SAP Security: Best Practices, Risk, and More

SAP Security is like an extraordinarily complex, multi-person juggling act. You may have seen performances where a couple of people juggle several balls, throwing them between each other while always keeping them in the air. Imagine if that were expanded to include every person in your business and all those balls represented every one of your customers, every item in your inventory, and all of your financial information. With SAP Security in place, every person in your organization has access to the data needed to do their jobs, while access to other areas is restricted. That means there is limited possibility of accidentally damaging or deliberately misusing vital information. This post explores SAP Security, how it mitigates risk, best practices, and more.

Mitigating Risk

SAP Security works by analyzing the different kinds of information your company uses and the people who have access to it, and then building appropriate protections around them. In order to mitigate your risks, you need to establish a baseline. Review who has access to the company’s most sensitive information; what titles do they hold? Then examine your company’s standard operating procedure to determine where protections are most needed. This is where you create a Segregation of Duties (SoD) analysis. It’s also key to think about scenarios outside the norm and plan for those as well. It’s best to include SAP Security in the planning stage; it’s possible to do it after your SAP system is up and running, but security should be integrated from the start. Finally, SAP Security maintains its integrity through regular system-wide assessments, which should also be included and planned for.

Best Practices – General

There are some basic best practices that should be employed with every SAP Security system, and some that apply to the different kinds of SAP systems and modules. With every SAP system, Admins create a standard role for a position (or title) and that can be assigned to anyone who fills it. For instance, your company may have account managers who deal with specific clients. There would be “keys” available for all account managers, and then more specific “keys” for each manager’s clients. That way, every account manager can access all the information necessary for their clients, but not for another account manager’s clients.
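An added example, not code from the post or from 1st Basis, that models the SoD analysis from the Mitigating Risk section and the position-role-plus-client-key pattern described above in Python. The role names, users, customer numbers and conflict rules are constructed; the transaction codes are standard SAP ones.

```python
# Added example, not from the post: Segregation of Duties (SoD) check over a
# constructed SAP-style role model. Roles, users, customers and rules are made
# up; the transaction codes (FK01, F-53, ME21N, MIGO, SU01...) are standard SAP.

# Position roles grant transaction codes; a scoped role is additionally limited
# to the customer "keys" assigned to the individual user.
ROLES = {
    "Z_AP_VENDOR_MASTER": ({"FK01", "FK02"}, False),
    "Z_AP_PAYMENTS": ({"F-53", "F110"}, False),
    "Z_PURCHASER": ({"ME21N", "ME22N"}, False),
    "Z_GOODS_RECEIPT": ({"MIGO"}, False),
    "Z_BASIS_ADMIN": ({"SU01", "PFCG"}, False),
    "Z_ACCOUNT_MGR": ({"VA01", "VA02"}, True),  # scoped by customer keys
}
USERS = {  # user -> (assigned roles, customer keys)
    "jdoe": (["Z_AP_VENDOR_MASTER", "Z_AP_PAYMENTS"], set()),
    "asmith": (["Z_ACCOUNT_MGR"], {"C1001", "C1002"}),
    "bbasis": (["Z_BASIS_ADMIN", "Z_PURCHASER"], set()),
}
# Conflict matrix: activity pairs one person must not hold together.
SOD_RULES = [
    ("maintain vendor + pay vendor", {"FK01", "FK02"}, {"F-53", "F110"}),
    ("create PO + receive goods", {"ME21N"}, {"MIGO"}),
    ("user/role admin + business transactions", {"SU01", "PFCG"},
     {"FK01", "F-53", "ME21N", "MIGO", "VA01"}),
]

def effective_tcodes(user):
    """Union of transaction codes granted through all of the user's roles."""
    return set().union(*(ROLES[r][0] for r in USERS[user][0]))

def sod_violations(user):
    """List (rule, matched left tcodes, matched right tcodes) for each conflict."""
    granted = effective_tcodes(user)
    return [(name, sorted(granted & left), sorted(granted & right))
            for name, left, right in SOD_RULES
            if granted & left and granted & right]

def can_access(user, tcode, customer):
    """True if a role grants tcode and, for scoped roles, the user holds the key."""
    roles, keys = USERS[user]
    return any(tcode in ROLES[r][0] and (not ROLES[r][1] or customer in keys)
               for r in roles)

def sod_report():
    """Users with at least one conflict, for the baseline review."""
    return {u: v for u in USERS if (v := sod_violations(u))}
```

In a real system the role-to-transaction mapping would be pulled from the authorization tables rather than hard-coded, and the conflict matrix would be the one your auditors sign off on.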

Best Practices – SAP HANA

SAP HANA security requires some adaptations from the standard SAP security system. Best practice here means that SAP HANA Security operates on a least-privilege model, which limits the potential damage an employee could cause if given access to more information than the job requires. SAP HANA permissions are implemented differently from general SAP permissions, and HANA also handles objects differently, so it’s important to have someone with expertise in SAP HANA Security. If that is not part of your corporate structure, contracting with the professionals at 1st Basis is a wise choice.

Best Practices – SAP Fiori

Again, implementation of SAP Fiori varies from other SAP systems, and the most important best practice action you can take is to ensure that you are working with someone with a comprehensive understanding of SAP Fiori. There are 9 main security best practices that should be followed when using SAP Fiori. Most businesses are taken up with the actual work of the company, not the SAP system or its security. Employing the experts at 1st Basis is best practice.

When working correctly, SAP Security should be invisible, allowing each member of the company to access the needed information at the appropriate time so that productivity remains high. It’s a juggling act where the balls are always in the air or in the right person’s hands, never breaking the rhythm of the movement, never concealed in a juggler’s pocket, and never on the floor.

“The Inmates Are Running the Asylum” says Alan Cooper, in his seminal work on the topic of user-oriented design concepts, first published in 1999. Cooper, the father of Visual Basic, pioneered the use of “personas” as a design method. Personas are imagined user profiles based on use cases for the system in question. Cooper observed, correctly, that the worst person to design the typical user experience (UX) was a programmer. Back in 1999, coders were serving in that capacity and the result was hard-to-use, clumsy, uninspiring interfaces. To be fair, some of the limitations to UX were due to hardware, technology and cost limits, but today those limitations are no longer extant. The SAP GUI represents the old-school method of interfacing with complex systems—complex interfaces.

SAP has adapted the concept of personas and improved user-oriented design with Fiori and Screen Personas (a stepping stone to Fiori). Both are part of an effort to improve UX for SAP systems for reasons that should be obvious:

  • Increased productivity – faster and direct access to relevant information and applications
  • Transparency on items needing your attention – timely notifications
  • Helps users decide what needs to be done next
  • Allows users to take quick and informed actions
  • Increased user satisfaction

This is not just about pretty interfaces, although interfaces that are pleasing have greater utility as well. The main reason for the push for improved UX from the C-suite is the savings through efficiency. Clicks cost money. So do errors and training. All of these are reduced by better interfaces. Check out this comparison between the GUI and the improved UX of Fiori.

Propel UX, an FBC partner, is one of the SAP UX design firms that are now sought after to cleanly and expertly implement the new UX improvements SAP is making. They believe in a design philosophy that balances desirability (look and feel), feasibility (what can be built) and viability (what it will cost). The bad news about UX enhancements is that there is an overhead to implementation and some to maintenance, but the savings from improved efficiency, multiplied over each user-hour, make a compelling ROI case to justify it. Contact Dharma Subramanian. He will connect the UX dots for you like no one else.

Neptune Software, also an FBC partner, can further expand UX improvement options with a complementary solution to Fiori. Neptune allows you to leverage your ABAP assets and get Fiori apps without the jump to HANA. Their solution boasts the following advantages (working offline among them):

  • Implement Fiori in days
  • Enable ABAP developers
  • Reduce development time 80%
  • 63% reduction in TCO
  • Offline capability
  • Locking Tables
  • Backwards compatible & “future proof”
  • Use existing roles & authorizations
  • Low code, drag and drop development (90% reduction in front-end code)
  • Mobile apps with native capabilities
    • GPS
    • Camera
    • Push Notifications

At an ASUG conference, an SAP official defended the new improvements of Fiori and HANA when confronted with developers who wanted to hang on to their now-obsolete code by saying, “We are building a car, not a faster horse.” Well said.

—David Beiswenger.