
Key Consideration for S/4 HANA Authorization Migration

A Functional Consultant is currently engaged in the SAP security workstream of a migration project from SAP ECC to S/4 HANA. This article provides an overview of the project and outlines the key responsibilities.

1. Overview of the S/4 HANA Migration Project

The project aims to solve two problems for our client: the high number of authorization roles used across different business domains, and the need to recreate roles every time the organization changes. Both issues should be solved based on best practice. In addition, the following points should be addressed prior to the migration to S/4 HANA.

  1. Design a more flexible role structure, with which the client can respond to future organizational changes
  2. Define the most optimized role model

2. About Fiori: One of the New Features in the S/4 HANA Security Concept

As part of SAP’s best practices and utilizing the latest features of the S/4 HANA system, SAP Fiori has been selected as the standard user interface.

Compared to the traditional ECC interface, SAP Fiori significantly improves user experience. Instead of entering transaction codes to retrieve data, business users can search for necessary applications by name/text and access intuitive tiles. In other words, with Fiori, SAP can be used much like a smartphone app, in more accessible and user-friendly ways for everyday business operations.

Fiori layouts are made up of catalogs and spaces (groups). If you link each of these settings to an authorization role, you can control the Fiori screens simply by assigning roles to users.

By associating the created catalogs and spaces with specific roles, it is possible to define which transactions users are allowed to execute and which applications they can view or launch on the Fiori interface.

Fiori's improved usability comes with additional configuration tasks. In the traditional ECC environment, authorization roles control user actions such as executing and/or viewing, as well as GUI menu settings. Fiori, by contrast, requires catalogs and spaces to be created separately, which takes longer than a standard authorization role implementation. It is essential to determine whether to use the standard Fiori configurations or to implement fully customized settings, designing flexible solutions and making appropriate decisions in accordance with the client's expectations.

3. Security/Functional Consultant Roles in the Project

In this part, you will find what is required of an SAP Security Consultant and the tasks expected in the project. The following three points are essential considerations while the consultant is assigned to the project:

  • Design roles to be highly maintainable, with a focus on governance, risk and compliance.
  • Create visually intuitive and user-friendly screen layouts to get the most out of the SAP Fiori user interface.
  • Design security roles that enable users to perform their tasks effectively while ensuring alignment with J-SOX (Japan Sarbanes-Oxley) and SoD (Segregation of Duties) standards.
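
The role-to-catalog linkage from section 2 and the SoD requirement above can be checked together before roles are assigned. The following is an added example, not code from the project: a simplified model in which every role, catalog, app name and SoD rule is constructed for illustration, and roles grant apps only through catalogs.

```python
# All names below are constructed for illustration; they are not SAP-delivered
# roles, catalogs or apps, and are not taken from the project described here.
CATALOG_APPS = {
    "ZCAT_SUPPLIER_MASTER": {"Maintain Supplier"},
    "ZCAT_AP_INVOICE": {"Create Supplier Invoice", "Display Supplier Invoice"},
    "ZCAT_AP_PAYMENT": {"Post Outgoing Payment"},
}
ROLE_CATALOGS = {
    "Z_AP_MASTERDATA": {"ZCAT_SUPPLIER_MASTER"},
    "Z_AP_CLERK": {"ZCAT_AP_INVOICE"},
    "Z_AP_PAYMENTS": {"ZCAT_AP_PAYMENT", "ZCAT_AP_INVOICE"},
}
USER_ROLES = {
    "ALICE": {"Z_AP_CLERK"},
    "BOB": {"Z_AP_MASTERDATA", "Z_AP_PAYMENTS"},
    "CAROL": {"Z_AP_PAYMENTS", "Z_UNKNOWN"},
}
# SoD rule set: pairs of apps one person must not hold together (constructed).
SOD_RULES = [
    ("Maintain Supplier", "Post Outgoing Payment"),
    ("Create Supplier Invoice", "Post Outgoing Payment"),
]

def effective_apps(user):
    """Map each app a user can launch to the set of roles that grant it."""
    apps = {}
    for role in USER_ROLES.get(user, ()):
        for catalog in ROLE_CATALOGS.get(role, ()):  # unmapped role grants nothing
            for app in CATALOG_APPS.get(catalog, ()):
                apps.setdefault(app, set()).add(role)
    return apps

def sod_violations(user):
    """Return (app_a, app_b, roles_involved) for each SoD rule the user breaks."""
    apps = effective_apps(user)
    hits = []
    for a, b in SOD_RULES:
        if a in apps and b in apps:
            hits.append((a, b, sorted(apps[a] | apps[b])))
    return hits

def unresolved_roles(user):
    """Roles assigned to the user that have no catalog mapping (a design gap)."""
    return sorted(r for r in USER_ROLES.get(user, ()) if r not in ROLE_CATALOGS)

if __name__ == "__main__":
    for u in sorted(USER_ROLES):
        print(u, sorted(effective_apps(u)), sod_violations(u), unresolved_roles(u))
```

A violation that lists a single role, as Z_AP_PAYMENTS does here, means the conflict is built into the role design itself rather than caused by a combination of assignments.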

Based on the three key pillars above, here are the tasks and responsibilities of the security consultants with functional knowledge:

  • Defining requirements for authorization roles
  • Creating design documents
  • Preparing Fiori-related design specifications necessary for role configuration
  • Implementing roles
  • Handling incident responses
  • Creating deliverables

The implementation consists of the following three main steps:

  • Defining the layout of the Fiori interface and determining the role design based on business requirements
  • Implementing the roles and Fiori-related settings within the security team, and assigning roles to users
  • Requesting functional verification from consultants and business users in each team

Tasks and work are shared and carried out by specialized consultants in each area. At the beginning of the project, we gather and analyze the client’s requirements to determine the most suitable role structure, and we prepare proposal materials based on our findings. In addition, we are also responsible for creating design documents and other deliverables related to the implemented roles. These deliverables play an important role in the post-project operation (hyper-care) and maintenance phases, where business users rely on them as a reference. Therefore, as an SAP Security Consultant, it is vital to ensure that the documentation is comprehensible and can be readily maintained over the long term.

4. Why SAP Security Consultants Are Essential Across the Project Lifecycle

Viewed by project phase, SAP security consultants provide comprehensive support at every stage of a project lifecycle, from the initial definition of requirements to the coordination of tests and the creation of deliverables used in the post-live operational and maintenance phase (also known as hyper-care).

Viewed by the nature of the work, the role involves considering the best solutions for the client from a broad perspective, such as addressing cross-module issues and reviewing and proposing legal and regulatory rules. For this reason, it is extremely important to work with consultants from each module.

While there is an ideal authorization design for the client’s business, there are restrictions on access authorization due to risk management and regulation, so the ability to respond both flexibly and rigorously at times is essential for this project. To achieve this, it is important to have technical knowledge as an SAP security consultant, but equally critical is functional knowledge to ensure that the design is fully aligned with and integrated into the client’s business processes.
