Mastering the Fiori frontier: Crafting secure, intuitive spaces and pages in SAP S/4HANA This blog post was authored by Mohammed Abdullahi - Senior Manager, Business Platform Transformation, Gabriella Kirkpatrick - Senior Consultant, Business Application Solutions and Michelle Makuch - Associate Director, Enterprise Application Solutions on Protiviti's technology insights blog.A well-thought-out Fiori spaces and pages approach establishes a foundation for a user-friendly and scalable design that supports a least-privilege access model. When incorporated with security best practices, spaces and pages provide an intuitive experience within the Fiori launchpad in alignment with a business user’s tasks and responsibilities. As SAP S/4HANA users increasingly transition to the Fiori landscape, it is vital that businesses adopt best practices to harmonise their Fiori approach with security. Topics IT Management, Applications and Transformation Digital Transformation Understanding spaces and pages in SAP FioriImagine walking into a home where all the household items are not where they are expected. There are books in the refrigerator, eggs in the washing machine, and a toaster in the bed. That is what a Fiori launchpad is like without an effective spaces and pages design. Fiori spaces and pages provide organisation and structure for the thousands of applications (apps) available from SAP. With a proper design, users are presented with an organised dashboard of apps catered to their job responsibilities, paving the way for efficiency, discovery and productivity in the user experience. Let’s take a closer look at some key considerations when designing spaces and pages with security in mind.Key considerations for spaces and pages designWhen designing Fiori spaces and pages from a security administrator’s perspective, it is essential to align with the business role design. Business roles are security roles that bundle all technical security components required by a user into a business-facing role that can be provisioned to users. Business roles are defined in SAP GRC, which may be a standalone environment or embedded into the S/4HANA system.Fiori spaces serve as a centralised hub of apps that a user would receive access to through a business role assignment.Fiori pages are the individual screens that combine the applications within the Fiori space.To tie these together, space-only security roles are created to house Fiori spaces, which contain the pages required for the corresponding business role.Fiori pages should align with the existing security task roles and catalogs. By establishing a relationship between task role, catalog and page, administration efforts are streamlined and updates to the security design can be more easily implemented. Consistency between the Fiori page and the security task role ensures seamless integration of pages into the Fiori space, following the business role design. Just as task roles can be assigned to multiple business roles, Fiori pages can be assigned to many spaces. This approach ensures that the access granted to users in the SAP S/4HANA (back-end) matches what they receive on the front-end (Fiori). (Note, the use of the term front-end is for client environments that do not have an embedded Fiori and S/4HANA architecture. For the rest of this blog, we will assume that Fiori is not embedded in the S/4HANA back-end)Using these key principles, security administrators can effectively design Fiori spaces and pages in alignment with the overall business role design.The illustration below depicts the relationship between the security roles and Fiori spaces and pages. The business role provides a mechanism to tie all these elements together, resulting in a cohesive and intuitive user experience. Image Incorporating Fiori spaces and pages into a S/4HANA security implementationWhen incorporating Fiori spaces and pages into a security access model, it is essential to consider the following to achieve a seamless integration experience:Collaboration between security and development teams: In a Fiori integration with S/4HANA, it is important that the security and development teams discuss and plan for potential impacts when transitioning users over to Fiori spaces and pages. For example, ensuring that any Fiori apps enabled as part of an older S/4HANA implementation are still applicable for the Fiori version being implemented. This collaboration will help facilitate a smooth transition and proactively address potential challenges.Robust security access model: Characteristics of a robust security access model include clearly defined task roles to control access to various functions within the system (e.g., display/update apps for a given task) and business roles that accurately reflect the user’s job responsibilities. Duplication of transactions/apps should also be minimised at the task role level to enable an easy-to-maintain security design. If the security roles are not designed appropriately, it may be challenging to build spaces and pages that support segregation of duties (SOD) compliance as well as an intuitive Fiori experience for business users.Coordination with basis: Enabling Fiori spaces and pages within the S/4HANA environment requires the activation of various OData services and maintenance of system-wide parameters, typically the responsibility of basis administrators. For example, organisations planning to transition from Fiori groups to spaces and pages should ensure that the new experience can be toggled on or off (controlled through a parameter) especially in the development and quality environments as the solution is rolled out and tested to reduce the impact on users. Working closely with the basis team ensures that the necessary configurations and settings are in place to support the integration.Consistent naming convention: A consistent naming convention should be developed for the Fiori spaces and pages to help simplify the build and maintenance