Scribd
Upload
284 views5 pages

Integration Access Control With Fiori Apps For S4HANA On-Premise

This document discusses integrating SAP Access Control with Fiori apps for SAP S/4HANA on-premise systems. It provides details on BC sets, rule changes, and new approaches for risk analysis that allow SAP Access Control to identify violations for SAP S/4HANA Fiori apps. The integration enables enhancing the SAP Access Control separation of duties rule set with BC sets.

Uploaded by

Hasbleidy Celis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
284 views5 pages

Integration Access Control With Fiori Apps For S4HANA On-Premise

This document discusses integrating SAP Access Control with Fiori apps for SAP S/4HANA on-premise systems. It provides details on BC sets, rule changes, and new approaches for risk analysis that allow SAP Access Control to identify violations for SAP S/4HANA Fiori apps. The integration enables enhancing the SAP Access Control separation of duties rule set with BC sets.

Uploaded by

Hasbleidy Celis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

3/5/2020

Integration: Access Control with Fiori


Apps for S/4HANA On-Premise
Generated on: 2020-03-05

SAP Access Control | 12.0 SP06

PUBLIC

Original content: https://help.sap.com/viewer/0868c418230e43299792685fe230f2c7/12.0.06/en-US

Warning

This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not re ect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.

For more information, please visit the https://help.sap.com/viewer/disclaimer.

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=22280466&topics=6d98ef6de9e144a3802248a5ea60… 1/5
3/5/2020

SAP Access Control with Fiori Apps for SAP


S/4HANA On-Premise
The following information is for customers whose landscape includes SAP Fiori apps on SAP S/4HANA on-premise systems and
SAP Access Control. This integration enables BC Sets to enhance the SAP Access Control SoD rule set. The enhancement allows
SAP Access Control Risk Analysis to include and identify violations for SAP S/4HANA Fiori apps.

BC Sets
Depending on your landscape, you may have both SAP S/4HANA and SAP Fiori apps installed on the same system, or on separate
systems. The following BC Set covers both scenarios.

GRAC_RA_RULESET_S4HANA_ALL

The rule set for the single system approach includes the following:

Standard SAP ERP

Fiori applications

Odata services

 Note
For a SAP S/4 HANA Connector, the Fiori connector must be listed under Subsequent Connector. Since Fiori apps are case-
sensitive, the SAP S/4HANA connectors must be maintained in the con guration parameters 1022 and 1046.

BC Set Updates – Rule Changes in SAP Access Control 10.1 SP22 & SAP Access Control 12.0 SP03.

GRAC_RA_RULESET_COMMON – All Fiori functions with *FAP endings that were introduced in SAP Access Control 10.1
SP19 have been discontinued.

GRAC_RA_RULESET_S4HANA_CORE – BC Set has been deleted as it is no longer required.

GRAC_RA_RULESET_S4HANA_FIORI – BC Set has been deleted as it is no longer required.

GRAC_RA_RULESET_S4HANA_ALL – has been updated with new content.

 Note
For more information on the changes, refer to 2678236 and 2704494 .

Availability
The BC Sets are available for SAP Access Control 12.0 SP03 or higher.

New Approach for Risk Analysis


SAP offers three options for implementing Risk Analysis and strongly recommends the rst two.

1. Recommended Option

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=22280466&topics=6d98ef6de9e144a3802248a5ea60… 2/5
3/5/2020
a. Upgrade your landscape to GRCFND_A V1100 SP22 [SP08 of V8000] (SAP Access Control 10.1 SP 22 [SAP S/4
HANA SP08 ] or 12.0 SP03).

b. Activate the BC Set GRAC_RA_RULESET_S4HANA_ALL. For more information refer to 2678236 . After
activating the BC set, the SAP_S4A_LG connector group will have the latest content for rules.

c. To download the content, open Customizing, go to GRC Access Control Access Risk Analysis SOD
Rules Download SOD Rules .

You can upload it against your SAP S/4HANA connector or Custom Connector Group. Before uploading the rules
against them, ensure that both the connectors are placed under the con guration parameters 1022 & 1046.

If you would like to use the standard SAP_S4A_LG connector group in your landscape, follow the steps given below:

a. Maintain the SAP_S4A_LG connector group under the parameters 1022 & 1046.

b. Download the rules les for the SAP_S4A_LG connector group and upload them again for the same connector
group.

 Note
If you are using option 2 (SAP S/4HANA & FIORI on different systems), you can also refer to the 2678234 to
delete the content of the obsolete BC Set and then activate the BC Set GRAC_RA_RULESET_S4HANA_ALL.

