
Roles and authorisations in SAP S/4HANA

Gemma Smith, Senior SAP Advisory Consultant

Roles and authorisations in SAP S/4HANA are central to system security, user productivity, and regulatory and licensing compliance. As businesses transition to S/4HANA or adopt the RISE with SAP model, they encounter new complexities arising from enhanced functionality, cloud-based environments, and the evolving nature of Fiori apps and AI.

The removal of license compliance and security-based restrictions will also necessitate changes to standard processes that have been in place for years. This includes initially reviewing the essentials of role design, identifying compliance risks (such as Segregation of Duties, license compliance, and FUE calculations), and adopting practical strategies to optimise authorisations for both security and cost efficiency. Additionally, it involves understanding how these factors will evolve in the S/4HANA environment.

What Are Roles and Authorisations?

Roles in SAP act as containers for authorisations, granting users access to transactions, apps, and data. Authorisations, in effect, are controlled by authorisation objects, which define permissions at a granular level (e.g., access to specific company codes or plants).

Key Concepts in S/4HANA

Key concepts in S/4HANA include user master data, role types, and Fiori authorisations. User master data connects users to their roles and so determines the level of access they have within the system. Roles fall into three main types:

  • Single roles, which provide specific authorisations for particular tasks or functions;
  • Composite roles, which group multiple roles together for easier management and assignment; and
  • Derived roles, which allow templates to be reused across different organisational units for consistent access control.

Fiori authorisations are crucial in managing app-level access, utilising Fiori catalogs, groups, and spaces. Additionally, roles must include access to relevant OData services to ensure smooth operation of Fiori apps.

Why Roles in S/4HANA Are Different

Roles in S/4HANA differ significantly from those in ECC due to several key changes introduced by the system. One major shift is the Fiori-First approach, which requires roles to integrate both traditional GUI transactions and Fiori apps, ensuring seamless access to both interfaces.

Additionally, S/4HANA’s simplified data model, which reduces the number of tables, has a direct impact on the design of roles and authorisations. The introduction of embedded analytics also brings about new authorisations for Core Data Services (CDS) views and analytical tools, which are essential for users to access and interpret business intelligence.

With RISE licensing measured in FUE (Full User Equivalent) units for cloud subscriptions, role design is directly affected by this shift in licensing structure. Furthermore, the reduction of measures that supported compliance, such as the removal of developer keys, places greater emphasis on roles and authorisations for ensuring Named User compliance.

Segregation of Duties

Violations of Segregation of Duties (SoD) can result in fraud and audit findings, exposing the organisation to financial and legal risks.

Tools like SAP GRC can be used to proactively identify and mitigate SoD conflicts before roles are deployed, ensuring that responsibilities are clearly divided to prevent unauthorised actions and ensure compliance.

Regulatory Compliance Risks

Poorly controlled data access can lead to violations of regulations such as GDPR, SOX, or HIPAA, resulting in severe penalties and reputational damage. Regular internal audits should be conducted using SUIM reports to ensure that user access is properly monitored. SAP Audit Logs should be used to track and monitor access to sensitive data, ensuring ongoing compliance with relevant regulations.

Licensing Compliance Risks

Over-licensing or violations related to indirect access can result in significant financial penalties and compliance issues. SAP License Utilisation Management (SLAW) should be used to audit user license classifications, ensuring that users are assigned appropriate licenses based on their roles and usage. Roles should be aligned with license types (e.g., Employee vs. Professional) to avoid unnecessary costs and maintain compliance. This level of review is based on customer-assigned license types; it does not give an “under the hood” view of roles and authorisations (R&A) and is likely to require additional visibility to properly assess requirements.

FUE Calculation in RISE with SAP - What is FUE?

Full User Equivalent (FUE) is the metric used in RISE with SAP to calculate the number of subscriptions required and their associated fees. Users and processes are classified based on their roles and system usage, for example Employee User = 0.5 FUE, Professional User = 1 FUE, and Developer User = 2 FUE.
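As an added illustration (not code from the article, SoftwareOne or SAP), the Python below models how nested composite roles can combine into an SoD conflict that no single role shows on its own, and how the FUE weights quoted above add up per user. All role names, business functions, the SoD rule and the user-classification heuristic are constructed for the example.

```python
# Added example, not SoftwareOne's or SAP's code: flattens single/composite
# roles, checks SoD conflicts and totals FUE with the article's weights. Role
# names, functions, the SoD rule and the classification heuristic are constructed.
FUE_WEIGHT = {"Employee": 0.5, "Professional": 1.0, "Developer": 2.0}

# Constructed single roles: role name -> business functions it grants.
SINGLE_ROLES = {
    "Z_AP_INVOICE_POST": {"post_vendor_invoice"},
    "Z_AP_VENDOR_MAINT": {"maintain_vendor_master"},
    "Z_FI_DISPLAY": {"display_fi_documents"},
    "Z_DEV_TOOLS": {"develop_abap"},
}
# Constructed composite roles; ZC_AP_LEAD nests another composite role.
COMPOSITE_ROLES = {
    "ZC_AP_CLERK": ["Z_AP_INVOICE_POST", "Z_FI_DISPLAY"],
    "ZC_AP_LEAD": ["ZC_AP_CLERK", "Z_AP_VENDOR_MAINT"],
}
# Constructed SoD rule: creating vendors and paying them must be separated.
SOD_RULES = [frozenset({"maintain_vendor_master", "post_vendor_invoice"})]

def resolve_functions(role, seen=frozenset()):
    """Flatten a single or nested composite role into the functions it grants."""
    if role in seen:  # guard against cyclic composite definitions
        return set()
    if role in SINGLE_ROLES:
        return set(SINGLE_ROLES[role])
    children = COMPOSITE_ROLES.get(role, [])
    return set().union(*(resolve_functions(c, seen | {role}) for c in children))

def user_functions(roles):
    """Union of functions across every role assigned to one user."""
    return set().union(*(resolve_functions(r) for r in roles))

def sod_violations(roles):
    """SoD rules broken by a user's combined role assignments, as sorted pairs."""
    held = user_functions(roles)
    return [sorted(rule) for rule in SOD_RULES if rule <= held]

def classify_user(roles):
    """Constructed heuristic: developers 2 FUE, transactional users 1, display-only 0.5."""
    funcs = user_functions(roles)
    if "develop_abap" in funcs:
        return "Developer"
    if any(not f.startswith("display_") for f in funcs):
        return "Professional"
    return "Employee"

def fue_total(assignments):
    """Total FUE for a mapping of user -> list of assigned roles."""
    return sum(FUE_WEIGHT[classify_user(roles)] for roles in assignments.values())
```

The clerk composite is clean on its own, but the lead composite that nests it inherits the posting function and so trips the vendor-master rule; this is the kind of conflict a pre-deployment check of the flattened role content catches and a review of individual roles does not.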

Potential licensing and FUE risks

Roles and authorisations are often historical, inherited, and cobbled together from updates and changes accumulated over many years of SAP ECC implementation and use by the business. The adoption of S/4HANA presents a valuable opportunity to update these roles, but it does not serve as an automatic impetus for change.

With RISE with SAP, standard user measurement will be based on this setup. Instead of relying on SLAW and USMM, it will go down to the roles and authorisation level. Even if the initial conversion from Named Users to FUEs does not highlight potential issues, businesses may encounter challenges during future audits. Standard sizing metrics for RISE will not necessarily highlight misaligned roles and user assignments. Identifying potential risks now and planning a clear path forward will be essential to keeping RISE-related costs manageable.

A proliferation of technical Roles, vendors or partners being assigned copied Roles from employees, and the misassignment of cloud-only users are some of the issues that require rethinking when transitioning to S/4HANA and RISE. Addressing these challenges will help reduce costs, lower security risks, and help create a licensing assignment process that better reflects business needs and new licensing specifications.

In SAP S/4HANA and RISE with SAP, role design is more than a technical exercise—it’s a critical process for ensuring security, compliance, and cost optimisation. By aligning roles with licensing models (e.g., FUEs), mitigating SoD risks, and leveraging tools like SAP GRC and SUIM, organisations can maximise efficiency while remaining compliant. RISE has introduced a new focus on Roles and authorisations. These will be pivotal for sizing a RISE environment, maintaining compliance and future measurement by SAP.

Ready to optimize your SAP landscape? SoftwareOne’s SAP Advisory Services offers a variety of programs to support customers in their SAP technology and software management journeys. Reach out to your SoftwareOne representative and schedule a call with one of our SAP Solution Advisors to understand how we can help you get in control, avoid unnecessary spend, and save costs.


Contact us to discuss how you can check your compliance status, optimize your Oracle licensing strategy, and cut unnecessary costs.

Author

Gemma Smith
Senior SAP Advisory Consultant