Andrew Noone – Senior SAP Controls Technical Consultant

Over the past 3 months, I have taken some time out to refresh the mind and think about the next 10 years of my career. On one of my many dog walks, I couldn’t help thinking that, while the SAP resource marketplace is as busy as I’ve ever seen it, there were hardly any opportunities in my area of focus.

I started to wonder: is it timing and the logical phase that projects may be at (restarting after COVID), or is it more a case of people either:

1. not being interested in dedicated Security and Controls resource, or

2. having simply overlooked it?

I recently read a proposal from a major professional services company for an SAP implementation. Across two very nicely presented proposals there wasn’t a single mention of Security, GRC or Controls. Surely this can’t be a simple omission; it had to be intentional.

Maybe some implementers are giving up on this area and allowing the smaller niche players to come in and provide the required solution. That is my take on things now, though I’m not sure; but if that is the case, there will be lots of opportunities for the companies I am working with.

I’ve been working in SAP for 25+ years and, whilst I would consider myself knowledgeable in my chosen subject, I’ve never had the urge to share my experiences, as I’ve seen too many sales-driven articles over the years that didn’t really help me.

So, with that in mind, here’s something to think about:

Application, User and Data Security within SAP has, in my opinion, been viewed with varying degrees of importance and relevance rather than as a strategic enabler for the past 25 years or so: from implementations based on SAP_ALL and roles put together two weeks before go-live, which provide extensive access riddled with segregation of duties (SoD) conflicts, to organisations simply wanting to ‘replicate’ their old legacy system access in their shiny new integrated platform.

I would like to think that the implementations I have led have delivered a best-practice solution from the start and real benefit to my clients. However, some projects I get involved in are already ‘in flight’, and as such my work becomes a bit of a rescue mission: an attempt to deliver solid foundations against a continually moving platform. It is something I thrive on.

Often I am challenged by implementers and clients with the statement “We don’t need tight security roles, as we have configured controls in SAP for that”. At this point I either laugh or cry, because users with extensive access in production can simply work around, or reconfigure, the very controls that are supposed to constrain them. A configured control is only as strong as the authorisations that stop a user from changing or bypassing it. As we see more fixed-price implementations being delivered, this trend will only continue.

So, what’s the point of a good security model?

I am a strong advocate that getting security right not only delivers better controls and audit compliance, but also enables significant strategic change that delivers real, tangible benefits, for example:

  • Centralisation of key business activities.
  • Adherence to corporate strategies, procedures, and policies.
  • Greater control to reduce unauthorised spend and payments.
  • Increased commercial leverage in contract negotiations if business users all buy the same products from the same suppliers.
  • Supply chain rationalisation.

The benefits list is extensive, but the message is the same: design access controls as an enabler, not as a preventative control in isolation.

This links to my next point on how Security can be an enabler: User Experience.

We are now at a key point in the evolution of SAP Security: Fiori-based user access. Whilst SAP S/4HANA and Fiori security are nothing new, the fact that SAP are getting their house in order and delivering some useful Fiori content means that more and more clients are now realising the benefit (and the necessity) of moving to S/4HANA and Fiori. In my opinion, we are approaching a point of major change:

With this statement comes my first prediction: the demise of the SAP transaction as we know it.

I, for one, am a huge fan of Fiori and actively push it because of the user-experience benefits of the integrated launchpad.

If Fiori is activated as part of the technology solution, there is simply no longer a business case for end users needing GUI transaction access directly into an S/4HANA system. Some specific IT support functions may still require this type of access, but they are becoming fewer with each release of S/4HANA.

I, for one, will no longer promote any kind of GUI-based, transaction-driven end-user security model in S/4HANA if the client has implemented Fiori. I just cannot see the benefit of maintaining two security solutions; it is like implementing structural authorisations and direct role allocation at the same time: completely pointless!

To provide an example: the screen below contains a mixture of native UI5 Fiori apps, Fiori apps that are GUI based, and custom ‘tiles’ that merely render a GUI transaction in the Fiori Launchpad. Can you tell the difference? No, I didn’t think so.

My thoughts are clear: this is the future; the days of the transaction are numbered. Why would you want to log into a Launchpad and then have to log into a backend system to perform other elements of your day-to-day work? You wouldn’t.

As SAP says, “Run Simple”.

Whilst Fiori security is far from simple to implement, the delivery of a vastly improved user experience is worth the effort, but only if the business sees security as an enabler.

In summary, a comprehensive security model delivers a lot more than user access and audit compliance!

If you want to chat more on this or any other related subject, please drop me a line.