Are you using, or do you need to implement, the SAP FIORI system?
The SAP FIORI interface is also used for S/4HANA. Read on to check, or have someone check, what the security configuration should be!
What are the types of FIORI APPs?
There are 3 types of apps, each differing in how it is used and in the technology it relies on:
- Transactional Apps
  - Available for any database
- Analytical Apps
  - Available only for HANA and S/4HANA databases. Used to provide insights
- Fact Sheet Apps
  - Available only for HANA and S/4HANA databases. Used to provide search results
Want to learn more about what FIORI is? Read more here!
How can SAP FIORI architecture be managed?
The SAP Fiori infrastructure of S/4HANA can be deployed in several scenarios, as also mentioned in the article on migration to S/4HANA:
- Central hub deployment: the front end server (FES) and the back end server (BES) reside on separate machines
- Embedded deployment: the FES and the BES reside on the same machine
- SAP Fiori, cloud edition: the FES is deployed in the cloud while the BES stays on-premise
Read more about SAP FIORI's architecture here.
How does the authorization concept work in SAP FIORI?
It depends on how the architecture has been defined. However, the main components are as follows:
- Role Catalog: the set of apps (SAP FIORI apps) contained in a role
- Role Group: a grouping of apps that is visible in the launchpad
It is critical in SAP FIORI to manage the role menu (via transaction PFCG), since the end user sees the FIORI interface based on what is in the menu of the role assigned to them. See also OSS note 2616973 - Fiori Reference of Business Catalogs versus Technical Catalogs.
The application defined on the front end server (FES) invokes functionality on the back end server (BES) through an OData service. It is therefore essential to grant the S_SERVICE authorization object with the relevant service.
What actions should be taken to increase the security of SAP FIORI?
- Message server and Gateway server access control policy
  - The access control lists of both components must be active. In practice: are the profile parameters ms/acl_info and gw/sec_info set in your instance profile?
- Enable only the services that are really essential. The following are the services to activate; see transaction SICF:
  - /default_host/sap/bc/ui2/nwbc
  - /default_host/sap/bc/ui2/start_up
  - /default_host/sap/bc/ui5_ui5/sap/ar_srvc_launch
  - /default_host/sap/bc/ui5_ui5/sap/ar_srvc_news
  - /default_host/sap/bc/ui5_ui5/sap/arsrvc_upb_admn
  - /default_host/sap/bc/ui5_ui5/ui2/ushell
  - /default_host/sap/public/bc/ui2
  - /default_host/sap/public/bc/ui5_ui5
Check here which services need to be active for the SAP Fiori Launchpad; check and document whether your organization needs any other services active.
- Activate the multiple-logon check for services, see OSS note 2105302 - Multiple logon check based on security sessions for HTTP/HTTPS login into an ABAP system
- Activate the idle-time check for the web part: profile parameter http/security_session_timeout; see also OSS note 1914112 - Plugin session timed out before the time limit defined in rdisp/plugin_auto_logout (HTTP/RFC)
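As an added example, not from the original article, here is a small Python check that reads an instance-profile excerpt for the parameters named in the checklist and compares a list of active SICF nodes against the essential launchpad set. The profile values, the service export and the extra service name are constructed placeholders, and the profile syntax assumed is plain `key = value` lines with `#` comments.

```python
# Constructed instance-profile excerpt (placeholder paths); http/security_session_timeout is deliberately missing.
SAMPLE_PROFILE = """\
ms/acl_info = /usr/sap/S4H/SYS/global/ms_acl_info
gw/sec_info = /usr/sap/S4H/SYS/global/secinfo
"""
# The SICF services the checklist above names as the essential launchpad set.
ESSENTIAL_SERVICES = {
    "/default_host/sap/bc/ui2/nwbc",
    "/default_host/sap/bc/ui2/start_up",
    "/default_host/sap/bc/ui5_ui5/sap/ar_srvc_launch",
    "/default_host/sap/bc/ui5_ui5/sap/ar_srvc_news",
    "/default_host/sap/bc/ui5_ui5/sap/arsrvc_upb_admn",
    "/default_host/sap/bc/ui5_ui5/ui2/ushell",
    "/default_host/sap/public/bc/ui2",
    "/default_host/sap/public/bc/ui5_ui5",
}
# Constructed list of active SICF nodes; the last entry is a hypothetical extra service.
SAMPLE_ACTIVE = [
    "/default_host/sap/bc/ui2/nwbc",
    "/default_host/sap/bc/ui2/START_UP/",
    "/default_host/sap/bc/ui5_ui5/ui2/ushell",
    "/default_host/sap/bc/webdynpro/sap/zexample_app",
]

def parse_profile(text):
    """Parse 'key = value' lines of an instance profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_profile(params):
    """Return findings for the profile parameters the checklist names."""
    findings = []
    for p in ("ms/acl_info", "gw/sec_info"):
        if not params.get(p):
            findings.append(f"{p} not set: access control list is not active")
    if not params.get("http/security_session_timeout"):
        findings.append("http/security_session_timeout not set: idle HTTP sessions do not expire")
    return findings

def extra_services(active, essential=ESSENTIAL_SERVICES):
    """Active SICF nodes outside the essential set; case and trailing '/' are ignored."""
    norm = lambda s: s.rstrip("/").lower()
    allowed = {norm(s) for s in essential}
    return sorted(norm(s) for s in active if norm(s) not in allowed)
```

Run `check_profile(parse_profile(SAMPLE_PROFILE))` and `extra_services(SAMPLE_ACTIVE)` against a real profile and SICF export to get the two lists of findings.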
What other checks should be done? Contact us for a more in-depth study!