2. Recommended Option

If it is not possible to upgrade to GRCFND_A V1100 SP22 [SP08 of V8000] SAP Access Control 10.1 SP22, perform the
following steps:

a. Upgrade one of your sandbox systems to SAP Access Control 10.1 SP22 (GRCFND_A V11A00 [SP08 of V8000]) or
12.0 SP03 or set up a new system with either 10.1 SP22 or 12.0 SP03 out of your landscape.

b. Activate the BC Set GRAC_RA_RULESET_S4HANA_ALL to obtain the latest SAP rule set content.

c. Download the standard rules data les from the above sandbox system using the SAP_S4A_LG connector group.
Use these rules content for your existing landscape. Before uploading the rules, make sure that your custom
Connector Group or SAP S/4HANA connector (against which you are uploading rules) are placed under the
con guration parameters 1022 / 1046. All the delta changes delivered in 2678236 will be available with this
download.

 Note
SP19 of GRCFND_A V1100 [SP05 of V8000] (SAP Access Control 10.1 SP19 [SAP S/4 HANA SP05] is the
minimum SP level required to run the Risk Analysis for SAP S/4HANA & SAP Fiori.

The 2704494 gives all the information for GRCFND_A (GRC system) and GRCPINW (GRC plug-in system)
that must be implemented on top of SP19 of V1100 [SP05 of V8000] (SAP Access Control 10.1 SP19 [SAP S/4
HANA SP05].

If you are using option 2 (SAP S/4HANA & SAP Fiori on different systems), you can also refer to the 2678234 to
delete the content of the obsolete BC Set and then activate the BC SetGRAC_RA_RULESET_S4HANA_ALL.

3. If options 1 and 2 are not possible, implement the following option. Although SAP recommends it, it requires a considerable
amount of manual effort.

a. This step applies only for option 2 where SAP S/4HANA & SAP Fiori are on different systems.

Open all the Risk IDs that have functions ending in *FAP and remove them.

Risk ID Fun 1 Fun 2 Fun 3 Fun 4

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=22280466&topics=6d98ef6de9e144a3802248a5ea60… 3/5
3/5/2020

Risk ID Fun 1 Fun 2 Fun 3 Fun 4

F001 GL02 GL01 GL01_FAP GL02_FAP

F002 CC03 CC06 CC03_FAP CC06_FAP

F003 CC03 FI01 CC03_FAP FI01_FAP

F004 CC02 GL01 CC02_FAP GL01_FAP

F005 FI04 AP01 AP01_FAP FI04_FAP

F006 FA01 AP02 FA01_FAP AP02_FAP

F007 FA01 MM05 FA01_FAP MM05_FAP

F008 AR02 FI03 AR02_FAP FI03_FAP

For example: Remove the GL01_FAP & GL02_FAP functions from the Risk IDs – F001 and only keep the GL01 &
GL02 functions.

 Note
If you are using SAP Access Control 10.1 SP21 and have new Risk IDs (ending with *S4), you must delete the
following Risk IDs.

Risk ID Fun 1 Fun 2 Fun 3 Fun 4

F001_S4 GL02 GL01 GL01_FAP GL02_FAP

F002_S4 CC03 CC06 CC03_FAP CC06_FAP

F003_S4 CC03 FI01 CC03_FAP FI01_FAP

F004_S4 CC02 GL01 CC02_FAP GL01_FAP

F005_S4 FI04 AP01 AP04_FAP FI04_FAP

F006_S4 FA01 AP02 FA01_FAP AP02_FAP

F007_S4 FA01 MM05 FA01_FAP MM05_FAP

F008_S4 AR02 FI03 AR02_FAP FI03_FAP

b. Merge contents of *FAP functions with normal functions only for option #2 where SAP S/4HANA & SAP Fiori are on
different systems].

For example: Copy the content of GL01_FAP and merge it into the function GL01 under Action tab against the SAP
S/4HANA Connector or Connector Group against which you have rules.

c. Delete all the functions that end with *FAP.

d. Modify the newly improved contents for Rules according to the instructions given in 2678236. and 2704494 .

e. Regenerate the Rules

Scope of Risk Analysis


Risk Analysis is performed for the following:

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=22280466&topics=6d98ef6de9e144a3802248a5ea60… 4/5
3/5/2020
Traditional Tcode/Action & Authorization [SAP/ERP & Portal]

Webdynpro Application

Odata Services

Fiori Application

Fiori Catalog

Systems in Scope Authorization Pre x/Abbreviation Risk Analysis Standard Ruleset


Sync Available

Traditional SAP/ERP, ECC, Yes Traditional Actions Yes Yes


Tcodes/Action & Portal
Authorization

Webdynpro SRM Yes [WDY] Yes Yes


Application

Odata Services S/4, Basis Release Yes [SVC] Yes Yes


731 & above having
Odata Services

Fiori Application Fiori system Yes [FAPP] Yes Yes

Fiori Catalog Fiori system Yes [FCAT] Yes No

 Note
For information on adding Pre x with Action, refer to 2655122

https://help.sap.com/http.svc/dynamicpdfcontentpreview?deliverable_id=22280466&topics=6d98ef6de9e144a3802248a5ea60… 5/5

You might also like