The SAP authorization concept is a documented set of rules and guidelines defining how user access (roles and user assignments) is handled in an SAP system. It is developed by authorization experts for each company using SAP, reviewed regularly, and adjusted when needed, for example when requirements change or when the system is upgraded with new functionality.
Usually when a technical upgrade is performed, the task in authorizations is to add the upgraded content to roles – and through them deliver it to users. However, the change to S/4HANA is more than a version upgrade or an extension to the existing system: it is a totally new product. So how does the move to S/4HANA affect the existing SAP authorization concept?
Wanted: business process owner input
When SAP S/4HANA is implemented, some transactions are deleted or replaced by new transactions and SAP Fiori apps. SAP provides a list of these changes (the SAP Simplification List), similar to upgrade notes, but the task for the authorizations expert on every S/4HANA project is to go through the existing roles in the SAP system, analyze them, and modify them to reflect these changes.
These types of changes in role transaction content typically mean more than a technical change performed by the project consultant in the system. They also require involvement from business process owners (“Who performs this new task in the new system?”), end-user communication, testing and training.
These tasks cannot be done overnight at the end of the project. They need to be considered and included in your S/4HANA project strategy from early on, to ensure that there are no delays and no security gaps that could eventually lead to business risks. A typical gap: a transaction no longer exists in the new system, but no user has been given access to the replacing transaction or Fiori app either, so nobody can perform the task.
Green or Brown?
The starting point for the migration of the authorization concept is to choose your approach. In the “Greenfield approach” you design a completely new authorization concept to make full use of the process simplifications and new functionality of S/4HANA. In the “Brownfield approach” you examine and modify your existing concept. There are pros and cons to both options, so it is wise to consider them carefully in the light of your project and your company.
The Greenfield approach is time and resource consuming. If you already have a solid concept, it can feel a bit like reinventing the wheel. But if a review of your roles and security processes is long overdue and you keep getting findings from the IT audit, the Greenfield method provides a great opportunity to create a fresh and healthy concept with easier maintenance and better security in the future.
The Brownfield approach can be carried out more as a purely technical task. Good questions to ask yourself are: which transactions are deleted, which new transactions are arriving, and which transactions change? If you have a strong concept and security processes up and running with a regular ‘OK’ from the IT audit, this approach is a valid choice and can typically be done more quickly.
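The three Brownfield questions above (what is deleted, what is new, what changes) and the gap described earlier (a replaced transaction whose users have no access to the successor) can be answered mechanically once the role and user exports are on the table. The following is an added example written for this article, not code from the original post, from Sofigate or from SAP. It assumes three inputs that an authorizations expert can obtain from the existing system: a role-to-transaction mapping (as in table AGR_TCODES), a user-to-role mapping (as in AGR_USERS), and a hand-maintained mapping of affected transactions derived from the Simplification List. All data below is constructed for illustration; the role names and transaction codes are placeholders, not real SAP objects.

```python
"""Gap check for a Brownfield S/4HANA authorization migration.

Added example. Inputs are constructed; in a real project they would be
exported from the source system (AGR_TCODES, AGR_USERS) and from the
Simplification List analysis. Transaction codes and roles are placeholders.
"""

# Constructed role -> transactions (shape of an AGR_TCODES export)
ROLE_TCODES = {
    "Z_FI_POST": {"XX01", "XX02", "XX90"},
    "Z_FI_DISPLAY": {"XX03"},
    "Z_MM_PURCH": {"YY10", "YY11", "F0001"},  # F0001: placeholder Fiori app
}

# Constructed user -> roles (shape of an AGR_USERS export)
USER_ROLES = {
    "ALICE": {"Z_FI_POST"},
    "BOB": {"Z_FI_DISPLAY", "Z_MM_PURCH"},
}

# Constructed mapping derived from the Simplification List.
# "replaced": one or more successors (transactions or Fiori app IDs).
# "deleted":  the function is gone, there is nothing to reassign.
SIMPLIFICATION = {
    "XX02": {"status": "replaced", "successors": ["XX02N"]},
    "XX90": {"status": "deleted", "successors": []},
    "YY11": {"status": "replaced", "successors": ["F0001"]},
}


def role_impacts(role_tcodes, simplification):
    """Per affected role: which of its transactions are deleted or replaced.

    Answers 'which transactions are deleted / which change' role by role.
    Roles without any affected transaction are omitted from the result.
    """
    impacts = {}
    for role, tcodes in role_tcodes.items():
        hits = {t: simplification[t] for t in sorted(tcodes) if t in simplification}
        if hits:
            impacts[role] = hits
    return impacts


def users_with_tcode(tcode, role_tcodes, user_roles):
    """Users who receive the transaction through at least one assigned role."""
    return {
        user
        for user, roles in user_roles.items()
        if any(tcode in role_tcodes.get(r, set()) for r in roles)
    }


def successor_gaps(role_tcodes, user_roles, simplification):
    """Replaced transactions whose current users get none of the successors.

    This is the security gap from the article: the old transaction disappears
    with the upgrade, but nobody has been given the replacement.
    """
    gaps = {}
    for old, entry in simplification.items():
        if entry["status"] != "replaced":
            continue
        old_users = users_with_tcode(old, role_tcodes, user_roles)
        covered = set()
        for successor in entry["successors"]:
            covered |= users_with_tcode(successor, role_tcodes, user_roles)
        missing = sorted(old_users - covered)
        if missing:
            gaps[old] = {
                "successors": list(entry["successors"]),
                "users_without_successor": missing,
            }
    return gaps


def deleted_impact(role_tcodes, user_roles, simplification):
    """Deleted transactions and the users who currently hold them.

    Input for the business process owner question: who performs this task
    in the new system, and through which new transaction or app?
    """
    impact = {}
    for old, entry in simplification.items():
        if entry["status"] == "deleted":
            users = sorted(users_with_tcode(old, role_tcodes, user_roles))
            if users:
                impact[old] = users
    return impact


if __name__ == "__main__":
    print("Affected roles:", role_impacts(ROLE_TCODES, SIMPLIFICATION))
    print("Successor gaps:", successor_gaps(ROLE_TCODES, USER_ROLES, SIMPLIFICATION))
    print("Deleted, still in use:", deleted_impact(ROLE_TCODES, USER_ROLES, SIMPLIFICATION))
```

With the constructed data, YY11 raises no gap because the role that carries it was already extended with its successor, while XX02 is flagged because ALICE has the old transaction and no role gives her XX02N. Two caveats for real use: this works at transaction level only, so the authorization objects behind each transaction still have to be checked in PFCG, and a Fiori app is not granted by listing its ID as a transaction but by adding the corresponding business catalog to the role, so the "successor" column in a real mapping should record what actually goes into the role.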
You are not alone!
The scale of an S/4HANA implementation can feel overwhelming, but the good thing is that there are experts in each field to assist, and even the biggest projects are always broken down into manageable tasks.
For authorizations, keep in mind the following:
- Include authorization in your S/4HANA project plan from early on
- Carefully consider the status of your current concept and make an informed choice on the best approach for your company
- Get recommendations and best practices from an SAP authorizations expert
About the author
Emilia Korhonen is an SAP authorization and GRC expert with the SAP Transformations team at Sofigate. Emilia has more than 10 years of experience in SAP security manager and authorization concept owner roles, in SAP GRC implementation projects, and in SOD role remediation and re-design projects, in security upgrade projects, and AIMS for several clients and industries.