SAP S/4HANA security has become increasingly important as business structures become more complex. For my SAP customers, I see S/4HANA security in three main layers: application, database and user interface. All three are important and require attention. This first blog covers S/4HANA application security features, loopholes and benefits. I will discuss database and user interface security in two upcoming blogs.
S/4HANA Security Components
First, what is S/4HANA, and why is security different now than it was in the days of R/3? S/4HANA is SAP’s next-generation business suite, representing the biggest innovation since R/3. The S/4HANA architecture is broken down into application, database and user interface: the S/4HANA application, the SAP HANA database and SAP Fiori, respectively.
Balancing security against day-to-day business operations brings many challenges. Companies have complex networks, security in the cloud, and other challenges to face. SAP released its flagship product S/4HANA in 2015 with the goal of using a simplified model, a brand-new user experience, advanced processing and a strong database in SAP HANA.
From a technical perspective, the SAP S/4HANA application can be accessed directly via SAP GUI, or the end user can process and retrieve information through SAP Fiori, using an HTML5-capable browser that connects through an ABAP front-end server to the S/4HANA application, as shown in the diagram below.
Security Risks in S/4HANA
This architectural complexity has yielded several benefits, but it has also opened new areas of risk and vulnerability within the overall architecture of SAP S/4HANA. Besides the new SAP Fiori user interface, SAP S/4HANA uses a simplified data model with new table structures that simplify the transaction data structures in the database.
Several new transaction codes have been introduced and new authorization objects added, creating a new, enhanced S/4HANA security design. As a result of the new functionality, many transaction codes from SAP ECC are no longer available as they were in the previous Suite on HANA.
How to Address These Risks
Although SAP has over 100,000 transaction codes, it is imperative to understand the new set of transaction codes for the specific revision of S/4HANA. With the help of functional experts, you can identify the new set of transaction codes a company requires. Technically, there are transactions and reports that are no longer compliant with certain country-specific requirements. SAP Note 2227963 addresses this. SAP Notes 2227963, 2270355 and 2029012 are some of the notes that can be useful in researching the new and obsolete transactions and reports in an S/4HANA system.
In the next blog post we will venture deep into the database security of S/4HANA, which is the next layer of discussion from a security perspective. itelligence has built a unique solution around SAP HANA security called “SecureS/4HANA.it”. It is a package that delivers preconfigured SAP HANA application and database security, including SOX-ready, Segregation of Duties-compliant, design-time HANA roles, a Risk and Control Matrix and several spreadsheet templates for security assessment, role build and SOD violation within the S/4HANA system.