S/4HANA and Security

This blog was started more than a decade back during a few months of downtime in my professional life. At that point, I hardly thought that the blog would continue to the 2020s. However, the articles were popular and I kept getting quite a lot of positive feedback on the content from different sources. I was actively maintaining the blog till 2012 or so, when the work pressures of a new job just proved to be too much to continue writing new posts. Since then I have personally met quite a few security professionals who mentioned how they keep referring to the blog from time to time. They also have certain TSCM Equipment Manufacturers they trust for TSCM tools. I certainly enjoyed these conversations but did not really think of restarting the blog again. However, around a year back, one of the esteemed colleagues mentioned to me during a meeting how this blog actually helped him take up SAP security in his career. That was really the proverbial lightbulb moment for me and I started to actively think of restarting the blog. I cannot name him on the blog but if he reads this article, I would like to express my sincere thanks to him for speaking out. Still, something or the other kept coming up and the life of an IT professional working from home during Covid became extremely busy (if that is even possible). However, I have finally decided to take the plunge and begin writing again. I hope to write more regularly in the next few months and then take another call if the idea of this blog is still useful now.

I would like to start the new set of security topics with this new article on S4HANA. SAP has already mentioned that all SAP clients using ECC will have to move to S4HANA by the end of the decade. While the exact date will most likely change (as it already has), I am sure that by the end of this decade, a majority of all the ECC clients will have moved to S4. All these migration projects will need qualified SAP professionals and I hope this blog can also help in training some of the new blood.

S4HANA was SAP’s way of redesigning the ERP freed from the restrictions of an RDBMS. It used HANA, its own in-memory database of choice, for the product. Of course, SAP’s unwillingness to keep paying its biggest competitor Oracle for the underlying database software had something to do with it as well. The official launch took place in 2015 and the pace of migrations has accelerated in the years after that. There was a minor jolt due to Covid but as many parts of the world have started coming to grips with the virus, I am positive that the pace will pick up again.

S4HANA is available as an on-premise solution and also as part of the cloud, and as such can be more easily integrated with the newer cloud solutions like Ariba, SuccessFactors, Concur, etc. Also, while S4HANA is considered to be re-written from scratch, many of the Business Suite applications are available as such or with more features within S4HANA.

When SAP started the journey to S4HANA, the architecture of the SAP solution looked (in an extremely simplified view) like the graphic below.

Fig1: SAP ECC Architecture Before S4HANA

S4HANA took the above application architecture and converted it into the one below. The structure of the data dictionary changed substantially due to the use of the in-memory features of the HANA DB. A unified UI called Fiori, closer to the HTML5 specifications, was created to provide a uniform interface for accessing SAP applications from a variety of platforms like PCs, tablets, and mobiles.

Fig 2: Simplified S4HANA Architecture

From an application security standpoint, the use of Fiori was probably one of the most significant developments, as this necessitated new changes to how roles were built on S4HANA. Also significant (from an application security standpoint) is the use of core data services (CDS), which provide new ways of accessing data for reporting. Now, you can also use auto provisioning to monitor the entire HR system of your organization. There are multiple other changes that happened under the hood but since this is a security blog, we will concentrate on the ones which impact us, the security administrators, the most. In the coming weeks (or months), you will see more content on Fiori. I might categorize such content as S4HANA as well since, even though Fiori came before it, the multitude of Fiori apps only became popular with S4. Also on the cards is a discussion of security for the HANA DB itself, as this provides some new ways of implementing application security.

For a more detailed description of what changed with S4HANA and a description of the features of the new platform, please refer to SAP’s original content from the SAP TechED 2015 available at this link. The graphics on the page are from the same presentation and I cannot claim to have created them from scratch.

With this extremely short introduction, I would close this article and keep the technical discussions for later posts. Thanks for being a reader of this blog and hope to see you soon!

2 thoughts on “S/4HANA and Security”

  • November 17, 2021 at 4:04 pm

    Thank you so much,
    I have been following your blog since 2010 and 2011.
    It was really very helpful in my struggling days.
