Pfizer SAP Innovation Security Final 03.28.2023
Role-Based Business Roles
The design principle of SAP Fiori states: “SAP Fiori is designed for your business, your needs, and how you work. It draws from our broad insights on the multifaceted roles of today’s workforce. SAP Fiori provides the right information at the right time and reflects the way you actually work.”
• SAP is encouraging its customers to adopt a business role perspective in their security design for SAP S/4HANA.
• In simple terms, a business role represents the collection of tasks a user is required to perform as part of his job.
• The business role in S/4HANA thus becomes a collection of task roles.
• Business roles should be aligned to the business processes defined by the design team and should group the tasks performed by the role into task roles.
• SAP Fiori design takes this concept to another level: through spaces and pages we can also make it easier to navigate between the tasks.
• In a well-defined project organization, the requirement for a new business role should first be validated by the OCM before security starts work on the build.
IBM recommends following a 4-tier methodology when building business roles:
• Tier 1: Generic access to non-critical, non-sensitive apps such as My Inbox or SBWP, assigned to all users.
• Tier 2: Non-sensitive display access in one task role per process area that is re-used across the business roles.
• Tier 3: Functional roles with access to the apps defined by the process flows mapped to the business roles.
• Tier 4: Roles for sensitive or restricted display apps.
Fiori Catalogs
- It is highly recommended that the design and build of the Fiori catalogs be owned by the Security Team.
- Catalogs are now the foundation of your security design.
- Similar to the functional task roles, you have the option to either create catalogs based on tasks or create one catalog per business role.
- The former helps reduce redundancy in the apps but is harder to keep up to date during the sustainment phase.
- It is important to define a proper naming convention for the catalogs, similar to the one for the roles.
SU24 Maintenance
• It helps reduce maintenance of the roles, especially when you transition from project to operations: there is a knowledge gap at that point, and if the project team has maintained SU24 properly, it helps the operations team when maintaining roles for the same transactions.
• It should be properly maintained for all customer transactions.
• It helps in maintaining the permissions for actions in the GRC ruleset.
• It helps in avoiding manually added authorizations in roles.
GRC Access Control
• The current Pfizer GRC ruleset should be compared with the standard SAP S/4HANA ruleset, which is delivered as a BC-Set. Pfizer can then choose the changes they want to adopt.
– The standard SAP S/4HANA ruleset includes the Fiori apps in the GRC functions as OData services and/or Fiori apps. These can become redundant, so if both are available for the same app it is better to choose the one with the OData service.
– The reason is that the OData services are part of the role menu in PFCG and the authorization objects are linked to these services in SU24.
– Keep a check on obsolete and replacement transactions and modify the function actions accordingly.
GRC Ruleset Recommendations
You should keep the GRC ruleset up to date with all updates released by SAP on a regular basis.
Unless needed to restrict sensitive transactions, you should remove display activities from the function permissions to eliminate false positives.
Keep a check on obsolete and replacement transactions and modify the function actions accordingly.
Optimize the connectors mapped to the connector group by removing unnecessary connectors. These have an impact on the performance of ruleset generation.
Maintain a ruleset change tracker for documenting any changes made to the ruleset, as the change history may not always give you a complete picture.
Document all the mitigating controls that are created, with details including the monitoring activities and the Mitigation Owner and Approver.
Custom transactions should be reviewed for functionality and updated in the ruleset if applicable.
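The three ruleset clean-up rules above (prefer the OData service where a Fiori app is listed twice, drop display activities except for sensitive functions, swap obsolete transactions for their replacements) as an added Python illustration. This is not IBM's or SAP's tooling; the row layout, the function IDs PR01/AP01/HR01, the app IDs F0001/F0002, the service Z_PO_SRV and the obsolete-transaction map are constructed sample data, not a real GRC export.

```python
from collections import namedtuple

# Constructed row layouts for a GRC function's actions and permissions
# (not the real ruleset export format).
Action = namedtuple("Action", "function kind value app_id", defaults=[""])  # kind: TCODE | FIORI_APP | ODATA
Permission = namedtuple("Permission", "function auth_object field value")

# Constructed sample data: F0001/F0002/Z_PO_SRV are placeholders, not real app IDs.
ACTIONS = [
    Action("PR01", "TCODE", "ME21"),                 # classic transaction, obsolete in S/4HANA
    Action("PR01", "TCODE", "ME21N"),
    Action("PR01", "FIORI_APP", "F0001", "F0001"),   # same app listed twice:
    Action("PR01", "ODATA", "Z_PO_SRV", "F0001"),    # as app ID and as its OData service
    Action("AP01", "FIORI_APP", "F0002", "F0002"),   # no OData row for this app: keep
]
PERMISSIONS = [
    Permission("PR01", "M_BEST_BSA", "ACTVT", "01"),
    Permission("PR01", "M_BEST_BSA", "ACTVT", "03"),  # display activity: false-positive source
    Permission("HR01", "P_ORGIN", "ACTVT", "03"),     # sensitive function: display access kept
]
SENSITIVE_FUNCTIONS = {"HR01"}
OBSOLETE_TCODES = {"ME21": "ME21N"}   # constructed obsolete -> replacement map

def prefer_odata(actions):
    """Where a function lists a Fiori app both as app ID and as OData service, keep
    only the OData row: it is what sits in the PFCG role menu and links to SU24."""
    covered = {(a.function, a.app_id) for a in actions if a.kind == "ODATA"}
    return [a for a in actions
            if not (a.kind == "FIORI_APP" and (a.function, a.app_id) in covered)]

def replace_obsolete(actions, replacements):
    """Swap obsolete transactions for their replacements; a swap that collides
    with an already listed transaction is dropped rather than duplicated."""
    out, seen = [], set()
    for a in actions:
        if a.kind == "TCODE":
            a = a._replace(value=replacements.get(a.value, a.value))
        if (a.function, a.kind, a.value) not in seen:
            seen.add((a.function, a.kind, a.value))
            out.append(a)
    return out

def drop_display(permissions, sensitive):
    """Remove ACTVT=03 (display) permissions unless the function is flagged sensitive."""
    return [p for p in permissions
            if not (p.field == "ACTVT" and p.value == "03" and p.function not in sensitive)]

def cleaned_ruleset():
    actions = replace_obsolete(prefer_odata(ACTIONS), OBSOLETE_TCODES)
    return actions, drop_display(PERMISSIONS, SENSITIVE_FUNCTIONS)
```

Running `cleaned_ruleset()` on the sample leaves PR01 with ME21N and Z_PO_SRV only, keeps AP01's app ID because no OData row covers it, and removes the PR01 display permission while retaining HR01's.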
GRC Fire Fighter for HANA DB Use
• Fire Fighter is available for use with the HANA DB from release GRC 12.x.
meaningful sections, you can define in are the “Groups” which are assigned to the business. Groups are still available but may be deprecated in the near future.