Modernizing SoD Risk Analysis

Integrate SAP S/4HANA and SAP Fiori Applications with Existing Access Controls

Published: 08/November/2017

Reading time: 3 mins

The introduction of SAP Fiori has been a game-changer for SAP applications. It delivers a simplified user experience and an enhanced mobile platform, and promises to increase productivity across all lines of business. And with more organizations making the move to SAP S/4HANA, the SAP Fiori interface will continue to see increased adoption. As with any new technology, however, there is bound to be a learning curve. One challenge that results is how to maintain access controls and segregation of duties (SoD) over SAP Fiori applications.

Companies that leverage SAP Fiori in addition to, or as a replacement for, traditional SAP GUI transactions need to reconsider how they evaluate access controls. Integrating SAP Fiori applications into SoD activities will be essential in managing governance, risk, and compliance (GRC), and companies must rework their SoD risk analysis processes to gain complete visibility across the environment.

Integrating SAP Fiori Applications into SoD Risk Analysis

With this new setup, SoD risk analysis must include checks for a combination of traditional SAP GUI transactions and the services related to SAP Fiori applications. To access SAP Fiori tiles through groups or catalogs, for example, companies need to grant users role-based security in the SAP Gateway front end as well as provide the underlying OData service authorizations. This means that, within SAP Fiori applications, traditional transaction authorizations are replaced by service authorizations. SoD checks must therefore evolve to cover not only the underlying authorizations required to consume or process the back-end data, but also the appropriate transaction or service authorizations.

The added complexities in the security model then affect the SoD analysis of that model. Companies that do not have an SAP S/4HANA SoD ruleset, for example, need to extend existing rules to include S_SERVICE hash values so they can avoid triggering false negatives when business users review SoD data. Furthermore, because users process business functions without running SAP GUI transactions, visibility into usage of SAP Fiori applications within the SAP system decreases, which can make it more difficult to identify possible remediation options.

Companies that have already implemented SAP S/4HANA or are using SAP Fiori applications to process business transactions must update SoD rules to include the corresponding service authorizations. SoD risk analysis data must also be actionable and provide remediation options — whether for systems with traditional SAP GUI transactions, SAP Fiori applications, or a combination of the two.

The key to a successful access control program is allowing business users to self-assess for risk. The SoD analysis data must be easy to understand for non-technical users and provide potential risk remediation options. OData service authorizations, therefore, need to be translated into business functions and mapped to usage data so that reviewers can tell if the SAP Fiori application is in use or if it can be removed to clean up SoD risk.
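The two points above (extending a transaction-only ruleset with S_SERVICE values so Fiori-only users no longer produce false negatives, and attaching usage data to each finding so a reviewer can judge removal) as an added, self-contained illustration; this is example code written for this article, not ControlPanelGRC's or SAP's logic. The business-function mappings, the S_SERVICE hash values and the usage dates are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Auth:
    obj: str    # "S_TCODE" for a GUI transaction, "S_SERVICE" for a Fiori OData service
    value: str  # the transaction code, or the S_SERVICE hash value


# Constructed sample rule content (illustrative, not a real SoD ruleset).
# The legacy ruleset maps each business function only to GUI transactions;
# SERVICE_MAP adds the OData service hash behind the Fiori app for the same
# function (hash values here are placeholders, not real S_SERVICE hashes).
LEGACY_RULESET = {
    "Maintain Vendor Master": {Auth("S_TCODE", "XK01"), Auth("S_TCODE", "XK02")},
    "Post Vendor Invoice": {Auth("S_TCODE", "FB60"), Auth("S_TCODE", "MIRO")},
}
SERVICE_MAP = {
    "Maintain Vendor Master": {"HASH_VENDOR_SRV_PLACEHOLDER"},
    "Post Vendor Invoice": {"HASH_INVOICE_SRV_PLACEHOLDER"},
}
# A risk is a pair of business functions one person must not hold together.
RISKS = {"P001": ("Maintain Vendor Master", "Post Vendor Invoice")}


def extend_ruleset(legacy, service_map):
    """Return a new ruleset in which each function also matches the
    S_SERVICE hash of every Fiori app that performs it."""
    extended = {fn: set(auths) for fn, auths in legacy.items()}
    for fn, hashes in service_map.items():
        extended.setdefault(fn, set()).update(Auth("S_SERVICE", h) for h in hashes)
    return extended


def find_conflicts(ruleset, risks, user_auths, usage):
    """List (risk_id, function, auth_value, last_used) for every risk whose
    two functions are both reachable through the user's authorizations.
    last_used comes from the usage map (None = never used) so a reviewer can
    see whether the offending access path can simply be removed."""
    hits = []
    for risk_id, (fn_a, fn_b) in risks.items():
        matched = {fn: ruleset.get(fn, set()) & user_auths for fn in (fn_a, fn_b)}
        if all(matched.values()):  # both sides of the conflict are held
            for fn, auths in matched.items():
                for a in sorted(auths, key=lambda x: x.value):
                    hits.append((risk_id, fn, a.value, usage.get(a.value)))
    return hits


# Constructed user who works entirely through Fiori apps (S_SERVICE only).
FIORI_USER = {Auth("S_SERVICE", "HASH_VENDOR_SRV_PLACEHOLDER"),
              Auth("S_SERVICE", "HASH_INVOICE_SRV_PLACEHOLDER")}
USAGE = {"HASH_VENDOR_SRV_PLACEHOLDER": "2017-10-30", "HASH_INVOICE_SRV_PLACEHOLDER": None}

if __name__ == "__main__":
    print(find_conflicts(LEGACY_RULESET, RISKS, FIORI_USER, USAGE))  # [] (false negative)
    print(find_conflicts(extend_ruleset(LEGACY_RULESET, SERVICE_MAP), RISKS, FIORI_USER, USAGE))
```

The legacy ruleset returns no finding for the Fiori-only user, which is exactly the false negative described above; the extended ruleset reports risk P001 on both sides, with one service never used and therefore a candidate for removal.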

Automated Compliance for SAP Fiori Applications

Implementing a third-party solution that complements SAP security models and provides greater visibility into SoD risks can help companies stay in control of their GRC systems. ControlPanelGRC by Symmetry is a comprehensive compliance automation solution for SAP environments that has developed a simplified concept for including SAP Fiori applications into SoD rules, and has also released an SAP S/4HANA SoD ruleset. This provides an automated discovery process, captures usage of SAP Fiori applications, and pushes SoD analysis data to appropriate business users for review and removal.

To learn more about how ControlPanelGRC simplifies SoD rules for SAP Fiori applications and provides a more intuitive risk review and remediation path, visit www.symmetrycorp.com.
