In the second part of our conversation with the authors of the SAP Press book “Authorizations in SAP S/4HANA and SAP Fiori,” Alessandro Banzer, CEO of Xiting Americas, and Alexander Sambill, a senior SAP security consultant and certified SAP trainer at Xiting, we discuss analyst tools available to customers along with the importance of access governance.
This is an edited transcript of our conversation.
Q: In the seventh chapter, you all wrote about some of the authorization analyst tools available to customers. Can you walk us through some noteworthy, particularly useful tools?
Alessandro: With SAP authorizations, at the end of the day, we're always fighting against a moving target. There are always changes happening that have an impact on the authorizations. That's because businesses evolve: we acquire, we merge, we sell off, and we do different things. And business processes change. New tools come into the picture, and new solutions come into play. All that needs to be authorized. Therefore, when it comes to authorizing end users, it's sometimes very tricky to understand: what is it that users need? What is it that is failing? What is it that is missing at the end of the day? We need tools that help us analyze and find those missing pieces to maintain the authorizations the way they're supposed to be.
There are different trace and analysis tools available. Historically, we used the system trace, transaction ST01, which allowed us to do short-version authorization traces. Then, over the years, SAP enhanced that system trace with a transaction called STAUTHTRACE, which is the system trace that does the authorization trace. But it's still a short-term trace that we can use to monitor or trace particular users in the system for a short period. Now, in recent releases, SAP has introduced new traces that are very interesting. Some of them are in the area of tracing user authorizations for end users and RFC users.
There's STUSERTRACE and there's STRFCTRACE, which are long-term traces, so those we can activate for an extended period to trace user authorizations. Then there are also traces available like STUSOBTRACE, which is an object trace that allows us to trace authorizations in the context of an application. Also, that trace, STUSOBTRACE, is a long-term trace that allows us to trace authorizations in the context of an application over an extended period of time. The different traces have different use cases for how we can use them at the end of the day. User traces are obviously more for building end-user authorizations, to understand, monitor, and trace what a user's doing over an extended period. The object trace we can use more for the default values, which allow us to bring authorizations and authorization proposals back into the authorization defaults in transactions. This ultimately allows us to build a more sustainable and more maintainable authorization concept at the end of the day.
Q: From an authorizations perspective, what are some of the complications SAP Fiori users have to keep in mind when creating proper authorizations?
Alessandro: SAP Fiori is not entirely new. It's been around for a few years already. SAP Fiori is available for other applications than just SAP S/4HANA. But with SAP S/4HANA, SAP Fiori becomes more important primarily because SAP Fiori is a unique updated user experience that allows you to have a unique user experience across different endpoints. Whether I'm logging in from my laptop, computer, mobile phone, or iPad, the look and feel is always the same. That's a user advantage for our end users. We only have to train them on the UI once.
With SAP S/4HANA, SAP Fiori becomes very important. A lot of functionality moves to or gets enhanced in SAP Fiori. With SAP S/4HANA, to some extent, SAP Fiori is mandatory. Certain applications and functionality are only available in SAP Fiori. If a customer moves to SAP S/4HANA, they have to talk about SAP Fiori. Then the question is just how much do we move into SAP Fiori? Some customers just use the bare minimum but keep the majority of their end users on the SAP GUI. Other customers decide to move all the end users onto SAP Fiori.
In either scenario, we have to do certain work. With SAP Fiori come components that are new if you haven't dealt with SAP Fiori in the past. We have to build the SAP Fiori components, so there are applications that need to be authorized. The authorizations, or the concept, for SAP Fiori applications are slightly different from those for traditional ABAP applications. We have to build SAP Fiori components like catalogs. From a user display perspective, we have to build groups or spaces and pages to show those applications on the SAP Fiori launchpad.
All that needs to be built and authorized. With SAP Fiori, we have the complexity with front-end and back-end authorizations. The good news here for security administrators is that the tools that they're using, like PFCG and SU24, and all those traces I mentioned before, are still available.
What is certainly new is the entire SAP Fiori component, such as building the catalogs, groups, spaces, and pages. That's something new that needs to be learned. At the end of the day, we have to understand how we authorize it and how we integrate SAP Fiori into our authorization concept. That's what we cover in the book. We talk about the basics and foundations of how we build the different components, along with integrating SAP Fiori into the authorization concept.
Q: Can you tell me a little about the utility of access governance with SAP Access Control and SAP Cloud Identity Access Governance?
Alessandro: SAP Access Control is primarily for the on-premise world. We can monitor and handle user life-cycle processes, run risk analyses, and provide firefighting or privileged access capabilities. The cloud portion is now becoming more important; the entire world is talking about cloud and adopting cloud solutions. A lot of SAP customers are also integrating cloud solutions like SAP SuccessFactors, SAP Ariba, SAP Analytics Cloud, and SAP S/4HANA Cloud.
Cloud environments need to be controlled from a risk perspective. We have to provide solutions to analyze access risk for segregation-of-duties conflicts and critical access. We also have to have solutions for users and their life cycles when it comes to creating users, maintaining users, and assigning authorizations to those users, not only in the on-premise world but also in the cloud. That's why SAP now has a new solution called SAP Cloud Identity Access Governance (IAG). IAG governs the entire access management process for on-premise applications as well as cloud applications. Now, there are some limitations. For example, with SAP Access Control we can only monitor the on-premise world, except for SAP SuccessFactors. What SAP Cloud Identity Access Governance does is provide all the access governance and compliance features that customers need for the cloud as well.
Q: What do you hope readers get out of your book?
Alexander: Since SAP security, and roles and authorizations in particular, is such a broad topic, this book's self-conception is to be like a how-to guide for implementing an entire authorization concept in an easy-to-understand way, from basic up to advanced level. We hope our book will enable the reader to implement a sustainable, secure, transparent, and maintainable authorization concept based on many best-practice hints and tons of years of project experience. It's for all people who are interested in SAP authorizations, especially when migrating from SAP ERP (ECC) to SAP S/4HANA with SAP Fiori (please note that customers have to use SAP Fiori in SAP S/4HANA because it's mandatory for many business functions now). It also covers the Xiting Authorizations Management Suite (XAMS) with its extensive features and functions to show an easy, time-saving, tool-driven authorization administration and migration approach.