
IBM Consulting

Pfizer Innovation Day

SAP Security/FIORI Additional Topics

Peter Bodunrin CDPSE, Executive Consultant
Subbu Iyer CISSP, Senior Managing Consultant
Hari Kantipudi, Senior Managing Consultant
Broad Outline/Agenda

Discussion
1. Brief introductions
2. Rapid Discovery (Lite): answering specific questions on each of the domains - Joint
3. Review of the SOS/EarlyWatch/HANA Impact Assessments: to be provided by Pfizer
4. Address specific pain points outside those, during follow-up meetings - Discussion
5. Response to specific questions - Discussion
6. Provide points of view on the questions asked - Discussion
7. Alignment on the report-out from Rapid Discovery: summarize the responses to the questions answered in item 2 (at a later date, send the report back)
8. New technologies, BTP, FIORI technology (Spaces/Pages) - Discussion
9. Talks on enterprise security / interaction with process teams - Discussion
Roles & Authorizations
• S/4HANA Security Strategy
• Business Roles
• Fiori Catalogs
• Custom Development Review
• SU24 Maintenance
Business Roles

The Role-Based Design Principle of SAP Fiori states: “SAP Fiori is designed for your business, your needs, and how you work. It draws from our broad insights on the multifaceted roles of today’s workforce. SAP Fiori provides the right information at the right time and reflects the way you actually work.”

• SAP is encouraging its customers to adopt a business role perspective in their security design for SAP S/4HANA.
• In simple terms, a business role represents the collection of tasks a user is required to perform as part of their job.
• The business role in S/4HANA thus becomes a collection of task roles.
• Business roles should be aligned to the business processes defined by the design team and should group the tasks performed by the role into task roles.
• SAP Fiori design takes this concept to another level: through spaces and pages we can also make it easier to navigate between the tasks.
• In a well-defined project organization, the requirement for a new business role should first be validated by the OCM before security can work on the build.
IBM recommends following a 4-tier methodology when building business roles:
• Tier 1: Generic access to non-critical, non-sensitive apps such as My Inbox or SBWP, assigned to all users.
• Tier 2: Non-sensitive display access in one task role per process area, re-used across the business roles.
• Tier 3: Functional roles with access to the apps defined by the process flows mapped to the business roles.
• Tier 4: Roles for sensitive or restricted display apps.
Fiori Catalogs
- It is highly recommended that the design and build of the Fiori catalogs is owned by the Security Team.
- Catalogs are now the foundation of your security design.
- Similar to the functional task roles, you have the option either to create catalogs based on tasks or to create one catalog per business role.
- The former helps reduce redundancy in the apps, but it is a challenge to keep up to date during the sustainment phase.
- It is important to define a proper naming convention for the catalogs, similar to the one for the roles.

If you are following a top-down approach, then the Business Process Procedures (BPPs) would provide you the roles performing the tasks at each step of the process, or the Business Process Hierarchy (BPH) will provide the processes L1 to L4, where L4 is mapped to the Fiori app or tcode used. Using these documents as your input for catalog design, you have to split these apps into groups of activities or tasks. The grouping can also be the L3 process.
Custom Development Review
– All custom code should be analyzed for security flaws by the development team using Code Vulnerability Analyzer (CVA) or a similar tool.
– The developer lead should approve the code to be moved upstream only after reviewing the CVA results.
– A security team review should also be made mandatory for all custom developments.
– Some of the items to be checked during the review are:
• Check if the custom object is an executable program.
• If yes, check if a transaction code has been created for it.
• Check if an appropriate authorization group has been assigned to it.
• Run a trace to check if the program has sufficient embedded authorization checks.
• If not, identify the appropriate authorization object and ask the developer to include an authorization check.
• Check if there are specific requirements for security restrictions pertaining to the development.
• Review the functionality of the program and check if the tcode should be added to the GRC ruleset. Consult internal controls and the design team where necessary.
• Update the SU24 entries of the custom transaction.
• Identify the business role and technical role to be updated.
– The transaction should be added to the role only after successful completion of the security review.
SU24 Maintenance
SU24 maintenance is a recommended practice because it has several advantages:

• It helps reduce maintenance of the roles. When you transition from project to operations there is a knowledge gap; if the project team has been maintaining SU24 properly, this helps the operations team during role maintenance for the same transactions.
• It should be properly maintained for all customer transactions.
• It helps in maintaining the permissions for actions in the GRC ruleset.
• It helps in avoiding manually added authorizations in roles.
GRC Access Control
• GRC SOD Ruleset for S/4HANA
• GRC Ruleset Recommendation
• Fire Fighter for HANA DB
GRC SOD Ruleset for S/4HANA

• The current Pfizer GRC ruleset should be compared with the standard SAP S/4HANA ruleset, which is delivered as a BC-Set. Pfizer can then choose the changes they want to adopt.
– The standard SAP S/4HANA ruleset has the Fiori apps included in the GRC functions as OData services and/or Fiori apps. These can become redundant, so if both are available for the same app it is better to choose the OData service.
– The reason is that the OData services are part of the role menu in PFCG and the authorization objects are linked to these services in SU24.
– Keep a check on obsolete and replacement transactions and modify the function actions accordingly.
GRC Ruleset Recommendations

• You should keep the GRC ruleset up to date with all updates released by SAP on a regular basis.
• Unless needed to restrict sensitive transactions, you should remove display activities from the function permissions to eliminate false positives.
• Keep a check on obsolete and replacement transactions and modify the function actions accordingly.
• Optimize the connectors mapped to the connector group by removing unnecessary connectors. These have an impact on the performance of ruleset generation.
• Maintain a ruleset change tracker for documenting any changes made to the ruleset, as the change history may not always give you a complete picture.
• Document all the mitigating controls that are created, with details including the monitoring activities and the Mitigation Owner and Approver.
• Custom transactions should be reviewed for functionality and updated in the ruleset if applicable.
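To make the "remove display activities from the function permissions" recommendation concrete, the following added Python illustration (not IBM's or SAP's code, and not the delivered BC-Set) models a minimal GRC-style ruleset: two functions, one risk, and role contents. The function ids, the risk id and the Z role names are constructed; the transaction codes and authorization objects are standard SAP ones. It shows how a display-only vendor role is flagged as a conflict while ACTVT 03 is still part of the function permission, and is no longer flagged once display is removed.

```python
"""Simplified SoD evaluation in the style of a GRC Access Control ruleset.
Constructed illustration: function ids, the risk id and the Z role names are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    fid: str
    actions: frozenset   # transaction codes / Fiori apps that trigger the function
    permissions: dict    # authorization object -> {field: set of required values}


def make_functions(display_in_permissions: bool) -> dict:
    """Build the two functions of the risk; ACTVT 03 (display) is optionally kept."""
    actvt = {"01", "02"} | ({"03"} if display_in_permissions else set())
    return {
        "F_VENDOR_MAINT": Function("F_VENDOR_MAINT", frozenset({"XK01", "XK02", "XK03"}),
                                   {"F_LFA1_APP": {"ACTVT": actvt}}),
        "F_VENDOR_PAY": Function("F_VENDOR_PAY", frozenset({"F110"}),
                                 {"F_REGU_BUK": {"FBTCH": {"11", "21"}}}),
    }


RISK_P001 = ("F_VENDOR_MAINT", "F_VENDOR_PAY")   # hypothetical risk: maintain vendor + pay vendor


def role_executes(role: dict, fn: Function) -> bool:
    """A role executes a function if it holds one of its actions AND every permission."""
    if not (role["actions"] & fn.actions):
        return False
    return all(role["auths"].get(obj, {}).get(fld, set()) & vals
               for obj, fields in fn.permissions.items()
               for fld, vals in fields.items())


def user_in_conflict(roles: list, functions: dict, risk: tuple) -> bool:
    """Conflict when, across all assigned roles, every function of the risk is executable."""
    executed = {fid for role in roles for fid in risk if role_executes(role, functions[fid])}
    return executed == set(risk)


# Constructed role contents (Z names are placeholders, values are the authorizations held).
Z_VENDOR_DISPLAY = {"actions": {"XK03"}, "auths": {"F_LFA1_APP": {"ACTVT": {"03"}}}}
Z_VENDOR_MAINTAIN = {"actions": {"XK02"}, "auths": {"F_LFA1_APP": {"ACTVT": {"02", "03"}}}}
Z_AP_PAYMENT_RUN = {"actions": {"F110"}, "auths": {"F_REGU_BUK": {"FBTCH": {"11", "21"}}}}

if __name__ == "__main__":
    viewer = [Z_VENDOR_DISPLAY, Z_AP_PAYMENT_RUN]
    print("display kept    ->", user_in_conflict(viewer, make_functions(True), RISK_P001))   # True (false positive)
    print("display removed ->", user_in_conflict(viewer, make_functions(False), RISK_P001))  # False
    print("maintainer      ->", user_in_conflict([Z_VENDOR_MAINTAIN, Z_AP_PAYMENT_RUN],
                                                 make_functions(False), RISK_P001))         # True
```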
GRC Fire Fighter for HANA DB Use
• Fire Fighter is available for use with the HANA DB from Release GRC 12.x.
– SAP Note: 2735438
– The note provides the detailed information required for the setup.
https://launchpad.support.sap.com/#/notes/2735438
FIORI Strategy & Approach
• Embedded vs Hub Model
• Fiori Tools and Support
• Launchpad Spaces / Pages or Groups
• Advantages of Spaces/Pages
S/4HANA Embedded vs Hub Model

• All new S/4HANA implementations will be an embedded deployment only.
• Reference SAP Note: 2590653
https://launchpad.support.sap.com/#/notes/2590653
SAP Fiori Security Tools and Support
• Transaction SU24N: https://blogs.sap.com/2022/08/11/getting-back-to-standard-proposals-with-su24-authorisation-variants/
• Transaction STUSERTRACE: SAP Note 2220030
• Transaction STSIMAUTHCHECK: SAP Note 2442227
• Launchpad Content Designer: https://blogs.sap.com/2020/09/11/sap-fiori-for-sap-s-4hana-overview-of-tools-for-maintaining-custom-launchpad-content-and-layout/
• Launchpad Content Manager: https://microlearning.opensap.com/media/Refining%20Business%20Roles%20with%20SAP%20Fiori%20Launchpad%20Content%20Manager%20-%20SAP%20S_4HANA%20User%20Experience/1_41t9c846
• Launchpad App Manager: https://blogs.sap.com/2020/10/16/sap-fiori-launchpad-app-manager-tool-available-for-sap-s-4hana-2020/
• Security Troubleshooting: https://www.sap.com/documents/2017/11/9abe236d-df7c-0010-82c7-eda71af511fa.html
• Fiori App Support: https://blogs.sap.com/2021/02/08/app-support-for-the-sap-fiori-launchpad/
Additional References

• SAP HANA Security Guide
https://help.sap.com/doc/eec734dbb0fd1014a61590fcb5411390/2.0.03/en-
• SAP HANA Administration Guide
https://help.sap.com/doc/eb75509ab0fd1014a2c6ba9b6d252832/2.0.03/en-
• SAP HANA Security Checklists and Recommendations
https://help.sap.com/doc/3cffa43c8e3843cdae23f9abfe47355e/2.0.03/en-
Launchpad Spaces / Pages or Groups
- The content layout of the Fiori Launchpad is managed through Spaces / Pages since SAP S/4HANA 2020.
- Previously, Groups were used for organizing the content and they are still available. However, they may get deprecated in the near future.
- IBM recommends Pfizer starts the transition to using Launchpad Spaces and Pages to organize the launchpad content.
- During the design time, you may not have detailed information on the pages and sections to be created to organize the apps.
- You may need to work with business key users to help you define the layout.

Figure caption: Until S/4HANA 1909, Launchpad content is displayed and organized using “Groups”. The tabs are the “Groups” which are assigned to the business. Groups are still available but may be deprecated in the near future. From S/4HANA 2020, SAP provides another option to organize the launchpad layout using “Spaces and Pages”. Here the tabs are the “business roles” assigned to the user.
Advantages of Spaces / Pages
- The spaces mode was developed to offer more flexibility to influence the launchpad layout for specific user groups. Pages are assigned to users via spaces that are assigned to business roles. The business role defines which users see a specific space. If you enable spaces for your users and define specific spaces and pages for them, you can reach a better fit. By defining pages with meaningful sections, you can define in which order the apps are sorted on the page.
Next Steps & Path Forward