If you’re not already familiar with SAP Fiori, here’s a quick refresher—the latest and greatest UX (user experience) for SAP, Fiori offers users even more power and flexibility in how they use the solution, all thanks to a new programming model. Of course, this new programming model also comes with a number of new security roles, which means you’ll need to update your current setup (and in some cases, even rewrite your roles entirely).

In this article, we’ll go over some specific reasons why Fiori means you’ll need to rethink your SAP security roles, why your current GRC (Governance, Risk, and Compliance) solution might not cut it, and the best strategy for ensuring your org keeps its data safe and sound.

Why Rethink SAP Security Roles?

Businesses that use SAP are trusting the solution with all sorts of sensitive information, as it can handle everything from business secrets to private employee data, all of which need to be kept secure. After all, a situation where the same employee can write a check, sign it, and then send it out is absolutely ripe for abuse. And if you agree with all of the above, you might be thinking to yourself, “Well, obviously. But I already take advantage of GRC. What is it about Fiori that means I need to create new security roles?”

Good question! Here are two big reasons why:

1) GRC’s False Negatives

With Fiori’s predecessor, SAP GUI, many GRC access control solutions ensured that only authorized users were able to perform a given transaction by checking transaction authorizations against a set of Segregation of Duties (SoD) rules. In the situation we illustrated above, for example, if a user who wrote a check also tried to send it with SAP GUI, GRC would flag that as a conflict.

But because SAP Fiori doesn’t directly interact with transactions, the authorization model has changed. If you rely on GRC to check for SoD conflicts, you might get false negatives. It’s certainly possible to rework your current GRC setup to take Fiori’s new architecture into account, but there are downsides to that strategy as well.
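To make the false negative concrete, here is an added example (not code from SAP or any GRC product) that runs the same check-writing SoD rule twice: once with a rule set that only knows transaction codes, and once with a rule set that also maps the services a Fiori app calls. It assumes Fiori access is granted through a service authorization rather than a transaction code, and every role, user, transaction, and service name is a constructed placeholder.

```python
# Constructed example: every role, user, transaction and service name is a placeholder.
SOD_RULES = [("WRITE_CHECK", "SEND_CHECK")]  # no user may hold both functions

# Business function -> permissions that grant it. ("tcode", X) models starting a
# transaction in SAP GUI; ("service", X) models the backend service a Fiori app
# calls (assumption: Fiori access is granted without the transaction code).
TCODE_ONLY = {
    "WRITE_CHECK": {("tcode", "ZCHK_WRITE")},
    "SEND_CHECK": {("tcode", "ZCHK_SEND")},
}
FIORI_AWARE = {
    "WRITE_CHECK": {("tcode", "ZCHK_WRITE"), ("service", "ZCHK_WRITE_SRV")},
    "SEND_CHECK": {("tcode", "ZCHK_SEND"), ("service", "ZCHK_SEND_SRV")},
}

ROLES = {
    "Z_GUI_CHECK_WRITER": {("tcode", "ZCHK_WRITE")},
    "Z_GUI_CHECK_SENDER": {("tcode", "ZCHK_SEND")},
    "Z_FIORI_CHECK_SENDER": {("service", "ZCHK_SEND_SRV")},
}
USERS = {
    "alice": ["Z_GUI_CHECK_WRITER", "Z_GUI_CHECK_SENDER"],    # both via SAP GUI
    "bob": ["Z_GUI_CHECK_WRITER", "Z_FIORI_CHECK_SENDER"],    # one via GUI, one via Fiori
    "carol": ["Z_FIORI_CHECK_SENDER"],                        # single function, no conflict
}

def user_functions(user, function_map):
    """Business functions a user can perform under the given rule-set mapping."""
    perms = set().union(*(ROLES[role] for role in USERS[user]))
    return {func for func, grants in function_map.items() if perms & grants}

def sod_conflicts(function_map):
    """Return {user: [violated rules]} for every user who breaks an SoD rule."""
    conflicts = {}
    for user in USERS:
        held = user_functions(user, function_map)
        hits = [rule for rule in SOD_RULES if set(rule) <= held]
        if hits:
            conflicts[user] = hits
    return conflicts

def false_negatives():
    """Users the transaction-only rule set misses but the Fiori-aware one flags."""
    return sorted(set(sod_conflicts(FIORI_AWARE)) - set(sod_conflicts(TCODE_ONLY)))

if __name__ == "__main__":
    print("tcode-only conflicts: ", sod_conflicts(TCODE_ONLY))
    print("fiori-aware conflicts:", sod_conflicts(FIORI_AWARE))
    print("missed by tcode-only: ", false_negatives())
```

The same comparison run against your own role export and rule set shows which users a transaction-only check would let through.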

2) Creating New Roles vs Tweaking Old Ones

Let’s say that your development crew is willing to tackle the challenge of tweaking old security roles/GRC so that everything plays nicely in Fiori, or if that fails, simply creating new roles from scratch. That sounds like a great idea…until you’re dealing with 50 apps and 50,000 custom users. Whether you’re talking about reworking your old security setup or making new security roles from whole cloth, either strategy is pretty time-intensive (and that’s not including all the time and energy you’ll need to spend keeping up with change management).

So if there are problems with rewriting old security roles and problems with creating new ones, what’s the solution? Easy—enlist an expert.

Enlist the Experts

We know that nobody out there has the depth of knowledge about your current SAP setup that your internal team does. But one advantage offered by a third-party consultant is their breadth of knowledge. By working with a wide variety of clients and setups, an expert consultant can give you the advice and insight you need to avoid common mistakes, blind alleys, and solutions that sound great (until they aren’t). An experienced consultant will help you figure out the best way to upgrade your security roles in light of SAP Fiori’s changes, saving you a ton of time, energy, and headaches.


There’s no question that Fiori has made the SAP platform more powerful and easier to use than ever. Still, the behind-the-scenes changes needed to make this upgrade possible will also affect your security roles. And if you need someone to help make sure you’ve updated them correctly and efficiently, Surety Systems has got your back. Our US-based senior-level SAP consulting team has the knowledge, experience, and skills to help ensure your company can make the most of SAP Fiori and do so securely.

Contact us today to get started.