Background

In this blog, we will explore few ideas for creating a domain-centric data mesh using SAP components, without engaging in the debate of whether data fabric or data mesh is the right approach.

We will focus on a futuristic use case within the Aerospace or Defense industry, which demands stringent data governance due to compliance requirements such as ITAR, EAR, BAFA, DOE 810, NERC/CIP, and SEC. Additionally, safeguarding intellectual property is a critical concern as business growth often relies on increased collaboration, both internally and externally, spanning product and engineering, supply chain, cross industry- partnerships, and joint ventures. I am happy to hear your ideas too!

Business Problem

Aerospace and defense customers often face challenges in keeping up with rapid technological advancements due to the burden of data debts and the need to comply with stringent legal and regulatory data security requirements.

This challenge is further amplified when dealing with legacy ERP systems, as identifying and restricting sensitive data becomes complex, hindering the end-to-end data lifecycle management. Moreover, the Aerospace and defense industry grapples with the formidable challenge of reducing IT costs, as the presence of significant data risks renders offshore operations an impractical option.

Let's consider the example of a product manager based in the United States, working for a US corporation. Their product is subject to ITAR regulations but has both government and commercial applications.

In order to comply with the business rule, the access to ITAR data in SAP should only be granted to US persons while they are in US locations. However, when this product manager is on a business trip to Singapore, meeting with suppliers at their APAC regional headquarters, exposing material data, CAD drawings, or BOMs stored in SAP would violate ITAR regulations.

In the context of a UK energy company establishing a joint venture with a local company in China to cater to the emerging market, an added layer of data security is required based on location. This ensures that access to BOM items and intellectual property not related to the joint venture is restricted, safeguarding sensitive information and preserving the integrity of the collaboration.

In the context of the aerospace and defense , "Data is not only the ammunition that fuels engines but it is also an the armor that protects international and national peace"

BTP SAP S/4 HANA Data Mesh Pattern

To solve the problem described above, we will hypothetically integrate Collibra, Next Labs ABAC/DAM, IAG and GRC  and SAP S/4 HANA  to provide data insights to users without compromising  data security requirements. Please note that is is hypothetical pattern and we have to review and apply it according to client specific data security requirements.

MVP- Bill of Material Data Mesh

In the world of aerospace and defense, organizations face the challenge of managing bill of material (BOM) data across multiple systems. R By integrating diverse systems such as SAP S/4HANA, Team Center, and Siemens, they created a unified network of interconnected data mesh. This will enable seamless collaboration among internal and external engineering, supply chain, and product sales teams. With real-time visibility into BOMs, teams made informed decisions, optimized designs, synchronized manufacturing, and tailored offerings. The BOM data mesh can empower the organizations to achieve faster product development cycles, reduced costs, and improved customer satisfaction. 

Step 1: Define Role Requirements, Meta-data catalo Data Governance and access policies for BOM in Collibra

• Identify the specific role requirements based on your organization's needs and compliance regulations.
• Determine the attributes that will be used for access control, such as user roles, data sensitivity, and contextual factors.

Step 2: Understand BOM Creation and Editing Requirements

• The organization requires that only users with specific engineering roles can create and edit BOMs. Additionally, certain fields in the BOM may be restricted for external supply chain users based on data sensitivity, such as pricing information.

• Determine the functional access (actions user can perform) and data access (data records or fields users can see) and governance (rules for access)

Step 3: Define SAP S/4HANA Role

• Create a custom role named "BOM Specialist" or copy standard role in SAP S/4HANA.
  Assign the authorization object M_BOM_GRP to the role, which controls access to BOM groups.
• Assign transaction codes CS01 (Create BOM) and CS02 (Change BOM) to allow users with this role to perform BOM creation and editing tasks.

Step 4: Configure Next Lab ABAC DAM

SAP Next Lab ABAC DAM works natively with SAP and manages authorization logic through an externalized, standards-based policy framework. For instance, a rule may state, “Allow only US-based employees to access ITAR-classified materials from US locations.” When a user attempts to access materials, this rule is validated in real-time before access is granted.

•  Configure Next Lab ABAC with attributes such as "User Role," "Data Sensitivity Level," and "Contextual Factors."
•  Define "User Role" as an attribute to determine the user's role in the organization.
•  Define "Data Sensitivity Level" as an attribute to classify BOMs based on their sensitivity, such as "Confidential" or "Public."
•  Define "Contextual Factors" as attributes to consider additional factors, such as project or department.

Step 5: Integrate SAP GRC and Next Lab ABAC

This MVP use case leverages SAP GRC Access Control and SAP authorization for Governance and Functional Authorization and leverages ABAC for Data Authorization. It combines the features and fully integrated capabilities of SAP GRC Access Control and SAP authorization, such as ease of user assignment and role management, to efficiently supporting data attributes and avoiding the “role explosion” and custom development that would otherwise be necessary and costly.

• Integrate SAP GRC and Next Lab ABAC to synchronize roles and access control policies.
•  Map the "BOM Specialist" role in SAP GRC to the corresponding role in Next Lab ABAC, ensuring consistency in access control.

Step 5: Define ABAC Policies

•  Define ABAC policies in Next Lab ABAC to enforce attribute-based access control for BOM creation and editing.
•  Create a policy that allows users with the "BOM Specialist" role (User Role attribute) to create and edit BOMs.
• Create a policy that restricts access to certain fields in the BOM based on the "Data Sensitivity Level" attribute and user profile policy (Ex: Manufacturing, Engineering, Supply Chain).

Step 6: Test and Validate the Role using AI

• Train the model on different user profiles to validate data access using SAP BTP AI Launch Pad
• Train the model further to auto-correct access issues and detect patterns to suggest changes to role access profiles (don’t let AI implement dynamic role access changes as it can be dangerous 😊)
• Perform supervised automated test to test the “BOM Specialist" role by assigning it to a user and verifying that they can successfully create and edit BOMs.
•  Validate that the ABAC policies.

Step 7: Integration SAP BTP Identity Access Governance to Active Directory

By integrating SAP BTP Identity Access Governance directly, users can seamlessly access data from multiple systems, including SAP S/4HANA, Team Center, Siemens, and other engineering, manufacturing, and supply chain systems. This integration enables a cohesive data mesh approach, allowing users to view and manage bill of materials across various systems.

Step 8: Integrate Collibra and Datasphere to Monetize and Publish bill of material insights to engineering, supply chain and product sales team.

You have the ability to define and design self-service analytic insight reports, which can be monetized and shared with both your internal and external engineering, supply chain, and product sales teams.