Optimize Your Access Risk Analysis Reports for SAP S/4HANA and SAP Fiori
Sujan Kumar, Deloitte & Touche LLP

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2018 Wellesley Information Services. All rights reserved.
In This Session

• Design and generation of Segregation of Duties (SoD) risk analysis reports in SAP S/4HANA and SAP Fiori is not straightforward, especially when SAP Fiori apps are in scope
• In this session:
  - Get tips and tricks to build the ruleset for SAP S/4HANA and SAP Fiori
  - Understand how to generate risk analysis reports for SAP S/4HANA and SAP Fiori
  - Learn how to analyze and interpret the complex results of risk analysis reporting for SAP S/4HANA and SAP Fiori by using management-level reports or detailed technical reports
What We’ll Cover

• SAP S/4HANA and SAP Fiori architecture
• Security model for SAP S/4HANA
• Common challenges in evaluating access risks for SAP S/4HANA
• Approach to build SAP GRC ruleset for SAP S/4HANA
• Generate and analyze risk analysis reports
• Wrap-up
SAP S/4HANA and SAP Fiori Architecture

The architecture diagram on this slide shows the following layers, top to bottom:

• Browser: Fiori Launchpad, SAPUI5 (HTML5 user interface)
• Front end, Fiori (NW ABAP): Fiori UI add-ons, SAP NetWeaver® (NW) Central UI Component, SAP Gateway, KPI Modeler, Framework, Factsheets
• Back end, S/4HANA (NW ABAP): business data (transactional)
• HANA Database (preferred): generated views
Security Model for SAP S/4HANA
Some Definitions Before We Start

• Catalog: Set of apps you want to make available for one role
  - Depending on the role and the catalog assigned to the role, the user can browse through the catalog, choose apps from this catalog, and add them to the entry page of the SAP Fiori Launchpad
• Group: Subset of a catalog that contains the apps visible on the SAP Fiori Launchpad entry page
  - Which tiles are displayed on a user’s entry page depends on the group assigned to the user’s role
  - In addition, the user can personalize the entry page by adding apps to, or removing apps from, pre-delivered groups or self-defined groups
• Roles (PFCG): Contain references to catalogs and groups and provide users with access to the apps in these groups and catalogs
Security Model for SAP Fiori and SAP S/4HANA

• SAP Fiori is a typical SAP presentation layer, like SAP Enterprise Portal or SAP BC, and does not grant authorizations to the back-end application (SAP S/4HANA)
• UI roles are assigned to grant access to SAP Fiori catalogs and groups that allow users to navigate through SAP Fiori
• Role access to required transactions and SAP Fiori screens is granted in SAP S/4HANA, as in ERP Central Component (ECC)

The diagram on this slide shows two servers: the Front-End Server (Fiori), where UI Fiori roles point to catalogs/groups, and the Back-End Server (S/4HANA), where roles point to content services/business content.
SAP Fiori and SAP S/4HANA Authorization Concept

The diagram on this slide shows how the objects are linked:

• Fiori Gateway: User (SU01) → PFCG Role → Catalog (Tile → Target Mapping → Application) and Group; PFCG Role → Authorizations → Services
• S/4HANA: PFCG Role → Authorizations → Services and Business Content
• Legend: directly assigned vs. indirectly assigned
Common Challenges in Evaluating Access Risks for SAP S/4HANA
Common Challenges in Evaluating Access Risks in SAP S/4HANA with SAP Fiori

• SAP S/4HANA with SAP Fiori is not a traditional transaction code-based system for end users
• Fiori apps can be multi-dimensional, which makes it difficult to identify and map the relevant transaction codes
• Access risk analysis reports are complex and difficult to analyze for Fiori services
• The standard GRC ruleset must be updated before it can analyze access risk violations
Approach to Build SAP GRC Ruleset for SAP S/4HANA
Approach to Build SAP GRC Ruleset for SAP S/4HANA

1. Identify in-scope SAP Fiori apps
2. Map SAP Fiori apps to transaction codes
3. Identify SAP GRC functions to be created/updated
4. Identify relevant services for SAP Fiori apps
5. Review and update SU24 values
6. Update SAP GRC ruleset
Scope SAP Fiori Apps

Step 1 of 6: Scope Fiori Apps → Map Transaction Codes → Identify GRC Functions → Identify Fiori Services → Review SU24 Values → Update GRC Ruleset

• Understand business processes in scope for SAP implementation (SAP S/4HANA)
• Understand the security role design
• Identify SAP Fiori applications that are in scope (standard and custom)
• Identify new transaction codes introduced in SAP S/4HANA
• Collaborate with business and functional teams to understand in-scope SAP Fiori apps and functionality
Determine SAP Fiori Apps in Scope

Example in-scope apps used throughout this session: Manage Supplier Master Data and Manage Purchase Orders
Map Transaction Codes

Step 2 of 6: Map Transaction Codes

• Work with the functional team to identify equivalent SAP S/4HANA back-end transaction codes for in-scope SAP Fiori apps
• Exclude SAP Fiori apps and transaction codes that may not pose a risk (e.g., display transactions)
Map SAP S/4HANA Transaction Codes

• Identify SAP Fiori apps and map them to back-end transactions

Fiori App ID | App Description | Equivalent Back-end Tcode
F0001 | Manage Supplier Master Data | XK01, XK02, XK99, etc.
F0002 | Manage Purchase Orders | ME21N, ME22N, ME23N, ME21, etc.

Fiori App ID: identifier for the SAP Fiori application that will be used in the GRC ruleset. Equivalent Back-end Tcode: equivalent transaction codes in back-end SAP S/4HANA.
New SAP S/4HANA Transaction Codes

• Below is a sample of new transaction codes introduced in SAP S/4HANA which can be added to the GRC ruleset based on the scope of the SAP implementation

Controlling | Old Transaction Code | New Transaction Code
Add Base Planning Object | KKE1 | CKUC
Compare Base Object – Unit Cost Est | KKEC | CKUC
PCA Line Item Browser | KE5Z | KE5ZH
Cost Centers: Actual Line Items | KSB1 | KSB1N

Asset Accounting | Old Transaction Code | New Transaction Code
Asset reconciliation | ABST | ABSTL
Create asset transaction | AB01 | AB01L
Unplanned Depreciation | ABAA | ABAAL

Procurement | Old Transaction Code | New Transaction Code
Vendor line items | N/A | FBL1H

Sales | Old Transaction Code | New Transaction Code
Order settlement – HANA optimized | VA88 | VA88H
Actual Results Analysis: Sales Orders – HANA optimized | KKAK | KKAKH
Identify GRC Functions

Step 3 of 6: Identify GRC Functions

• Map the equivalent back-end SAP S/4HANA transaction code (identified in step 2) to a standard GRC function
• The purpose of this step is to identify the GRC function to which data relating to the SAP Fiori apps can be added
Identify GRC Functions (cont.)

• Map the equivalent back-end SAP S/4HANA transaction code to a GRC function

Fiori App ID | App Description | Relevant Back-end Tcode | GRC Function
F0001 | Manage Supplier Master Data | XK01, XK02, XK99, etc. | PR01 – Vendor Master Maintenance
F0002 | Manage Purchase Orders | ME21N, ME22N, ME23N, ME21, etc. | PR02 – Maintain Purchase Order
Obtain SAP Fiori Services

Step 4 of 6: Identify Fiori Services

• An SAP Fiori app ties to either an OData service or a Web Dynpro application, depending on whether it is a transactional app or a Web Dynpro-based app
• Identify the OData service or Web Dynpro application name for the in-scope SAP Fiori apps
Identify Services for SAP Fiori Apps

• Access the SAP Fiori apps library portal to identify the OData service or Web Dynpro application for the Fiori apps
  - https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/#
Identify Services for SAP Fiori Apps (cont.)

• Navigate to the path below for service information
  - Fiori apps for SAP S/4HANA → All Apps → Search “Manage Supplier Master Data” → IMPLEMENTATION INFORMATION → Configuration → OData Service(s)
Identify Services for SAP Fiori Apps (cont.)

The library lists the OData services for the two in-scope apps:

• OData Service: MD_SUPPLIER_MASTER_SRV
• OData Service: MM_PUR_PO_MAINTAIN

The development team can help provide the OData service name for custom SAP Fiori apps
Review SU24 Values

Step 5 of 6: Review SU24 Values

• Obtain the authorization objects (permissions) relating to the OData service or Web Dynpro application from transaction SU24
• Identify the authorization objects to be included within the ruleset
Gather Authorization Data for Fiori Services

• Obtain the list of authorization objects and values that should be maintained in the GRC ruleset from SU24 or the USOBT_C table
Update GRC Ruleset

Step 6 of 6: Update GRC Ruleset

• Identify the hash code for each SAP Fiori service
• Create/update the GRC function (from step 3)
• Create a dummy transaction code (e.g., ^!XXX) for each SAP Fiori app in the function-action and function-permission tables
• Update the authorization objects and values for the SAP Fiori services (from step 5)
Identify Hash Code for SAP Fiori Services

• From table “USOBHASH,” identify the hash code value of the SAP Fiori app service
• The hash code is unique to each SAP Fiori app service

Fiori App ID | App Description | OData Service/Web Dynpro | Hash Code
F0001 | Manage Supplier Master Data | MM_PUR_PO_MAINTAIN | 26A709B279BE44A8028D59339C1E2A
F0002 | Manage Purchase Orders | MD_SUPPLIER_MASTER_SRV | 117FE82BB4960CADDC9BCC2BD566B2
Create/Update GRC Functions

• Create/update the GRC function for SAP Fiori app F0001 – MANAGE SUPPLIER MASTER DATA
  - The screenshot on this slide highlights the dummy transaction code for the Fiori app, the authorization object and values for the Fiori app, and the hash code value for the Fiori app

Create/Update GRC Functions (cont.)

• Create/update the GRC function for SAP Fiori app F0002 – MANAGE PURCHASE ORDERS
  - The screenshot on this slide highlights the same three entries: the dummy transaction code for the Fiori app, the authorization object and values for the Fiori app, and the hash code value for the Fiori app
Create/Update GRC Access Risk

• Create/update the access risk that pairs the conflicting functions

Generate and Analyze Risk Analysis Reports
Generate Access Risk Analysis Report

• Test role “ZTEST01” was created in SAP S/4HANA with access to the SAP Fiori apps “Manage Purchase Orders” and “Manage Supplier Master Data”
Perform Access Risk Analysis

• Risk analysis criteria
  - The risk analysis report has to be executed at permission level
Perform Access Risk Analysis (cont.)

• Risk analysis report executed for the test role – Summary level
  - The summary-level report identifies the conflicting Fiori apps for remediation or mitigation

Perform Access Risk Analysis (cont.)

• Risk analysis report executed for the test role – Detail level
  - The detail-level report shows the conflicting Fiori apps, the authorization object values, and the PFCG role
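The following Python script is an added illustration, not code from the presentation or from SAP GRC: it models the function-action and function-permission entries built in steps 3 to 6 and runs the risk analysis over test role ZTEST01 at action level and at permission level, showing why only the permission-level run reports the Fiori conflict. S_SERVICE and S_TCODE are standard SAP authorization objects; the other objects, the field values, and the matching logic are simplified assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Perm:  # one row of a role's authorization data or of the function-permission table
    obj: str
    fld: str
    val: str

# Simplified model of the GRC function-action / function-permission tables.
# "^!F0001" and "^!F0002" are the dummy tcodes for the two Fiori apps; their
# S_SERVICE hash values are the USOBHASH values listed on slide 27. The other
# authorization objects and field values are assumptions for illustration.
FUNCTIONS = {
    "PR01": {  # Vendor Master Maintenance
        "XK01": {Perm("F_LFA1_APP", "ACTVT", "01")},
        "^!F0001": {Perm("S_SERVICE", "SRV_NAME", "26A709B279BE44A8028D59339C1E2A"),
                    Perm("F_LFA1_APP", "ACTVT", "02")},
    },
    "PR02": {  # Maintain Purchase Order
        "ME21N": {Perm("M_BEST_BSA", "ACTVT", "01")},
        "^!F0002": {Perm("S_SERVICE", "SRV_NAME", "117FE82BB4960CADDC9BCC2BD566B2"),
                    Perm("M_BEST_BSA", "ACTVT", "02")},
    },
}
RISKS = {"P001": ("PR01", "PR02")}  # SoD risk: maintain vendor master and purchase orders

def function_hits(role, func, level):
    """Actions of `func` that the role satisfies at 'action' or 'permission' level."""
    hits = set()
    for action, perms in FUNCTIONS[func].items():
        has_tcode = Perm("S_TCODE", "TCD", action) in role
        if level == "action":
            if has_tcode:  # Fiori dummy tcodes never appear in S_TCODE, so they never hit here
                hits.add(action)
        elif (has_tcode or action.startswith("^!")) and perms <= role:
            hits.add(action)  # permission level: the maintained object values must be present
    return hits

def analyze(role, level):
    """Risk ID -> sorted conflicting actions, for each risk whose functions are all satisfied."""
    found = {}
    for risk, funcs in RISKS.items():
        per_func = [function_hits(role, f, level) for f in funcs]
        if all(per_func):
            found[risk] = sorted(a for hits in per_func for a in hits)
    return found

# Constructed test role ZTEST01: access to the two Fiori apps only, no back-end tcodes.
ZTEST01 = {Perm("S_SERVICE", "SRV_NAME", "26A709B279BE44A8028D59339C1E2A"),
           Perm("S_SERVICE", "SRV_NAME", "117FE82BB4960CADDC9BCC2BD566B2"),
           Perm("F_LFA1_APP", "ACTVT", "02"), Perm("M_BEST_BSA", "ACTVT", "02")}
```

Running `analyze(ZTEST01, "action")` returns no risk, while `analyze(ZTEST01, "permission")` returns P001 with both dummy tcodes, which is the summary-level result the slides describe.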
Wrap-up
Where to Find More Information

• SAP Fiori Apps Reference Library
  - https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/#
• Setup of Roles via SAP Documentation
  - http://help.sap.com/fiori_bs2013/helpdata/en/38/3e8f546185ed57e10000000a423f68/content.htm
• SAP Note 2539742
  - This SAP Note was released on Oct. 20, 2017 and contains the SAP-delivered SoD rule set including SAP S/4HANA and SAP Fiori components
Key Points to Take Home

• SAP S/4HANA is not a traditional transaction code-based SAP system
• Understand the security model of SAP Fiori and SAP S/4HANA
• Identify the SAP Fiori apps to be included in the ruleset
• Access to business data is granted through SAP S/4HANA; SAP Fiori is a user interface
• The current GRC ruleset should be updated to analyze access risk violations for SAP S/4HANA
• Follow the leading approach to update the GRC ruleset
• Learn to review and analyze access risk reports for SAP S/4HANA in GRC
Your Turn!

Thank You. Any Questions?

Sujan Kumar
sujankumar@deloitte.com

Please remember to complete your session evaluation
Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each
of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a
detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services
may not be available to attest clients under the rules and regulations of public accounting.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional
advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before
making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person
who relies on this presentation.

This presentation should not be interpreted as a representation about or endorsement of any third party products, including SAP software.

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2018 Wellesley Information Services. All rights reserved.
