Mastering the Fiori frontier: Crafting secure, intuitive spaces and pages in SAP S/4HANA This blog post was authored by Mohammed Abdullahi - Senior Manager, Business Platform Transformation, Gabriella Kirkpatrick - Senior Consultant, Business Application Solutions and Michelle Makuch - Associate Director, Enterprise Application Solutions on Protiviti's technology insights blog.A well-thought-out Fiori spaces and pages approach establishes a foundation for a user-friendly and scalable design that supports a least-privilege access model. When incorporated with security best practices, spaces and pages provide an intuitive experience within the Fiori launchpad in alignment with a business user’s tasks and responsibilities. As SAP S/4HANA users increasingly transition to the Fiori landscape, it is vital that businesses adopt best practices to harmonise their Fiori approach with security. Topics IT Management, Applications and Transformation Digital Transformation Understanding spaces and pages in SAP FioriImagine walking into a home where all the household items are not where they are expected. There are books in the refrigerator, eggs in the washing machine, and a toaster in the bed. That is what a Fiori launchpad is like without an effective spaces and pages design. Fiori spaces and pages provide organisation and structure for the thousands of applications (apps) available from SAP. With a proper design, users are presented with an organised dashboard of apps catered to their job responsibilities, paving the way for efficiency, discovery and productivity in the user experience. Let’s take a closer look at some key considerations when designing spaces and pages with security in mind.Key considerations for spaces and pages designWhen designing Fiori spaces and pages from a security administrator’s perspective, it is essential to align with the business role design. Business roles are security roles that bundle all technical security components required by a user into a business-facing role that can be provisioned to users. Business roles are defined in SAP GRC, which may be a standalone environment or embedded into the S/4HANA system.Fiori spaces serve as a centralised hub of apps that a user would receive access to through a business role assignment.Fiori pages are the individual screens that combine the applications within the Fiori space.To tie these together, space-only security roles are created to house Fiori spaces, which contain the pages required for the corresponding business role.Fiori pages should align with the existing security task roles and catalogs. By establishing a relationship between task role, catalog and page, administration efforts are streamlined and updates to the security design can be more easily implemented. Consistency between the Fiori page and the security task role ensures seamless integration of pages into the Fiori space, following the business role design. Just as task roles can be assigned to multiple business roles, Fiori pages can be assigned to many spaces. This approach ensures that the access granted to users in the SAP S/4HANA (back-end) matches what they receive on the front-end (Fiori). (Note, the use of the term front-end is for client environments that do not have an embedded Fiori and S/4HANA architecture. For the rest of this blog, we will assume that Fiori is not embedded in the S/4HANA back-end)Using these key principles, security administrators can effectively design Fiori spaces and pages in alignment with the overall business role design.The illustration below depicts the relationship between the security roles and Fiori spaces and pages. The business role provides a mechanism to tie all these elements together, resulting in a cohesive and intuitive user experience. Image Incorporating Fiori spaces and pages into a S/4HANA security implementationWhen incorporating Fiori spaces and pages into a security access model, it is essential to consider the following to achieve a seamless integration experience:Collaboration between security and development teams: In a Fiori integration with S/4HANA, it is important that the security and development teams discuss and plan for potential impacts when transitioning users over to Fiori spaces and pages. For example, ensuring that any Fiori apps enabled as part of an older S/4HANA implementation are still applicable for the Fiori version being implemented. This collaboration will help facilitate a smooth transition and proactively address potential challenges.Robust security access model: Characteristics of a robust security access model include clearly defined task roles to control access to various functions within the system (e.g., display/update apps for a given task) and business roles that accurately reflect the user’s job responsibilities. Duplication of transactions/apps should also be minimised at the task role level to enable an easy-to-maintain security design. If the security roles are not designed appropriately, it may be challenging to build spaces and pages that support segregation of duties (SOD) compliance as well as an intuitive Fiori experience for business users.Coordination with basis: Enabling Fiori spaces and pages within the S/4HANA environment requires the activation of