro application name for each in-scope SAP Fiori app; an app can consume more than one OData service, and every one of them has to be captured
Identify Services for SAP Fiori Apps
• Access SAP Fiori library portal to identify the OData service or Web Dynpro application
for the Fiori apps
https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/#
Identify Services for SAP Fiori Apps (cont.)
Manage Supplier Master Data – OData service: MD_SUPPLIER_MASTER_SRV
Manage Purchase Orders – OData service: MM_PUR_PO_MAINTAIN
The development team can provide the OData service names for custom SAP Fiori apps
Review SU24 Values (step 5 of 6)
Gather Authorization Data for Fiori Services
• Obtain the authorization objects and field values to be maintained in the GRC ruleset from SU24; the customer default values are stored in table USOBT_C (with the check indicators in USOBX_C)
• Where SU24 has no proposals for a service, trace the authorization checks first (e.g., with ST01 or STAUTHTRACE) and maintain them in SU24, so that the roles built from SU24 and the ruleset reference the same objects and values
Update GRC Ruleset (step 6 of 6)
Identify Hash Code for SAP Fiori Services
• From table USOBHASH, read the hash code of each SAP Fiori app service (service name to hash)
• The hash code is unique to each SAP Fiori app service; it is the value carried in authorization object S_SERVICE (field SRV_NAME, with SRV_TYPE = HT) in the front-end role, so it is the hash, not the readable service name, that the GRC ruleset has to reference
Create/Update GRC Functions
• Create/update the GRC function for SAP Fiori app (F0001 – MANAGE SUPPLIER MASTER DATA)
Create/Update GRC Functions (cont.)
• Create/update GRC function for SAP Fiori app (F0002 – MANAGE PURCHASE ORDERS)
Create/Update GRC Access Risk
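The following is an added example for steps 4 to 6 of the approach above (services, SU24 values, ruleset update); it is not code from the presentation, from SAP GRC or from SAP. It derives the permission entries of the GRC functions PR01 and PR02 from SU24-style default values and the USOBHASH hash, drops display-only actions as the deck recommends, and joins the two functions into one SoD risk. All table rows are constructed sample data: the hash values are placeholders, the USOBT_C column layout and the "SV" type code are simplifications, and the risk ID P001 is an assumption (the slides do not name the risk).

```python
"""Derive GRC function permission entries for SAP Fiori apps from SU24-style
default values (USOBT_C) and the external-service hash table (USOBHASH).

Added example for this deck, not code from the presentation, SAP GRC or SAP.
All rows below are CONSTRUCTED sample data; real values come from the SU24,
USOBT_C and USOBHASH extracts of the target S/4HANA system.
"""

# Constructed USOBHASH-style rows: OData service name -> hash carried in S_SERVICE.
USOBHASH = {
    "MD_SUPPLIER_MASTER_SRV": "A1B2C3D4E5F6A7B8",
    "MM_PUR_PO_MAINTAIN": "F6E5D4C3B2A1F0E9",
}

# Constructed USOBT_C-style rows: (type, name, auth object, field, low, high).
# TR = transaction code, SV = external service (the type code is an assumption).
USOBT_C = [
    ("TR", "XK01",  "F_LFA1_APP", "ACTVT", "01", ""),
    ("TR", "XK02",  "F_LFA1_APP", "ACTVT", "02", ""),
    ("TR", "XK99",  "F_LFA1_APP", "ACTVT", "02", ""),
    ("TR", "ME21N", "M_BEST_BSA", "ACTVT", "01", ""),
    ("TR", "ME22N", "M_BEST_BSA", "ACTVT", "02", ""),
    ("TR", "ME23N", "M_BEST_BSA", "ACTVT", "03", ""),
    ("TR", "ME21",  "M_BEST_BSA", "ACTVT", "01", ""),
    ("SV", "MD_SUPPLIER_MASTER_SRV", "F_LFA1_APP", "ACTVT", "01", "02"),
    ("SV", "MM_PUR_PO_MAINTAIN",     "M_BEST_BSA", "ACTVT", "01", "02"),
]

DISPLAY_ONLY = {"03"}  # ACTVT 03 = display; display-only actions carry no SoD risk


def expand_range(low, high):
    """Expand an ACTVT range such as 01..03 into discrete two-digit values."""
    if not high:
        return [low]
    return [f"{v:02d}" for v in range(int(low), int(high) + 1)]


def proposals_for(action_type, name):
    """All SU24 default-value rows proposed for one transaction or service."""
    return [r for r in USOBT_C if r[0] == action_type and r[1] == name]


def is_display_only(rows):
    """True when every ACTVT the action proposes is a display activity."""
    actvt = [v for (_, _, _, field, low, high) in rows if field == "ACTVT"
             for v in expand_range(low, high)]
    return bool(actvt) and set(actvt) <= DISPLAY_ONLY


def build_function(function_id, description, tcodes, services):
    """Assemble one GRC function: its actions plus the permissions GRC should check.
    Transactions get an S_TCODE entry; services are keyed by their USOBHASH hash and
    get an S_SERVICE entry (SRV_TYPE HT, SRV_NAME = hash). Display-only actions are
    dropped, as the deck recommends for the ruleset scope."""
    actions = []
    for tcode in tcodes:
        rows = proposals_for("TR", tcode)
        if is_display_only(rows):
            continue
        perms = [("S_TCODE", "TCD", tcode, "")]
        perms += [(obj, field, low, high) for (_, _, obj, field, low, high) in rows]
        actions.append({"action": tcode, "type": "TR", "permissions": perms})
    for svc in services:
        if svc not in USOBHASH:
            raise KeyError(f"no USOBHASH entry for {svc}: hash needed for S_SERVICE")
        rows = proposals_for("SV", svc)
        if is_display_only(rows):
            continue
        h = USOBHASH[svc]
        perms = [("S_SERVICE", "SRV_TYPE", "HT", ""), ("S_SERVICE", "SRV_NAME", h, "")]
        perms += [(obj, field, low, high) for (_, _, obj, field, low, high) in rows]
        actions.append({"action": h, "type": "SV", "service": svc, "permissions": perms})
    return {"function": function_id, "description": description, "actions": actions}


def build_ruleset():
    """Functions PR01/PR02 from the deck plus one SoD risk that joins them."""
    pr01 = build_function("PR01", "Vendor Master Maintenance",
                          ["XK01", "XK02", "XK99"], ["MD_SUPPLIER_MASTER_SRV"])
    pr02 = build_function("PR02", "Maintain Purchase Order",
                          ["ME21N", "ME22N", "ME23N", "ME21"], ["MM_PUR_PO_MAINTAIN"])
    risk = {"risk": "P001",  # risk ID is an assumption, not from the slides
            "description": "Maintain vendor master and create purchase orders",
            "functions": ["PR01", "PR02"]}
    return {"functions": {"PR01": pr01, "PR02": pr02}, "risks": [risk]}


if __name__ == "__main__":
    rs = build_ruleset()
    for fid, fn in rs["functions"].items():
        print(f"{fid} {fn['description']}")
        for a in fn["actions"]:
            label = a["action"] + (f" ({a['service']})" if "service" in a else "")
            print(f"  {label}")
            for obj, field, low, high in a["permissions"]:
                print(f"    {obj:<12}{field:<10}{low}{'-' + high if high else ''}")
```

Running it lists PR02 without ME23N (its only proposed activity is 03) and shows each service action keyed by its hash with the S_SERVICE entries in front of the back-end objects; a service missing from USOBHASH stops the build rather than silently producing an action GRC could never match.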
Generate and analyze risk analysis reports
Generate Access Risk Analysis Report
• A test role, ZTEST01, was created in SAP S/4HANA with access to the SAP Fiori apps Manage Purchase Orders and Manage Supplier Master Data
Perform Access Risk Analysis
• Risk analysis criteria
  The risk analysis report has to be executed at permission level: an action-level run only checks whether the role contains the transaction code or service, whereas the SoD risk for SAP Fiori access is decided by the S_SERVICE hash together with the back-end authorization objects and activity values maintained in the ruleset
Perform Access Risk Analysis (cont.)
• Risk analysis report executed for test role – Summary level
Perform Access Risk Analysis (cont.)
• Risk analysis report executed for test role – Detail level
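As an added example of the permission-level requirement and of the summary and detail views above (not the presentation's or SAP GRC's code), the following runs the same constructed ruleset at action level and at permission level over two roles. ZTEST01 is the test role named on the slide; role ZTEST02, risk ID P001, the hash values and all authorization values are constructed assumptions chosen so that an action-level run flags both roles while the permission-level run flags only the role that can actually change data.

```python
"""SoD risk analysis of a role at action level versus permission level, with a
summary (risks per role) and a detail (matched action/permission) view.

Added example for this deck; not the presentation's or SAP GRC's code. The
ruleset, role authorizations and hash values are CONSTRUCTED sample data.
ZTEST01 is the slide's test role; ZTEST02 and risk ID P001 are assumptions.
"""

SUPPLIER_HASH = "A1B2C3D4E5F6A7B8"  # placeholder for MD_SUPPLIER_MASTER_SRV
PO_HASH = "F6E5D4C3B2A1F0E9"        # placeholder for MM_PUR_PO_MAINTAIN

# Ruleset: function -> action -> required permissions (object, field, low, high).
RULESET = {
    "functions": {
        "PR01": {  # Vendor Master Maintenance
            "XK01": [("S_TCODE", "TCD", "XK01", ""), ("F_LFA1_APP", "ACTVT", "01", "")],
            "XK02": [("S_TCODE", "TCD", "XK02", ""), ("F_LFA1_APP", "ACTVT", "02", "")],
            SUPPLIER_HASH: [("S_SERVICE", "SRV_NAME", SUPPLIER_HASH, ""),
                            ("F_LFA1_APP", "ACTVT", "01", "02")],
        },
        "PR02": {  # Maintain Purchase Order
            "ME21N": [("S_TCODE", "TCD", "ME21N", ""), ("M_BEST_BSA", "ACTVT", "01", "")],
            "ME22N": [("S_TCODE", "TCD", "ME22N", ""), ("M_BEST_BSA", "ACTVT", "02", "")],
            PO_HASH: [("S_SERVICE", "SRV_NAME", PO_HASH, ""),
                      ("M_BEST_BSA", "ACTVT", "01", "02")],
        },
    },
    "risks": {"P001": ["PR01", "PR02"]},  # a risk fires when every function matches
}

# Role authorizations as they would appear in the generated profile (constructed).
ROLES = {
    "ZTEST01": [  # Fiori apps Manage Purchase Orders and Manage Supplier Master Data
        ("S_SERVICE", "SRV_NAME", SUPPLIER_HASH, ""),
        ("S_SERVICE", "SRV_NAME", PO_HASH, ""),
        ("F_LFA1_APP", "ACTVT", "01", "02"),
        ("M_BEST_BSA", "ACTVT", "01", ""),
    ],
    "ZTEST02": [  # classic GUI role: both transactions, but display activity only
        ("S_TCODE", "TCD", "XK01", ""),
        ("S_TCODE", "TCD", "ME21N", ""),
        ("F_LFA1_APP", "ACTVT", "03", ""),
        ("M_BEST_BSA", "ACTVT", "03", ""),
    ],
}

ENTRY_OBJECTS = {"S_TCODE", "S_SERVICE"}  # all an action-level run looks at


def value_covers(role_low, role_high, req_low, req_high):
    """Does the role's value interval overlap the interval the rule requires?
    '*' is the full wildcard; prefix patterns such as 'XK*' are not handled here."""
    if role_low == "*":
        return True
    role_high = role_high or role_low
    req_high = req_high or req_low
    return role_low <= req_high and req_low <= role_high


def satisfied(auths, obj, field, low, high):
    """True if any authorization of the role covers the required object/field/value."""
    return any(a[0] == obj and a[1] == field and value_covers(a[2], a[3], low, high)
               for a in auths)


def match_action(auths, perms, level):
    """Return the permission entries checked for a matching action, or None.
    Action level checks only S_TCODE/S_SERVICE; permission level needs every entry."""
    required = [p for p in perms if level == "permission" or p[0] in ENTRY_OBJECTS]
    return required if all(satisfied(auths, *p) for p in required) else None


def analyze(role, level="permission"):
    """Detail view: {risk: {function: {action: matched permissions}}} for each risk
    whose functions all match the role at the given level."""
    auths = ROLES[role]
    hits = {}
    for fid, actions in RULESET["functions"].items():
        matched = {}
        for aid, perms in actions.items():
            m = match_action(auths, perms, level)
            if m is not None:
                matched[aid] = m
        if matched:
            hits[fid] = matched
    return {rid: {f: hits[f] for f in fns}
            for rid, fns in RULESET["risks"].items() if all(f in hits for f in fns)}


def summary(level="permission"):
    """Management view: role -> sorted list of risk IDs."""
    return {role: sorted(analyze(role, level)) for role in ROLES}


if __name__ == "__main__":
    for level in ("action", "permission"):
        print(f"{level} level: {summary(level)}")
    for rid, funcs in analyze("ZTEST01").items():
        for fid, actions in funcs.items():
            for aid, perms in actions.items():
                print(rid, fid, aid, perms)
```

At action level both roles show P001, because both carry an entry object for a vendor-master action and a purchase-order action; at permission level only ZTEST01 remains, since ZTEST02 holds ACTVT 03 where the ruleset requires 01 or 02. The detail view for ZTEST01 names the hash-keyed service actions and the back-end object/value pairs that produced the hit, which is the evidence a reviewer needs to decide whether the risk is real or the ruleset is too broad.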
Wrap-up
Where to Find More Information
Key Points to Take Home
Your Turn!
Sujan Kumar
Thank You
Any Questions?
sujankumar@deloitte.com
Please remember to complete your session evaluation
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each
of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a
detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services
may not be available to attest clients under the rules and regulations of public accounting.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional
advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before
making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person
who relies on this presentation.
This presentation should not be interpreted as a representation about or endorsement of any third party products, including SAP software.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026