
Securing S/4HANA

November 29th, 2018

Christophe Decamps / Bert Vanstechelman / Chris Walravens


What we will cover

• Introduction

• Fiori Security

• HANA Security

• S/4HANA Back-end Authorizations

• How it all ties together

• Appendix: Technical Security


Securing S/4HANA Book

Christophe Decamps

Bert Vanstechelman

Chris Walravens
Fiori Security

Christophe Decamps
What we will cover

• SAP Fiori Introduction
• SAP Fiori Catalogs
• SAP Fiori Groups
• SAP Fiori Security: Front-End ABAP Roles
SAP Next-Generation Landscape

• Fiori as front end coupled with SAP S/4HANA & SAP HANA as back ends

[Diagram: SAP Gateway (Fiori front end) → S/4HANA → SAP HANA data (views)]

➢ Apply the same security rules consistently over the whole landscape

SAP Fiori Authorizations

[Diagram: Fiori Catalogs and Fiori Groups (Gateway) → Gateway single SAP roles → Gateway composite roles]

SAP Fiori Launchpad

• Single point of entry for business applications & analytics across platforms and devices
  - Role-based
  - Personalized
  - Real time
  - Contextual aggregation
• Available functionalities are presented in the form of tiles
• Authorizations:
  - Group & configure tiles into Catalogs & Groups via the SAP Fiori Launchpad Designer tool
  - Grant access to Catalogs & Groups to users via Gateway ABAP roles
SAP Fiori Catalogs Definition

Fiori Catalogs
• Give access to tiles
• Users can browse through all Catalogs they are assigned to
• Logical collection of tiles
  - Decide which tiles are grouped together
  - Comparable to the grouping of transactions in PFCG roles on the back-end system
• Important criteria:
  - Long-term sustainability
  - Transparency
  - Consistency
• The criteria for designing Catalogs depend strongly on the back-end role design
SAP Fiori Catalogs Configuration

Create Fiori Catalogs
• Create an empty workbench transport request in the Gateway
• Use the SAP Fiori Launchpad Designer (Gateway tcode /UI2/FLPD_CUST or via SPRO)
• Create the new Catalog
  - Predefined Catalogs can be copied and adapted, if required
  - Group tiles logically in Catalogs

SAP Fiori Catalogs Configuration

Add tiles to the Catalog
• From the Fiori Apps Library
  - With reference: if SAP updates the tile, your referenced tile is updated as well
  - Or manually
• Choose the type of tile:
  - Dynamic
  - News
  - Static
• Configure the relevant application parameters (target mapping)
SAP Fiori Groups Definition

Fiori Groups
• Are like favourites
• Contain the tiles visible by default on the user's Fiori launchpad entry page
• Other tiles remain accessible via the search function
• Important considerations:
  - Screen layout
  - Define the default tiles

SAP Fiori Groups Configuration

• Create an empty workbench transport request in the Gateway
• Create the Fiori Group via the SAP Fiori Launchpad Designer
  - Group names are displayed on the user's launchpad
• Add tiles to the Group
  - Browse the Catalogs and choose the tiles to add
SAP Fiori Gateway ABAP Single Roles

• Assign Fiori Catalogs and Groups to users via Gateway ABAP roles
• Managed via role maintenance transaction PFCG
• Add the required SAP Fiori Catalogs and Groups to the single role menu
• Fiori Catalogs and Groups assigned through ABAP roles are visible on the user's Fiori Launchpad

SAP Fiori Gateway ABAP Single Roles - services

• Some services are required for the app to work properly
• Sometimes the services are added automatically when the Catalog is added
• If not, or if some are still missing, add the required Gateway services manually to the Gateway tile role

SAP Fiori Gateway ABAP Composite Roles

• Group single roles into composite roles
• Apply the 2-layer model:

  Function (ABAP composite role): Accountant
    Task (ABAP tile role): Display Assets
      Fiori Catalog: Assets
      Fiori Group: Assets Reporting
    Task (ABAP tile role): Display XYZ
      Fiori Catalog: XYZ
      Fiori Group: XYZ Reporting

SAP Fiori Gateway ABAP Roles Design Considerations

• Front-end ABAP roles, important considerations:
  - Consistency between front end and back end
  - Ease of maintenance on the front end
  - Conceptual transparency
  - Strong naming convention
HANA Security

Christophe Decamps
What we will cover

• SAP HANA Introduction
• SAP HANA Entities relations
• SAP HANA Privileges
• SAP HANA Back-End Roles
• SAP HANA Securing views
• SAP HANA repository & modelling
• SAP HANA schemas & modelling
SAP HANA Authorizations

[Diagram: Gateway (Fiori Catalogs, Fiori Groups) → Gateway single and composite SAP roles; S/4HANA; SAP HANA data (views) → HANA privileges grouped into HANA roles]

Why HANA access management?

Why is HANA access management important?
• The HANA database holds all your tables, i.e. all your data
• From HANA, direct read & write access to the data is possible
• The default roles/privileges give very broad access

➢ Secure HANA to protect your data and ensure its accuracy!


SAP HANA

[Diagram: clients (SAP HANA Studio, application server, application on the XS Engine) in front of SAP HANA; security functions inside HANA: authentication, authorization, identity store, encryption, audit logging]

• SAP HANA is an in-memory database which contains all business data and logic as well as all of its security functions
• Authorizations:
  - Give access to the data/content via HANA privileges
  - Group privileges into roles using the SAP HANA Studio or the Web-based workbench application
SAP HANA Authorizations approach

[Diagram: the same layering in every system. ECC: tcodes and authorization objects → single roles (SR) → composite roles / business roles (CR / BR). BW: InfoProviders and BW analysis authorizations → SR → CR / BR. HANA: privileges → roles.]

Consistency
Maintainability
Transparency
SAP HANA Security Administration

• SAP HANA Studio
  - Installation required
  - Download from SAP Service Marketplace
• XS Web-based Workbench Interface
  - No installation required
  - http://<hostname>:80<InstNo>/sap/hana/xs/ide/

[Diagram: the admin works either through SAP HANA Studio or through the Web Interface, an application running on the XS Engine of SAP HANA]
Entities relations

[Diagram: privileges are granted to roles; roles are granted to roles and to users]

Best practice: grant privileges to roles, and roles to users (or to other roles)

Entities relations

[Diagram: a user owns the objects it creates; the objects are granted to _SYS_REPO]

Attention
• The action "grant" is also considered an object!
➢ A "grant" is owned by its creator

SAP HANA Privileges

[Diagram: client / application on the XS Engine in front of SAP HANA, with each privilege type mapped to what it protects]

• Application privilege (XS applications)
• Package privilege (repository packages)
• Object privilege (catalog: schemas, tables, views, …)
• Analytic privilege (row-level access on views)
• System privilege
SAP HANA Functional Restriction: System Privileges

• Control some general system activities, mainly for administrative purposes
• Are system-wide
• Cannot be modified
• System privileges can be divided into five types:
  - Users and roles
  - Catalog and schema management
  - Auditing
  - System management
  - Data import and export
SAP HANA Functional Restriction: Application Privileges

• Grant access to XS-based applications
  E.g.:
  - Access to the Web-based workbench application (sap.hana.xs.ide)
  - Access to Analysis for Office (sap.bc.ina.service.v2::Execute)
• Granular authorization of the different functions and screens of an application is possible
• Build your application privileges with some granularity!
  E.g.: one privilege for the landing page, then different ones for the further application sections
SAP HANA Functional Restriction: Package Privileges

• Packages contain objects such as:
  - Views
  - Procedures
  - Roles
• Define access to and use of packages in the repository
• Hierarchical access to packages and their sub-packages
• Build your packages with some granularity!

SAP HANA Functional Restriction: Object Privileges

• Are linked to an object (e.g., table, view, procedure, …) and restrict access to it
• The possible actions depend on the object type:
  - Select
  - Update/create
  - Execute
  - Delete
SAP HANA Organizational Restriction: Analytic Privileges

• Control row access to data models (views)
• Give different output from the same view

One view "Sales":

  Region   | Sales Value
  Germany  | 1000
  Belgium  | 5000
  Spain    | 2000

User 1 (manager in Germany) sees:

  Region   | Sales Value
  Germany  | 1000

User 2 (manager in Belgium & Spain) sees:

  Region   | Sales Value
  Belgium  | 5000
  Spain    | 2000
SAP HANA Organizational Restriction: Analytic Privileges

• Consist of several dimension restrictions:
  - Cube restriction
  - Activity restriction
  - Validity restriction
  - Attribute restrictions (e.g., Company Code, Plant, …)
• Use SQL Analytic Privileges (Classical Analytic Privileges will be decommissioned)
SAP HANA Organizational restriction: Analytic privileges

Dynamic analytic privilege
• E.g. check the user's region from a table

[Diagram: one dynamic privilege on the view; the restrictions for user 1, user 2 and user 3 are read from the table "User_Region"]

Table "User_Region":

  User_Name | Region  | Position
  User1     | America | Manager
  User2     | Asia    | Employee
  User3     | Europe  | Manager

SAP HANA Organizational restriction: Analytic privileges

Dynamic analytic privilege
• A dynamic analytic privilege can be created
  ➢ The filtering conditions are obtained at run time when a specific table or view is queried
• Advantages:
  ➢ The same analytic privilege can be applied to multiple users with different authorization requirements
  ➢ Ease of maintenance
  ➢ The filter can be obtained from a stored procedure with complex logic
• Disadvantages:
  ➢ Difficulties for maintenance
  ➢ Difficulties for reporting
  ➢ Difficulties to audit
Privileges: business access summary

• Access a view via an object privilege
• Access a specific column via a created view
• Access a row via an analytic privilege

➢ 1 displayed view = object privilege (access to the table/view) + analytic privilege (filters for that table)
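As an added example, not part of the presentation, the HANA SQL below builds the "object privilege + analytic privilege" pair for the "Sales" view of the earlier slide: first with a static SQL analytic privilege (user 1, Germany), then with a dynamic one whose filter is read at run time from a "User_Region" table through a condition-provider procedure. The schema SALES_DATA, the activated column view "_SYS_BIC"."expertum.sales.exposed/CV_SALES", the role and privilege names and the table rows are all assumptions; the view is assumed to have SQL analytic privileges applied in its properties, and STRING_AGG assumes SAP HANA 2.0.

```sql
-- Added example, not from the presentation. Assumed: schema SALES_DATA, activated
-- column view "_SYS_BIC"."expertum.sales.exposed/CV_SALES" with a column REGION.

-- 1. Object privilege: the "level 1" role may read the exposed view and nothing below it.
CREATE ROLE "HN_S_V_SALES_2018";
GRANT SELECT ON "_SYS_BIC"."expertum.sales.exposed/CV_SALES" TO "HN_S_V_SALES_2018";

-- 2. Static SQL analytic privilege: the same view, rows filtered to Germany (user 1).
--    The filter is fixed in the privilege definition.
CREATE STRUCTURED PRIVILEGE "AP_SALES_DE"
  FOR SELECT ON "_SYS_BIC"."expertum.sales.exposed/CV_SALES"
  WHERE "REGION" = 'Germany';
CREATE ROLE "HN_D_V_SALES_DE";
GRANT "HN_S_V_SALES_2018" TO "HN_D_V_SALES_DE";      -- object privilege via the level 1 role
GRANT STRUCTURED PRIVILEGE "AP_SALES_DE" TO "HN_D_V_SALES_DE";

-- 3. Dynamic SQL analytic privilege: the filter comes from a procedure at query time.
--    Constructed mapping table, as in the "User_Region" slide.
CREATE COLUMN TABLE "SALES_DATA"."USER_REGION" (
  "USER_NAME" NVARCHAR(256), "REGION" NVARCHAR(40), "POSITION" NVARCHAR(40));
INSERT INTO "SALES_DATA"."USER_REGION" VALUES ('USER2', 'Belgium', 'Manager');
INSERT INTO "SALES_DATA"."USER_REGION" VALUES ('USER2', 'Spain',   'Manager');

-- Condition provider: no input parameters, exactly one NVARCHAR output holding the
-- WHERE condition, read-only, SQL SECURITY DEFINER. SESSION_USER is the querying user.
CREATE PROCEDURE "SALES_DATA"."GET_REGION_FILTER" (OUT filter_clause NVARCHAR(5000))
  LANGUAGE SQLSCRIPT SQL SECURITY DEFINER READS SQL DATA AS
BEGIN
  DECLARE region_list NVARCHAR(5000);
  SELECT STRING_AGG('''' || "REGION" || '''', ',') INTO region_list
    FROM "SALES_DATA"."USER_REGION"
   WHERE "USER_NAME" = SESSION_USER;
  -- A user without a mapping row must see no rows, not all rows.
  IF region_list IS NULL THEN
    filter_clause := '1 = 0';
  ELSE
    filter_clause := '"REGION" IN (' || region_list || ')';
  END IF;
END;

CREATE STRUCTURED PRIVILEGE "AP_SALES_DYNAMIC"
  FOR SELECT ON "_SYS_BIC"."expertum.sales.exposed/CV_SALES"
  CONDITION PROVIDER "SALES_DATA"."GET_REGION_FILTER";
CREATE ROLE "HN_D_V_SALES_DYN";
GRANT "HN_S_V_SALES_2018" TO "HN_D_V_SALES_DYN";
GRANT STRUCTURED PRIVILEGE "AP_SALES_DYNAMIC" TO "HN_D_V_SALES_DYN";
```

A user holding only HN_S_V_SALES_2018 gets "insufficient privilege" on the view, because the object privilege alone does not satisfy the analytic privilege check; a user holding HN_D_V_SALES_DYN with no USER_REGION row gets an empty result, which is the failure mode the procedure handles explicitly.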
SAP HANA Functions vs. Required Privilege Types

IT (system admin, security officer, modelers, …)
• Typically required types of privileges:
  - System privileges
  - Application privileges
  - Package privileges
  - Object privileges
  - Analytic privileges

Business (business functions)
• Typically required types of privileges:
  - Application privileges
  - Object privileges (data access)
  - Analytic privileges (views)
SAP HANA Grouping Privileges into Roles

• A role hierarchy is possible
  - Roles in roles in roles in roles … is possible!
  - The 2-layer model does not exist in SAP HANA (no composite roles and single roles)
• The role model should be maintainable and transparent
  - Avoid direct privilege assignment
  - Avoid a role hierarchy of more than 2 levels

SAP HANA Grouping Privileges into Roles

• Create a design like the 2-layer model to keep it clear:

  Function (role): Accountant
    Task (role): Display Assets
      Object privilege: SELECT on the Assets view
      Analytic privilege: Assets view AP
    Task (role): Display XYZ
      Object privilege: SELECT on the XYZ view
      Analytic privilege: XYZ view AP
SAP HANA Repository Roles vs. Catalog Roles

REPOSITORY (design time) ROLES
• Owner: _SYS_REPO
• Use the "with grant" option for _SYS_REPO
• A grantor can grant/revoke all roles if he can execute the "Grant/Revoke Activated Role" stored procedure
• No need to hold a privilege yourself in order to grant it to the role
• But _SYS_REPO does!
• SOD possible between creation, ownership, and assignment
• Transportable
➢ Best practice

CATALOG (runtime) ROLES
• Owner = creator. Deleting the owner deletes the role.
• Only the grantor can revoke the role
• If the grantor is deleted, the privileges are revoked
• You need to hold a privilege yourself in order to grant it to the role
• Privileges are transitive (removed from the grantor = removed from the role)
• Not transportable
➢ Not recommended!
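Two audit queries and one grant, added here as an example and not part of the presentation, to check the two rules above on an existing system: catalog-role chains deeper than two levels (SYS.GRANTED_ROLES holds one row per role grant with the grantee's type) and catalog grants that depend on a named grantor and therefore disappear with that user. The last statement shows the repository-role way of assigning through _SYS_REPO's stored procedure; the role and user names are assumptions.

```sql
-- Added example, not from the presentation. Role and user names are assumptions.

-- 1. Role chains with three role levels (role -> role -> role); the deck allows two.
--    Each GRANTED_ROLES row means: ROLE_NAME was granted to GRANTEE (a USER or a ROLE).
SELECT l1."ROLE_NAME" AS "LEVEL_1_ROLE",
       l2."ROLE_NAME" AS "LEVEL_2_ROLE",
       l2."GRANTEE"   AS "LEVEL_3_ROLE"
  FROM "SYS"."GRANTED_ROLES" l1
  JOIN "SYS"."GRANTED_ROLES" l2
    ON l2."ROLE_NAME" = l1."GRANTEE"
   AND l2."GRANTEE_TYPE" = 'ROLE'
 WHERE l1."GRANTEE_TYPE" = 'ROLE'
 ORDER BY 1, 2, 3;

-- 2. Grants whose grantor is a named user rather than _SYS_REPO: dropping that user
--    revokes the role assignment or privilege with it (transitive grants).
SELECT 'ROLE' AS "KIND", "GRANTEE", "ROLE_NAME" AS "GRANTED", "GRANTOR"
  FROM "SYS"."GRANTED_ROLES"
 WHERE "GRANTOR" <> '_SYS_REPO'
UNION ALL
SELECT 'PRIVILEGE', "GRANTEE",
       IFNULL("SCHEMA_NAME", '') || '.' || IFNULL("OBJECT_NAME", '') || ':' || "PRIVILEGE",
       "GRANTOR"
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE "GRANTOR" <> '_SYS_REPO'
   AND "GRANTEE" NOT LIKE '\_SYS%' ESCAPE '\'   -- skip internal users and roles
   AND "GRANTEE" <> 'SYSTEM';

-- 3. Repository roles are assigned through _SYS_REPO's procedure, so the recorded
--    grantor is always _SYS_REPO and the assignment survives the administrator who made it.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('expertum.roles::HN_C_ACCOUNTANT', 'USER1');
-- The catalog equivalent, GRANT "HN_C_ACCOUNTANT" TO USER1, records the executing
-- administrator as grantor and shows up in query 2.
```

Query 1 returns one row per offending chain; an empty result means no catalog role is nested deeper than the deck's two levels. Query 2 is the list to work through before an administrator account is retired.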
Securing HANA views

Example of view dependencies:

[Diagram: view dependency tree with three levels, exposed views on top of reusable views on top of tables]

Securing HANA views

Securing views:
• Only the exposed views should be secured with APs. All views below them must be AP free
• AP security is defined by the modeler in the view's properties

  Level 2: exposed view 1 (AP), exposed view 2 (AP), exposed view 3 (AP)
    ➢ Exposed to end users: secured with an AP
  Level 1: view 1, view 2, view 3
  Level 0: tables
    ➢ Not exposed to end users: AP free
Packages structure & modelling

Establish a strong package structure
• Use only lower case for your packages' names
• Establish a clear structure & ensure it is sustainable in the future
• Use the package structure to know which views are exposed and which are not
➢ Helps the modelers to always know whether a view has to be secured or not

Example package tree:
  expertum
    models (per functional stream)
      fi
        sub fi folder
          unexposed
          exposed
      sales
      ..
    underlying objects (dimensions)
    sandbox
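The package convention above makes the "only exposed views carry an AP" rule of the previous slides checkable from the catalog. The two queries below are an added example, not part of the presentation: activated calculation views appear in schema _SYS_BIC under the name "<package.path>/<VIEW>", and SYS.VIEWS records whether a view applies analytic privileges. The root package "expertum" and the "exposed"/"unexposed"/"sandbox" sub-package names are assumptions taken from the tree above.

```sql
-- Added example, not from the presentation. Package names are assumptions.

-- 1. Views that contradict the package convention: a view under "exposed" must apply
--    analytic privileges, a view under "unexposed" must not (it is reached only through
--    exposed views), and every productive view should sit in one of the two.
SELECT "VIEW_NAME", "FINDING"
  FROM (
    SELECT "VIEW_NAME",
           CASE
             WHEN "VIEW_NAME" LIKE '%.exposed/%'
                  AND "HAS_STRUCTURED_PRIVILEGE_CHECK" = 'FALSE'
               THEN 'exposed view without analytic privilege check'
             WHEN "VIEW_NAME" LIKE '%.unexposed/%'
                  AND "HAS_STRUCTURED_PRIVILEGE_CHECK" = 'TRUE'
               THEN 'unexposed view with analytic privilege check'
             WHEN "VIEW_NAME" NOT LIKE '%.exposed/%'
                  AND "VIEW_NAME" NOT LIKE '%.unexposed/%'
               THEN 'view outside the exposed/unexposed package structure'
           END AS "FINDING"
      FROM "SYS"."VIEWS"
     WHERE "SCHEMA_NAME" = '_SYS_BIC'
       AND "VIEW_NAME" LIKE 'expertum.%'
       AND "VIEW_NAME" NOT LIKE 'expertum.sandbox.%'
  )
 WHERE "FINDING" IS NOT NULL
 ORDER BY "FINDING", "VIEW_NAME";

-- 2. Direct object privileges on unexposed views held by anything other than _SYS_REPO:
--    end-user roles should only ever reference the exposed layer.
SELECT "GRANTEE", "GRANTEE_TYPE", "OBJECT_NAME", "PRIVILEGE", "GRANTOR"
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE "SCHEMA_NAME" = '_SYS_BIC'
   AND "OBJECT_NAME" LIKE 'expertum.%.unexposed/%'
   AND "GRANTEE" <> '_SYS_REPO';
```

Both queries should return no rows on a landscape that follows the convention; run them after each transport of models and roles, since an activation that flips the "apply privileges" property of a view is invisible in the role definitions themselves.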
Schemas & modelling

Entities relations
• All objects created by a user are owned by that user
• If the user is deleted, the object is deleted!
➢ Always use a user which will not be deleted to create the schemas, tables, procedures, etc. that hold the data on which views are based!

Schema access
• By default no one has access to newly created application schemas
• _SYS_REPO gives the users access to the activated models
• If models are built and activated on data from a specific schema, _SYS_REPO must therefore be granted access to that schema
• Only the schema owner can grant access to his schema (including to _SYS_REPO)
➢ Modelers must grant _SYS_REPO the required access to the schema with grant option so it can be added to roles
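The ownership and _SYS_REPO rules above, carried through in HANA SQL as an added example that is not part of the presentation. The technical user MODEL_OWNER, the schema SALES_DATA and its table are assumptions, and the password is a placeholder to be replaced according to the local password policy.

```sql
-- Added example, not from the presentation. Assumed names: user MODEL_OWNER,
-- schema SALES_DATA, table SALES; <initial-password> is a placeholder.

-- Step 1 (as an administrator): a technical user that will never be deleted owns the
-- schema, so deleting a departing modeler's account cannot drop the base tables.
CREATE USER MODEL_OWNER PASSWORD "<initial-password>" NO FORCE_FIRST_PASSWORD_CHANGE;
GRANT CREATE SCHEMA TO MODEL_OWNER;

-- Step 2 (connected as MODEL_OWNER, the only user who can grant on its own schema):
-- create the schema and tables, then give _SYS_REPO read access WITH GRANT OPTION so
-- that activated models can read the data and the object privilege can be placed in
-- repository roles.
CREATE SCHEMA "SALES_DATA";
CREATE COLUMN TABLE "SALES_DATA"."SALES" (
  "REGION" NVARCHAR(40), "SALES_VALUE" DECIMAL(15, 2));
GRANT SELECT ON SCHEMA "SALES_DATA" TO _SYS_REPO WITH GRANT OPTION;

-- Step 3 (as an administrator): verify the grant. IS_GRANTABLE must be TRUE; with a
-- plain GRANT the models activate but role assignment on their views fails.
SELECT "GRANTEE", "SCHEMA_NAME", "PRIVILEGE", "IS_GRANTABLE", "GRANTOR"
  FROM "SYS"."GRANTED_PRIVILEGES"
 WHERE "GRANTEE" = '_SYS_REPO'
   AND "OBJECT_TYPE" = 'SCHEMA'
   AND "SCHEMA_NAME" = 'SALES_DATA';

-- Step 4: the owner only needs to log on when it creates objects or grants. Keeping it
-- deactivated in between removes an interactive account that owns all base data;
-- reactivate it (ALTER USER ... ACTIVATE USER NOW) for the next schema change.
ALTER USER MODEL_OWNER DEACTIVATE USER NOW;
```

The single row returned by step 3 is the evidence to keep: GRANTEE _SYS_REPO, PRIVILEGE SELECT, IS_GRANTABLE TRUE, and GRANTOR MODEL_OWNER, the user that will not be deleted.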
S/4HANA Back-end Security

Chris Walravens

• S/4HANA Authorizations: the good news!
• Generic steps for building roles
• Impact of your Fiori strategy
• Upgrade, Brownfield, Greenfield?
• Governance considerations
SAP S/4HANA Authorizations

[Diagram: SAP Gateway (Fiori) → S/4HANA → SAP HANA data (views)]

S/4HANA Authorizations: the good news!

The authorization mechanism remains largely identical
• Tools: still SU01, SU24, SU25, PFCG, SUPC, PFUD, STAUTHTRACE, etc.
• Concept: still single roles, derived roles & composite roles

Some new stuff coming in (*)
• 14,421 new transaction codes
• 506 new authorization objects

(*) Comparison ECC 6 vs. S/4HANA 1610

Generic steps for building roles

Grouping of functionality into single roles
• Transaction codes
• Web Dynpro applications
• UI5 applications
• Activity-like restrictions (create, change, display, …)
• Functional restrictions (movement types, infotypes, …)

Implementing field restrictions using derived roles
• Organizational restrictions (company code, plant, …)

Generic steps for building roles

Grouping roles into composite roles
• Facilitates role assignments to users
• Standardizes accesses (not user based, but role based)
• Supports template-based approaches
Impact of your Fiori strategy

Possible Fiori strategies

No Fiori, stay with good old SAP GUI / Business Client
• Not realistic: specific functionality is only available through Fiori (e.g. House Banks)

A specific set of Fiori apps, combined with good old SAP GUI / Business Client
• The hybrid model: very realistic, to make the transition to S/4HANA smoother for long-time users

Full Fiori, without any (further) deployment of SAP GUI / Business Client
• The most innovative
• Realistic for greenfield implementations, especially where SAP was not used before

Main consequences of a full Fiori strategy
• Grouping of functionality moves from transaction codes to tiles (apps)
• Grouping of functionality moves from the back end to the front end
• Maintenance of tiles, catalogs and groups belongs with the security team

S/4HANA system: grant services to back-end roles

Grant the required services in back-end roles
• Manually add services to the back-end role, or
• Assign catalogs to the SAP S/4HANA back-end role so that the necessary services are added automatically in the back-end system (best practice)
• Even when coming from tiles and catalogs, transaction codes can still be authorized
Migration to S/4HANA: approaches

Upgrade
Brownfield
Greenfield

Migration to S/4HANA authorizations

Keep the existing back-end roles and authorizations: the pure upgrade scenario
• Upgrade PFCG (execute SU25) and/or move the SU25 entries to the greenfield S/4HANA
• Download / upload roles to the greenfield S/4HANA
• Post-maintain roles with the upgraded SU25 entries
• Test & go-live
• Fiori roles will need to be designed and built
• SAP HANA authorizations need to be designed and built
Migration to S/4HANA authorizations

Apply some optimizations on the back-end roles, where needed: upgrade + enhancements
• Start using SU24: eliminate manual and changed statuses in your roles
• Remove inconsistencies between the role menu and the S_TCODE content
• Remove unused transaction codes and add new ones where needed
• Still need to design and build Fiori roles and SAP HANA authorizations

Migration to S/4HANA authorizations

Go for an optimized new authorizations concept: the redesign scenario
• Tackle the "upgrade" related activities during a redesign project
• Get rid of your historical authorizations concept
• Design and build back-end roles that are conceptually compatible with Fiori and SAP HANA
• Design and build Fiori roles in line with the back-end roles
• Design and build SAP HANA authorizations in line with the back-end roles
Governance considerations

The internal control criterion
• Single roles built on subprocess level
• Single and derived roles need to be free of Segregation of Duties violations

The homogeneity criterion
• Making roles understandable (transparency)
• Making roles more maintainable (clearer link between functionality and authorization objects)

Governance considerations

The business process criterion
• Single roles must allow the protection of the business processes (they don't exist for their own benefit)
• The role concept has to facilitate the assignment of specified business process steps to different people

The ownership criterion
• Facilitate role ownership on data / business subprocess level

Governance considerations

We are still protecting business data and securing business processes
• Regardless of the technology changes
• Regardless of the authorization mechanisms offered through software
• Regardless of which front-end, back-end and database systems are used

It's still all about internal control!!!
How it all ties together

Chris Walravens
SAP Fiori (Front-End), SAP S/4HANA & HANA (Back-End) Authorizations

[Diagram: Gateway (Fiori Catalogs, Fiori Groups) → Gateway single roles → Gateway composite roles; S/4HANA (tcodes, authorization objects) → S/4HANA single roles → S/4HANA composite roles; SAP HANA data (views) → privileges → HANA roles. Consistency across all three.]

Consistency: the role objects per system, shown for an accountant (YYYY and BEXX are the placeholders used in the naming convention)

Fiori (Launchpad Designer)
  Catalogs: C_HN_V_ASSETS_YYYY, C_BW_V_BWRP_YYYY, C_S4_A_AMMD_ASSETS
  Groups: G_HN_X_ASSETS_YYYY, G_BW_BWRP_YYYY, G_S4_AMMD_ASSETS

Gateway (PFCG)
  Tile roles: GW_T_HN_V_ASSETS_YYYY, GW_T_BW_V_BWRP_YYYY, GW_T_S4_A_AMMD_ASSETS
  Composite role: GW_C_ACCOUNTANT

S/4HANA (PFCG)
  Single role: S4_S_A_AMMD_ASSETS
  Derived role: S4_D_A_AMMD_ASSETS_BEXX
  Composite role: S4_C_BEXX_ACCOUNTANT

HANA (HANA Studio / Web IDE)
  "Level 1" role: HN_S_V_ASSETS_YYYY (object privilege + analytic privilege on the object)
  Derived role: HN_D_V_ASSETS_BEXX (object privilege + derived analytic privilege carrying the restrictions)
  "Level 2" role: HN_C_BEXX_ACCOUNTANT

BW/4HANA (PFCG)
  Single role: BW_S_V_BWRP_YYYY
  Derived role: BW_D_V_BWRP_YYYY_BEXX
  Analysis authorization: BVYYYYBEXX
  Composite role: BW_C_BEXX_ACCOUNTANT

IDM / Business role (GRC BRM): C_ACCOUNTANT_BEXX, assigned to the user / identity

Ownership
  IT: the technical roles in each system
  IT / Business: the business role C_ACCOUNTANT_BEXX
  Business: the user / identity assignment

Appendix: Technical Security

Bert Vanstechelman
Operating System

S/4HANA System

Business & Configuration data
• Client (application & customizing, user master)
• Cross-client customizing
• Repository objects (DDIC, transactions, programs)

Application Server
• Message server
• Gateway process
• Internet Connection Framework

Authentication
• Basic
• Kerberos
• X.509 certificates
• Security Assertion Markup Language (SAML)

SAP HANA
• Revisions
• Data volume encryption
• Multi tenants & isolation
• Protecting standard users

Operating System
• Service users
• File systems & directories
• SAP Management Console
• Network security

Network
Firewalls, SAP Router, Web Dispatcher
S/4HANA System: Business & Configuration data

Actions
• Client settings
• Avoid empty clients
• Set up security audit logging
• Set up data change logging
• Implement a password strategy, protect standard users
S/4HANA System: Application Server

Actions
• Message server & Gateway
  - Restrict access to MSMON
  - Restrict access, use ACLs (access control lists)
  - Set up logging
• Internet Connection Framework
  - Only enable what you need
  - Disable multiple logons
  - Do not send detailed error data
  - Only use HTTPS
  - Set up logging
S/4HANA System: Authentication

• Basic
• Kerberos
• X.509 certificates
• Security Assertion Markup Language (SAML)

Actions
Get an SSO expert!
S/4HANA System: SAP HANA

• Revisions
• Data volume encryption
• Multi tenants & isolation
• Protecting standard users

Actions
• Keep your SAP HANA up to date
• Enable volume & backup encryption
• Separate your tenants on OS level
• Protect the SYSTEM user
Operating System

• Service users
• File systems & directories
• SAP Management Console
• Network security

Actions
• Harden your OS, install a virus scanner & OS patches
• Activate the firewall
• Beware of NFS shares
• Protect the SAP MMC
Network

Firewalls, SAP Router, Web Dispatcher

SAP Web Dispatcher as software firewall and load balancer

[Diagram: mobile devices and web clients reach the SAP Web Dispatcher over HTTPS through the outer firewall; the Web Dispatcher (encryption, load balancing) forwards through the inner firewall to the Gateway PRD and S/4HANA PRD systems, each consisting of an ASCS and application servers; mobile devices get their configuration from the Gateway; SAP Router alongside the firewalls]
Thanks for listening! Any questions?

Christophe Decamps, Senior Consultant, Governance, Risk & Compliance
+32 473 720 125, christophe.decamps@expertum.net

Chris Walravens, Community Lead & Partner, Governance, Risk & Compliance
+32 474 475 983, chris.walravens@expertum.net

Bert Vanstechelman, Community Lead & Partner, TECH Team
+32 475 278 179, bert.vanstechelman@expertum.net

www.expertum.net
Inspire by Experience.
