The Impact of SAP S/4HANA Migration on SAP Security, Roles, and Authorizations

The Impact of SAP S/4HANA Migration on SAP Security, Roles, and Authorizations

With the SAP-imposed deadline of 2027 looming, many of SAP’s customers are currently considering migrating their legacy SAP ERP system to SAP S/4HANA. However, what many project managers tasked with leading these migrations don’t understand is the impact it will have on the existing role design and end-user authorizations. That’s because, with SAP S/4HANA, SAP has made significant changes to the business suite’s data model, resulting in thousands of changes to authorization objects, transactions, applications, and modules.

Just to give you a simple example, the transaction code FD03 — which your accountants might use to display customer data — no longer exists on SAP S/4HANA. Instead, you have to use BP — the Business Partner transaction — to perform the same task.

As a result, all existing roles on SAP ECC that contain transaction FD03 will have to be updated before they’ll work on SAP S/4HANA. 

The replacement of FD03 with BP is just one of the countless examples of where SAP has made changes that directly impact your security design. Overall, SAP has changed over 5,500 objects that might impact your authorizations, and these changes will likely trigger at least a partial role redesign as part of your journey towards SAP S/4HANA.

SAP S/4HANA Overview

SAP S/4HANA is an entirely new product line that will be the center of your future data world — as long as you stick with SAP, that is. SAP has made numerous changes to the underlying platform’s data model in an attempt to consolidate and remove redundant capabilities and processes. For example, while you could register a vendor invoice in either SAP Materials Management (MM) or Finance (FI) on ERP, the same task is only available via invoice management in SAP S/4HANA.

The result of this consolidation is that SAP S/4HANA offers only one solution for each requirement. That’s great news because it leads to fewer training efforts and more streamlined operations and business processes. On the flip side, that consolidation has led to the removal of countless transaction codes, which in turn has a direct impact on user authorizations. Therefore, it’s important to understand that the path to SAP S/4HANA is not a direct upgrade regardless of whether your organization plans on pursuing a greenfield or brownfield implementation (also known as system conversion).

Impact on System Architecture

Aside from the aforementioned changes to individual transaction codes, a migration might also impact your overall system architecture. That’s because the consolidation of previously redundant functionality isn’t limited to transactions — it spans entire modules.

For example, under SAP S/4HANA the legacy modules SAP MM, SAP Supplier Lifecycle Management (SLC), and SAP Supplier Relationship Management (SRM) have been consolidated under SAP S/4HANA Sourcing and Procurement.

In addition, SAP S/4HANA requires the SAP HANA database which comes with a new security concept, as well as a strengthened focus on SAP Fiori for end-user applications.

Impact on Security

One of the areas with the most impact on security, roles, and authorizations is the mandatory customer and vendor integration via the Business Partner (BP) concept. Because of that enforced integration, any roles that contain authorizations for customer data, vendor data, or other master data will have to be updated and redesigned.

Additionally, security and roles administrators will have to take new transactions and authorization objects into account when updating existing roles and designing new ones. Introducing new user interface types (such as SAP Fiori apps) further increases the effort involved in updating the security roles due to the reliance of SAP Fiori apps on OData services and the need to properly authorize such services.

SAP S/4HANA Security Model

While most of what we’ve discussed so far sounds pretty grim because of all the extra work and risk involved in migrating an existing security concept to SAP S/4HANA, the silver lining is that role admins can continue using the same tools to maintain roles and user data that they’re used to from ECC, at least with the on-premise version of SAP S/4HANA, which is the focus of this article.

Note: Customers of SAP’s public cloud-hosted version of SAP S/4HANA will not have access to PFCG roles or transactions such as SU01 to maintain user data because SAP S/4HANA is an ABAP-based technology stack that happens to leverage SAP HANA as the underlying database. As a result, the security model in SAP S/4HANA has remained largely unchanged.

For example, you can use the same SU01 transaction to maintain user data, the profile generator (PFCG) to maintain roles and authorizations, and ST03N to analyze historical usage data. Additionally, the application server still communicates with the database instance using a technical user account and, in most cases, end-users do not get direct database access.

If you have a use case for direct DB access — such as giving business users access to certain key performance indicator (KPI) reports — you’ll have to authorize those users by leveraging what’s called database privileges (instead of traditional security roles). However, due to the significant changes to the underlying data model in SAP S/4HANA, organizations will have to plan for at least a partial role redesign before or as part of the overall migration project. 

As far as custom code is concerned, it’s also worth mentioning that with SAP S/4HANA, customers will not have access to “object keys.” As a result, role admins and ABAP developers will have to consider using only the authorization object S_DEVELOP to protect their data. See OSS note 2309060 for more information about the soon-to-be-obsolete SSCR license key procedure.

SAP Simplification List

To help its customers understand all the changes that might impact them on an organizational and technical level, SAP has released a “Simplification List” for each SAP S/4HANA release and support package.

Among other things, the Simplification List outlines, for example, that “only SAP Business Suite customers with C/V integration in place can move to SAP S/4HANA, on-premise.”

Practically, that means that all 54 transactions that were previously available to maintain customer or vendor data are no longer available on SAP S/4HANA. Instead, SAP has replaced them with the transaction BP. As we previously learned, this is merely one of many examples of how SAP S/4HANA is incompatible with legacy security roles that you might use on the legacy SAP Business Suite today.

