This blog post is part of our series about how to audit SAP S/4HANA Cloud public edition.
Role Concept: Business Catalogs vs. PFCG Roles
SAP S/4HANA Cloud simplifies role assignment by introducing business catalogs as the smallest assignable entity. These business catalogs are the building blocks for maintaining business roles. Important for auditing purposes: business catalogs are fixed and cannot be changed by the customer – which also means that critical roles pertaining to technical security risk cannot be assigned by the customer. Business catalogs hold the functionality needed to perform a specific business process and also define the fields that can be used to restrict that business process, for example to limit it to a specific organization.
Business roles are then essentially a bundle of different business catalogs that are assigned to a user. SAP delivers business role templates, which represent typical roles or personas. However, those templates should not be used in a productive environment: while the business catalogs are aligned with ISAE 3000, business roles should be tailored to the specific processes of each customer.
Business roles are maintained by the authorization administrator, who defines both the scope of the business catalog bundle and the restriction fields. From a technical perspective, PFCG roles are generated in the background upon activation of the business role – but this process is locked for the customer.
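As an added illustration (not part of the original post and not SAP code), the following sketch shows how an auditor could test exported role data against the two points above: business roles whose catalog bundle is identical to a delivered template, and restriction fields that a catalog offers but the role leaves unmaintained. The data layout and every ID are constructed placeholders, and the shape of the export is an assumption.

```python
# Constructed sample data: all IDs are placeholders, not real SAP catalogs or roles.
CATALOGS = {  # business catalog -> fields it exposes for restriction
    "CAT_AP_INVOICE": {"CompanyCode"},
    "CAT_AP_PAYMENT": {"CompanyCode", "HouseBank"},
    "CAT_GL_DISPLAY": {"CompanyCode"},
    "CAT_AUDIT_LOG": set(),
}
TEMPLATES = {  # delivered business role template -> bundled catalogs
    "TPL_AP_ACCOUNTANT": {"CAT_AP_INVOICE", "CAT_AP_PAYMENT"},
}
ROLES = {  # customer business role -> catalogs and maintained restrictions
    "Z_AP_CLERK_DE": {"catalogs": {"CAT_AP_INVOICE"},
                      "restrictions": {"CompanyCode": ["1010"]}},
    "Z_AP_ACCOUNTANT": {"catalogs": {"CAT_AP_INVOICE", "CAT_AP_PAYMENT"},
                        "restrictions": {"CompanyCode": ["1010"]}},
    "Z_AUDITOR": {"catalogs": {"CAT_GL_DISPLAY", "CAT_AUDIT_LOG"},
                  "restrictions": {}},
}


def audit_business_roles(roles, templates, catalogs):
    """Return sorted (role, finding, detail) tuples for an auditor to follow up."""
    findings = []
    for name, role in roles.items():
        # 1. Same catalog bundle as a delivered template: the role was
        #    probably copied without tailoring it to the customer's process.
        for tpl, bundle in templates.items():
            if role["catalogs"] == bundle:
                findings.append((name, "TEMPLATE_BUNDLE", tpl))
        # 2. Fields the role's catalogs allow restricting but which carry
        #    no maintained values in this role.
        restrictable = set().union(
            *(catalogs.get(c, set()) for c in role["catalogs"]))
        for field in restrictable:
            if not role["restrictions"].get(field):
                findings.append((name, "UNRESTRICTED_FIELD", field))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_business_roles(ROLES, TEMPLATES, CATALOGS):
        print(*finding, sep="\t")
```

A matching catalog bundle is only a heuristic for an untailored role; each finding still needs to be confirmed against the customer's process documentation.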
Business Partner Concept
A business partner (BP) is a new object to manage master data for partners, e.g. customers, vendors, employees, landlords. It can be linked to one or multiple roles such as customer/vendor. For customers and vendors, the usage of the BP functionality is technically obligatory. It is possible to set up two business partners with only one role each instead of one BP with two roles. The Customer/Vendor Integration (CVI) component ensures the synchronization between the business partner object and the customer/vendor objects.
All data are saved and managed in the BP master data and can therefore be shared across different roles. This ensures a high quality of data (avoiding inconsistency, redundancy & lack of traceability).
Furthermore, the BP functionality makes it possible to include time-dependent information, such as shipping addresses that are valid only for a limited period.
Note: Before setting up the new business partners in S/4HANA, it is important to clean up the existing partner data. SAP customers should discuss the data governance of the business partners and related consequences.
User Interface: Transactions vs. Fiori Apps
SAP ERP ECC systems used the SAP Graphical User Interface (SAP GUI) to access functions or programs. Within SAP GUI, there were different ways of navigating to the required program or function. Most commonly, transaction codes were used. The transaction code is entered by the user in the command field at the top of any SAP GUI screen. As an alternative, the user can use the SAP menu to navigate to the functions or programs needed. Each function in the SAP system has a transaction code associated with it.
SAP Fiori is the new user experience (UX) used in the SAP S/4HANA system, replacing SAP GUI. It applies modern design principles for a completely reimagined user experience. SAP Fiori UX represents a personalized, responsive and simple user experience across devices and deployment options. In the S/4HANA Cloud, the user interface is based on Fiori Apps, which are provided in the SAP Fiori Launchpad. SAP Fiori Launchpad is therefore the new application entry point. The Launchpad includes more than 500 apps, enabling users to use the same SAP application and processes on their mobile device as on their computer in an easier-to-use way. Fiori app assignment is controlled via roles.
Users are granted access to “what they can do” via SAP S/4HANA and “what they can view” through SAP Fiori Gateway. Although the underlying authorization objects remain relevant, users may have access to specific functions without the use of transaction codes.
For long-term SAP GUI users, there is an easy way to map SAP GUI transactions to Fiori Apps in the SAP S/4HANA Cloud:
- Enter the SAP Fiori Apps Library > Under “Categories” (on the left-hand side) choose “All Apps for SAP S/4HANA” > by Line of Business. The result will be an overview of all business lines and the number of Apps per Line of Business.
- Select a business line and then click on “List view” to change the display mode.
- At the top right-hand side of the screen, click on the star wheel. This will enable the IT auditor to adjust the column display settings.
- Choose the field “transaction” to display a one-to-one mapping of Fiori Apps on the left and the corresponding transaction on the right.
Example: SAP GUI interface (Read Security Audit Log)
Example: Fiori App “Display Security Audit Log” in SAP S/4HANA Cloud, public edition.