From 2025 (SAP has moved in early 2020 the sap ecc support term date to 2027 instead of 2025) SAP's support for the SAP ECC (ERP Central Component) product will end.
It is therefore important to prepare in time for migration to HANA and S/4HANA.
But what are HANA and S/4HANA and what impacts are there with SAP security?
What is the difference between HANA and SAP S/4HANA?
Often these terms are used as synonyms, in fact they are not.
SAP HANA, is a database developed by SAP, for in-memory data processing. In other words, it replaces or is alternative to other solutions such as Oracle, DB2.
SAP S/4HANA (SAP Business Suite 4 SAP HANA) is the SAP product that replaces ERP in the ERP Central Component (ECC) version. This application unlike the previous one, SAP ECC, can only be installed on SAP HANA databases.
Migrating from Oracle, DB2, or other databases to HANA databases
In this case it is a purely technological step. There are therefore no impacts at the application level. There may be in case the ECC business suite is also updated accordingly as a result of the switch to the HANA database.
In the latter case, however, this would be a normal SAP upgrade. The permit part and the segregation logic would also remain the same.
Migrating from SAP ECC to SAP S/4HANA what changes?
Here, unlike the previous scenario, there may be several situations.
As in the past, where in case of upgrades, we were talking about:
- Technical upgrade
- Functional upgrade
Also in the context of migration to S/4HANA there are two distinct types of migration, which follow the following:
In the case of brownfield, a technical migration actually takes place, without reviewing the processes currently in use and therefore without taking advantage of any new features.
While in the case of greenfield the upgrade process becomes a global reimagining of the processes currently in place. As if it were, in some respects, a newly implemented project.
What are the SAP Security focus points?
Here are the main points of attention for SAP S/4HANA security:
- [UX] Changing the User Interface (UX) in this case via SAP FIORI
- Depending on the type of APP there are different ways of managing permissions
- [ARCHITECTURE] Architecture chosen in the implementation of S/4HANA. In fact, this application takes advantage of the integration with mobile devices. It therefore needs a component, called Front End Server (FES), a gateway, that allows access, even from the outside to the ERP (BES, Back End Server) data. Deciding where the FES should reside becomes important, including for permit aspects. The scenarios are:
- SAP FIORI FES Embedded, i.e. FES and BES on the same machine
- SAP FIORI FES Hub, i.e. FES and BES on separate machines
- SAP FIORI Cloud, the EDF on cloud
- [PERMISSIONS] Use of the new paradigm of app development and authorization control (HANA applications) directly on the database, i.e. CDS Core Data Services
- [CUSTOM] Portability of custom programs to S/4HANA, in the latter case, the impact on the permit part is less but still significant
How does the above impact SAP Security?
Choosing the architecture of FES and BES certainly has an important impact.
Here, in fact, in case there is the SAP FIORI FES Hub it becomes important to use the authorization object S_RFCACL for the management of trusted connections.
It is one of the most critical objects that SAP makes available, in fact it is not present by default even in the SAP_ALL.
The design of catalogs and group flowers like. Access to the APPS is managed by the Front End system. In this system, apps and app groups in catalogs must be defined.
FIORI's catalogue must be seen as a kind of professional figure, which will be coupled, if possible, to the relative professional figure in the backend system (Back End Server), i.e. SAP S/4HANA.
It therefore becomes strategic to already have, if possible, an authorization concept based on professional figures. Where to integrate the features necessary for the connection between the APPS and the data present in S/4.
Beware, don't forget that some S/4 processes replace those defined in ECC. It means that if you have to manage segregation of duties in SAP S/4HANA you have to take these changes into account.
Blog post originally translated from: https://www.aglea.com/blog/migrazione-sap-hana-security-sap-cosa-cambia