
SAP GRC Access Control in SAP Fiori®: Meeting the GRC Challenge

SAP Fiori has revolutionized the way organizations and end users interact with SAP®. Companies have been able to move from the complex menu navigation of SAP GUI to a sleek, consumer-grade interface optimized for ease of use, standardization, and productivity. Tasks that used to require a keyboard and mouse can now be done from any device, often in less than half the time, with a standardized layout that makes it easy for employees to learn new roles. An extensive library of apps accommodates a wide range of user roles, allowing end users to complete most common tasks without SAP GUI.

However, SAP Fiori isn’t just a tool that bundles SAP processes together and puts a nicer interface on top: it has a fundamentally different architecture from SAP GUI. Those differences can cause false negatives in your Segregation of Duties (SoD) analysis, where your GRC software fails to recognize and report a risk that really exists.

Traditional SAP GUI Uses Transactions

SAP GUI works through transactions. To perform an action such as creating a purchase order, a user either selects the purchase order transaction from the menu or enters its transaction code. When the transaction starts, the system checks the transaction start authorization (authorization object S_TCODE) to confirm that the user is allowed to run that particular transaction. Most SAP GRC access control solutions verify compliance by checking these transaction authorizations against a set of SoD rules. If a user is allowed to run multiple incompatible transactions, for example both creating a purchase order and paying it, the GRC tool flags the combination as an SoD conflict.

SAP Fiori works differently. In Fiori, you don’t interact directly with transactions. Instead, a Fiori app calls back-end services (OData services) exposed through SAP Gateway (NetWeaver Gateway), and those services carry out the underlying steps on your behalf from a simplified interface. That is what allows Fiori to be so user-friendly: you don’t need to know your way around the SAP menus or which individual transactions would otherwise be involved, you just need to know what task you need to perform.

The problem is that Fiori also handles authorizations differently. Instead of asking the system “Is this user authorized to run this transaction?” it asks “Is this user authorized to call this service?” (the check is made on the service, through authorization object S_SERVICE, rather than on a transaction code). An SoD rule that only lists transaction codes therefore never sees the Fiori path to the same business function. That change requires different SoD functionality, and most businesses aren’t ready for it.
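To make the false negative concrete, here is a small added example of an SoD risk analyzer. It is illustrative code written for this page, not code from ControlPanelGRC, SAP, or the original article. It assumes a simplified authorization model: a user's effective authorizations are flattened to (authorization object, value) pairs, the transaction codes ME21N, F-53 and F110 stand in for "create purchase order" and "pay vendor", and the Fiori service names ZPO_CREATE_SRV and ZPAYMENT_SRV are hypothetical (real S_SERVICE values are hashed service identifiers, and the page names no specific services). The same rulebook is evaluated twice: once with functions mapped only to transaction codes, as the article says most tools do, and once with the Fiori services mapped to the same business functions.

```python
"""Toy Segregation-of-Duties (SoD) risk analyzer (added example, not page code).

Models the gap described above: rules written only in terms of SAP GUI
transaction codes (checked via S_TCODE) miss the same business function when it
is reached through a Fiori app, whose back-end service is checked via S_SERVICE.

Assumptions / simplifications (not from the page):
- ME21N / F-53 / F110 are used as illustrative transaction codes.
- ZPO_CREATE_SRV and ZPAYMENT_SRV are hypothetical Fiori service names; real
  S_SERVICE values are hashed, readable names are used here for clarity.
- Role inheritance, field values and org levels are ignored.
"""
from dataclasses import dataclass

Auth = tuple[str, str]  # (authorization object, value), e.g. ("S_TCODE", "ME21N")


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    functions: tuple[str, ...]  # a conflict exists if the user can perform ALL of these


@dataclass
class Conflict:
    rule_id: str
    evidence: dict[str, set[Auth]]  # business function -> authorizations granting it


# Business function -> authorizations that grant it, transaction codes only
# (the rulebook shape the article says most GRC tools start from).
TCODE_ONLY_MAP: dict[str, set[Auth]] = {
    "CREATE_PO": {("S_TCODE", "ME21N")},
    "PAY_VENDOR": {("S_TCODE", "F-53"), ("S_TCODE", "F110")},
}

# Same functions, extended with the (hypothetical) Fiori services that reach them.
FIORI_AWARE_MAP: dict[str, set[Auth]] = {
    "CREATE_PO": TCODE_ONLY_MAP["CREATE_PO"] | {("S_SERVICE", "ZPO_CREATE_SRV")},
    "PAY_VENDOR": TCODE_ONLY_MAP["PAY_VENDOR"] | {("S_SERVICE", "ZPAYMENT_SRV")},
}

RULES = [
    SodRule("P2P-01", "Create a purchase order and pay the vendor for it",
            ("CREATE_PO", "PAY_VENDOR")),
]


def analyze(user_auths: set[Auth], rules: list[SodRule],
            function_map: dict[str, set[Auth]]) -> list[Conflict]:
    """Return every rule for which the user holds at least one granting
    authorization for each of the rule's business functions."""
    conflicts: list[Conflict] = []
    for rule in rules:
        evidence: dict[str, set[Auth]] = {}
        for fn in rule.functions:
            granted = user_auths & function_map.get(fn, set())
            if not granted:  # one function unreachable -> rule cannot fire
                break
            evidence[fn] = granted
        else:  # loop completed without break: all functions granted
            conflicts.append(Conflict(rule.rule_id, evidence))
    return conflicts


def what_if(user_auths: set[Auth], role_auths: set[Auth], rules: list[SodRule],
            function_map: dict[str, set[Auth]]) -> list[Conflict]:
    """Conflicts that would be NEW if role_auths were assigned to the user."""
    before = {c.rule_id for c in analyze(user_auths, rules, function_map)}
    after = analyze(user_auths | role_auths, rules, function_map)
    return [c for c in after if c.rule_id not in before]


# Constructed sample user: a buyer with the GUI transaction for PO creation and a
# Fiori payment app, but none of the payment transaction codes.
BUYER_AUTHS: set[Auth] = {("S_TCODE", "ME21N"), ("S_SERVICE", "ZPAYMENT_SRV")}

if __name__ == "__main__":
    # False negative: the transaction-only rulebook reports nothing.
    print("transaction-only rulebook:", analyze(BUYER_AUTHS, RULES, TCODE_ONLY_MAP))
    # The Fiori-aware rulebook sees the service and reports P2P-01.
    print("Fiori-aware rulebook:     ", analyze(BUYER_AUTHS, RULES, FIORI_AWARE_MAP))
    # What-if: a payments clerk is about to receive the Fiori PO-creation app.
    clerk = {("S_TCODE", "F110")}
    new_role = {("S_SERVICE", "ZPO_CREATE_SRV")}
    print("what-if (tcode-only):     ", what_if(clerk, new_role, RULES, TCODE_ONLY_MAP))
    print("what-if (Fiori-aware):    ", what_if(clerk, new_role, RULES, FIORI_AWARE_MAP))
```

The design point is that the rule itself never changes; only the mapping from business function to granting authorizations grows. Keeping Fiori services and transaction codes under one business function, rather than in a separate Fiori rulebook, is what keeps the two sets of controls consistent with each other.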


SAP Fiori Apps and GRC Access Control

At the level of the underlying SAP business function, nothing changes: the same function is executed in the back end whichever interface the user came through. Fiori is just giving users a more intuitive interface. The problem is that SAP customers and GRC providers are only set up for the way SAP GUI grants access, not the way Fiori does. Even if you have good SoD controls around transactions, the same sorts of conflicts can go undetected when users perform the same task through SAP Fiori apps. The problem is complicated somewhat by the fact that Fiori hasn’t totally replaced SAP GUI. SAP is creating more Fiori apps all the time, but for the foreseeable future there will still be tasks that require SAP GUI. That means you need a solution that provides both SAP GUI and SAP Fiori access control.

You Can’t Do SAP Fiori GRC By Hand

Even with only SAP transactions to worry about, companies already struggle with SAP SoD remediation. Many organizations treat security as an afterthought and lack any systematic approach to SoD compliance. Without a modern SAP GRC solution, it’s incredibly difficult to keep track of the SAP security model, let alone maintain controls effectively and spot and remediate new conflicts. The best you can do is tack on new controls when your auditors force the issue and try to stay above water.

Suddenly these organizations have to add a second set of SAP segregation of duties controls for their SAP Fiori apps. It isn’t just a matter of duplicating controls: the two sets have to stay consistent across the security model, so that no user can use gaps in the Fiori controls to violate SAP GUI controls, or vice versa.

Even for organizations using modern SAP GRC controls, the situation is far from ideal. The GRC market hasn’t addressed Fiori SoD in a systematic way. It’s possible to build an ad-hoc set of controls in house if you have the resources, but it will be time consuming and costly, and it likely won’t tie in to your existing GRC solution, so problems with visibility and usability remain. Your admins may be able to use it to remedy certain SoD conflicts, but it probably won’t give your executives or auditors output they can easily use and understand.

GRC Access Control For SAP Fiori Apps: What You Need

SAP GRC software isn’t just a set of controls to remediate current conflicts; it’s a system that enables continuous compliance and ongoing risk remediation throughout the organization. Companies need to be able to self-assess using a GRC tool that can detect SoD conflicts in SAP Fiori apps as well as in SAP GUI transactions. The output needs to offer remediation options, so that current issues can be fixed quickly and ongoing monitoring and control are in place afterwards.

You need the ability to maintain SoD, monitor user behavior and privileges, and detect new problems immediately. If a user who works in SAP GUI is assigned a conflicting role through an SAP Fiori app, you shouldn’t have to wait to find out. Your GRC solution needs to spot it, propose solutions and mitigating controls, and remediate it before it causes unacceptable risk. And it needs to do so with an automated solution that hooks into your entire SAP landscape, allowing you to catch and mitigate SoD risks from a centralized console.

Segregation of Duties Risk Analysis For SAP Fiori and GUI

ControlPanelGRC® provides a comprehensive SAP GRC solution, helping companies stop struggling with their audits and start meeting tough compliance regimes like SOX, HIPAA and 21 CFR Part 11, every time. Our SAP SoD Risk Analyzer has been updated to provide the industry’s first complete compliance solution for SAP Fiori and SAP GUI. The Risk Analyzer integrates Fiori services into the existing transaction-based rules, so that the same rule checks Fiori access as well and the false negatives described above are eliminated. That means it can effectively spot and remedy conflicts, no matter which interface your user roles require.

Risk Analyzer includes a powerful, customizable rulebook, where built-in SoD rules can be combined with company-specific controls and auditor requirements. Real-time monitoring automatically informs your team of executed risks, allowing managers to review and mitigate incidents as they happen, not in six months when you run your next audit. Risk Analyzer even helps you avoid future risks by conducting “what-if” analysis when you assign new roles or give new privileges to existing users.

The Risk Analyzer module works in concert with the rest of the ControlPanelGRC SAP Access Control Suite, providing an automated compliance solution for your whole landscape. It can help with everything from routine user and role provisioning, to audit management, to the unique challenges of emergency access “firecall” sessions and the heightened data control and security requirements of HR.

Stop Struggling With SAP Fiori Apps and GRC Access Control

SAP GRC is much too complex a problem for ad-hoc solutions. It’s not enough to refine your current security model or put in a few compensating controls; you need a proven GRC solution that can keep your landscape safe and your audits successful, year after year. ControlPanelGRC Access Control provides the only true solution for compliance across SAP Fiori apps and SAP GUI transactions.

Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognized expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SOD). Scott is also responsible for architecting the ControlPanelGRC® solution which provides audit automation and acceleration of security and control processes.