What we will cover
• Introduction
• Fiori Security
• HANA Security
Presenters: Christophe Decamps, Bert Vanstechelman, Chris Walravens

Fiori Security (Christophe Decamps)
SAP Next-Generation Landscape
• Fiori as front end coupled with SAP S/4HANA & SAP HANA as back ends
Diagram (recovered text only): the SAP Gateway exposes Fiori Catalogs and Fiori Groups, which are bundled into Gateway single roles and Gateway composite roles; S/4HANA and SAP HANA (data views) sit behind the Gateway.
SAP Fiori Launchpad
• Single point of entry for business applications & analytics across platforms and devices: role-based, personalized, real time, contextual aggregation
• Authorizations:
  Group & configure tiles into Catalogs & Groups via the SAP Fiori Launchpad Designer tool
  Grant access to Catalogs & Groups to users via Gateway ABAP roles
SAP Fiori Catalogs Definition
Fiori Catalogs
• Give access to tiles
• Users can browse through all Catalogs they're assigned to
• Transparency
• Consistency
• The criteria for designing Catalogs depend highly on the back-end role design
SAP Fiori Catalogs Configuration
Tile types shown in the configuration screenshot: News, Static
SAP Fiori Groups Definition
Fiori Groups
• Are like favourites
• Contain the tiles visible by default on the user's Fiori Launchpad entry page
• Other tiles are still accessible via the search function
Important considerations:
• Screen layout
• Define default tiles
SAP Fiori Groups Configuration
SAP Fiori Gateway ABAP Single Roles
• Assign Fiori Catalogs and Groups to users via Gateway ABAP roles
• Managed via role maintenance transaction PFCG
• Add the required SAP Fiori Catalogs and Groups to the single role menu
• Fiori Catalogs and Groups assigned through ABAP roles are visible on the user's Fiori Launchpad
SAP Fiori Gateway ABAP Single Roles - services
HANA Security (Christophe Decamps)
SAP HANA Authorizations
Diagram (recovered text only): Gateway (Fiori Catalogs, Fiori Groups) with Gateway single and composite roles; S/4HANA with single SAP roles; SAP HANA with privileges, roles and data (views).
Why HANA access management?
• The HANA database holds all your tables => all your data
• From HANA, direct read & write access to the data is possible
• The default roles/privileges give very broad access
• Authorizations:
  Give access to the data/content via HANA privileges
  Group privileges into roles using the SAP HANA Studio or the Web-based workbench
Diagram (recovered text only): SAP HANA security areas: XS Engine application, Authentication, Identity Store, Authorization, Encryption, Audit Logging.
SAP HANA Authorizations approach
• ECC: Tcodes and authorization objects -> SR (single roles) -> CR / BR (composite / business roles)
• BW: InfoProviders and BW analysis authorizations -> SR -> CR / BR
• HANA: privileges -> roles
Goals: Consistency, Maintainability, Transparency
SAP HANA Security Administration
Diagram (recovered text only): Application -> XS Engine -> SAP HANA.
Entities relations
• A Role is granted to a Role
• A Privilege is granted to a Role
• A user owns an Object
• An Object is granted to _SYS_REPO
Best practice: (diagram; recovered text only)
Attention
• The action "grant" is also considered an object!
SAP HANA Privileges
• Application privilege (client application, XS Engine)
• Object privilege (catalog: schemas, tables, views, …)
• Package privilege
• Analytic privilege (row level access)
• System privilege
SAP HANA Functional Restriction: System Privileges
• Are linked to an object (e.g., table, view, procedure, …) and allow access to it to be restricted
Example: one view "Sales"
  Region   Sales Value
  Germany  1000
  Belgium  5000
  Spain    2000
User 1 (Manager in Germany) sees:
  Region   Sales Value
  Germany  1000
User 2 (Manager in Belgium & Spain) sees:
  Region   Sales Value
  Belgium  5000
  Spain    2000
SAP HANA Organizational Restriction: Analytic Privileges
Dynamic privilege: the filter is read from a table "User_Region" (User_Name, Region, Position; e.g. User1, America, Manager), so user 2 and user 3 get their own restrictions from the same privilege.
• Advantages:
➢ The same analytic privilege can be applied to multiple users with different authorization requirements
➢ Ease of maintenance
➢ Filter obtained from a stored procedure with complex logic
• Disadvantages:
➢ Difficulties for maintenance
➢ Difficulties for reporting
➢ Difficulties to audit
Privileges: business access summary
➢ 1 displayed view = object privilege (access to the table/view) + analytic privilege (filters for that table)
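The object-plus-analytic-privilege pairing above, worked through in SQL for the "Sales" view of the earlier example. This is an added illustration, not code from the slides: it assumes SAP HANA 2.0 SQL analytic privileges (CREATE STRUCTURED PRIVILEGE) on an SQL view, where the slides describe the equivalent property set by the modeler on a calculation view, and every schema, view, role and user name is invented.

```sql
-- Added example (not from the slides). Assumes SAP HANA 2.0 SQL syntax for analytic
-- privileges (CREATE STRUCTURED PRIVILEGE) on an SQL view; schema, view, role and user
-- names are invented. Run as the owner of schema "SALES".

-- Base table and the single exposed view. The view opts in to analytic privilege checks,
-- the SQL counterpart of the "apply privileges" property a modeler sets on a view.
CREATE TABLE "SALES"."SALES_DATA" ("REGION" NVARCHAR(20), "SALES_VALUE" DECIMAL(15,2));
INSERT INTO "SALES"."SALES_DATA" VALUES ('Germany', 1000);
INSERT INTO "SALES"."SALES_DATA" VALUES ('Belgium', 5000);
INSERT INTO "SALES"."SALES_DATA" VALUES ('Spain',   2000);

CREATE VIEW "SALES"."V_SALES" AS
  SELECT "REGION", "SALES_VALUE" FROM "SALES"."SALES_DATA"
  WITH STRUCTURED PRIVILEGE CHECK;

-- Analytic privileges carry the organizational filter, one per scope (static variant).
CREATE STRUCTURED PRIVILEGE "AP_SALES_DE"
  FOR SELECT ON "SALES"."V_SALES" WHERE "REGION" = 'Germany';
CREATE STRUCTURED PRIVILEGE "AP_SALES_BE_ES"
  FOR SELECT ON "SALES"."V_SALES" WHERE "REGION" IN ('Belgium', 'Spain');

-- A role bundles the object privilege (the role may read the view at all) with the
-- analytic privilege (which rows pass the check). Both are needed for "1 displayed view".
CREATE ROLE "R_SALES_MANAGER_DE";
GRANT SELECT ON "SALES"."V_SALES" TO "R_SALES_MANAGER_DE";
GRANT STRUCTURED PRIVILEGE "AP_SALES_DE" TO "R_SALES_MANAGER_DE";

CREATE ROLE "R_SALES_MANAGER_BE_ES";
GRANT SELECT ON "SALES"."V_SALES" TO "R_SALES_MANAGER_BE_ES";
GRANT STRUCTURED PRIVILEGE "AP_SALES_BE_ES" TO "R_SALES_MANAGER_BE_ES";

-- USER1 (manager in Germany) and USER2 (manager in Belgium & Spain) are assumed to exist.
GRANT "R_SALES_MANAGER_DE" TO USER1;
GRANT "R_SALES_MANAGER_BE_ES" TO USER2;

-- Audit check: which privileges a user effectively holds in the schema, and via which grantee.
SELECT USER_NAME, GRANTEE, GRANTEE_TYPE, OBJECT_TYPE, OBJECT_NAME, PRIVILEGE
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'USER2' AND SCHEMA_NAME = 'SALES';
```

Querying "SALES"."V_SALES" as USER1 then returns only the Germany row, while USER2 sees Belgium and Spain, without any change to the view itself.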
SAP HANA Functions vs. Required Privilege Types
IT: System admin, Security officer, Modelers, …
Business: Business functions
SAP HANA Grouping Privileges into Roles
Function (e.g. Accountant) -> Role
• Transportable
Best practice vs. Not recommended! (diagram; recovered text only)
Securing HANA views
Securing views:
• Only the exposed views should be secured with APs (analytic privileges). All views below them must be AP free
• AP security is defined by the modeler in the view's properties
Layering (recovered from the diagram):
  Level 2: exposed view 1, view 2, view 3 - exposed to end users, each secured with an AP
  Level 1: intermediate views (view 1, view 2) - not exposed to end users, AP free
  Level 0: tables - AP free
Packages structure & modelling
Package tree (recovered from the diagram):
  expertum
    models (per functional stream)
      fi
        sub fi folder
          unexposed
          exposed
      sales
      ..
    underlying objects (dimensions)
    sandbox
Schemas & modelling
Entities relations
• All objects created by a user are owned by that user
• If the user is deleted, the object is deleted!
➢ Always use a user that will not be deleted to create the schemas, tables, procedures, etc. that hold the data on which the views are based!
Schema access
• By default no one has access to newly created application schemas
• _SYS_REPO gives the users access to the activated models
• If models are built and activated on data from a specific schema, _SYS_REPO must therefore be granted access to that schema
• Only the schema owner can grant access to his schema (including to _SYS_REPO)
➢ Modelers must grant _SYS_REPO the required access to the schema with grant option so it can be added to roles
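The ownership and _SYS_REPO rules above as a runnable sequence, with the two catalog checks a reviewer would run before trusting a new schema. This is an added example, not code from the slides; the technical user TECH_MODEL, the schema "FI_DATA" and its table are invented names.

```sql
-- Added example (not from the slides). Assumes a technical user TECH_MODEL that will never
-- be deleted, an application schema "FI_DATA" and one table in it; all names are invented.

-- 1. Create the schema (and later its tables) owned by TECH_MODEL, never by a personal
--    modeler account: the owner owns the objects, and dropping the owner drops them all.
CREATE SCHEMA "FI_DATA" OWNED BY TECH_MODEL;
CREATE TABLE "FI_DATA"."GL_BALANCES" ("COMPANY_CODE" NVARCHAR(4), "AMOUNT" DECIMAL(15,2));

-- 2. Connected as TECH_MODEL (only the schema owner can grant on the schema): give _SYS_REPO
--    read access WITH GRANT OPTION, so the privilege can be included in repository roles
--    and the activated models can read the underlying data on behalf of end users.
GRANT SELECT ON SCHEMA "FI_DATA" TO _SYS_REPO WITH GRANT OPTION;

-- 3. Verify the ownership assumption before building views on top of the schema.
SELECT SCHEMA_NAME, SCHEMA_OWNER
  FROM SCHEMAS
 WHERE SCHEMA_NAME = 'FI_DATA';

-- 4. Verify that _SYS_REPO holds a grantable SELECT on the schema (IS_GRANTABLE = 'TRUE');
--    an empty result here is a common reason an activated view fails for end users.
SELECT GRANTEE, GRANTOR, PRIVILEGE, IS_GRANTABLE
  FROM GRANTED_PRIVILEGES
 WHERE GRANTEE = '_SYS_REPO' AND OBJECT_TYPE = 'SCHEMA' AND SCHEMA_NAME = 'FI_DATA';
```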
S/4HANA Authorizations (Chris Walravens)
• S/4HANA Authorizations: the good news!
• Governance considerations
SAP S/4HANA Authorizations
Diagram (recovered text only): S/4HANA, SAP Gateway, SAP HANA (data views).
S/4HANA Authorizations: the good news!
Generic steps for building roles
Impact of your Fiori strategy
A specific set of Fiori apps, combined with good old SAP GUI / Business Client
• The hybrid model: very realistic, makes the transition to S/4HANA smoother for long-time users
Full Fiori, without any (further) deployment of SAP GUI / Business Client
• The most innovative
• Realistic for greenfield implementations, especially where SAP was not used before
Migration to S/4HANA: approaches
• Upgrade
• Brownfield
• Greenfield
Migration to S/4HANA authorizations
The pure upgrade scenario:
• Keep the existing backend roles and authorizations
• Upgrade PFCG (execute SU25) and/or move SU25 entries to the greenfield S/4HANA
Upgrade + enhancements:
• Apply some optimizations on the backend roles, where needed
• Start using SU24: eliminate manual and changed statuses in your roles
• Remove unused transaction codes and add new ones where needed
• Still need to design and build Fiori roles and SAP HANA authorizations
Migration to S/4HANA authorizations (continued)
• Design and build backend roles that are conceptually compatible with Fiori and SAP HANA
• Design and build SAP HANA authorizations in line with the back-end roles
Governance considerations
• Making roles more maintainable (clearer link between functionality and authorization objects)
• Single roles must allow the protection of the business processes (they don't exist for their own benefit)
• The role concept has to facilitate the assignment of specified business process steps to different people
Presented by Chris Walravens
SAP Fiori (Front-End), SAP S/4HANA & HANA (Back-End)
Diagram (recovered text only): Gateway (Fiori Catalogs, Fiori Groups) -> Gateway single roles -> Gateway composite roles; S/4HANA (Tcodes, authorization objects) -> S/4HANA single roles -> composite roles; SAP HANA (privileges, data views) -> HANA roles; consistency is kept across all three.
Maintenance tools:
  Fiori: LaunchPad Designer
  Gateway: PFCG
  S/4HANA: PFCG
  HANA: HANA Studio / Web IDE
  BW/4HANA: PFCG
Diagram labels: IT; Business Role C_ACCOUNTANT_BEXX; IT / Business
Presented by Bert Vanstechelman
Security layers:
Operating System: Service users; File systems & directories; SAP Management Console; Network security
S/4HANA System: Revisions; Data volume encryption; Multi tenants & Isolation; Protecting standard users
Network: Firewalls, SAP Router, Web Dispatcher
S/4HANA System
Actions
• Client settings
• Avoid empty clients
• Set up security audit logging
• Set up data change logging
• Implement a password strategy, protect standard users
Actions
• Message server & Gateway
  • Restrict access to MSMON
  • Restrict access, use ACLs (access control lists)
  • Set up logging
• Internet Communication Framework
  • Only enable what you need
  • Disable multiple logons
  • Do not send sensitive error data
  • Only use HTTPS
  • Set up logging
Actions
• Get an SSO expert!
S/4HANA System
• Revisions
• Data volume encryption
• Multi tenants & isolation
• Protecting standard users
Actions
• Keep your SAP HANA up to date
• Enable volume & backup encryption
• Separate your tenants at OS level
• Protect the SYSTEM user
Operating System
• Service users
• File systems & directories
• SAP Management Console
• Network security
Actions
• Harden your OS
• Install a virus scanner & OS patches
• Activate the firewall
• Beware of NFS shares
• Protect the SAP MMC
Network
Firewalls, SAP Router, Web Dispatcher
• SAP Web Dispatcher as software firewall and load balancer
Diagram (recovered text only): mobile devices (which first get their configuration) and web clients reach the Gateway and the PRD application servers (ASCS) over HTTPS, passing firewalls, the SAP Web Dispatcher (encryption, load balancing) and the SAP Router.
Thanks for listening! Any questions?
+32 473 720 125 +32 474 475 983 +32 475 278 179
christophe.decamps@expertum.net chris.walravens@expertum.net bert.vanstechelman@expertum.net
www.expertum.net
Inspire by Experience.