S4 Hana SoD Security Migration, Architecture, HANA Modeling

SAP tcode lists by module and sub modules

AC – Accounting – General
AP – Application Platform
BC – Basis Components
BW – SAP Business Information Warehouse
CA – Cross-Application Basis Components
CO – Controlling
CRM – Customer Relationship Management
CS – Customer Service
EC – Enterprise Controlling
EHS – Environment, Health and Safety
EP – Enterprise Portal
FI – Financial Accounting
FIN – Financials
FS – Financial Services
GRC – Governance, Risk and Compliance
ICM – Incentive and Commission Management (ICM)
IM – Investment Management
IS
KM – Knowledge Management
LE – Logistics Execution
LO – Logistics – General
MDM – SAP NetWeaver Master Data Management
MM – Materials Management
PA – Personnel Management
PE – Training and Event Management
PLM – Product Lifecycle Management
PM – Plant Maintenance
PP – Production Planning and Control
PPM – Portfolio and Project Management
PS – Project System
PSM – Public Sector Management
PT – Personnel Time Management
PY – Payroll
QM – Quality Management
RE – Real Estate Management
SCM – Supply Chain Management
SD – Sales and Distribution
SRM – Supplier Relationship Management
SV – Service
TR – Treasury
WEC – Web Channel
WP – Obsolete Product: mySAP.com Workplace
PLAN BUILD DATA AND APPLICATION SECURITY
S4HANA PHASES | Project Foundation | project preparation | Blueprint | Blueprint Review | Final Process Org/OVERALL DATA MODEL | Data Preparation | Validation | Test UT/UAT/QA | Quality
DATA | Define SoD Policies Rules | Design Initial Role /User | Build Role Assign User | Role/User Access Risk Analysis | SoD Remediation/ResConflicts | BPML Costeffective compliant Security Arch | Master data Owner | Master data object | Security Testing/GoLive Preparation
DATA CLEANSING | 1 Fiori UI Level | 2 HANA DB level | 3 S4HANA App level
Master Data
Supplier Master
Material Master
Customer Master
BPML
WORKSTREAMS
STP
ETP
OMF
AFS
AFS
R2R
ME
L
QM
DATA SOURCES
APPL APIS
DATABASE/STORAGE
TARGET ARCH
JOURNEY MGT
PMO
ROLE TEMPLATE FOR S4HANA CLOUD_INITIAL ROLE AND USER DESIGN
Role Name / Initial Template | Transaction Code | Transaction Code description
Billing | VF-01-31 | Create/Cancel Billing Docs
Blocked Billing Role | VF02 V.23 |
SD Customer Master View | VD01-VD04 | Create Customer Sales/Changes
SAP Master Roles | All Company Codes, P&C Centers
SAP Derived Roles | Business Unit A Company Code
Key Components of SoD management Framework
Definition | Example
All planned SAP Systems Modules Apps in target Architecture | SAP AP, SRM, AR…
All planned Non-SAP Systems Modules Apps in target Architecture | Non-SAP AP MM AR…
Compliance to SAP Best Practices; SoD Policies Rules Security Control Monitoring | Sources of Threat; internal and external misuse conduct
Deviation from SAP Best Practices; Definition of misuse in case access granted | Restrict Authorizations Check and Monitor in real time
Sensitive Job Functions Scopes Roles to be controlled monitored in real time | Access to create and change transactions for procure to pay, and master data maintenance
Tasks Access Rights assigned to a specific User | Create a vendor master account, post payments etc.
SAP/non-SAP Transactions and respective Authorization Objects related to conflicting sensitive Job functions | Change Vendor master (XK02) vs execute payment run (F110)
New Considerations in Designing new SoD Ruleset | Business Integrity | Enterprise Risk management/ VC-Business impact | AUDIT management
Introduction of New S4HANA Security layers | SAP Fiori as new GUI Presentation layer, DB Layer HANA, new Apps, GRC, MM… incorporated in S4HANA
Changes in system and Arch level (new Connectors Configuration)
200 new Transactions | Consolidation and replacement of old transactions
Simplifications and Checks Simplified Finance logistics BP CVI Integration
Workflow Changes  
Access Control Tool 
Fiori
HANA database
Privilege-based role design to secure data in S4HANA for direct access to critical data (admins, data modelers, developers, support staff etc.)
Restrict access to critical data
Security and GDPR Compliance
IMPORTANT SENSITIVE DATA STREAMS 
Product
Manufacturing
Supplier
Customer
AFS
Quality Management
Finance
Contracts
Prices
HCM SF
CRM SF
GDPR SAP ILM
S4HANA Cloud  deployment
Anomaly detection and compliance checks
Alert investigation
Risk identification using predictive analytics
Exception detection and compliance checks
Business partner screening: Avoid doing business with high-risk or sanctioned parties by screening against lists from government agencies, international organizations, and private content providers.
Security and Compliance: Safeguard your business-critical data
 important security topics, including network and communication security, application security, and data protection. 
S4HANA GDPR ILM Upgrade SAP Note
https://launchpad.support.sap.com/#/notes/2590321/E
Read the security guide
SAP Risk Management
SAP Process Control
SAP Audit Management
SAP Access Control
https://launchpad.support.sap.com/#/notes/2555403
This SAP Note contains required objects to support the handling of personal data according to data protection requirements and the corresponding regulations, for example: EU General Data Protection Regulation (GDPR).
2555267 – Product Compliance Archiving and EoP check – Foundation Part | Correction Note | High priority
2590321 – Upgrade recommendations to support GDPR compliance
2538715 – ACM S4HANA: Data Protection and Privacy 1709 FPS00
2680159 – SAP_IT_GDPR Additional Standard Condition Field Needed for PP_WKC | Correction Note | High priority
Role Classifications | SAP Role build and User Assignment process
Job based vs Task based | Initial Role Templates, Grouped Integrated Roles BP CVI integration, All Company Codes, All Cost centers
SoD RISK ASSESSMT AT ROLE LEVEL against SOD Risk Assessment at User level
Single vs Composite Roles
Custom vs pre delivered SAP Roles
HR or Position based Design vs Functional design
3 Tier Architecture of SAP HANA Client Apps Database
Security Measures via Authorizations

https://discover.sap.com/gdpr/en-us/index.html

The General Data Protection Regulation (GDPR) was developed to protect privacy rights of EU citizens. It was first conceived in 2012, but won’t officially be implemented until May 2018. Despite the attention the new regulations have drawn, many organizations still don’t understand the changes these laws are bringing. It is important to research them and understand the role that SAP will play in meeting compliance goals.

SAP Security and Governance: Segregation of Duties (SoD)

There are many areas which should be monitored to ensure your SAP Security model is both controlled and maintained.

One such area is the design of a robust Segregation of Duties (SoD) Management Process to support the organisation’s internal controls methodology. This provides assurance that no one individual has the physical and system access to control the end-to-end phases of a business process or transaction, effectively reducing the associated risk of fraud and error. For example:

  • Creating invoices and adjusting
  • Creating a vendor and initiating payment
  • Processing inventory with posting payment authorisation

For companies registered on the U.S. stock exchange, it is a legal requirement to be compliant with the Sarbanes–Oxley Act (SOX).

The act passed in 2002 by U.S. Congress protects investors from the possibility of fraudulent accounting activities by corporations. The SOX Act mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud. The requirement for Segregation of Duties can be found within SOX control 404 – Assessment of internal control.

Possessing strong SoD controls is also applicable to U.K. based companies to ensure both Internal Controls and External Auditors are equally satisfied.

Below is a high-level overview of a manual approach to identifying risks and conflicts which may be present within business processes. However, it is recommended to implement a dedicated solution, such as SAP Governance, Risk, and Compliance commonly referred to as SAP GRC.

Identifying Risks

The first phase is to ascertain a list of applicable SoD conflicts which can either permit fraud or can generate significant risks. This can be achieved by identifying the objective of the organisation together with the hierarchy and nature of the organisation. Liaise with the Business and understand business processes and who performs the roles within the organisation. The desired result for your business is to determine potential risks and categorise as either high, medium or low. The risk can then be managed by implementing remediation and mitigating processes.

[Figure: SAP Security and Governance: a simple example of a risk]

Rule Set/Transaction Matrix Creation

Build a technical rule set or Transaction Matrix against user and/or role assignments based on the risks identified.

Risk Analysis

Analyse the risks against the rule set to identify conflicts. Any conflicts should be highlighted and recommendations escalated to the appropriate department, such as Internal Controls/Finance. This may require further interaction with the Business to identify a suitable solution to eliminate risk.

Remediation

Pursue a solution within the organisation structure to identify ways of performing segregation of duties to the Business process within the department. If this can be achieved, then a review of the SAP Security Model should be undertaken to implement the required change to either a conflicting role or role assignment.

Mitigation

In such cases where it has not been possible to remediate the existing conflicts due to organisational constraints, then consider recommending an appropriate control to mitigate the risk. This would require liaising with the business to identify additional monitoring procedures to compensate the risk.

Continuous Monitoring and Compliance

It’s imperative that a continuous process is in place to review all new access requests and changes to the SAP Security model against the SoD conflict matrix; this should be performed prior to:

  • Individual access assignment
  • Changes to roles before being promoted to the Production environment
  • New defined processes
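
The manual approach above (rule set, risk analysis at role and user level, mitigation, and a check before access is assigned) can be sketched as follows. This is an added example, not code from the original article or from SAP GRC; the role names, user IDs, risk IDs and control ID are constructed, and the check works on transaction codes only, whereas a production rule set also evaluates authorization objects.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    risk_id: str           # constructed identifier
    level: str             # "high" | "medium" | "low", agreed with the business
    description: str
    function_a: frozenset  # tcodes granting the first duty
    function_b: frozenset  # tcodes granting the conflicting duty

# Rule set / transaction matrix (constructed sample, tcode level only).
RULESET = [
    Risk("P2P-01", "high", "Maintain vendor master and execute payment run",
         frozenset({"XK01", "XK02"}), frozenset({"F110"})),
    Risk("P2P-02", "medium", "Create purchase order and post goods receipt",
         frozenset({"ME21N"}), frozenset({"MIGO"})),
]

# Constructed role design and user assignments.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_AP_PAYMENTS":     {"F110", "FBL1N"},
    "Z_MM_BUYER":        {"ME21N", "ME23N"},
    "Z_AP_SUPERCLERK":   {"XK02", "F110"},  # conflict built into a single role
}
USER_ROLES = {
    "ASMITH": {"Z_AP_VENDOR_MAINT"},
    "BJONES": {"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"},  # conflict across roles
}
# Compensating controls for conflicts that could not be remediated.
MITIGATIONS = {("BJONES", "P2P-01"): "CTRL-017 monthly payment run review"}

def conflicts(tcodes):
    """Return the risks whose two conflicting functions are both reachable."""
    return [r for r in RULESET if tcodes & r.function_a and tcodes & r.function_b]

def role_conflicts(role):
    """Role-level analysis: conflicts contained in one role on its own."""
    return conflicts(ROLE_TCODES[role])

def user_tcodes(user, extra_roles=()):
    roles = USER_ROLES.get(user, set()) | set(extra_roles)
    return set().union(*(ROLE_TCODES[r] for r in roles))

def user_conflicts(user, extra_roles=()):
    """User-level analysis: (risk, mitigating control or None) per conflict."""
    return [(r, MITIGATIONS.get((user, r.risk_id)))
            for r in conflicts(user_tcodes(user, extra_roles))]

def simulate_assignment(user, new_role):
    """Risks a requested role would add for this user; run before provisioning."""
    before = {r.risk_id for r, _ in user_conflicts(user)}
    return [r for r, _ in user_conflicts(user, [new_role]) if r.risk_id not in before]

if __name__ == "__main__":
    for role in ROLE_TCODES:
        for r in role_conflicts(role):
            print(f"ROLE {role}: {r.level.upper()} {r.risk_id} {r.description}")
    for user in USER_ROLES:
        for r, ctrl in user_conflicts(user):
            print(f"USER {user}: {r.level.upper()} {r.risk_id} -> {ctrl or 'UNMITIGATED'}")
    print("ASMITH + Z_AP_PAYMENTS adds:",
          [r.risk_id for r in simulate_assignment("ASMITH", "Z_AP_PAYMENTS")])
```

Role-level analysis alone would pass both of BJONES's roles; only the user-level pass over the combined transaction set shows the conflict, which is why both levels are checked.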

Thanks for taking the time to read this. As previously mentioned, this is just a high-level overview. The Edenhouse SAP Security & Governance team is able to assist with any SoD issues or concerns; please contact us.

Approach to Move to S/4HANA/SOH

  • Landscape Assessments
  • Business Process Transformation
  • Business Process Optimization
  • Cloud Deployment Advisory
  • Organizational Change Management Services
  • Technical Code Assessments and Optimizations

Upgrade / Migrate to SOH/S/4HANA

  • Landscape Assessments
  • Landscape Consolidations
  • OS Upgrade / Migration
  • Database Migrations
  • Testing Capabilities
  • Remove ABAP Code Redundancies by Code Optimizations
  • Identify Reporting to be Moved on SOH/S/4HANA
  • Performance Optimizations

S/4HANA Implementation

  • Implementing S/4HANA
  • BPC for S/4HANA
  • Implementing FIORI services for Simplified User Experience
  • ABAP Code Optimizations

Read about it: https://www.sap.com/documents/2016/09/e26b67aa-8c7c-0010-82c7-eda71af511fa.html#

  •  System Conversion

Fix Custom Code

  1. Migrate to SoH (30 hr downtime)
  2. Convert to S/4 in sandbox
  3. Correct data in SoH QA and PRD
  4. Convert to S/4 in DEV and QA
  5. Convert to S/4 in PRD (24 hr downtime for 11 years data (300 mill ACDOCA records))

See Conversion Guide for SAP S/4HANA

System Conversion: Hurdles
• Business partner https://launchpad.support.sap.com/#/notes/2265093 (CVI activation in BS)

Custom Code must be adapted
• Data Volume: Is downtime Sat-Sun enough?
– Archive data before
– NearZeroDownTimeOption
– Alternatively a 2 or 3 step approach
• BS SoH S/4 1605 S/4 18xx

https://blogs.sap.com/2017/03/30/simplify-your-sap-s4hana-implementation-with-sap-best-practices-explorer/
S4HANA On-Premise 1809 Software Appliance


Sven Denecken

March 30, 2017

Simplify your SAP #S4HANA implementation with SAP Best Practices Explorer

DATA Provisioning & Replication in SAP HANA

What is DATA Provisioning?

Data provisioning is the process of creating, preparing, and enabling a network to provide data to its users. Data must be loaded into SAP HANA before it reaches the user via a front-end tool.

These processes are referred to as ETL (Extract, Transform, and Load), detailed below:

  • Extract – This is the first and sometimes most difficult part of ETL, in which data is extracted from the different source systems.
  • Transform – In the transformation part, a series of rules or functions is defined for the data extracted from the source system, for loading data into the target system.
  • Load – The Load phase loads the data into the target system.

Replication in SAP HANA

SAP HANA supports two types of provisioning tools:

  1. SAP HANA Built-In Provisioning Tool
    1. Flat File
    2. Smart Data Streaming
    3. Smart Data Access (SDA)
    4. Enterprise Information Management (EIM)
    5. Remote data
  2. External tool supported by SAP HANA
    1. SAP Landscape Transformation
    2. SAP Business Objects Data Services
    3. SAP Direct Extractor Connection
    4. Sybase Replication Server

At present, the main methods of data provisioning for SAP HANA are:

Methods of Data Provisioning | Description
SLT | SLT (“SAP Landscape Transformation Replication Server”) runs on the SAP NetWeaver platform. SLT is an ideal solution for real-time and scheduled replication from SAP and non-SAP source systems.
SAP DATA Services | SAP DATA Services is a platform for designing ETL processes with a graphical user interface.
DXC | DXC stands for Direct Extractor Connect, a batch-driven ETL tool.
Flat File Upload | This option is used to upload data (.csv, .xls, .xlsx) to SAP HANA.

SAP HANA SLT road map: data provisioning through SLT requires an RFC/DB connection to the SAP/non-SAP source system and a DB connection to the SAP HANA database. Mapping and transformation are defined on the SAP SLT server. Below is a roadmap for data provisioning through SLT.

In an earlier blog, I already described the key benefits of the SAP Best Practices Explorer. This new web channel helps you to search, browse and consume SAP Best Practices content for SAP S/4HANA and other SAP products.

https://blogs.sap.com/wp-content/uploads/2017/03/Pic1_SAP_BPX.png

What makes the SAP Best Practices Explorer unique?

Customers who are interested in an implementation of an SAP solution can consult this knowledge base to find out about all the SAP Best Practices supported processes that are predefined by SAP for that solution. If a customer, for example, is interested in an SAP S/4HANA implementation, regardless of whether it’s cloud or on-premise, then the Best Practices Explorer (BPX) helps to understand what scope of business, migration and integration scenarios is already delivered preconfigured by SAP. For example, the Best Practices for S/4HANA editions entail a selection of predefined business processes for SAP solutions. Solutions are available on cloud (Finance Cloud and Professional Services Cloud) or on-premise (SAP S/4HANA) and they can be used to minimize the implementation time and costs.

What happens when a customer decides to implement an SAP cloud service?

Customers subscribing to an SAP cloud solution typically want to match their business requirements to the scope and adaptation options of the solution. SAP supports this matching with the so-called Fit to Standard Analysis, which is part of the on-boarding process of SAP. The analysis ensures that the configuration values are defined, and documents whether adjustments from the standard are needed. Potential gaps are identified and documented. By using the assets available in the SAP Best Practices Explorer, customers can see how the product covers their processes. Scope item fact sheets, which are available for every asset, entail configuration documentation, such as scope descriptions, of each end-to-end process. Furthermore, process diagrams and test scripts can be found in the BPX application. The latter provide customers with step-by-step instructions to guide the user through the business scenario using the starter system and existing master data.

Let me sum up: With the new SAP Best Practices Explorer, prospects can inform themselves in a self-study manner or with the support of SAP Sales on all available business processes that are activated with the solution. The SAP Best Practices Explorer delivers a standardized set of assets per business process and informs therefore on the business processes.

If adjustments from the standard are required, there are innovative tools that SAP offers. One of the tools is the “manage your solution” app, which supports in a potential refinement after the system is set up, and the processes are activated for the first time. Within this app, there is the possibility to view your solution. This function enables customers to view the activated processes of their deployed solutions. After the configuration needs are identified, they will be entered into the system via the Configure Your Solution function as part of the Manage Your Solution app. Thereby, customers can leverage self-service configuration UIs (SSCUIs) to update and personalize their configuration.

https://blogs.sap.com/wp-content/uploads/2017/03/Pic2_ManageYourSolutionApp.png

Accelerated Implementation with SAP Activate and SAP Roadmap Viewer

The SAP Activate Methodology Roadmap provides implementation project teams with a recommended list of deliverables (the What) in each phase, a process description in the form of tasks (the How), and accelerators (such as templates, examples, guides and web links) in a user-friendly format – helping implementations to run simple.

The SAP Roadmap Viewer contains detailed implementation procedures and methods that help you to bring improvements and innovations into your company. SAP provides SAP Activate Implementation Methodology roadmaps in two formats – general roadmaps, that provide project teams with Work Breakdown Structure (WBS) to plan and execute SAP implementation projects; and solution specific roadmaps that contain detailed guidance for implementation of specific SAP solutions (like SAP S/4HANA Finance Cloud or SAP Hybris Marketing Cloud).

The user can access the SAP implementation methodology roadmaps by phases, workstreams, or services (specific to Transition to SAP S/4HANA roadmap). The results are presented as activities, deliverables, and tasks. If the selected roadmap is relevant for a user, the attached project plan can be chosen and uploaded in SAP Solution Manager – for purposes of project planning and to control execution. The result is a project plan in the form of a work breakdown structure that customers can use as a starting point for delivery.

https://blogs.sap.com/wp-content/uploads/2017/03/Pic3_SAP_RoadmapViewer.jpg

SAP Best Practices Explorer proves with more than one million page views the validity and need for our standardized assets delivery – for cloud and on-premise implementation projects. Best Practices offerings on SAP Best Practices Explorer have been consumed with around one million page views worldwide by our users and sixty thousand asset downloads by our customers and partners since the application was launched in autumn 2016.

It’s your turn now: Discover the SAP Best Practices Explorer and the SAP Roadmap Viewer and take full advantage of all the assets that SAP is providing to customers and ecosystem partners.

Also check out our new interactive demo introducing the SAP Best Practices Explorer. Learn how to search packages and scope items, and download solution packages within the Explorer.