efforts. To streamline the naming of the space and page objects, reference can be taken for the technical object names from the back-end security task roles (for pages) and business roles (for spaces).Continuous improvement and maintenanceAs SAP’s offerings and business solutions evolve, they regularly release new Fiori apps and deprecate existing apps. Simultaneously, the structural dynamic of SAP customers’ businesses typically changes over time. Functional areas develop and new business responsibilities for end users are introduced. Security administrators must consider the continuous evolution of the business roles that directly roll up to spaces and pages. Regular collaboration with business process owners to understand their day-to-day access needs is the only way to keep a security design scalable for a changing business.Although spaces and pages are closely interrelated with the security role design in the back-end system, they are not dynamically adjusted in the front end as the business role design is modified. Therefore, it is important to incorporate spaces and pages into the established security role creation and modification processes. This will ensure that there is consistent alignment between the front-end access granted in Fiori and the back-end SAP system from user to user as new requirements are introduced.As a Fiori space and page design is implemented, the following best practices can support the ongoing maintenance of a robust solution:Change control measures: Incorporate appropriate change control measures when adding or removing apps to keep the Fiori spaces and pages in sync as the security role design evolves over time. Ensuring that appropriate business approvals are obtained prior to making changes to the Fiori spaces and pages and that the changes are thoroughly tested will help maintain a controlled and validated process, minimising the potential for errors.Business role design impact: When updating the business role design, assess the impact on space-to-page mappings. Ensure that changes to business roles do not disrupt the existing mapping structure and functionality within the Fiori spaces and pages.Documentation and validation: Maintain accurate and detailed Fiori design documentation that can be easily validated against the configuration in the system. This documentation will serve as a reference and help to ensure transparency and accuracy in the Fiori design implementation.Key takeawaysDesign Fiori spaces and pages in alignment with security task roles and business roles to provide organisation and structure to the user experience.Collaborate with basis and development teams to proactively address potential challenges and ensure seamless integration within the S/4HANA and Fiori environments.Implement best practices for managing changes to the security design that incorporate necessary updates to the corresponding spaces and pages and take continuous Fiori enhancements into consideration.Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.To learn more about our SAP consulting services, contact us. Find out more about our solutions: SAP Consulting Services As a Gold Partner and 7-time partner of the year, Protiviti helps clients execute their S/4HANA journey. We provide digital transformation and intelligent automation solutions across business processes, analytics, cloud, security, compliance, and managed services. Finance and Accounting Process Optimisation Design, deliver, and manage processes and Finance Delivery Model that enable scalable efficient growth, transforming the workforce from transactional to advisory, and better integrate with other business functions. Enterprise Application Consulting Enterprise applications are at the centre of any business transformation. Strategically selecting, designing, implementing, maintaining, and protecting applications is key to success and the foundation for our enterprise application consulting services. Leadership Leslie Howatt Leslie is a managing director, and Protiviti’s technology consulting solution lead. She specialises in digital and technology strategy as well as transformational change with over 25 years’ experience across consulting, industry, and government sectors. She has ... Learn More Rupesh Mahto Rupesh is a senior director specialising in strategy, technology assessment and enabled execution, digital transformation, cloud migration, and application of emerging technology to business demands. He successfully leads interactions with CXO, focusing on increasing ... Learn More Ghislaine Entwisle Ghislaine is a managing director and leader in technology consulting and business performance improvement. She has over 20 years of applied experience across strategy, transformation, and delivery, guiding CIOs, CFOs, CDOs and CISOs in transformational initiatives that ... Learn More Congratulations on Choosing SAP. What Comes Next? Congratulations! Your organisation recently made the decision to move forward with selecting SAP S/4HANA, and you will either be leaving an old ERP or a previous version of SAP ECC behind — a great strategic move but only the first in many more decisions to come on the SAP ERP journey that lies ahead. Read more How SAP Central Finance Benefits Manufacturers Manufacturers often have heterogenous systems to accommodate different processes in a manufacturing cycle. From procurement and inventory management to calculating overhead, these systems carry critical financial data and information that are necessary to determine profitability, establish product cost and drive productivity of finance operations. Read more A Balancing Act: SAP in the Cloud SAP customers know the cloud can help them innovate and find new opportunities but are also concerned with compliance and risk. Recently, we spoke with SAPinsider’s Chief Research Officer Riz Ahmed about how SAP customers can find a balance whereby they realize cloud’s innovation opportunities while managing cloud’s risks. Read more