SAP S/4HANA Migration — Best Practices

To reduce the chance of your incompatible security and role concept becoming a roadblock in your migration project, to prevent unforeseen issues, and to limit the impact on your business users during test cycles, here are a few things you can do:

  1. Analyze and understand your existing role concept. Before embarking on your journey towards SAP S/4HANA, make sure you perform an assessment of your existing role design to understand if it was designed in accordance with SAP best practices. Understanding the robustness of your existing role concept is important because migrating roles that provide too far-reaching access — and that might be riddled with segregation of duties (SoD) conflicts — will likely make the situation worse rather than better.

If you determine that your existing security concept is in need of a redesign, you have to decide when to attack such a project. You can either do it before you start the migration (recommended in many cases), as part of the migration or after the migration has been completed.

  1. Make sure your security team is part of the discussion. To make the previously mentioned decisions, you have to ensure that your security resources are an integral part of the project team. Only then can they give you a realistic estimate of what it will take to migrate your roles to SAP S/4HANA (or to design new roles from scratch). The latter might be the better approach if you decide to pursue a greenfield implementation of SAP S/4HANA.
  2. Make sure your leadership understands the impact of a migration on your security design. Everybody, including your executive and project leadership, needs to understand that time and resources must be set aside to tackle the security aspect of an SAP S/4HANA migration. The exact amount and time it takes should come from the initial security assessment (see #1, above).
  3. Don’t forget about ancillary technologies. Migration to SAP S/4HANA might impact more than your core ERP system. For example, if you use SAP’s Governance, Risk, and Compliance (GRC) solution, you will have to update your SoD rule set before starting the migration of ERP. That’s because an SAP S/4HANA compatible SoD rule set needs to be available before you can migrate your existing role concept or design new security roles. If GRC is not available at the time of the role design stage, you risk creating roles with inherent SoD conflicts and mitigating those take more time after the fact than designing SoD-free roles from the get-go.
  4. Use automation technology where possible. To significantly reduce the effort involved in migrating, designing, and testing roles, I recommend leveraging automation tools, such as the ones mentioned in SAP OSS 1682316. By using such tools, you can fully or partially automate the following tasks:
  5. Compare your existing roles with SAP’s Simplification List to understand what needs to change
  6. Update the menu of your existing roles by swapping out obsolete ones with new TCODES and other objects
  7. Test the newly designed or migrated roles with minimal impact on testers and business users by leveraging the new SAP_APP role.

Lessons Learned

If you’ve already gone through an SAP S/4HANA migration, I’m sure you learned countless lessons that you can apply to future projects. Here are some that I’ve learned, as they relate to security, roles, and authorizations:

  • SAP’s Simplification List is often incomplete and you’ll likely stumble across “simplifications” you didn’t expect, or that weren’t mentioned in the documentation
  • Certain display roles require TCODES and authorization objects that are no longer available on SAP S/4HANA. Examples may include XK03 and XD03
  • You will need to invest time and resources to design or redesign roles for SAP S/4HANA
  • I highly recommend building roles based on SAP best practices. That includes leveraging SAP’s authorizations proposals database (SU24) and maintaining SU24 properly
  • Leveraging automation tools can significantly speed up migration projects while reducing the risk of issues. 
  • If you make changes to your roles and authorizations, assess the impact of those changes on SAP licensing and compliance with privacy regulations, such as GDPR.

Wrap-Up

SAP S/4HANA is an exciting new platform that comes with many changes and challenges. The new data model introduced in SAP S/4HANA removes numerous redundancies that render legacy roles and authorizations incompatible. As a result, migrating the SAP Business Suite to SAP S/4HANA requires a new role design — a task that you will have to account for as part of your overall project planning.

If you have any questions or concerns about any of the topics mentioned in this article, please don’t hesitate to reach out to me directly.

Narayana Rao Sakinala

SAP GRC AC, S4HANA & Fiori Consultant

5mo

It helped me a lot

Like
Reply
Alok Kumar

👉 I help Upskill your employees in SAP, Workday, Cloud, Data Science, AI, DevOps, SalesForce, CyberSecurity, Oracle | Edtech Expert | Top 40 SAP influencer | CEO & Founder

2y

Alessandro Banzer Great! Thanks for sharing

Fidelis Ikoroje

Cloud | DevOps Engineer | AWS SAA Certified

2y

Good read.

Marissa Shipley GIA(Affiliated)

CEO & Co-Founder | Technology Leader | Business Enabler | Trusted Advisor | Winner of 2024 Women in ICT Awards - Entrepeneur of the Year | 2024 Global CEO Excellence Award | Celebrating Neurodiversity and Women in STEM

2y

Absolutely spot on Alessandro Banzer - couldn't agree more. Thanks for posting.

Shiv Kumar

SAP Security Specialist

2y

Hi Alessandro, Appreciate your effort documenting the key points !!!! Indeed its quite a lot of challenges authorization team has to go through during pre n post migration. I could recall one such example where Variant Config display via VA03 produces an auth error with tcode access to SICF, which cannot be assigned to business roles. We spent lot of time analyzing and when reported to SAP, they provided a pilot note 3037853 for the same issue.

To view or add a comment, sign in

More articles by Alessandro Banzer

Insights from the community

Others also viewed

Explore topics