Efficient Data Management in Healthcare Using SAP Master Data Governance

SAP’s Master Data Governance application provides an integrated data management capability for the creation, maintenance, validation, and distribution of master data across the enterprise. If you already have an SAP ERP system, then adding SAP Master Data Governance accelerates the master data maintenance process, leading to enhanced quality of your master data by leaps and bounds.

This tool improves master data quality and ensures compliance with the legal requirements, for instance, by enforcing validation rules already available in SAP ERP Central Component (SAP ECC). Additionally, the automated workflow emails in SAP Master Data Governance facilitate the stabilization and acceleration of the maintenance and overall business processes. The new SAP S/4HANA version also allows enhanced master data consolidation, mass processing, data remediation, and central governance activities. One of the new features is de-duplication of active master data records. SAP S/4HANA also facilitates integration with SAP Data Services and SAP Information Steward for quality, cleansing, enrichment, and data remediation.

SAP Master Data Governance Overview

The SAP Master Data Governance tool permits master data volumes up to one million records per data object. As hospitals become bigger, branch out, and internationalize, a stable tool such as SAP Master Data Governance can help in maintaining the integrity and sanctity of master data, which is essential to establishing a sound foundation. A single digit mismatch in a vendor’s bank account, an inconsistency in a customer’s ship-to address, or an incorrect description in a material master can hamper business, delay deliveries, and result in a loss of revenue. The details of a drug, surgical appliance, and equipment all reside in ERP as master data. Inefficient master data practices over a period of time can lead to staggering financial risk for a hospital. It also could jeopardize human health and lives.

According to Kiran Rajaya at Baylor College of Medicine in Houston, “One of the most critical assets to our business is our customer database. Master data related to customers are pivotal to our survival as an organization. All services are ultimately driven by customer demand.”

Some companies implement SAP core modules first and then graduate to stable long-term master data management and governance strategies. This approach enables them to maximize future sales potential while continuing day-to-day business activities. On the other hand, new users of SAP applications in the process of migrating legacy data focus on efficiently converting and enriching the data into the correct SAP ECC format. Extract, transform, and load (ETL) activities have taken the front seat. Once the initial tables are loaded, their integrity is maintained by ensuring that the data is cleansed, standardized, and up-to-date. Without this conversion taking place first, users would not be able to execute business transactions in SAP ECC that require master data. They also would not have relevant data to feed into SAP BusinessObjects for reporting. According to HG Data, medical industry leaders such as AstraZeneca have implemented SAP Master Data Governance for streamlining their data governance processes.

Process Areas

For hospitals considering new master data solutions, here are some examples of legacy data objects that could be migrated to SAP Master Data Governance. This exact list of objects would vary for each hospital based on its scope of operations, but at a high level, business process integration considerations could start with the following areas:

Procure to Pay (P2P)

P2P encompasses the end-to-end process of purchasing stocked items and consumables required for daily operations. Healthcare organizations complete numerous purchases of material from external vendors. The procurement teams are constantly trying to quantify medicine estimates, select the correct procurement methods (external or internal), prequalify vendors, and check the quality of products purchased. Subprocesses such as batch management and shelf life management of materials need closer monitoring. The buyers’ effort revolves around managing tenders, signing outline agreements or scheduling agreements with vendors, negotiating best prices, and ensuring adherence to agreed-upon terms. To alleviate some of these inherent complexities, an efficient SAP Master Data Governance implementation can go a long way. SAP Master Data Governance modules that need special emphasis include:

Supplier management: Maintenance of accurate vendor data, such as address, bank account details, purchasing data, and partner functions.

Material master process: Creation, maintenance, and deactivation of material master records in the ERP system.

Record to Report (R2R)

R2R is a finance and accounting process that revolves around capturing, processing, recording, and reporting relevant and accurate financial information. Some of this data is required for regulatory external financial reporting in SAP ERP Financials (FI), and some of it is for internal SAP Controlling (CO) purposes. SAP Master Data Governance modules covered as a part of this article include:

FI-related governance: Equip the hospital with tools to govern entities such as general ledger (G/L) accounts, the financial reporting structure, and company codes.

CO-related governance: Provide the capability to govern the CO-related master data such as profit center, cost center hierarchy, and cost center.

Order to Cash (OTC)

OTC refers to the set of business processes for setting up customers in an SAP system, receiving and processing sales orders for goods and services, and receiving customers’ payments.
Customer management is part of the OTC stream. The SAP Master Data Governance module that needs emphasis here is:

Customer management: Address information, company code data, and sales area data.

In the words of Dr. Aditya Joshi at the University of Texas Medical Branch at Galveston, “Master data duplication at the various centers often gets ignored for a long time. The same material or reagent may get created in multiple databases with slight variations and this goes unnoticed to the human eye.”

In the next sections we drill down into some of the master data creation areas that are relevant for healthcare organizations.

Master Data Creation Areas

In this section we discuss the following master data creation areas:

  • Vendor master data
  • Material master data
  • General ledger (G/L) accounts
  • Controlling (CO) master data
  • Customer master data

Vendor Master Data

Supplier data is maintained in SAP ECC in the views shown in Figure 1.

Figure 1 — Display of supplier data views in SAP ECC

This data is used downstream for the creation of purchase requisitions, purchase orders, contracts, scheduling agreements, quotations, and source of supply. The upstream starting point of vendor master data is in SAP Master Data Governance, at the Supplier Governance dashboard (Figure 2). This section provides a high-level view of all open requests and a link to create, edit, or delete vendors. This includes functionality for data replication, processing of multiple vendors, and personal workflow queue status.

Figure 2 — Dashboard view of SAP Master Data Governance Supplier Governance

In the Create vendor screen (Figure 3), general, purchasing, and company code information is populated for new vendors. After the SAP Master Data Governance data is saved, the approval workflows are triggered. After the data custodians provide the approvals, the data is syndicated to SAP ECC and other downstream systems.
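The approval step above is where a data custodian wants validation rules to have already run. As an added example (not SAP code and not part of the original article), the following Python models two checks that address concerns raised earlier in this article: the ISO 13616 mod-97 checksum on the supplier's IBAN, which rejects the single-digit bank account mismatch mentioned above, and a duplicate check of the request against existing suppliers on bank account and normalized name. The record layout, the sample suppliers, the legal-suffix list and the finding texts are constructed assumptions; the IBANs are well-known public test values, not real accounts.

```python
import re
from dataclasses import dataclass


# Assumed, simplified supplier record; the real MDG supplier model has many more fields.
@dataclass(frozen=True)
class SupplierRequest:
    name: str
    city: str
    iban: str


LEGAL_SUFFIXES = {"inc", "ltd", "llc", "gmbh", "co", "corp", "plc"}  # assumption


def normalize_iban(iban: str) -> str:
    """Strip the spaces users type between groups and upper-case the letters."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check. Because 97 is prime, changing any single digit
    changes the remainder, so a one-digit typo can never pass."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]                                  # country code + check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)    # A=10 ... Z=35
    return int(numeric) % 97 == 1


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and legal-form suffixes so that
    'Acme Surgical Supplies Ltd.' and 'ACME SURGICAL SUPPLIES' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def validate_request(request: SupplierRequest, existing: list[SupplierRequest]) -> list[str]:
    """Return the findings for a change request; an empty list means it may go to approval."""
    findings = []
    if not iban_checksum_ok(request.iban):
        findings.append("IBAN fails mod-97 checksum")
    req_iban = normalize_iban(request.iban)
    req_name_key = (normalize_name(request.name), request.city.strip().lower())
    for other in existing:
        if normalize_iban(other.iban) == req_iban:
            findings.append(f"duplicate bank account of existing supplier '{other.name}'")
        elif (normalize_name(other.name), other.city.strip().lower()) == req_name_key:
            findings.append(f"possible duplicate of existing supplier '{other.name}'")
    return findings


# Constructed sample data.
EXISTING_SUPPLIERS = [
    SupplierRequest("Acme Surgical Supplies Ltd.", "Houston", "GB82 WEST 1234 5698 7654 32"),
]


def run_example() -> dict[str, list[str]]:
    """Validate three constructed change requests against the existing suppliers."""
    requests = {
        "same bank account, restyled name": SupplierRequest("ACME SURGICAL SUPPLIES", "houston", "GB82WEST12345698765432"),
        "one digit wrong in IBAN": SupplierRequest("Medline Reagents GmbH", "Galveston", "GB82 WEST 1234 5698 7654 33"),
        "clean new supplier": SupplierRequest("Medline Reagents GmbH", "Galveston", "DE89 3704 0044 0532 0130 00"),
    }
    return {label: validate_request(req, EXISTING_SUPPLIERS) for label, req in requests.items()}


if __name__ == "__main__":
    for label, findings in run_example().items():
        print(f"{label}: {findings or 'OK'}")
```

The point of the name normalization is that a duplicate vendor with the same bank account is the case that matters for payments, so the bank account match is reported first and the name match only as a fallback; a request that trips either finding should stay in the change request and never reach syndication to SAP ECC.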

Figure 3 — SAP Master Data Governance form called Change Request (CR) to maintain vendor master data

Material Master Data

Now we’ll explain material master data creation. Before we can delve into the actual material creation, however, it’s imperative to understand how materials are housed and stored in hospitals. Figure 4 diagrams how material masters are configured and stored in the system.

Figure 4 — Plant warehouse structure in the Materials Management module

The material master can be categorized as global data or local data.

Global data resides in SAP Master Data Governance and contains the information describing the material characteristics per a global data standard that is relevant at all plants. These field values are consistent everywhere the material is used globally (for example, dimensions or unit of measure).

Local data contains plant-specific and storage location-specific data attributes that describe how the material is purchased, valuated, used, or stored in the warehouse. These views may vary between plants and storage locations (for example, product price or value at a specific location).
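The "same material created in multiple databases with slight variations" that Dr. Joshi describes above is something a consolidation step can catch on the global data, because the description is the same everywhere the material is used. As an added example (not SAP Master Data Governance code), the following Python reduces each description to a normalized key and groups material numbers that share one. The material numbers, descriptions and the unit alias table are constructed.

```python
import re
from collections import defaultdict

# Assumed alias table: spellings that mean the same unit in free-text descriptions.
UNIT_ALIASES = {
    "milliliter": "ml", "milliliters": "ml", "millilitre": "ml", "millilitres": "ml",
    "liter": "l", "litre": "l", "gram": "g", "grams": "g",
    "pcs": "pc", "piece": "pc", "pieces": "pc",
}
UNITS = set(UNIT_ALIASES.values()) | {"mg", "kg", "cm", "mm"}


def normalize_description(description: str) -> str:
    """Reduce a free-text material description to an order-independent key.
    Case, decimal comma, spacing before %, unit spelling, punctuation and
    number/unit spacing are removed; the remaining tokens are sorted."""
    s = description.lower()
    s = re.sub(r"(\d),(\d)", r"\1.\2", s)    # 0,9 -> 0.9
    s = re.sub(r"(\d)\s*%", r"\1%", s)        # 0.9 % -> 0.9%
    s = re.sub(r"[^a-z0-9%.\s]", " ", s)      # commas, slashes, dashes -> space
    raw = (tok.strip(".") for tok in s.split())
    tokens = [UNIT_ALIASES.get(t, t) for t in raw if t]
    merged: list[str] = []
    for t in tokens:
        if merged and t in UNITS and re.fullmatch(r"\d+(\.\d+)?", merged[-1]):
            merged[-1] += t                   # 500 ml -> 500ml
        else:
            merged.append(t)
    return " ".join(sorted(merged))


def find_duplicate_groups(materials: dict[str, str]) -> dict[str, list[str]]:
    """Map each normalized key that more than one material shares to the sorted material numbers."""
    groups: dict[str, list[str]] = defaultdict(list)
    for material_number, description in materials.items():
        groups[normalize_description(description)].append(material_number)
    return {key: sorted(ids) for key, ids in groups.items() if len(ids) > 1}


# Constructed sample material masters: two pairs of variants, one abbreviation, one different size.
SAMPLE_MATERIALS = {
    "M-1001": "Sodium Chloride 0.9% 500ml Bag",
    "M-1002": "sodium chloride 0,9 % 500 mL bag",
    "M-1003": "Nitrile Exam Gloves, Medium, 100 pcs",
    "M-1004": "Nitrile exam gloves medium 100 pieces",
    "M-1005": "NaCl 0.9% 500ml bag",
    "M-1006": "Sodium Chloride 0.9% 1000ml Bag",
}


if __name__ == "__main__":
    for key, ids in find_duplicate_groups(SAMPLE_MATERIALS).items():
        print(f"{ids} share key '{key}'")
```

A normalized key catches spelling and formatting variants only: M-1005 uses the abbreviation NaCl and is not grouped, and M-1006 is correctly kept apart because the pack size differs. Abbreviation and synonym variants need a synonym list or fuzzy matching, which this example does not attempt.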

The starting point of creating the material master data in SAP Master Data Governance is at the Material Master dashboard (Figure 5). The right side includes important functionality and features such as a workflow inbox for approvals, and on the left side, users can see their change request statistics. To access this screen use transaction code NWBC (NetWeaver Business Client) in SAP ECC. This view is available in SAP NetWeaver Business Client based on your security access in SAP ECC.

Figure 5 — Dashboard view of Master Data Governance Material Data Governance

Some data elements configured in SAP ECC, but captured in SAP Master Data Governance, include the following:

Material Type: The Material Type determines the basic character of the material master record and determines which fields are displayed on the screens when you enter, change, or display material master data. The Material Type also determines which fields are optional or mandatory. It determines whether a material is managed on a value basis or a quantity basis. The Material Type also determines whether a material is externally procured or internally produced.

The material global data such as description, base unit of measure, and material group is populated in the screen shown in Figure 6.

Figure 6 — Master Data Governance change request form

You enter plant data for a new material, or storage location-specific data, in the sections shown in Figure 7.

Figure 7 — Master Data Governance material change request form for plant-related data

G/L Accounts 

Financial master data setup in SAP Master Data Governance includes G/L accounts. G/L master records typically consist of a chart of accounts segment and a company code-specific segment. Information that is entered in the chart of accounts segment (for example, a description) applies to all company codes across the client. The Financial Accounting Governance dashboard (Figure 8) is the starting point for maintaining G/L accounts.

Figure 8 — Dashboard view of Master Data Governance Financial Accounting Governance

Figure 9 lists some of the fields that need to be populated while creating new G/L accounts in SAP Master Data Governance.

Figure 9 — List of fields required for creating new G/L accounts

CO Master Data

The CO master data setup in SAP Master Data Governance includes cost center and profit centers. The cost center is an object within a controlling area that represents a clearly defined location where costs are incurred (for example, marketing, physician’s payroll costs, and so on). Organizational divisions that are created can be based on a functional area or activity; they also can be spatial or based on a responsible person. The one-stop shop for such data is the Financial Controlling Governance dashboard (Figure 10).

Figure 10 — Dashboard view of Master Data Governance Financial Accounting Governance

Figure 11 shows the sections of the Cost Center screen.

Figure 11 — Master Data Governance Change Request (CR) form for Cost Center master data maintenance

Customer Master Data

Customer master data contains the information about the buyers that a hospital supplies goods or services to or does business with. While the general data is global, the sales data is specific to the sales area and relevant to the sales organization, distribution channel, and division. Company code data includes fields such as accounting info, interest calculation, payment terms, and insurance terms. Figure 12 shows the customer master data views.

Figure 12 — Customer master data views captured in SAP ECC

According to Dr. Tarun Ghosh at Coliseum Northside Hospital, “Whenever evaluating new software products for our hospital, we lay special emphasis on the overall implementation cycle time and any potential adverse impact to the ongoing business.”

One of the advantages of implementing SAP Master Data Governance at hospitals is the relatively short implementation cycle. Much of the technical functionality of SAP Master Data Governance is model driven and supports a coding-free implementation. Techno-functional consultants can play both the functional and the technical role with ease and implement SAP Master Data Governance. Many consultants are well versed with the standard technical components such as SAP Business Workflow, the Business Rule Framework, and the Advanced Business Application Programming (ABAP) Dictionary that are used across several SAP products and modules. Such workforce functions can be smoothly transitioned over to the SAP Master Data Governance module with limited training. Many organizations upgrade to SAP Master Data Governance from their legacy master data systems such as SAP ECC. Just blueprinting some basic concepts such as data modeling, workflow, and SOA Manager/IDoc replication setup can easily get your healthcare organization started on this journey.

(Note: SOA Manager is used for the configuration of service providers and consumer proxies in a local system. Execute transaction code SOAMANAGER to access it.)

Simplify Release Strategy Decisions in Procurement with Business Rule Framework Plus (BRFplus)

Every procurement organization has its own complex business rules and processes for purchase orders and requisitions, uniquely designed to meet their own needs. To help its customers avoid errors and risks when processing purchase orders and requisitions, the standard SAP system delivers an approval process via a release strategy concept, which companies often adapt to their specific needs by adding enhancements and custom logic to ABAP code. While this tailors release strategies to individual organizations, it can place an extra burden on the system, and the added development and testing can require a lot of effort and can be cumbersome and expensive to maintain.

Business Rule Framework Plus (BRFplus) can help make this easier. BRFplus is an SAP NetWeaver-based business rules framework that integrates with ABAP to make decisions based on the business rules defined within the framework. Using transaction codes BRF+ or BRFPLUS, you can add any number of rules and logic as reusable enhancements to the standard BRFplus framework. This step can be done via database lookups, decision trees, decision tables, loops, variables, if-else logic, Boolean logic, and formulas in a user-friendly way and with minimal effort. BRFplus then processes the defined rules and produces the derived output, which is passed to SAP ERP Central Component (SAP ECC) through a function that you create in BRFplus.

Here, I provide an example in which I have used BRFplus to help simplify the decision-making process for determining the release strategy for purchase orders. It picks up the appropriate release strategy based on a purchase price variance that otherwise would have required complex ABAP development with multiple lines of code. Note that although my example is specific to a release strategy, BRFplus can also be used for many other tasks, such as mapping complex business rules, enabling you to eliminate copious lines of ABAP code. You can also perform simulations and volume testing to test the functionality of the BRFplus objects you have developed using a variety of test data via file uploads. This way, you can ensure that the BRFplus objects satisfy your business needs before they are called in your ABAP applications.

In short, BRFplus development includes two steps:

  1. Creating a function in BRFplus that uses rules, decision tables, decision trees, database lookups, Boolean logic, and formulas to generate an output.
  2. Calling the created BRFplus function through ABAP in a user exit, enhancement, Business Add-In (BAdI), or custom program.

In the following business scenario, I use BRFplus to create rules that help determine the appropriate release strategy for a purchase order when it is created in the system.

The Business Scenario

Let’s take a look at the parameters for the example business scenario. For material group ABC, if the purchase order (PO) price exceeds the standard price of the PO by $500, only then should the release strategy trigger a request for manager approval of the PO. For material group XYZ, if the PO price exceeds the standard price by $300, only then should the release strategy trigger a request for manager approval of the PO.

An SAP standard release strategy does not support this type of triggering and would require custom ABAP development. With BRFplus, however, it can be achieved by writing a few simple rules.

Writing Rules with BRFplus

Here, I show you how to complete the six steps necessary for writing rules with BRFplus that can help determine the right release strategy for a purchase order.

Step 1: Create an Application

The first step is to create an application. An application serves as a kind of mini project — you can group all the rules, expressions, data objects belonging to the same project, or all the functionality belonging to a project, into one application.

To create an application, execute transaction code BRFPLUS, and click on the Create Application button, which brings you to Figure 1. In the General Data section, enter the name of the application in the Name field (BRF_DEMO_PROJECT in the example), and in the Short Text field, enter a brief description.

Figure 1 — Name the application and add a brief description

In the Application section, select the Storage Type, which offers three options: Customizing, Master Data, and System. For the example, choose Customizing and for simplicity, create the application as a local copy, which will not ask for a Transport Request number. Note that if you want to move the application to higher environments, you will need to configure it as a transportable object. Keep in mind that while Customizing and System storage types can be created either locally or transportable to higher environments, the Master Data storage type can only be created locally, just like in SAP ECC, where we create/modify master data objects locally in any environment. The Development Package and Software Component fields are filled in by default when you create it as a local application; when it is not created as a local application, you need to specify the development package and software component.

Once you have completed the settings, click on the Create And Navigate To Object button.

Step 2: Define Data Elements

BRFplus allows you to create new data elements not available in SAP ECC or use data dictionary (DDIC) elements from SAP ECC.

To define data elements, right-click on the application name (BRF_DEMO_PROJECT) and follow the menu path Create > Data Object > Elements (Figure 2). Choosing the Mass creation option enables you to create multiple data elements all at once.

Figure 2 — Create the data elements

Figure 3 shows the data elements selected for the example. Note that PRICE DIFF is a new custom field we are defining, with the Built-In Type, for this application, which will be used for holding the variance between the PO price and the standard price of the material that will be derived later, and the remaining fields are SAP ECC data dictionary elements. After you click on the Ok button to save the fields, activate them by either right-clicking on the object and selecting Activate or by clicking on the Activate button at the top of the screen.

Figure 3 — The data elements selected for the example

All the data objects, expressions, rules, and functions need to be activated or they cannot be used in the follow-on functions (that is, the expressions, rules, functions, and rulesets) that we will create in the next steps.

Step 3: Create Expressions

In this step, you have a lot of different options for expressions, as shown in Figure 4. You can choose the expression that best fits your purpose.

Figure 4 — Create an expression

To create an expression, right-click on the application name (BRF_DEMO_PROJECT) and follow the menu path Create > Expression. For the example, you want to calculate the price difference between the PO price and the standard price, so choose Formula for the type of expression and name it PRICE_DIFF.

To write the formula expression, select the newly created formula expression and use the data elements defined earlier, which you can select in the Context section in Figure 5. You can also use the Formula Functions shown here for converting the value to absolute (ABS), to number (TONUMBER), and so on.

Figure 5 — Write the formula expression using the previously defined data elements

In the Result Data Object field, select the data element PRICE_DIFF from the dropdown that displays by clicking on the field. The result of the formula expression will be saved in the PRICE_DIFF data object, which is the custom data element defined earlier in Step 2. Save and activate the formula expression by clicking on the Ok button and then either right-clicking on the expression and selecting Activate or by clicking on the Activate button at the top of the screen.

Next, we create two decision trees for the formula expression results: one for a result of >500 and another for a result >300.

First, create DECISIONTREE_ABC. This decision tree calls the PRICE_DIFF formula expression (Figure 6). If the value of the formula expression is >500, the output value is 60; otherwise, it gives an output of zero. This output value is stored in the object BRF_OUTPUT_VALUE as defined by the Result Data Object field. The BRF_OUTPUT_VALUE object must be defined as a Built-In Type data element just like the PRICE_DIFF object we defined earlier.

Figure 6 — Create a decision tree for a formula expression result of >500

Next, create DECISIONTREE_XYZ (Figure 7). With this decision tree, if the result of the formula expression is >300, the output value is 60; otherwise, it is 0.

Figure 7 — Create a decision tree for a formula expression result of >300

Figure 8 shows the SAP ECC fields that can be used to hold BRFplus values for determining the release strategy. Any of the four fields shown can be used for this purpose — for the example, we use the SAP ECC field CEKKO-USRN1 to store the output value returned by BRF_OUTPUT_VALUE after processing the decision trees.

Figure 8 — The SAP ECC fields that can be used to hold BRFplus values for determining the release strategy

To add the BRFplus function to the CEKKO-USRN1 field, use transaction CT04 (Characteristic Maintenance) to map the PO_BRF characteristic to the field (Figure 9). Then, using transaction CL02 (Change Class), assign the PO_BRF characteristic to the PO release strategy class REL_PUR (Figure 10).

Figure 9 — Define the PO_BRF characteristic and map it to the CEKKO-USRN1 field in transaction CT04

Figure 10 — Assign the PO_BRF characteristic to the REL_PUR PO release strategy class in transaction CL02

The value derived from the calculation of the BRFplus function (characteristic PO_BRF) will now be stored in the CEKKO-USRN1 field. This is where the handshake between the BRFplus application and SAP ECC occurs. The ability to use field CEKKO-USRN1 significantly enhances the PO release strategy functionality as it provides the flexibility to make use of numerous expression types in BRFplus.

Step 4: Define a Rule

A rule mimics the business rules and executes various expressions defined for the application based on certain predefined conditions. For the example, we define two rules: one for DECISIONTREE_ABC and another for DECISIONTREE_XYZ.

To create the first rule, right-click on the application name (BRF_DEMO_PROJECT) and follow the menu path Create > Rule. Name the rule RULE_PO_REL_ABC.

To assign the conditions, expand the list of drop-down options under Assign Condition and choose Use Value Range From > Select Context Parameter (Figure 11), which takes you to the drop-down selection of the data objects defined earlier (Figure 12). Note that you can also select the defined expression as a condition.

Figure 11 — Assign conditions for rule RULE_PO_REL_ABC

Figure 12 — Select the object that will serve as the condition for executing the rule

Next, define the rule — for the example, the rule will execute if MATKL is equal to ABC (see Figure 13) and the expression called in Figure 14 will be processed. Note that you can have multiple AND or OR conditions.

Figure 13 — Define the condition that will execute the rule

Figure 14 — Specify the expression to be called if the condition is met

If the defined condition (MATKL is equal to ABC) is satisfied, the decision tree expression DECISIONTREE_ABC is called and the result of the rule is stored in the BRF_OUTPUT_VALUE data object (Figure 15).

Figure 15 — The completed RULE_PO_REL_ABC rule definition

Next, create a second rule named RULE_PO_REL_XYZ. This rule is called if the material group is XYZ, and the result is stored in BRF_OUTPUT_VALUE (Figure 16).

Figure 16 — The completed RULE_PO_REL_XYZ rule definition

Step 5: Define a Function

A function links the BRFplus application to SAP ECC. It receives input data, processes the data, and then returns an output value. You can call a function from SAP ECC using ABAP code, a Remote Function Call (RFC), or web services, for instance.

To create a function for the example, right-click on the application name (BRF_DEMO_PROJECT) and follow the menu path Create > Function. Name the function FN_PO_REL_STR and save. Then, create a ruleset within the function by clicking on Create Ruleset on the Assigned Rulesets tab. Name the ruleset RULESET_PO_REL_STR and click on Create And Navigate to Object and save (see Figure 17). The ruleset is now assigned to the function (see Figure 18).

Figure 17 — Create a new ruleset within the function

Figure 18 — The ruleset assigned to the function

Step 6: Define Conditions for the Ruleset

A ruleset is a collection of rules that are processed one after the other according to the sequence defined. When the function is called, all assigned rulesets are processed in turn.

The ruleset header provides you with an option to define a precondition and allows you to define variables and expressions used in the ruleset. To update the ruleset created and assigned to the FN_PO_REL_STR function in the previous step (RULESET_PO_REL_STR), double-click on the ruleset and click on Edit. Figure 19 shows the preconditions, variables, and rules defined for RULESET_PO_REL_STR.

Figure 19 — Define any preconditions, variables, and rules for the ruleset

The precondition for the ruleset shown in the example is Plant=FL01. This precondition means that the ruleset executes only if the plant in the PO is FL01. You can assign the rules to the ruleset in the sequence you want them to process. You can also define an exit condition if you want the ruleset to stop processing further if one of the conditions is met.
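The business scenario and Steps 1 through 6 together define a small rule engine: a formula expression, two decision trees, two rules keyed on the material group, and a ruleset with a plant precondition feeding one output value. As an added example (not BRFplus output and not the author's generated ABAP), the following Python models that engine end to end, with a constructed simulation table in the spirit of the test data the BRFplus simulation screen accepts. MATKL, the plant, the thresholds and the output value 60 come from the article; the price field names, the "first matching rule wins" exit condition and the assumption that 60 means manager approval are mine.

```python
from dataclasses import dataclass
from typing import Callable


# Assumed context fields. MATKL (material group) and plant are named in the
# article; po_price and standard_price stand in for the ECC data dictionary
# elements the author chose but does not list.
@dataclass
class POContext:
    plant: str
    matkl: str
    po_price: float
    standard_price: float
    price_diff: float = 0.0        # result of the PRICE_DIFF formula expression
    brf_output_value: int = 0      # BRF_OUTPUT_VALUE, later written to CEKKO-USRN1


def price_diff(ctx: POContext) -> float:
    """Formula expression PRICE_DIFF. Signed on purpose: the scenario asks whether
    the PO price *exceeds* the standard price, so a PO priced below standard must
    not trigger approval. Wrapping the difference in ABS() would change that."""
    ctx.price_diff = ctx.po_price - ctx.standard_price
    return ctx.price_diff


def decision_tree(threshold: float) -> Callable[[float], int]:
    """Decision trees DECISIONTREE_ABC / DECISIONTREE_XYZ: 60 above the threshold, else 0."""
    return lambda diff: 60 if diff > threshold else 0


DECISIONTREE_ABC = decision_tree(500)
DECISIONTREE_XYZ = decision_tree(300)


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[POContext], bool]
    expression: Callable[[float], int]


# RULESET_PO_REL_STR: rules in processing sequence.
RULES = [
    Rule("RULE_PO_REL_ABC", lambda c: c.matkl == "ABC", DECISIONTREE_ABC),
    Rule("RULE_PO_REL_XYZ", lambda c: c.matkl == "XYZ", DECISIONTREE_XYZ),
]


def ruleset_precondition(ctx: POContext) -> bool:
    """Ruleset header precondition Plant=FL01."""
    return ctx.plant == "FL01"


def fn_po_rel_str(ctx: POContext) -> int:
    """Function FN_PO_REL_STR: run the ruleset and return BRF_OUTPUT_VALUE."""
    if not ruleset_precondition(ctx):
        return ctx.brf_output_value          # ruleset skipped; value stays at its initial 0
    price_diff(ctx)
    for rule in RULES:
        if rule.condition(ctx):
            ctx.brf_output_value = rule.expression(ctx.price_diff)
            break                            # assumed exit condition: first matching rule wins
    return ctx.brf_output_value


def manager_approval_required(ctx: POContext) -> bool:
    """What the release strategy reads off CEKKO-USRN1 (assumption: 60 = approval)."""
    return fn_po_rel_str(ctx) == 60


# Constructed simulation cases: (label, context, expected BRF_OUTPUT_VALUE).
SIMULATION_CASES = [
    ("ABC, $600 over standard",       POContext("FL01", "ABC", 1600.0, 1000.0), 60),
    ("ABC, $400 over standard",       POContext("FL01", "ABC", 1400.0, 1000.0), 0),
    ("XYZ, $400 over standard",       POContext("FL01", "XYZ", 1400.0, 1000.0), 60),
    ("XYZ, $250 over standard",       POContext("FL01", "XYZ", 1250.0, 1000.0), 0),
    ("other plant, ruleset skipped",  POContext("FL02", "ABC", 2000.0, 1000.0), 0),
    ("other material group, no rule", POContext("FL01", "DEF", 2000.0, 1000.0), 0),
    ("ABC, priced below standard",    POContext("FL01", "ABC", 200.0, 1000.0), 0),
]


def run_simulation() -> list[tuple[str, int, int, bool]]:
    """Return (label, expected, actual, passed) per case, like an Execute run without the step trace."""
    results = []
    for label, ctx, expected in SIMULATION_CASES:
        actual = fn_po_rel_str(ctx)
        results.append((label, expected, actual, actual == expected))
    return results


if __name__ == "__main__":
    for label, expected, actual, ok in run_simulation():
        print(f"{'PASS' if ok else 'FAIL'}  {label}: expected {expected}, got {actual}")
```

Two details are worth confirming with the business before the rules go live: the comparison is strictly greater than the threshold, so a PO exactly $500 over standard for group ABC is released without approval, and a PO for a plant other than FL01 bypasses the ruleset entirely and leaves BRF_OUTPUT_VALUE at zero, so such POs must be covered by the normal release strategy rather than by this function.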

Identifying Any Errors with a Simulation

BRFplus also enables you to run a simulation to check the function, rules, ruleset, and expressions you created. During a simulation, you can identify any errors or inconsistencies.

To begin a simulation of a decision tree, click on the Start Simulation button (Figure 20). Here, we are running a simulation of the DECISIONTREE_ABC decision tree we created for the example.

Figure 20 — Start a simulation

In the simulation settings, select the Execute Actions option under Action Settings and then click on the Continue button (Figure 21).

Figure 21 — Specify the simulation action settings

Next, specify the simulation data (Figure 22). In the example, I have manually entered the input values to be used for the simulation. You can also choose to import test data, which is the best approach when you have multiple sets of test data. You then have two options for execution: clicking on the Execute button provides the end result, whereas clicking on the Execute and Display Processing Steps button gives you a step-by-step account of how the system arrived at the result.

Figure 22 — Specify the simulation data and execute the simulation

In the example, we choose Execute, which takes us to Figure 23, where any errors in any of the steps are highlighted.

Figure 23 — Any identified errors are highlighted in the results

Calling a BRFplus Function from ABAP

BRFplus provides a very user-friendly way to call a BRFplus function from an ABAP application: a code template that automatically generates the code for calling the function. To create the code template, display the FN_PO_REL_STR function in BRFplus and click on the Create Code Template button (Figure 24).

Figure 24 — Create a code template to generate the code for the BRFplus function

On the next screen, select the Show Comments indicator and then click on the Apply button. The resulting code, shown in Figure 25, is generated automatically and can be used in ABAP to call the BRFplus function.

Figure 25 — The automatically generated code with comments displayed for the BRFplus application

An alternative to this method is to generate the code by executing the FDT_TEMPLATE_FUNCTION_PROCESS report with transaction SE38 (ABAP Editor). In this case, you need to provide the function ID (Figure 26), which can be found in BRFplus (Figure 27).

Figure 26 — Provide the function ID to execute the report

Figure 27 — The function ID is provided in BRFplus

The code template shown in Figure 28 is generated when the report is executed and can be copied to an ABAP program to access the BRFplus application created earlier.

Figure 28 — The code template is generated when the report is executed

Once you can access the BRFplus application from ABAP, whenever a new PO is created for plant FL01 and material group ABC or XYZ, the system checks for the rules defined in BRFplus to come up with the appropriate release strategy based on the result stored in object BRF_OUTPUT_VALUE.
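The report below is an added example written for this article, not the template that BRFplus generates for FN_PO_REL_STR, but it follows the same calling pattern (factory, process context, process, result). Everything specific to the application is an assumption: the function ID is a placeholder to be replaced with the GUID shown in Figure 27, the context data objects are assumed to be named PLANT and MATERIAL_GROUP, and the result is assumed to be a text element that fits into a string.

```abap
*&---------------------------------------------------------------------*
*& Added example, not the template generated by BRFplus: calls the
*& BRFplus function FN_PO_REL_STR from ABAP to determine the purchase
*& order release strategy for a plant and material group.
*&---------------------------------------------------------------------*
REPORT z_brfplus_po_release_demo.

" Placeholder: replace with the function ID of FN_PO_REL_STR from BRFplus (Figure 27).
CONSTANTS gc_function_id TYPE if_fdt_types=>id
  VALUE '00000000000000000000000000000000'.

" Assumed names of the data objects in the function's context.
CONSTANTS: gc_ctx_plant          TYPE if_fdt_types=>name VALUE 'PLANT',
           gc_ctx_material_group TYPE if_fdt_types=>name VALUE 'MATERIAL_GROUP'.

CLASS lcl_release_strategy DEFINITION.
  PUBLIC SECTION.
    " Returns the release strategy determined by BRFplus, or an initial
    " value plus an error text if BRFplus could not process the call.
    CLASS-METHODS determine
      IMPORTING iv_plant          TYPE werks_d
                iv_material_group TYPE matkl
      EXPORTING ev_strategy       TYPE string
                ev_error          TYPE string.
ENDCLASS.

CLASS lcl_release_strategy IMPLEMENTATION.
  METHOD determine.
    DATA: lo_function TYPE REF TO if_fdt_function,
          lo_context  TYPE REF TO if_fdt_context,
          lo_result   TYPE REF TO if_fdt_result,
          lx_fdt      TYPE REF TO cx_fdt.

    CLEAR: ev_strategy, ev_error.

    TRY.
        " 1. Obtain the function object from the BRFplus factory.
        lo_function ?= cl_fdt_factory=>if_fdt_factory~get_instance( )->get_function( gc_function_id ).

        " 2. Create the process context and pass the input values by name.
        lo_context = lo_function->get_process_context( ).
        lo_context->set_value( iv_name = gc_ctx_plant          ia_value = iv_plant ).
        lo_context->set_value( iv_name = gc_ctx_material_group ia_value = iv_material_group ).

        " 3. Process the function; BRFplus evaluates the rules defined for it.
        lo_function->process( EXPORTING io_context = lo_context
                              IMPORTING eo_result  = lo_result ).

        " 4. Read the result element (BRF_OUTPUT_VALUE in the application above).
        lo_result->get_value( IMPORTING ea_value = ev_strategy ).

      CATCH cx_fdt INTO lx_fdt.
        " Fail closed: no strategy is returned, so the caller must not
        " release the PO on a default path. Report the reason instead.
        ev_error = lx_fdt->get_text( ).
    ENDTRY.
  ENDMETHOD.
ENDCLASS.

PARAMETERS: p_plant TYPE werks_d DEFAULT 'FL01',
            p_matkl TYPE matkl   DEFAULT 'ABC'.

START-OF-SELECTION.
  lcl_release_strategy=>determine(
    EXPORTING iv_plant          = p_plant
              iv_material_group = p_matkl
    IMPORTING ev_strategy       = DATA(lv_strategy)
              ev_error          = DATA(lv_error) ).

  IF lv_error IS NOT INITIAL.
    WRITE: / 'BRFplus call failed:', lv_error.
  ELSEIF lv_strategy IS INITIAL.
    WRITE: / 'No release strategy found for plant', p_plant,
             'and material group', p_matkl.
  ELSE.
    WRITE: / 'Release strategy:', lv_strategy.
  ENDIF.
```

The one design point worth noting is the CATCH branch: a rule engine that cannot be reached or that raises an exception should not silently produce an empty result that the PO process interprets as "no release required". Returning the error separately lets the calling application stop and log the situation instead.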

Deploy SAP Solutions in Minutes in the Cloud

Gain Instant Access to Ready-to-Use Solutions with SAP Cloud Appliance Library


by Bettina Knauss and Markus Winter, SAP SE


Advanced capabilities delivered across a range of emerging technologies — from analytics to in-memory computing and machine learning — are opening up new opportunities for businesses, and those that seek to grow and remain competitive are looking to take advantage of these types of digital developments. In the past, software deployments could take weeks or even months, with significant resources sometimes devoted to planning and the installation and configuration of hardware and software. However, modern businesses are increasingly relying on IT to take an active role in driving innovation strategy, which means that IT staff have less time to work on in-depth setup and configuration tasks. As a result, IT departments are under increasing pressure to squeeze timescales for deploying software.

So how can SAP customers take advantage of the advanced functionality delivered by the latest on-premise SAP solutions without the time-consuming effort typically required for on-premise deployment? To help customers achieve this, SAP offers SAP Cloud Appliance Library, a tool that enables you to deploy the latest on-premise SAP solutions in the cloud, quickly and simply. A fully automated process and intuitive user experience enable a streamlined deployment of ready-to-use software solutions. This helps you to reduce your system provisioning costs, minimize manual effort for system setup, and free up time to focus on evaluating your future business strategy.

This article is an introduction to SAP Cloud Appliance Library for anyone who wants to test drive the latest SAP solutions, or who is involved in custom development, building test and demo labs in the cloud, or running training and demos in a cost-controlled way. We will look at how SAP Cloud Appliance Library can help simplify deployments in your own SAP landscape, how the scheduling and sizing options help to minimize the infrastructure costs, what it does, and how it works. We will also explore three key ways that the tool can help streamline business operations, including enabling you to easily evaluate new solutions, quickly run training and demo sessions, and improve application portability and business flexibility.


Why Use SAP Cloud Appliance Library?

SAP Cloud Appliance Library offers the easiest and fastest way to consume the latest on-premise solutions from SAP in the cloud by providing quick and easy access to ready-to-use solutions from a browser-based catalog. A simple login enables:

  • Access to over 90 SAP solutions: The growing list of available solutions includes the SAP HANA business data platform, SAP S/4HANA, the SAP NetWeaver technology platform, and SAP Solution Manager. It also includes a wide range of industry solutions, such as SAP Model Company services for Logistics Execution, Banking, Omnichannel Retail, and many more. You can find a complete list of available software at
  • Preconfigured software: Many of the solutions available within SAP Cloud Appliance Library are preconfigured, so there is no need for internal teams to spend time setting up the solution, or for you to pay costly fees for external systems integrators. The solution components and configuration information are detailed in the overview page for each solution listing (see Figure 1). Furthermore, automated deployment features mean that your software is ready to use in minutes.


Figure 1 — Each solution listing includes details about the product, such as a description, the solution’s components, documentation, and recommended virtual machine sizes


  • Easy management of solutions: The built-in web management console makes it straightforward for you to manage your access to solutions through SAP Cloud Appliance Library. Intuitive functionality enables you to get up and running with new solutions in a few clicks. In addition, sophisticated management features enable various customizing options to help you save on costs, such as flexible scheduling and the ability to resize virtual machines, both when creating the instance and when later managing the instance.

Accessing SAP solutions using SAP Cloud Appliance Library significantly reduces deployment timescales, as shown in Figure 2. On-premise implementation activities — including infrastructure setup and installation of the operating system and the SAP software itself, as well as configuration and validation of the solution — can take weeks to complete. In contrast, deployment in the cloud through SAP Cloud Appliance Library is completed automatically within minutes.


Figure 2 — SAP Cloud Appliance Library reduces deployment time from weeks to minutes


How Does SAP Cloud Appliance Library Work?

SAP Cloud Appliance Library is a self-service web application and a delivery channel for SAP software. It integrates tightly with leading infrastructure-as-a-service (IaaS) cloud services. As a prerequisite, the user needs an account with a cloud provider such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. This account can be registered in SAP Cloud Appliance Library quickly and easily. Once this is done, it takes only minutes until one of the solutions from the catalog for SAP Cloud Appliance Library is up and running in the cloud account and can be accessed by anyone within the company to get hands-on experience.

In three simple steps, any user — whether a student using the openSAP platform or a systems administrator preparing a proof-of-concept system for a business unit — can deploy a solution directly in their own account and access and manage it using SAP Cloud Appliance Library:

1. Users log on to SAP Cloud Appliance Library ( through a browser using their existing SAP Community credentials or by registering as a new user (see Figure 3).


Figure 3 — Log-in screen for SAP Cloud Appliance Library


2. Users browse through the solution library and select the solutions they are interested in (see Figure 4).


Figure 4 — Solutions available through SAP Cloud Appliance Library


3. The solution is automatically deployed as a running instance directly into users’ cloud accounts (see Figure 5). Connectivity to the system, along with management options for modifying the instances, is provided through the user interface for SAP Cloud Appliance Library, which means that there is no need to access the systems through the cloud provider account. The management options include the ability to resize virtual machines (see Figure 6) and adjust the scheduling of the instance (see Figure 7), along with a cost forecast functionality that instantly adapts to sizing or scheduling changes for a transparent cost estimation.


Figure 5 — Creating a new system instance using SAP Cloud Appliance Library


Figure 6 — SAP Cloud Appliance Library provides options for specifying the sizing and access points for virtual machines


Figure 7 — SAP Cloud Appliance Library enables you to configure when to activate, suspend, and terminate the instance


SAP Cloud Appliance Library in Action

There is a wide range of scenarios in which businesses use SAP Cloud Appliance Library. Quickly evaluating new solutions, easily running training and demo sessions, and improving application portability and business flexibility are some of the key ways that SAP customers are benefitting from the tool.


Quickly Evaluate New Solutions

Using SAP Cloud Appliance Library, you can create trial and proof-of-concept systems without the manual effort and infrastructure costs associated with an on-premise deployment. This means you can quickly and cost-effectively evaluate the latest SAP solutions to see how they can streamline your operations. System provisioning through SAP Cloud Appliance Library can be done by the project team itself, and also by a central organization within the company that passes on the system access to the evaluating parties. The ability to deploy applications, such as SAP S/4HANA, SAP Hybris solutions, and SAP Customer Relationship Management, that are ready to use not only reduces implementation time — in many cases, from several weeks to a matter of hours — it also increases adoption speed.

A lean approach and short spin-up times are a key benefit for IT consulting and software company DSC Unternehmensberatung und Software GmbH. “As a midsize company and long-standing SAP partner, we use SAP Cloud Appliance Library to quickly familiarize ourselves with new technologies,” explains Project Manager Karsten Fink. “Within just a few minutes, our project teams can access available solutions with minimal administrative overhead. Thanks to SAP Cloud Appliance Library, we can efficiently react to new market demands early on.”


Easily Run Training and Demo Sessions in the Cloud

SAP Cloud Appliance Library enables you to provide easy and fast access to SAP solutions. By training your teams on the latest SAP innovations and technologies and helping employees adopt new features early, you can fast-track improvements in business processes. Live demos of solutions can help customers understand the potential benefits of a deployment, speeding up the decision-making process.

For example, consulting company Accenture AG is using SAP Cloud Appliance Library to support their training environment. “Our business and IT managers use SAP Cloud Appliance Library to deploy new SAP software for quick customer demos and to train their teams on the latest SAP innovations and technologies,” says Dr. André Bögelsack, Infrastructure Services. “For each training session, they adopt an efficient deploy-and-dispose approach, saving a day in preparation and setup. This quick deployment gives our employees immediate access to new solutions.”


Improve Application Portability and Flexibility

By offering “containerized” applications, SAP Cloud Appliance Library removes the need to set up a virtual machine for every application, saving costs for operating system licenses. In addition, by providing an entire runtime environment, the tool removes obstacles to moving software between different systems, such as from development to production. In this way, SAP Cloud Appliance Library helps improve application portability and enables businesses to become more agile.


What’s Coming Next?

Going forward, SAP plans to extend and enrich the online solution library available through SAP Cloud Appliance Library. In addition to offering SAP solutions that were previously unavailable through the tool, currently listed software will be updated with the latest feature packs and product releases to offer the most recent innovations to customers.

Another key area for future investment is in making the deployment and management of solutions using SAP Cloud Appliance Library even more straightforward, including adding new management features in the web management console, providing real-time status tracking of SAP systems, and adding new features to its “containerized” application approach. Plans also include a new functionality that will enable email notifications to provide customers with timely information about software subscriptions, solution instance operations, and long-running instances.

For more information about SAP Cloud Appliance Library, or to sign up for a free 30-day trial to see for yourself how it can help you gain instant access to ready-to-use solutions, visit the product page at


Learn More

SAP Cloud Appliance Library

Product page for SAP Cloud Appliance Library

SAP Community for SAP Cloud Appliance Library

Tutorial: Set up an account for SAP Cloud Appliance Library and install a preconfigured SAP solution in the cloud

Roadmap for SAP Cloud Appliance Library


Bettina Knauss

Bettina Knauss ( is a Product Owner at SAP with a focus on SAP Cloud Appliance Library, where she works closely with customers, cloud providers, and partners to drive innovation for the library and manage the solution catalog. Previously, she worked in various positions in SAP Development and as a technical consultant.

Markus Winter

Dr. Markus Winter ( has been working in the field of landscape optimization, virtualization, and cloud computing for the past 18 years, and during that time has driven landscape management topics within SAP. He currently leads the Cloud Management product unit as Chief Product Owner.

Securing SAP S/4HANA

A Guide to Strengthening the Security of Your SAP S/4HANA Implementation


by Birger Toedtmann, SAP


A lot of SAP customers are currently at the point of either planning or executing a conversion to SAP S/4HANA from SAP Business Suite.1 Among many other considerations, security is one of the bigger topics that spring to mind as part of this conversion: What exactly are the differences between SAP S/4HANA and the standard SAP Business Suite setups? What are the typical pitfalls and which tasks require the most effort? What tasks must be performed right away, and what tasks can you shift to later points in time? All these questions are largely related to the architectural and technological changes that come with SAP S/4HANA.

This article aims to address these questions and to help ensure that you can leverage the full potential of the solution. It outlines the five critical areas security administrators need to look at when it comes to securing an SAP S/4HANA implementation. It takes a closer look at these five areas — roles and authorizations, SAP HANA security, infrastructure security, cloud integration, and user management and authentication — and then provides guidance on the challenges that can arise and how to properly address them. It also examines the resources available from SAP to help you along the way, and how to address the security of the SAP S/4HANA core system: SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP.

First, to ensure a clear understanding of the security activities connected with an SAP S/4HANA implementation project, we’ll take a closer look at how some of the underlying technology changes with SAP S/4HANA affect security considerations in your landscape.

New Security Considerations with SAP S/4HANA

The core system for SAP S/4HANA, like SAP Business Suite, is SAP NetWeaver AS ABAP. From a security standpoint, it looks like a traditional SAP ERP system running on an SAP HANA database, with all the related internal optimizations, and the same standard security controls, switches, and customizing required for other SAP NetWeaver AS ABAP-based systems. While it may seem that only the SAP HANA database requires a closer look in an SAP S/4HANA implementation, there is more to the story: SAP HANA in this setup is not just a new database, it is also an application server, and certain SAP S/4HANA application processes may run natively from it — or, to be more precise, may run natively from SAP HANA extended application services, advanced model, which is a development and runtime environment delivered with SAP HANA for native applications.

These native SAP HANA applications bypass the ABAP stack and its security controls, which must be addressed. SAP S/4HANA also offers a high degree of simplification through optimized SAP Fiori apps and cockpits, which supersede the old SAP Business Suite transactions. With the shift to web-based activities, many companies plan to offer some of these apps to external audiences — for example, letting your vendors directly enter their numbers in your system is a highly efficient business functionality. However, this “opening” of access to ERP functions will have an impact on the underlying network security infrastructure, which will need to be considered.

In addition, some organizations have already shifted processes to the cloud, and SAP S/4HANA comes with many options for integrating with these cloud-based scenarios in a hybrid landscape. For security teams, this means that critical data resides in a location other than on premise, and they must closely watch the security of the integration with external systems and applications. Finally, you must also coordinate access to all the different applications and instances, which requires smooth, efficient, and centralized user and authentication management.

Now that you have an understanding of some of the new security considerations related to SAP S/4HANA, let’s take a closer look at the tasks involved in securing your SAP S/4HANA landscape after a conversion from SAP Business Suite.

Securing an SAP S/4HANA Landscape

After converting from SAP Business Suite to SAP S/4HANA, there are five key areas you need to address quickly to secure your SAP S/4HANA landscape:

  • Updating roles and authorizations
  • Securing the SAP HANA system
  • Ensuring a strong security infrastructure
  • Integrating cloud applications
  • Managing user access and authentication

Updating Roles and Authorizations

First, a conversion to SAP S/4HANA is, at its core, an upgrade. As with all upgrades, this means that you must update your roles and authorizations. For example, there will be new checks for authorization objects, new transactions, and old transactions — this is business as usual, and will require a significant amount of effort. A firm grasp of security transactions SU24 (Maintain Check Indicators) and SU25 (Upgrade Tool for Profile Generator) will help smooth the way through the required tasks.

Second, SAP S/4HANA includes new SAP Fiori apps, which are basically web services. Users need the authorization to use these apps, which is not too difficult to configure, but SAP S/4HANA includes a major design change in how to build roles, and this can be a challenge for those who are not yet familiar with SAP Fiori apps and how they are published using SAP Gateway. In SAP S/4HANA, the role-building transaction PFCG includes new mechanisms to integrate app catalogs and to communicate and sync with the publishing instance (SAP Gateway). It is important to understand how these mechanisms work and which steps to take in transaction PFCG to ensure a proper role-building process in the SAP S/4HANA application life cycle.

Securing the SAP HANA System

Your hosting partner or your data center operations team, depending on whether your deployment is on premise or in the cloud, must learn the new security settings and authorizations setup of an SAP HANA database to operate it correctly and shield it from improper access. With SAP HANA 1.0, specific developers and administrators required direct access to the database’s SQL port because SAP HANA studio connected to this port, and this presented security challenges. Now, SAP HANA development and administration activities are largely performed via web interface, so access to only the application server’s web service ports is typically sufficient. If this is not sufficient — for example, if important development functionality is not yet available in the Web IDE for SAP HANA — you should allow access to the SQL port from dedicated workstations only, such as Windows Terminal Server (WTS) workstations.

Another area to be aware of is the new authorizations design of SAP HANA extended application services, advanced model (the development and runtime environment for native SAP HANA-based applications). Building roles and authorizations for SAP HANA extended application services, advanced model, which was introduced with SAP HANA 2.0, is significantly different from traditional database and SAP application server security administration. You will need an expert for this if you want to develop new native applications for SAP HANA with a proper security design, and this requirement should be reflected in your project plan. Granting access to the administrative applications SAP ships with SAP HANA extended application services, advanced model, is another task that user admin teams need to know how to perform.

Keep in mind that the new features for SAP HANA extended application services, advanced model, are required for advanced processes only. Standard SAP S/4HANA processes typically do not require custom apps based on SAP HANA extended application services, advanced model. Only when you want to make use of the full potential of your SAP HANA engine do you need to quickly embrace all these security techniques.

Ensuring a Strong Security Infrastructure

Going digital implies opening business processes to the outside world, such as offering individualized services to vendors, customers, and other parties, and enabling them to stay informed about the progress of their transactions and enter their own changes in certain process steps. It also means executing these processes in real time rather than using an outdated approach such as asynchronous processing via email. In the past, allowing external users access to certain parts of business applications could be difficult in the closed-shop SAP world with its fat client SAP GUI connected to dedicated network ports, and many customers addressed this with SAP solutions such as SAP Enterprise Portal.

With SAP S/4HANA and its SAP Fiori technology, it has become simple to publish dedicated small apps to other user groups and their devices, be it mobile or desktop. Granting access to business-critical system components must be thoroughly shielded, however, and so a strong security architecture, similar to the one shown in Figure 1, is required to ensure that the right users have network access to the right set of apps with properly enforced security controls, such as two-factor authentication. In addition, SAP Gateway, which is where the apps are published and accessed, may need to be in a demilitarized zone (DMZ), while the SAP S/4HANA core system stays in the internal high-security network zone.


Figure 1 — A simplified example of a security environment adapted to SAP S/4HANA — when SAP Gateway runs on the SAP HANA database as well, SAP HANA cockpit requires access to both SAP Gateway and the SAP S/4HANA back end


Data transmissions in this architecture must be secured with standard mechanisms such as the Transport Layer Security (TLS) protocol, and firewall setups must define where external users can and cannot go. You can also increase network security in scenarios where HTTP(S) and Remote Function Call (RFC) connections traverse network zones using the “reverse invoke” mechanism that is available with SAProuter (which handles RFC communication over network zone borders) and Web Dispatcher (which manages HTTP connections to SAP systems for web applications). This mechanism allows these types of traffic without permitting direct access to back-end systems — it reverses the Transmission Control Protocol (TCP) connection so that it is always initiated from the internal network instead of the DMZ, which enables easier and more secure firewall setups at the internal network zone border.

Keep in mind that individual teams — including the portal, SAP operations, security, firewall, and networking teams — must work closely together to synchronize all these configurations so there are no gaps created by misunderstandings. It is also important to note that these requirements are not new for digital businesses and are not specific to SAP or SAP S/4HANA, but you need to be sure to incorporate them into your SAP S/4HANA security project plan.

Integrating Cloud Applications

Instead of allowing certain external user groups access to on-premise applications, it is often easier and more secure to let users interact with cloud solutions. Many activities already take place in the cloud, and SAP S/4HANA offers a simpler way to exchange data in real time with environments such as SAP Cloud Platform through Cloud Connector, which easily and securely links SAP Cloud Platform applications with on-premise systems such as SAP S/4HANA.

To support hybrid business processes that incorporate both SAP S/4HANA on premise and applications in the cloud, security teams should know how to set up and run Cloud Connector in a secure manner, which is fairly simple, and how to grant permissions to cloud applications using the SAP Cloud Platform Identity Authentication and SAP Cloud Platform Identity Provisioning services. You may want to compare the setup of Cloud Connector to SAProuter or Web Dispatcher installations — they are similar types of standalone infrastructure engines that control network communications between business systems.

Managing User Access and Authentication

One of the biggest challenges in digital business scenarios is coordinating the various types of access, particularly when access is taking place across hybrid landscapes. You may need to set up users not only in the SAP S/4HANA core (that is, the SAP NetWeaver AS ABAP system), but also potentially as native users in SAP HANA itself. These users also need to have access to SAP Gateway, which provides the app catalog for users, and to all connected cloud applications. In addition, you will want to have a smooth handover between the individual systems once a user is authenticated the first time — you do not want users to be prompted for passwords over and over again.

Against this background, efficient central user management and modern authentication mechanisms are key with larger SAP S/4HANA implementations. Security teams should be familiar with federated single sign-on and Security Assertion Markup Language (SAML) 2.0. Also, without a decent identity management solution, you will have trouble keeping track of the individual accounts you must create and maintain. This solution should be capable of provisioning users into both cloud and on-premise systems. At a minimum, a central user administration system for both SAP S/4HANA and SAP Gateway must be in place, while cloud users could potentially be maintained separately. The right choice of technology should therefore be a part of your project plan for an SAP S/4HANA conversion, as it has consequences for how the user management processes can be remastered to match the demand of the new solution landscape.

Navigating the Process with Support from SAP

You might now be thinking, “OK, this seems like a lot of additional work.” And it would be without the white papers, guidelines, recommendations, and tools SAP provides to help significantly simplify the process of establishing a secure setup and operation of SAP S/4HANA.2

Security White Papers

To help businesses increase the security of their SAP systems, SAP has published a series of white papers in SAP Support Portal ( The first two — “Protecting SAP Applications Against Common Attacks” and “Secure Configuration of SAP NetWeaver Application Server Using ABAP” — were published in 2011 and 2012, respectively, with others following over time, including “SAP Security Recommendations: Securing Remote Function Calls (RFC).” These white papers continue to be valid and contain the most important things to consider from an SAP perspective. All of them are applicable to SAP S/4HANA systems and should serve as a basis for securing SAP S/4HANA. Security teams should know them by heart. If your current (non-SAP S/4HANA) landscapes are not yet operating based on these recommendations, you have a gap that needs to be dealt with urgently.

SAP Solution Manager

With SAP Solution Manager, SAP provides the System Recommendations application to highlight security notes that are missing in systems and the Configuration Validation application to monitor whether systems are configured correctly with respect to security. The Security Baseline Template (SAP Note 2253549), also included with SAP Solution Manager, not only contains all security recommendations from the security white papers available in SAP Support Portal, but also provides predefined target setting containers that you can directly upload into the Configuration Validation application. This is ready-made monitoring for all SAP security recommendations with a fairly small implementation footprint (and no additional licenses as the SAP Solution Manager applications are freely available).

Security Guides and Training

For roles and authorizations, SAP offers the usual security guides that accompany its solutions. For example, SAP HANA security recommendations are well summarized in a chapter of the SAP HANA Security Guide. SAP’s education organization also offers training courses, including a course on SAP S/4HANA authorization setup (ADM945) and a course on SAP HANA native authorizations (HA240).

Solutions for Identifying Risks and Managing Access

SAP provides comprehensive solutions to help with identifying security risks and managing user access. SAP Enterprise Threat Detection can be helpful for those that need higher security standards and integration in security information and event management (SIEM) and security operations center (SOC) processes. SAP also offers state-of-the-art user provisioning services for cloud applications (see Figure 2). The SAP Cloud Platform Identity Provisioning and SAP Cloud Platform Identity Authentication services allow you to set up federated single sign-on scenarios in a simple way and manage user accesses in cloud applications. SAP customers can neatly integrate their own identity providers into this architecture, which enables users (external as well as internal ones) to hop from on-premise applications to cloud applications and vice versa without disruption, while Cloud Connector ensures that business data is available where needed.


Figure 2 — An example architecture that uses identity authentication and provisioning services for managing user access in the cloud


SAP Digital Business Services

For customers with stringent security requirements and a need for external assistance, SAP offers SAP Digital Business Services. As of Q1 2018, the new SAP Activate methodology for implementations and migrations contains elements that ensure security is not overlooked in any project. There are special phases focused on security design and implementation embedded in the overall implementation plan. SAP Value Assurance service packages also follow this design, offering assistance from SAP’s support services that can be used to safeguard an SAP S/4HANA implementation project.

In addition, SAP has refurbished its SAP MaxAttention offering (known as “New MaxAttention”), with a track (or “focus topic”) dedicated to security and compliance, as shown in Figure 3. You can make use of additional security services starting from the planning phase (for example, helping customers identify and close gaps in their solution landscapes) through the realization and run phases (for example, running security checks before go live).


Figure 3 — SAP MaxAttention includes a focus topic dedicated to security and compliance topics


Securing the Core

So far, this article has focused on the overall areas that are critical for securely running SAP S/4HANA solution landscapes. But what about the running core of SAP S/4HANA — that is, the SAP NetWeaver AS ABAP system? What are SAP’s most important recommendations for directly strengthening its security?

Using the SAP-provided white papers available at and the Security Baseline Template, you can create a short list of critical activities that must be performed to increase the overall security level of your core system, such as:

  • Standard user protection: Remove well-known factory passwords from the standard users SAP*, DDIC, and TMSADM using report RSUSR003 for all affected users.
  • Credential protection: Remove outdated hash storage of passwords and protect hash tables.
  • Secure SAP code: If it does not yet exist, set up a patching process to consume the security notes that SAP publishes each month.
  • Secure custom code: Check if you have developer guidelines to write secure code, and assess whether a security scan engine might be required.
  • Data transmission protection: Enable Secure Network Communication (SNC) and TLS for all client communications.
  • Logging: Turn on all logging to ensure that no attack information is lost.
  • Secure configuration: Check all relevant profile parameters and customizing for correct security settings.
  • Interface security: Remove the SAP_ALL profile from technical users, check destination credentials, and activate Unified Connectivity (UCON) and Remote Function Call (RFC) callback protection to minimize the attack surface.

While each of these activities is important, you may not be able to conduct them all at the same time because of limited resources. SAP recommends that you avoid running more than three items in parallel to prevent overloading your SAP Basis and security teams. To prioritize the activities properly, it is helpful to assess the protective measures identified as missing and then order them according to their criticality and the effort required to remediate them, as shown in Figure 4. You can then create a project plan that prioritizes the security measures based on their estimated run time and ability to generate quick wins, as shown in Figure 5.


Figure 4 — An example prioritization of security activities based on criticality and required effort


Figure 5 — Example project plan based on the prioritization of security activities
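As an added example that is not part of the article, the following ABAP class applies that prioritization rule: it ranks the eight checklist activities by criticality (highest first) and, within the same criticality, by effort (quick wins first), then assigns them to waves of at most three parallel activities. The class name and the criticality and effort values are illustrative assumptions, not SAP ratings.

```abap
" Added example: plan the hardening checklist into waves of at most three
" parallel activities. Criticality (1..5) and effort (person-days) are assumed.
CLASS zcl_hardening_plan DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_oo_adt_classrun.

    TYPES: BEGIN OF ty_measure,
             name        TYPE string,
             criticality TYPE i,      " 5 = most critical
             effort      TYPE i,      " rough estimate in person-days
             wave        TYPE i,      " filled by PLAN
           END OF ty_measure,
           ty_measures TYPE STANDARD TABLE OF ty_measure WITH EMPTY KEY.

    " SAP's recommendation: never run more than three items in parallel
    CONSTANTS c_max_parallel TYPE i VALUE 3.

    " Orders the open measures and assigns each one to a wave
    METHODS plan
      IMPORTING measures      TYPE ty_measures
      RETURNING VALUE(result) TYPE ty_measures.
ENDCLASS.

CLASS zcl_hardening_plan IMPLEMENTATION.
  METHOD plan.
    DATA lv_wave    TYPE i VALUE 1.
    DATA lv_in_wave TYPE i VALUE 0.

    result = measures.
    " Most critical first; ties are broken by lowest effort (quick wins)
    SORT result BY criticality DESCENDING effort ASCENDING.

    LOOP AT result ASSIGNING FIELD-SYMBOL(<measure>).
      IF lv_in_wave >= c_max_parallel.
        lv_wave    = lv_wave + 1.   " wave is full, open the next one
        lv_in_wave = 0.
      ENDIF.
      <measure>-wave = lv_wave.
      lv_in_wave = lv_in_wave + 1.
    ENDLOOP.
  ENDMETHOD.

  METHOD if_oo_adt_classrun~main.
    " Constructed input: the checklist items, all assumed to be still open
    DATA(lt_open) = VALUE ty_measures(
      ( name = 'Standard user protection'      criticality = 5 effort = 2 )
      ( name = 'Credential protection'         criticality = 5 effort = 5 )
      ( name = 'Secure SAP code (patching)'    criticality = 4 effort = 10 )
      ( name = 'Secure custom code'            criticality = 3 effort = 20 )
      ( name = 'Data transmission (SNC/TLS)'   criticality = 4 effort = 8 )
      ( name = 'Logging'                       criticality = 3 effort = 3 )
      ( name = 'Secure configuration'          criticality = 4 effort = 6 )
      ( name = 'Interface security (UCON/RFC)' criticality = 5 effort = 12 ) ).

    DATA(lt_plan) = plan( lt_open ).
    LOOP AT lt_plan INTO DATA(ls_measure).
      out->write( |Wave { ls_measure-wave }: { ls_measure-name } | &&
                  |(criticality { ls_measure-criticality }, | &&
                  |effort { ls_measure-effort } days)| ).
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.
```

With these sample values the three standard-user, credential and interface items form wave 1, the three criticality-4 items wave 2, and logging plus custom code wave 3.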



By securing your SAP S/4HANA implementation with the security strategies outlined in this article, you will be well on your way toward establishing a landscape that can leverage the full potential of the solution. You can help ensure the success of your SAP S/4HANA security project by answering some core questions at the very beginning of your project:

  • Have we already considered all past SAP security recommendations? If not, take a second look.
  • Are our skills for SAP S/4HANA and SAP HANA 2.0 roles and authorizations management sufficient?
  • What should the network security architecture for SAP S/4HANA business and cloud integration scenarios look like?
  • Is our user management technology capable of supporting the SAP S/4HANA landscape properly or do we need more advanced technology?
  • Do our support engagements get SAP’s additional security offerings without additional charge?

With the answers to these questions, you will be ideally positioned to establish a strong, secure SAP S/4HANA implementation and seize the opportunities it can offer going forward.


1 For more on converting from SAP Business Suite to SAP S/4HANA, see the SAPinsider articles “Making the Move to SAP S/4HANA” (January-March 2017) and “A Simplified Way to Bring Your Custom Code to SAP S/4HANA” (Issue 2, 2018) available at [back]

2 Using proper network design and the available technology are key, and remember that opening access to specific applications is not special to SAP software — it should be a standard request to security teams. [back]


Birger Toedtmann

Birger Toedtmann ( worked for over 15 years in the area of designing and operating secure telecommunication networks at various companies, before joining SAP in 2007. Since then he has served customers as Technology Principal Consultant in the GRC and security domain, assisting them in securing their SAP landscapes. Birger also leads SAP Professional Services’s internal security community, a virtual group providing expert knowledge transfer to all associated consultants.

Take Your ABAP Skills to the Cloud

Develop New Cloud Applications in ABAP with SAP Cloud Platform ABAP Environment

by Karl Kessler, Vice President of Product Management ABAP Platform, SAP SE

At SAP TechEd in the fall of 2017, Björn Goerke, SAP’s Chief Technology Officer, announced that ABAP would become available in SAP Cloud Platform in 2018, and as of September 2018, the new ABAP development and runtime environment — SAP Cloud Platform ABAP environment — is here. SAP Cloud Platform ABAP environment is a completely new environment for SAP Cloud Platform, comparable to SAP Cloud Platform for the Neo, Cloud Foundry, and Kubernetes environments.

Anyone familiar with ABAP knows that it is not just a programming language with a compiler and runtime — it is an integrated environment based on a primary database that contains the ABAP repository and all related ABAP artifacts, such as ABAP classes and the data definitions based on the core data services (CDS) data modeling infrastructure. SAP Cloud Platform ABAP environment not only brings this architectural blueprint — which is currently the foundation of more than 100,000 productive on-premise installations — to the cloud, it also enables you to bring your existing ABAP development expertise and on-premise assets with you, smoothing the transition to the cloud.

Moving your ABAP development and execution environment to SAP Cloud Platform allows you to immediately benefit from the latest features of ABAP and SAP HANA, as well as the innovations available in all existing SAP Cloud Platform services, such as SAP Leonardo with its machine learning, blockchain, and Internet of Things technologies, which enable new scenarios that are not currently possible in the on-premise world. It also allows you to delegate all infrastructure, lifecycle management, and system operations tasks to the development and operations teams at SAP and enables you to scale with your business needs rather than making large upfront investments in hardware and services. In addition, you can take advantage of innovations much faster, since updates are delivered quarterly rather than years apart.

This article prepares SAP customers and partners for this new world by explaining the basic architecture and mechanics of SAP Cloud Platform ABAP environment and, through practical examples, shows you how to use this new environment for ABAP development. It walks through how to set up the development environment, how to use the development tools to create a back-end service, and how to enable the newly created back-end service for consumption by an SAP Fiori application.

The Architecture of SAP Cloud Platform ABAP Environment

Figure 1 provides an architectural overview of SAP Cloud Platform ABAP environment. Administrators (and developers with the appropriate privileges) can launch SAP Cloud Platform cockpit via their SAP Cloud Platform account and create a new ABAP instance — that is, a complete ABAP stack with an underlying SAP HANA database — in the cloud. The cloud-based ABAP system is then up and running and can be accessed by the Eclipse-based ABAP development tools, which are the standard development tools for SAP Cloud Platform ABAP environment.


Figure 1 — The overall architecture of SAP Cloud Platform ABAP environment


The cloud-based ABAP system is based on the same ABAP kernel used for SAP S/4HANA Cloud 1808. Its primary purpose is to provide a development and runtime environment for SAP Fiori applications that are decoupled from the digital core and optimized for SAP HANA using a RESTful programming model, a services-based approach, and a cloud-optimized ABAP language. While SAP Fiori applications created in the cloud-based ABAP environment are based on the consumption of CDS views that are exposed as services through the OData protocol and presented with corresponding SAP Fiori elements, simple transactions are also supported. The ABAP applications connect to back-end systems through standard protocols such as HTTP and OData. In the initial version of SAP Cloud Platform ABAP environment, these applications can connect to an SAP S/4HANA Cloud back end, and in planned future versions, access to on-premise back ends will be enabled through the Cloud Connector component for SAP Cloud Platform.

It is important to note that with SAP Cloud Platform ABAP environment, SAP Fiori is the only supported user interface (UI) technology — SAP GUI and Web GUI are strictly prohibited, since screen processing is not ideal for the cloud. In addition, unlike in the on-premise ABAP stack, the ABAP development tools do not call any embedded SAP GUI tools in SAP Cloud Platform ABAP environment. All tool access in SAP Cloud Platform ABAP environment is done with the native Eclipse plug-ins available at

SAP Cloud Platform ABAP environment is embedded into the Cloud Foundry environment of SAP Cloud Platform, which allows ABAP applications to use other services of SAP Cloud Platform, such as SAP Leonardo. The traditional change and transport concept is still in place from a logical perspective, meaning that you can develop an ABAP application in one system and then transport it into a test or productive system, for example. However, in contrast to the on-premise world, where transport requests are exported to the central directory of a landscape (typically under /usr/sap/trans) and then imported into the target system, in SAP Cloud Platform ABAP environment, the transport requests are exported in readable format to a Git repository. This enables you, for example, to export the same ABAP artifact in different versions, which is not possible in the traditional on-premise world. With this approach, Git-aware tools that support continuous integration and delivery can benefit from the source representation in Git, making the ABAP world more open to cloud innovations.

So, what does development look like in SAP Cloud Platform ABAP environment? Let’s take a look.

Setting Up the Environment

To give you an idea of how development works in SAP Cloud Platform ABAP environment, we will walk through how to develop an ABAP back-end service for consumption in an SAP Fiori application. Before we start our development work, however, we must set up the development environment by creating an ABAP instance in SAP Cloud Platform and creating a project in the Eclipse IDE.

Create an ABAP Instance with SAP Cloud Platform Cockpit

The first task is for an administrator — or a developer with the appropriate privileges — to create an ABAP instance. The Service Marketplace within SAP Cloud Platform cockpit lists all the available services, including SAP Cloud Platform ABAP environment, which is listed as ABAP System (see Figure 2). Clicking on ABAP System displays a list of already active ABAP instances that you have started in your SAP Cloud Platform account (see Figure 3). You can create a new ABAP system by clicking on New Instance. In the example, we have created the instance TechEd App Center.


Figure 2 — The Service Marketplace in SAP Cloud Platform cockpit lists the available services


Figure 3 — Selecting the ABAP System service displays a list of already active ABAP instances as well as the option to create a new instance


Create an ABAP Cloud Project in Eclipse

Next, we need to create an SAP Cloud Platform ABAP environment development project using the Eclipse IDE. You will find this task fairly easy if you are familiar with using the Eclipse-based ABAP development tools for on-premise ABAP development, since SAP Cloud Platform ABAP environment uses the same set of tools. Cloud development is simply carried out in a new Eclipse project perspective: ABAP Cloud Project.

In the Eclipse IDE, create an ABAP Cloud Project by following the menu path New > Project and selecting the corresponding wizard (see Figure 4). Then configure the system connection to the Cloud Foundry environment for SAP Cloud Platform. First, select a “region” — that is, where your cloud provider runs the data center you want to work with (see Figure 5). (While initially only the Amazon Web Services cloud provider in the Frankfurt region is supported, additional regions and cloud providers will become available in the future.) Then enter the credentials for your SAP Cloud Platform account.


Figure 4 — Create an ABAP Cloud Project


Figure 5 — Configure the system connection to the Cloud Foundry environment for SAP Cloud Platform


Next specify the instance details, including the Cloud Foundry organization and space, and select the ABAP instance to use for the connection from the drop-down list of available instances that were displayed in SAP Cloud Platform cockpit (see Figure 6). For the example, we select the instance TechEd App Center.


Figure 6 — Specify the ABAP instance to use for the connection


Log in to your ABAP back end — TechEd App Center in the example — using your SAP Cloud Platform credentials (see Figure 7). The system responds with a URL for the ABAP back end, which will be used to identify your back-end connection (see Figure 8).


Figure 7 — Log in to the ABAP back end


Figure 8 — The configured connection includes a URL for the ABAP back end that will be used to identify your back-end connection


You can then name your project (P15_Dev in the example) and add a favorite package to contain your local development objects — for the example, we choose the predefined package ZLOCAL for local development (see Figure 9). Clicking on Finish takes you to the familiar Project Explorer overview in the Eclipse IDE workspace, which now includes your newly created project and the package for local development (see Figure 10). From this point on, your development work will be similar to any other project that uses the Eclipse-based ABAP development tools.


Figure 9 — Add a package to contain local development objects


Figure 10 — The Project Explorer overview in the Eclipse IDE workspace includes the newly created project and the package for local development


When you next log in, you can select your development project by simply logging in to the ABAP back end — just click on the project name in the Eclipse IDE and log in with your credentials — without the need to drill down from the Amazon Web Services data center in Frankfurt.

Using the Development Tools

With the ABAP Cloud Project configured, we’re now ready to start our development work. Here, we’ll create an ABAP back-end service for consumption in an SAP Fiori application using the well-known flight example to demonstrate the steps in the development environment. Before beginning the development tasks, however, it is important to understand that with SAP Cloud Platform ABAP environment, the ABAP language has been optimized for cloud operations, meaning that certain language elements that have been used in on-premise development are no longer allowed.

To help ensure smooth operations in the cloud, the Released Objects node in the Project Explorer navigation tree lists all the whitelisted objects available for development use in SAP Cloud Platform ABAP environment, including APIs, CDS views, and dictionary objects (see Figure 11). This list contains important ABAP classes for the ABAP runtime environment and various dictionary elements. It is important to note that tables are not included as whitelisted objects, which means that an ABAP statement referring to a standard ABAP table will cause a syntax error. You must use a whitelisted API to access any underlying tables. This approach is different from ABAP on premise, where you can access almost any ABAP repository element, even if it was never intended for use in custom code.


Figure 11 — The Released Objects node in the Project Explorer navigation tree lists all the whitelisted objects available for development in SAP Cloud Platform ABAP environment


With SAP managing the cloud-based environment — and not the customer, as in on-premise deployments — all upgrades, patches, and hotfix collections are applied independently of the customer’s project at predefined maintenance intervals, which are kept as short as possible to provide maximum availability of the cloud environment. For cloud operations, this means that custom code must strictly adhere to the whitelisted objects, which are managed in a compatible way so that the customer can continue with development or production uninterrupted by maintenance. In an on-premise environment, a customer would execute transaction SPAU (Process After Upgrade) to adjust any custom code to the new SAP repository version. In cloud environments, this approach is simply unacceptable.

SAP will extend the whitelist based on customer and partner demand, but to keep ABAP innovation up to speed, not all legacy frameworks can be moved to the cloud. This is similar to Java, where frameworks such as Web Dynpro could not be moved to SAP Cloud Platform and were instead replaced with SAP Fiori and SAPUI5.

With these guidelines in mind, let’s now begin our development work, which starts with creating a package to contain our development objects.

Create an ABAP Package to Contain the Development Objects

First, create an ABAP package in your ABAP Cloud Project (the P15_Dev project in the example) that will contain all the artifacts for the ABAP back-end service. In the Project Explorer navigation tree in the Eclipse IDE workspace, right-click on the ZLOCAL package you added for local development, which will serve as the superpackage for the new package, and select ABAP Package to start the wizard. Name the package Z_MYFLIGHTS, add a description, and specify a package type (see Figure 12).


Figure 12 — Define an ABAP package to contain all the artifacts for the ABAP back-end service


Create a Database Table to Hold the Data

Next, create a database table by right-clicking on the newly created package (Z_MYFLIGHTS), selecting ABAP Repository Object, and choosing Database Table from the list of Dictionary tools (see Figure 13). Enter a name (ZFLIGHTS) and description for the table (see Figure 14).


Figure 13 — Choose the Database Table tool to create the database table


Figure 14 — Define the database table


The ZFLIGHTS table now appears in the Project Explorer navigation tree and is displayed in the table editor within the Eclipse IDE workspace (see Figure 15), which replaces the former ABAP dictionary transaction (SE11). Note that with SAP Cloud Platform ABAP environment, all ABAP artifacts are represented by native Eclipse editors within the workspace.


Figure 15 — The ZFLIGHTS table displayed in the table editor within the Eclipse IDE workspace
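The article does not reproduce the table source shown in the editor. The following is an added example, not SAP's code, of what the DDL source of ZFLIGHTS could look like; the field list is an assumption modelled on SAP's classic flight data.

```abap
@EndUserText.label : 'Flights (added example, assumed fields)'
@AbapCatalog.enhancement.category : #NOT_EXTENSIBLE
@AbapCatalog.tableCategory : #TRANSPARENT
@AbapCatalog.deliveryClass : #A
@AbapCatalog.dataMaintenance : #RESTRICTED
define table zflights {
  key client        : abap.clnt not null;    // client-dependent, filled by Open SQL
  key carrier_id    : abap.char(3) not null; // airline code, e.g. 'LH'
  key connection_id : abap.numc(4) not null; // flight number
  key flight_date   : abap.dats not null;
  @Semantics.amount.currencyCode : 'zflights.currency_code'
  price             : abap.curr(15,2);
  currency_code     : abap.cuky;
  plane_type        : abap.char(10);
  seats_max         : abap.int4;
  seats_occupied    : abap.int4;
}
```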


Develop a Console Application to Populate the Database Table

To spool some data into the new ZFLIGHTS database table, we need to develop a console application, which is similar to a traditional ABAP report in the on-premise world. The console application is essentially an ABAP class that performs some actions — in the example, it performs database insert operations — and writes messages to the console.

To create the class, right-click on the ABAP package, select ABAP Class to start the wizard, and then enter a name (Z_LOADFLIGHTS) and description for the class (see Figure 16). The class is now included in the Project Explorer and displayed in the editor within the Eclipse IDE workspace (see Figure 17). The class uses the previously defined table ZFLIGHTS and creates database records from an internal table called it_flights, which is defined by the data declaration statement. Running this class (by pressing F9) inserts data into the ZFLIGHTS table (see Figure 18).


Figure 16 — Define an ABAP class for spooling data into the database table


Figure 17 — The Z_LOADFLIGHTS class displayed in the editor within the Eclipse IDE workspace


Figure 18 — Running the Z_LOADFLIGHTS class inserts data into the ZFLIGHTS table
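The source of Z_LOADFLIGHTS is not shown in the article. This added example, not SAP's own code, is one way to write the console application, assuming ZFLIGHTS has the key fields carrier_id, connection_id and flight_date plus price, currency_code, plane_type, seats_max and seats_occupied; the flight rows are constructed sample data.

```abap
CLASS z_loadflights DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    " Console application: run with F9, output goes to the ADT console
    INTERFACES if_oo_adt_classrun.
ENDCLASS.

CLASS z_loadflights IMPLEMENTATION.
  METHOD if_oo_adt_classrun~main.
    " Constructed sample rows; the client key field is supplied by Open SQL
    DATA it_flights TYPE STANDARD TABLE OF zflights WITH EMPTY KEY.
    it_flights = VALUE #(
      ( carrier_id = 'LH' connection_id = '0400' flight_date = '20181001'
        price = '599.00' currency_code = 'EUR' plane_type = 'A380'
        seats_max = 500 seats_occupied = 420 )
      ( carrier_id = 'LH' connection_id = '2402' flight_date = '20181001'
        price = '149.00' currency_code = 'EUR' plane_type = 'A320'
        seats_max = 180 seats_occupied = 92 )
      ( carrier_id = 'AA' connection_id = '0017' flight_date = '20181002'
        price = '799.00' currency_code = 'USD' plane_type = '747-400'
        seats_max = 400 seats_occupied = 350 ) ).

    " Start from an empty table so the class can be re-run without key clashes
    DELETE FROM zflights.
    INSERT zflights FROM TABLE @it_flights.
    IF sy-subrc <> 0.
      ROLLBACK WORK.
      out->write( 'Insert failed, no rows written' ).
      RETURN.
    ENDIF.
    COMMIT WORK.

    " Read back what is now in the table and report it on the console
    SELECT COUNT( * ) FROM zflights INTO @DATA(lv_count).
    out->write( |{ lv_count } rows in ZFLIGHTS| ).

    SELECT carrier_id, connection_id, flight_date FROM zflights
      ORDER BY carrier_id, connection_id, flight_date
      INTO TABLE @DATA(lt_check).
    out->write( lt_check ).
  ENDMETHOD.
ENDCLASS.
```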


When developing an application in SAP Cloud Platform ABAP environment, keep in mind that statements that violate the previously mentioned whitelist, such as dynamic SQL, will raise a syntax error. When SAP Cloud Platform ABAP environment has more comprehensive runtime checks, some of the dynamic capabilities in ABAP will again be released, but as with the whitelist approach, the philosophy is to start small and extend the cloud capabilities step by step.

Define a CDS View to Retrieve Data from the ABAP Back End

Now that we have a base table for the CDS definition, we can define a CDS view that retrieves data from the ABAP back end (the ABAP instance TechEd App Center specified earlier) — in the example, it selects LH flights. To create the CDS view, right-click on the ABAP package, select ABAP Repository Object, and choose Data Definition from the list of Core Data Services tools (see Figure 19). Enter a name (ZLHflights) and description for the view (see Figure 20). The code for the CDS view is then displayed in the editor within the Eclipse IDE workspace (see Figure 21), where the developer defines the required fields and restricts the data from the base table simply with a corresponding where clause.


Figure 19 — Choose the Data Definition tool to create the CDS view


Figure 20 — Define the CDS view for retrieving data from the ABAP back end


Figure 21 — The ZLHflights CDS view displayed in the editor within the Eclipse IDE workspace


Create a Service Definition to Expose the CDS View

To expose the CDS view through OData, you must create a service definition — right-click on the ABAP package, select ABAP Repository Object, and then choose Service Definition from the list of Business Services tools (see Figure 22). Enter a name (ZFlightservice) and description (see Figure 23). The code for the service definition is displayed in the editor within the Eclipse IDE workspace, where the developer specifies the CDS views to be exposed (see Figure 24). While the service definition corresponds roughly to the @OData.publish: true annotation well known in the on-premise world, with SAP Cloud Platform ABAP environment, you need to define the nature of your service more precisely using a service binding.


Figure 22 — Choose the Service Definition tool to create a service definition


Figure 23 — Define the service definition for exposing the CDS view


Figure 24 — The ZFlightservice service definition displayed in the editor within the Eclipse IDE workspace


OData comes in two different versions, which both support application-to-UI communication and application-to-application communication. To enable an application-to-UI communication for the example, we create a service binding based on the version 2 specification by right-clicking on the ABAP package and selecting Service Binding from the list of Business Services tools. Name the binding (ZFLIGHTBINDING), provide a description, and associate the newly created flight service (ZFLIGHTSERVICE), as shown in Figure 25.
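The article shows neither the source of the data definition ZLHflights (Figures 20 and 21) nor that of the service definition ZFlightservice (Figure 24) that the binding ZFLIGHTBINDING points to. As an added example, not SAP's own code, here are the two DDL sources as they would be written in two separate source objects, assuming ZFLIGHTS has the fields carrier_id, connection_id, flight_date, price, currency_code, plane_type, seats_max and seats_occupied; the SQL view name and the entity set name are assumptions.

```abap
// ===== Data definition ZLHflights (first DDL source object) =====
@AbapCatalog.sqlViewName: 'ZLHFLIGHTSV'          // generated DDIC view name, max. 16 characters
@AbapCatalog.compiler.compareFilter: true
@AccessControl.authorizationCheck: #NOT_REQUIRED // demo only: no access control (DCL) is enforced;
                                                 // use #CHECK plus an access control for real data
@EndUserText.label: 'LH flights'
define view ZLHflights as select from zflights {
  key carrier_id    as CarrierId,
  key connection_id as ConnectionId,
  key flight_date   as FlightDate,
  @Semantics.amount.currencyCode: 'CurrencyCode'
  price             as Price,
  @Semantics.currencyCode: true
  currency_code     as CurrencyCode,
  plane_type        as PlaneType,
  seats_max         as SeatsMax,
  seats_occupied    as SeatsOccupied,
  // derived field: free seats, computed in the database
  seats_max - seats_occupied as SeatsFree
}
where carrier_id = 'LH'   // the where clause that restricts the base table to LH flights

// ===== Service definition ZFlightservice (second source object) =====
@EndUserText.label: 'Flight service'
define service ZFlightservice {
  // Entity set name as it appears in the OData metadata of the published binding
  expose ZLHflights as Flights;
}
```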


Figure 25 — Define the service binding to enable application-to-UI communication


Next, in the editor pane within the Eclipse IDE workspace, publish the service by clicking on Publish Locally, which populates the fields under Binding Type Information in the editor pane (see Figure 26). The information includes an executable URL that shows the metadata of the OData service. A preview functionality is planned for a future version that will enable you to examine the data provided by the service independently of a concrete UI client.


Figure 26 — Publish the service in the editor pane within the Eclipse IDE workspace


Create a Communication Scenario to Provide Authentication

The final ABAP development task required to make the service ready for use is to create a communication scenario. Right-click on the ABAP package, select ABAP Repository Object, and choose Communication Scenario from the list of Communication Management tools (see Figure 27). Name the communication scenario (ZFLIGHTCOMM) and provide a description (see Figure 28).


Figure 27 — Choose the Communication Scenario tool to create the communication scenario


Figure 28 — Define the communication scenario for authenticating with the back-end service


Next, in the editor pane within the Eclipse IDE workspace, specify the authentication and authorization for the communication scenario in the Inbound Settings on the Inbound tab (see Figure 29). For simplicity, we use basic authentication (that is, user name and password) for the example. The role is assigned automatically. We then add an inbound service for the communication scenario (ZFLIGHTBINDING_IWSG), which is derived from our flight service binding (see Figure 30). The communication scenario can then be published on the Overview tab in the editor pane, which adds the service details to the Inbound Service fields on the Inbound tab (see Figure 31).


Figure 29 — Specify the authentication and authorization for the communication scenario


Figure 30 — Add an inbound service to the communication scenario


Figure 31 — Publish the communication scenario


Enabling Access to the ABAP Back End

With the ABAP development steps complete, there are just two tasks that remain to enable access to the ABAP back end and make the service ready for consumption:

  • An administrator must configure communication with the service
  • The developer must create an SAP Fiori template that consumes the service

It is useful for developers to understand the mechanics of the administrative tasks described here — in particular, because the settings contain information required for creating the SAP Fiori template.

Configure Communication with the Service

To make the service available for consumption, several administrative tasks are required. Instead of using the ABAP development tools, the administrator uses SAP Fiori launchpad, which contains tiles for the administrative tasks (see Figure 32). First, the administrator must configure a communication user that logs on to the ABAP back end (the TechEd App Center ABAP instance) and executes the flight service returning the LH flights. Enter a user name (P15_WEBIDE in the example), a description, and a password (see Figure 33).


Figure 32 — The SAP Fiori launchpad for administrative tasks


Figure 33 — Configure a communication user to log in to the ABAP back end


Next, to handle the inbound and outbound communication, a communication system must be defined — in the example, with WEBIDE_BASIC as the system ID and name (see Figure 34) — that describes the ABAP back end (see Figure 35).


Figure 34 — Specify the system ID and name for the communication system


Figure 35 — The completed communication system definition


Lastly, a communication arrangement is defined, named ZFLIGHTCOMM in the example (see Figure 36), that bundles together the communication user and communication system (see Figure 37). Note that the communication arrangement contains the URL that identifies the service (ZFLIGHTBINDING), which will be used in the SAP Web IDE project when creating the SAP Fiori template to consume the service.


Figure 36 — Define the communication arrangement


Figure 37 — The completed communication arrangement definition


Create an SAP Fiori Template to Consume the Service

The final task is to create an SAP Fiori template that consumes the service using SAP Web IDE, which is an SAP Cloud Platform service for the Neo environment. Remember that SAP Cloud Platform ABAP environment is a service for the Cloud Foundry environment — for this reason, we use SAP Web IDE Full-Stack, which can access Cloud Foundry services and is accessible via SAP Cloud Platform cockpit.

First, in SAP Cloud Platform cockpit, define a destination that provides access to the ABAP back end. Specify the destination information, including a name (P15_WEBIDE_BASIC in the example), the URL from the communication arrangement definition, and the corresponding communication user defined previously (see Figure 38).


Figure 38 — Define the destination that provides access to the ABAP back end


Next, select New Project from Template on the start screen of SAP Web IDE (see Figure 39).


Figure 39 — To create a new project, select New Project from Template on the SAP Web IDE start screen


Name the project — Flights in the example (see Figure 40) — and specify the service URL from the communication arrangement definition that represents the LH flights, which will display the metadata of your service (see Figure 41).


Figure 40 — Name the project


Figure 41 — Specify the service URL, which will display the metadata of the service in the application


Specify the OData collection — the CDS view created earlier, ZLHflights (see Figure 42) — and generate the project.


Figure 42 — Specify the CDS view created earlier as the OData collection


The components of the finished project are shown in the Project Explorer of SAP Web IDE (see Figure 43). From there, you can launch the application, which retrieves the data and displays it in a list report template (see Figure 44).


Figure 43 — The components of the finished project in the Project Explorer of SAP Web IDE


Figure 44 — The application retrieves the data and displays it as a list report



SAP Cloud Platform ABAP environment is available as of September 2018 and is priced in two dimensions: ABAP memory and SAP HANA memory. The minimal setup is a 16GB ABAP application server running on a 64GB SAP HANA database, which is €3,000 per month per customer. Customers can choose between subscription billing and pay-per-use billing, similar to other services offered through SAP Cloud Platform.

With SAP Cloud Platform ABAP environment, SAP customers and partners have the opportunity to move their ABAP skills and assets to the cloud. Cloud operation requires stricter compatibility rules compared to on-premise ABAP development, but the benefits are significant and include access to innovative ABAP capabilities on top of SAP HANA. The development tools are fully based on the user-friendly Eclipse IDE, and the development environment can be used to extend SAP S/4HANA Cloud as well as recent on-premise installations of SAP S/4HANA and SAP Business Suite (version 7.0 of SAP NetWeaver and higher), enabling you to use your existing ABAP expertise together with cloud innovation to tap into a new world of opportunity.

Karl Kessler

Karl Kessler ( joined SAP SE in 1992. He is the Vice President of Product Management ABAP Platform — which includes SAP NetWeaver Application Server, the ABAP Workbench, the Eclipse-based ABAP development tools, and SAP Cloud Platform ABAP environment — and is responsible for all rollout activities.

Southwire Powers Up with Analytics to Redesign User Roles

Wire and Cable Manufacturer Reduces Segregation-of-Duties Conflicts and Improves Roles by Leveraging Insights from SAP User Transaction Histories


by Heather Black, Senior Editor, SAPinsider


Successful companies are often built on a simple idea: Make life better for ordinary people. Southwire Company, LLC, was founded on this premise. Due to post-war wire shortages in the late 1940s, many rural farming families were living without electricity. With a mission to bring power to rural families living in Carroll County, Georgia, Southwire’s 12 employees started producing wire using second-hand machinery in 1950. Nearly 70 years later, the family-owned business has become a leading manufacturer of wire and cable in North America with 7,500 employees in over 30 locations across the US and beyond, including Canada and Mexico.

Southwire manufactures and sells wire and cable products for the distribution and transmission of electricity — from the power plant to the outlets in a residential home — and the depth and breadth of its products make the company unique in its industry. Its offerings include high voltage cable for overhead and underground transmission, wires for manufacturing machinery, and wiring for light fixtures in homes and office buildings.

To support its operations and processes, Southwire has maintained an SAP solution landscape since 2010, which began with the implementation of SAP Treasury and Risk Management to manage the high volume of copper going through its rod mill. It has since expanded to include other solutions, such as SAP Business Warehouse, SAP Process Integration, the SAP BusinessObjects Business Intelligence suite, SAP SuccessFactors solutions, and SAP Hybris applications. Anchoring this SAP environment is SAP ERP, which is used by all of the company’s business divisions to enable processes such as order to cash, plan to inventory, and procure to pay. As its use of technology has increased, user access across technologies and business functions has become both a key to operational efficiency and, if poorly managed, a material and unacceptable risk.

In a sizable and growing business such as Southwire, where large numbers of users access a variety of applications and information daily, avoiding segregation-of-duties (SoD) conflicts is critical to ensure regulatory compliance, prevent errors, and avoid fraud. Identifying existing user access risk due to SoD conflicts in its SAP landscape became a pressing mandate for Southwire’s IT Center of Excellence team in early 2017, when it was tasked by the company’s board to minimize and mitigate SoD conflicts across the organization.

Driven by this directive, the IT team embarked on a multi-phased project aimed at understanding the scope of the issue, identifying conflicts, mitigating risks, automating user provisioning, making support operations more efficient, and improving the role catalog. The project started with an investigation phase to first gain a full picture of the issue, which was followed by a planning phase to determine what the solution should look like, an implementation phase, and finally a continuous improvement program that would systematically analyze and improve role designs. Analytics were critical to each stage and continue to play an important part in Southwire’s access management strategy.

Getting Plugged In

To initially scope the project, Southwire implemented the Separations Enforcer application from Security Weaver to identify and manage SoD conflicts in its SAP ERP system. (For more information about Security Weaver, see the sidebar at the end of the article.)

Separations Enforcer enabled Southwire to do a rapid yet thorough analysis of its SAP landscape for SoD conflicts and sensitive access risks with reports that were readable and comprehensive. The solution was also able to handle custom transactions because of its advanced pattern-matching capability, which extends its analytics beyond explicitly defined SoD rules to automatically discover SoD-relevant custom transactions that have not yet been included in the SoD ruleset.

“Previously, we had no tool in the legacy systems that would identify the number of SoD conflicts, and we had no means of reporting on them,” says Chris Easterwood, Vice President of Southwire’s IT Center of Excellence. The reports generated by Separations Enforcer revealed a surprising number of conflicts — approximately 10,000 — and when the company’s board saw the results, it passed down another directive to the IT team to address these conflicts.

To understand how to mitigate or remove a conflict, the team needed a way to look in depth at what transactions each user was exercising in the system. In the second quarter of 2017, Southwire selected Security Weaver’s Transaction Archive application to accomplish this task. Transaction Archive provided Southwire with detailed SAP transaction code execution histories that could be filtered by user, transaction, time period, user group, and other criteria. It not only showed which users were using which transactions, it also showed what transactions were being exercised in a role across the population of users who had the role. In addition to role and user analytics, Transaction Archive discovers and monitors Remote Function Calls (RFCs) within the SAP system to improve security across the integrated landscape.

The decision to go with Transaction Archive was an easy one because of its rich analytics. It also integrated easily with other Security Weaver solutions in use at Southwire as well as with the core SAP ERP system. “We decided to pursue Transaction Archive to help us better understand our past and present user activity and provide that information in a meaningful report for IT and for the business,” says Bryan Mann, Manager of SAP Basis and Security in Southwire’s IT Center of Excellence.

The in-house IT team implemented Transaction Archive within a day across Southwire’s global SAP instance using the standard change management functionality within the SAP system. The solution went live throughout the company’s SAP landscape, covering all of its SAP users, in August 2017.

Shining a Light on User Roles

Since that time, Southwire has successfully utilized Transaction Archive to optimize roles and improve security. The reports generated by Transaction Archive have enabled Southwire to:

Analyze user transaction history, including which transactions were executed and by which users, how often they were executed and in what sequence, and when the transactions were used
Evaluate role efficiency in terms of how roles are used — such as what percentage of users have exercised each transaction in a role — to ensure that the roles are not bloated with access rights
Identify unused roles and then remove those roles to improve the user experience and reduce SoD conflicts

The data provided by Transaction Archive has made it possible for the IT team to redesign and optimize roles. “Previously, we managed roles manually based on what we thought users would need,” says Mann. “Transaction Archive makes the process more intelligent — it allows us to design our roles around what the users are actually doing.”

Using Transaction Archive and Separations Enforcer together enabled the IT team to significantly reduce conflicts, from approximately 10,000 to fewer than 1,000. For example, an SoD analysis of Southwire’s finance group using Separations Enforcer revealed several conflicts among users. “When we looked at those particular users in Transaction Archive, we discovered that they never actually used the transactions causing the conflicts,” says Easterwood. By changing the roles for these users and taking away rights to transactions they didn’t use, the IT team was able to reduce the number of SoD conflicts without affecting user productivity.

“Once we did that, many of the SoD conflicts that had been on the report simply disappeared,” adds Easterwood, “and we were left with just the SoD conflicts for transactions that were actually being used, which we could easily monitor going forward.”

The sales group was another area with SoD conflicts. Once Separations Enforcer identified the conflicted users, Transaction Archive enabled the sales group and the IT team to see what authorizations sales administrators were exercising. Then, using that information, the IT team was able to reduce the number of conflicts by redesigning user roles in a targeted way. For example, some users were viewing data using a transaction that allowed changes to the data when a display-only transaction would have sufficed. “Knowing this enabled us to remove access that would allow them to change something when all they needed was to display it,” says Easterwood.
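The analysis the bullet list above and the finance and sales examples describe can be reproduced from an execution-history extract. The following is an added example, not Security Weaver's, Southwire's, or SAP's code. It assumes the history has been reduced to (user, transaction code, timestamp) rows, the shape an STAD or ST03N extract boils down to, and that the roles, role assignments, SoD rules, and history are the constructed data embedded in the block; the role, user, and rule names are hypothetical. It separates SoD conflicts whose transactions were actually exercised from dormant ones that can be removed without affecting productivity, reports per-transaction usage within a role, finds roles nobody uses, and flags change transactions that could be downgraded to their display-only twin.

```python
"""Role-usage and SoD triage over constructed SAP transaction-history data.
Added example, not Security Weaver or Southwire code; all data is constructed."""
from collections import Counter, defaultdict

# Role -> transaction codes (tcodes) it grants. Hypothetical roles.
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "FK03", "FB60", "F110"},
    "Z_SALES_ADMIN": {"VA01", "VA02", "VA03", "VK12"},
    "Z_LEGACY_REPORTS": {"S_ALR_87012357"},
}
# User -> assigned roles. Hypothetical users.
USER_ROLES = {
    "ALICE": {"Z_AP_CLERK"},
    "BOB": {"Z_AP_CLERK", "Z_LEGACY_REPORTS"},
    "CAROL": {"Z_SALES_ADMIN"},
    "DAVE": {"Z_SALES_ADMIN"},
}
# SoD ruleset: rule id -> pair of tcodes one user must not hold together.
# Illustrative only; a production ruleset is larger and audit-approved.
SOD_RULES = {
    "AP01": ("FK01", "F110"),  # create vendor master + run payment run
    "AP02": ("FK02", "F110"),  # change vendor master + run payment run
    "SD01": ("VA01", "VK12"),  # create sales order + maintain pricing conditions
}
# Change tcode -> display-only twin, used by the downgrade heuristic.
DISPLAY_TWIN = {"FK02": "FK03", "VA02": "VA03"}
# Constructed execution history as (user, tcode, timestamp). Not real data.
HISTORY = [
    ("ALICE", "FB60", "2017-08-01T09:01"), ("ALICE", "F110", "2017-08-01T09:30"),
    ("ALICE", "FB60", "2017-08-02T10:15"), ("BOB", "FK01", "2017-08-01T08:45"),
    ("BOB", "FK02", "2017-08-03T11:00"), ("BOB", "F110", "2017-08-03T11:20"),
    ("CAROL", "VA01", "2017-08-01T14:00"), ("CAROL", "VA03", "2017-08-02T14:05"),
    ("DAVE", "VA03", "2017-08-01T15:00"), ("DAVE", "VA03", "2017-08-04T15:30"),
]


def effective_tcodes(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of tcodes granted by every role assigned to the user."""
    return set().union(*(roles[r] for r in user_roles.get(user, ())))


def exercised(history=HISTORY):
    """user -> Counter of tcodes the user actually executed."""
    used = defaultdict(Counter)
    for user, tcode, _ts in history:
        used[user][tcode] += 1
    return used


def sod_conflicts(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """user -> [(rule_id, tcode_a, tcode_b)] for every rule the user's access violates."""
    found = defaultdict(list)
    for user in user_roles:
        granted = effective_tcodes(user, user_roles, roles)
        for rule_id, (a, b) in rules.items():
            if a in granted and b in granted:
                found[user].append((rule_id, a, b))
    return dict(found)


def triage_conflicts(conflicts, used):
    """Split conflicts into live (both tcodes executed) and dormant (at least one
    never executed). Dormant ones disappear by removing the unused tcode; live
    ones need a mitigating control and ongoing monitoring."""
    live, dormant = defaultdict(list), defaultdict(list)
    for user, items in conflicts.items():
        for rule_id, a, b in items:
            unused = [t for t in (a, b) if used[user][t] == 0]
            (dormant[user].append((rule_id, unused)) if unused
             else live[user].append(rule_id))
    return dict(live), dict(dormant)


def conflict_counts(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES, history=HISTORY):
    """(conflicts before, conflicts left after dormant ones are removed)."""
    conflicts = sod_conflicts(user_roles, roles, rules)
    live, _ = triage_conflicts(conflicts, exercised(history))
    return (sum(map(len, conflicts.values())), sum(map(len, live.values())))


def role_usage(role, user_roles=USER_ROLES, roles=ROLES, history=HISTORY):
    """tcode -> percentage of the role's holders who executed it (0 means bloat)."""
    used = exercised(history)
    holders = [u for u, rs in user_roles.items() if role in rs]
    if not holders:
        return {}
    return {t: round(100 * sum(used[u][t] > 0 for u in holders) / len(holders))
            for t in sorted(roles[role])}


def unused_roles(user_roles=USER_ROLES, roles=ROLES, history=HISTORY):
    """Roles none of whose tcodes any holder executed (unassigned roles included)."""
    used = exercised(history)
    return sorted(r for r, tcodes in roles.items()
                  if not any(used[u][t] for u, rs in user_roles.items()
                             if r in rs for t in tcodes))


def display_downgrade_candidates(user_roles=USER_ROLES, roles=ROLES,
                                 history=HISTORY, twins=DISPLAY_TWIN):
    """(user, change_tcode, display_tcode) where the user holds a change tcode,
    never ran it, and did run its display twin. Heuristic only: tcode history
    cannot show whether a VA02 session saved a change; check change documents."""
    used = exercised(history)
    return [(u, chg, disp) for u in sorted(user_roles)
            for chg, disp in twins.items()
            if chg in effective_tcodes(u, user_roles, roles)
            and used[u][chg] == 0 and used[u][disp] > 0]


if __name__ == "__main__":
    live, dormant = triage_conflicts(sod_conflicts(), exercised())
    print("live:", live, "\ndormant:", dormant)
    print("conflicts before/after:", conflict_counts())
    print("Z_AP_CLERK usage:", role_usage("Z_AP_CLERK"))
    print("unused roles:", unused_roles())
    print("downgrade candidates:", display_downgrade_candidates())
```

On the constructed data the triage reproduces the pattern the finance example describes: six granted conflicts shrink to two once the transactions nobody executed are removed, and only the live pair (a user who really did both create vendors and run payments) is left to monitor. The history window matters; a transaction used once a year at period close will look dormant in a two-month extract, so pick a window that covers every business cycle before removing access.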

Connecting with the Business

Separations Enforcer and Transaction Archive also enabled the IT team to better partner with business users — a critical step in mitigating SoD conflicts. The IT team worked with the business side to review what their users were accessing, the transactions they were executing, and the transactions they never used.

“With Transaction Archive, we were able to communicate with the business exactly which transactions their users were actually using, and which transactions could be better used either by a different department or by other resources available in the company,” says Mann. “We also used that information to help the business to better define their processes.”

Because IT and the business are the core users of analytics from Transaction Archive at Southwire, with the business users usually serving as the final approvers for SoD mitigation, it was important that the tool was easy to use for both teams. “We provided a one-hour workshop for each of the functional areas on how to use the product,” adds Mann, “and after that, with just a few questions here or there, most of the business users were proficient.” Sharing the workload across IT and business users has been a critical success factor for access management at Southwire.

Wired for Success

The Transaction Archive tool has become an integral part of Southwire’s SAP environment, according to Mann, and is used daily by IT and business users. The ability to quickly and easily see exactly what users have been doing in the system, and have it presented in a consolidated, meaningful report, has yielded significant returns — first and foremost by decreasing the overall number of SoD conflicts by more than 90%. “The number one benefit is that by the end of the project, we were able to present a report to the board that reflected a significant reduction in SoD conflicts,” says Easterwood.

Other benefits produced by the project have been time and cost savings, including reducing the time it takes to investigate conflicts from days to minutes. “It is a lot simpler to get to the information that we need,” Easterwood reports, “and it takes less time to review what users are doing in the system than anything we’ve had in the past.” The team was also able to use its existing resources to implement, administer, and manage the tool, as well as review and respond to reports, saving the company from having to spend money on additional resources, which would have cost more than $100,000 per year. “It limited the resources we needed to work on the project,” adds Mann.

In addition to enabling the IT team to efficiently address immediate access risks, the visibility into user activities provided by the tool has helped IT and the business make progress toward its overall goal of building better roles for users. “It gives us insight into how the system is being used, and we can then take that information and make better decisions about how roles should be designed,” says Easterwood. The role redesign — which is an iterative process of designing, testing, and adjusting roles before moving them into production — is an ongoing endeavor that will continue over the next few years. “It’s a continual process,” adds Mann, “and Transaction Archive will continue to play a valuable part in the overall project.”

Southwire Company, LLC

Headquarters: Carrollton, Georgia

Industry: Wire and cable manufacturing

Employees: 7,500

Company details:

Founded as Richards and Associates in 1937 by Roy Richards, Sr. in Carroll County, Georgia, as a company to put up power poles and lines for utility companies
Began manufacturing wires and cables in 1950 with 12 employees as Southwire Company to meet the need created by post-war wire shortages
Currently operating in more than 30 locations across the US, Canada, Mexico, and elsewhere
Leading manufacturer of wire and cable in North America

SAP solutions: SAP ERP, SAP Business Warehouse, SAP Process Integration, the SAP BusinessObjects Business Intelligence suite, SAP SuccessFactors solutions, and SAP Hybris solutions

Third-party solutions: Security Weaver Transaction Archive, Separations Enforcer, Secure Provisioning, Authorization Help, Risk Visualizer, and Reset Password

Security Weaver Helps Southwire Control Risk Through SAP User Analytics

Security Weaver partners with organizations to rapidly deliver efficient controls. Its solutions and services satisfy the most demanding enterprises without sacrificing the usability imperatives or ignoring the budget and staff constraints of smaller companies.

Any organization improving the business value of its compliance-related investments can trust Security Weaver to deliver governance, risk, and compliance (GRC) solutions fitted to match its unique requirements and individual technology roadmaps. Security Weaver’s solution architecture ensures superior application performance, rapid implementations across diverse environments, and high returns on compliance-related investments.

Security Weaver provided Southwire with a proven platform for reducing cost and increasing productivity in its SAP environment. Regarding this partnership, Terry Hirsch, CEO at Security Weaver, says, “At Security Weaver, we pride ourselves on offering solutions that can be deployed quickly, scale indefinitely, and support best practices, with low ongoing maintenance requirements. We are pleased to see that Southwire has successfully leveraged our solutions to create a leaner, more efficient enterprise, and to optimize its user management processes.”

Security Weaver also offers automated password reset, role recertification, and role management solutions, as well as GRC implementation services, solutions for transaction monitoring, process auditing, and emergency access management. It offers custom applications to the smallest and largest SAP customers.

Visit for more information.

Accurate and Affordable Data Cleansing in the Cloud

Embed Address Cleansing and Validation Across Your Landscape with SAP Data Quality Management, Microservices for Location Data

High-quality, trusted data is the difference between a company that is surviving in the digital age and one that is thriving. To help customers enhance data management within their own companies, SAP has brought its on-premise data quality expertise to the cloud. Hear how SAP Data Quality Management, microservices for location data, helps businesses with address parsing, standardization, validation, cleansing, and enrichment functionality for global address data through a pay-per-use license model.

This content is available to SAPinsider Members(complimentary).

Robotic Process Automation — Hype or Real Business Value?

Why SAP-Specific RPA Solutions May Be the Fastest Path to ROI

With the digital economy demanding more speed, accuracy, and transparency than ever before, organizations need to rethink business processes and find greater paths to efficiency. Robotic process automation (RPA) helps companies eliminate repetitive data management tasks — such as invoice processing, journal entries, and pricing changes — in exchange for more productive work days. Hear how the right RPA solution can help organizations save time and money while also enabling employees to focus on higher-value work.

This content is available to SAPinsider Members(complimentary).

Rainforest Connection to Use Predictive Analysis to Fight Deforestation and Protect the Global Environment

Non-Profit Tech Startup Enhances Real-Time Detection System with SAP Cloud Platform to Pinpoint Illegal Logging Before It Happens

Deforestation is devastating to Earth's rainforests, and to the planet as a whole: according to a study, it has a greater impact on climate change than the emissions of planes, trains, cars, trucks, and ships combined. With 90% of rainforest logging being done illegally, a massive opportunity opened up for Rainforest Connection, a non-profit organization focused on using technology to combat deforestation. Rainforest Connection teamed up with SAP to analyze data collected by recycled cell phones that monitored the sounds of the rainforest, not only to identify illegal logging as it was happening, but even to predict where a tree could be cut illegally ahead of time, allowing rangers to stop the activity and prevent future deforestation.

This content is available to SAPinsider Premium Members.