Starting a migration project? Consider these things when converting SAP ERP authorizations to SAP S/4HANA

SAST Blog: Starting a Migration Project? Consider These Things when Converting SAP ERP Authorizations to SAP S/4HANA.The upgrade from SAP ERP to SAP S/4HANA also involves a changeover to a new technology. This offers new possibilities thanks, to the increased speed of the SAP HANA in-memory database, as well as an improved user experience through the new FIORI UI. At the same time, however, the implementation of SAP S/4HANA also presents many enterprises with the difficult challenge of planning and executing their migration projects correctly: existing processes and role concepts have to be reconsidered.


Clarify Crucial Questions Before Starting the Migration Project.

In our projects, we have experienced situations far too often in which the persons responsible aren’t really aware of the challenges that face them – particularly in extensive projects like migrating from SAP ERP to SAP S/4HANA. Because the new SAP S/4HANA solution is not an enhancement to SAP ERP, but instead must be considered an entirely new product, it is crucial to clarify fundamental questions that involve the migration approach ahead of time:

  1. Should choose a greenfield approach and do an initial install?
  2. Alternatively, should we choose a brownfield approach and try to minimize the effort required?
  3. Do we want to take a selective data approach, seizing the opportunity to transfer good processes and rebuild obsolete processes?
  4. Should we choose central hub deployment, to present the Fiori apps centrally on the front-end server?
  5. Or should we choose embedded deployment, which means we can’t take advantage of front-end/back-end separation?

When designing your SAP S/4HANA authorization concept, the quality of your current roles is a factor in determining whether the brownfield or the greenfield approach is right for you. Our SAP S/4HANA experts will be happy to support you in these decisions as part of a pilot authorization study.

The use of Fiori apps requires enterprises to make another key decision:

  • Should we follow a Fiori-first approach and give employees a new user experience?
  • Should we postpone the decision on Fiori apps until the end of the project and then decide what to do with Fiori?
  • Another possibility is to leave Fiori out completely and pass up the benefits that the apps offer – at least at first.

Changed Authorizations Are Pitfalls, Because Conversions Are Often Neglected.

As you can see, significant decisions have to be made in the run-up to any SAP migration project, temping enterprises to put the topic of changed authorizations on the back burner. They often underestimate the massive effort involved in converting the SAP authorizations. In addition to the more obvious Fiori issues, the replaced, obsolete, and new SAP S/4HANA transactions represent another pitfall.

The scope and complexity of this task for your enterprise is described by SAP in a dedicated “simplification list” – that is over 1,000 pages long. But this list isn’t the only source you should trust for a successful migration. The Fiori apps reference library is another. It describes the new Fiori catalogs and groups for the individual transactions and apps. As such, significant manual effort will be required to identify the necessary changes in your authorization roles.

What’s more, the conversion and changes at the transaction and authorization object levels require more detailed revision of the roles. The end result of these factors: the authorization concept you have used to date will require optimization and adjustments. However, many enterprises lack the resources needed to execute a full migration successfully.

Role Conversion: Clear Role Management Thanks to the SAST SUITE.

SAST Role Management lessens the load when it comes to these decisions and processes. It analyzes your existing roles and determines a recommendation as to whether migration or a full redesign of the roles makes more sense in your case.

Tools help you identify obsolete, replaced, and suitable Fiori apps, with checking rules based on the simplification list, the Fiori apps reference library, and other sources for the SAP S/4HANA system. The authorization objects in SU24 are also updated, to enable use of the roles in the new SAP S/4HANA system.

If your enterprise is following a Fiori strategy that includes using apps, you can add the matching SAP standard catalogs and groups to the roles. 

SAST Blog: Starting a Migration Project? Consider These Things when Converting SAP ERP Authorizations to SAP S/4HANA

Streamline Roles First, Then Start the Migration Project.

As most specialist departments know, even the best initial role concept is diluted over time due to constant adjustments. Although these adjustments are often minor, in sum they can represent a critical security risk over time. Many of the transactions implemented in roles are no longer used; users may have been assigned critical authorizations and SoD conflicts that aren’t used at all in day-to-day business. The SAST SUITE helps you to identify these transactions, remove them, and streamline your roles through SoD analysis and transaction usage statistics – all before the migration. This approach guarantees that avoidable risks don’t have a chance to establish a foothold in your new SAP S/4HANA at all.

SAST Blog: Starting a Migration Project? Consider These Things when Converting SAP ERP Authorizations to SAP S/4HANA

Does your enterprise face the challenge of migrating a legacy SAP ERP system to SAP S/4HANA? Then conserve your resources by automating your SAP role generation. With SAST Role Management, we offer an ideal solution for optimizing your existing roles and migrating them to a clear role management concept – efficiently, securely, and cost-effectively. You can choose whether you want to build on the predefined role templates in the SAST SUITE or determine your roles automatically, through automated analysis of your user activities and transaction usage. Changes can be carried out quickly and trouble-free.

Our SAP S/4HANA experts will also support you in rendering the authorization structures behind the Fiori apps transparent – particularly in complex SAP landscapes with a combination of Fiori front-end and SAP back-end servers. You not only get a detailed record of user activities, but also a code analysis of the executed reports – an immense gain for your optimized journey to SAP S/4HANA.

Have we sparked your interest? If so, visit our website or e-mail us.

Paul Michaelis (SAST SOLUTIONS by akquinet AG)
Paul Michaelis (Consultant SAP S/4HANA Authorizations, SAST SOLUTIONS)

Would you like to learn more about this topic? Then feel free to visit our webinar on August 25 “Tips for the secure conversion of your SAP ERP roles to S/4HANA”. Register now:


This might interest you too:

Adapting authorization management in a central hub SAP S/4HANA system – save valuable time with the right strategy and the right administration tool

SAP S/4HANA authorizations – it’s your choice: brownfield or greenfield