various OData services and maintenance of system-wide parameters, typically the responsibility of basis administrators. For example, organisations planning to transition from Fiori groups to spaces and pages should ensure that the new experience can be toggled on or off (controlled through a parameter) especially in the development and quality environments as the solution is rolled out and tested to reduce the impact on users. Working closely with the basis team ensures that the necessary configurations and settings are in place to support the integration.Consistent naming convention: A consistent naming convention should be developed for the Fiori spaces and pages to help simplify the build and maintenance efforts. To streamline the naming of the space and page objects, reference can be taken for the technical object names from the back-end security task roles (for pages) and business roles (for spaces).Continuous improvement and maintenanceAs SAP’s offerings and business solutions evolve, they regularly release new Fiori apps and deprecate existing apps. Simultaneously, the structural dynamic of SAP customers’ businesses typically changes over time. Functional areas develop and new business responsibilities for end users are introduced. Security administrators must consider the continuous evolution of the business roles that directly roll up to spaces and pages. Regular collaboration with business process owners to understand their day-to-day access needs is the only way to keep a security design scalable for a changing business.Although spaces and pages are closely interrelated with the security role design in the back-end system, they are not dynamically adjusted in the front end as the business role design is modified. Therefore, it is important to incorporate spaces and pages into the established security role creation and modification processes. This will ensure that there is consistent alignment between the front-end access granted in Fiori and the back-end SAP system from user to user as new requirements are introduced.As a Fiori space and page design is implemented, the following best practices can support the ongoing maintenance of a robust solution:Change control measures: Incorporate appropriate change control measures when adding or removing apps to keep the Fiori spaces and pages in sync as the security role design evolves over time. Ensuring that appropriate business approvals are obtained prior to making changes to the Fiori spaces and pages and that the changes are thoroughly tested will help maintain a controlled and validated process, minimising the potential for errors.Business role design impact: When updating the business role design, assess the impact on space-to-page mappings. Ensure that changes to business roles do not disrupt the existing mapping structure and functionality within the Fiori spaces and pages.Documentation and validation: Maintain accurate and detailed Fiori design documentation that can be easily validated against the configuration in the system. This documentation will serve as a reference and help to ensure transparency and accuracy in the Fiori design implementation.Key takeawaysDesign Fiori spaces and pages in alignment with security task roles and business roles to provide organisation and structure to the user experience.Collaborate with basis and development teams to proactively address potential challenges and ensure seamless integration within the S/4HANA and Fiori environments.Implement best practices for managing changes to the security design that incorporate necessary updates to the corresponding spaces and pages and take continuous Fiori enhancements into consideration.Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.To learn more about our SAP consulting services, contact us. Find out more about our solutions: SAP Consulting Services As a Gold Partner and 7-time partner of the year, Protiviti helps clients execute their S/4HANA journey. We provide digital transformation and intelligent automation solutions across business processes, analytics, cloud, security, compliance, and managed services. Finance and Accounting Process Optimisation Design, deliver, and manage processes and Finance Delivery Model that enable scalable efficient growth, transforming the workforce from transactional to advisory, and better integrate with other business functions. Enterprise Application Consulting Enterprise applications are at the centre of any business transformation. Strategically selecting, designing, implementing, maintaining, and protecting applications is key to success and the foundation for our enterprise application consulting services. Leadership Michael Pang Michael is a managing director with over 20 years’ experience. He is the IT consulting practice leader for Protiviti Hong Kong and Mainland China. His experience covers cybersecurity, data privacy protection, IT strategy, IT organisation transformation, IT risk, post ... Learn More Alan Wong Alan is a director at Protiviti Hong Kong with over 21 years of experience in IT and security solutions and project management. He specialises in IT governance, risk assessment, regulatory compliance, and cybersecurity assessment and consulting. He also has an extensive ... Learn More