
Updating Your SAP Security Roles for Fiori—What You Need to Know

Jan 22, 2020

If you’re not already familiar with SAP Fiori, here’s a quick refresher: it’s the latest and greatest UX (user experience) for SAP, and it offers users even more power and flexibility in how they use the solution, all thanks to a new programming model. Of course, this new programming model also comes with a number of new security roles, which means you’ll need to update your current setup (and in some cases, even rewrite your roles entirely).

In this article, we’ll go over some specific reasons why Fiori means you’ll need to rethink your SAP security roles, why your current GRC (Governance, Risk, and Compliance) solution might not cut it, as well as the best strategy for ensuring your org is keeping its data safe and sound.

Why Rethink SAP Security Roles?

Businesses that use SAP are trusting the solution with all sorts of sensitive information, as it can handle everything from business secrets to private employee data, all of which need to be kept secure. After all, a situation where the same employee can write a check, sign it, and then send it out is absolutely ripe for abuse. And if you agree with all of the above, you might be thinking to yourself, “Well, obviously. But I already take advantage of GRC. What is it about Fiori that means I need to create new security roles?”

Good question! Here are two big reasons why:

1) GRC’s False Negatives

With Fiori’s predecessor, SAP GUI, many GRC (Governance, Risk, and Compliance) access control solutions ensured that only authorized users were able to perform a given transaction by checking transaction authorizations against a set of Segregation of Duties (SoD) rules. In the situation we illustrated above, for example, if a user who wrote a check also tried to send it with SAP GUI, GRC would flag that as a conflict.

But because SAP Fiori doesn’t directly interact with transactions, the authorization model has changed, so if you relied on GRC to check for SoD conflicts, you might get false negatives. It’s certainly possible to rework your current GRC setup to take Fiori’s new architecture into account, but there are downsides to that strategy as well.
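The false negative described above, as an added example that is not from the original article: a minimal SoD check run twice over the same users, once with a ruleset keyed only on transaction start authorizations and once with service start authorizations included. The authorization objects S_TCODE and S_SERVICE are standard SAP objects the article does not name; every user, transaction code and service name is a constructed placeholder.

```python
# Added example. User, transaction and service names are constructed placeholders.
SOD_RULES = [("WRITE_CHECK", "SEND_CHECK")]  # functions one user must not combine

# Ruleset built for SAP GUI: a function is recognised only by transaction start (S_TCODE).
TCODE_FUNCTIONS = {
    "WRITE_CHECK": {("S_TCODE", "ZCHK_WRITE")},
    "SEND_CHECK": {("S_TCODE", "ZCHK_SEND")},
}

# Same functions, extended with the service start authorizations (S_SERVICE)
# that a Fiori app relies on instead of a transaction code.
FIORI_FUNCTIONS = {
    "WRITE_CHECK": TCODE_FUNCTIONS["WRITE_CHECK"] | {("S_SERVICE", "ZCHK_WRITE_SRV")},
    "SEND_CHECK": TCODE_FUNCTIONS["SEND_CHECK"] | {("S_SERVICE", "ZCHK_SEND_SRV")},
}

# Constructed effective authorizations per user (object, value).
USER_AUTHS = {
    "gui_user": {("S_TCODE", "ZCHK_WRITE"), ("S_TCODE", "ZCHK_SEND")},
    "fiori_user": {("S_SERVICE", "ZCHK_WRITE_SRV"), ("S_SERVICE", "ZCHK_SEND_SRV")},
    "mixed_user": {("S_TCODE", "ZCHK_WRITE"), ("S_SERVICE", "ZCHK_SEND_SRV")},
    "clerk": {("S_SERVICE", "ZCHK_WRITE_SRV")},
}


def functions_held(auths, function_defs):
    """Return the business functions a set of authorizations grants."""
    return {name for name, grants in function_defs.items() if auths & grants}


def sod_conflicts(users, function_defs, rules=SOD_RULES):
    """Map each user to the SoD rules they violate under the given ruleset."""
    conflicts = {}
    for user, auths in users.items():
        held = functions_held(auths, function_defs)
        hits = [rule for rule in rules if set(rule) <= held]
        if hits:
            conflicts[user] = hits
    return conflicts


def false_negatives(users):
    """Users the transaction-only ruleset misses but the extended one flags."""
    legacy = set(sod_conflicts(users, TCODE_FUNCTIONS))
    updated = set(sod_conflicts(users, FIORI_FUNCTIONS))
    return sorted(updated - legacy)


if __name__ == "__main__":
    print("Flagged by transaction-only ruleset:", sorted(sod_conflicts(USER_AUTHS, TCODE_FUNCTIONS)))
    print("Missed (false negatives):", false_negatives(USER_AUTHS))
```

Running the same comparison against your own role extracts gives a quick list of users whose conflicts only appear once service authorizations are part of the ruleset.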

2) Creating New Roles vs Tweaking Old Ones

Let’s say that your development crew is willing to tackle the challenge of tweaking old security roles/GRC so that everything plays nicely in Fiori, or if that fails, simply creating new roles from scratch. That sounds like a great idea…until you’re dealing with 50 apps and 50,000 custom users. Whether you’re talking about reworking your old security setup or making new security roles from whole cloth, either strategy is pretty time-intensive (and that’s not including all the time and energy you’ll need to spend keeping up with change management).

So if there are problems with rewriting old security roles and problems with creating new ones, what’s the solution? Easy—enlist an expert.

Enlist the Experts

We know that nobody out there knows your current SAP setup in as much depth as your internal team does. But one advantage offered by a third-party consultant is their breadth of knowledge. By working with a wide variety of clients and setups, an expert consultant can give you the advice and insight you need to avoid common mistakes, blind alleys, and solutions that sound great (until they aren’t). An experienced consultant will help you figure out the best way to upgrade your security roles in light of SAP Fiori’s changes, saving you a ton of time, energy, and headaches.


There’s no question that Fiori has made the SAP platform more powerful and easier to use than ever. Still, the behind-the-scenes changes needed to make this upgrade possible will also affect your security roles. And if you need someone to help make sure you’ve updated them correctly and efficiently, Surety Systems has got your back. Our US-based senior-level SAP consulting team has the knowledge, experience, and skills to help ensure your company can make the most of SAP Fiori and do so securely.

Contact us today to get started.

Myth #2—Activating SAP Fiori in SAP S/4HANA is Merely a Technical Task

From a technical standpoint, activating a group of apps through task lists in SAP S/4HANA is a pretty easy task, so long as you follow SAP Best Practices guides. But then things start to get a little complicated…

While most apps work just fine once they’ve been activated, some of them require additional functional configuration by default. Add in the fact that most Fiori apps allow you to customize them to best suit your needs, and it’s easy to see why you should consider all the related apps in a delivered business catalog, not just the apps that come up as tiles on the home page.

So if the technical part of activating SAP Fiori in SAP S/4HANA isn’t much trouble, what’s the problem? The issue is that companies that focus solely on the technical aspect of activating SAP Fiori in SAP S/4HANA aren’t spending as much time as they should on the non-technical side of things, including:

  • Putting together a dedicated project team to understand the new user experience, extensibility options, and how to make the most out of common features as part of your business process design.
  • Determining the right functional fit of the apps that will best match your business processes, roles, and tasks.
  • Setting the standards for governance on the user experience extension options and custom developments.
  • Optimizing the user experience for your business roles, across all functional silos and common features.

A bit like someone who pays money to enter a race only to show up in lead shoes, companies that don’t take into account the non-technical side of their SAP Fiori project are doing themselves a disservice. 

Speaking of focusing too much on the technical side of things, that brings us to Myth #3.

Myth #3—Your Project’s User Experience Focus Should Be the Technical Aspect

People new to SAP S/4HANA and SAP Fiori sometimes find it tough to really “get” user experience. We’ve found it easiest to think about it in terms of three main categories: People, Process, and Technology. While all three areas deserve time and energy, we’ve found that putting people at the center of your UX strategy leads to better outcomes. And if you want that to happen, you not only need the right project team for the job, you need to designate a user experience (UX) lead to take a holistic view of how all the elements of the user experience will come together.

Far too often, organizations don’t designate a UX lead at all, which means anything of central use, or anything that cuts across functional teams, can fall through the cracks. Or companies pick someone with the right technical skills but not the right outlook. In addition to their functional/technical background, a great UX lead must have a people-first outlook, always thinking about the person who’s going to log in on day one of go-live. And don’t forget about communication skills! It’s vital that your UX lead is able to effectively coordinate across all appropriate business units while working on your project.


In every project, there are always going to be areas where you and your team excel, as well as areas where you struggle. We think the best strategy for handling the latter is through preparation, education, and having a third-party expert on your team. That’s where we can help. 

Our SAP consultants know how Fiori integrates with the rest of your SAP platform, not to mention plenty of ways to avoid potential Fiori road bumps before they become massive sinkholes. Based in the US (so they can work on your schedule), our top-tier SAP consultants can help you configure your apps, making sure you’re getting the most out of all the innovations SAP Fiori has to offer. 

Contact us today to learn more.
