on 11-17-2021 7:38 AM
Hallo SAP BTP Extension Developers,
during yesterday's SAP TechEd 2021 "Experts and Executives in the Keynote Exchange" the following question was brought up: "How do you think the topic of governance will play in the proper adoption of low code, no code platforms?"
These were the answers by Jürgen, Thomas and Julia (links to the starting location in the YouTube video).
In Side-By-Side Extension projects I'm facing the issue that I'm currently not able to consume detailed object authorizations from S/4HANA (Cloud). Let me give you more details:
When you're developing Side-by-Side apps on SAP BTP using the SAP Cloud Application Programming Model (CAP) you can implement the general authorizations based on roles. Such roles are assigned in BTP Cloud Foundry to Role Collections. The Role Collections can be assigned to a user by mapping SAML group assertions, by automated assignment using SAP Identity Provisioning, or by manual assignment by an admin. But those roles are rather broad restrictions. In most cases you will have an admin role that gives access to the applications used to configure technical settings. Another role might be a business admin that does the customizing. And last but not least you have application-specific roles like a processor and an approver.
But these roles are not sufficient to restrict the access to specific business objects. CAP has the concept of User Attributes and you can fill them using SAML assertions. But I doubt that any customer would invest the effort to replicate the S/4HANA authorization objects to the Identity Provider (IdP). Let's take the example "V_KONH_VKO - Condition: Authorization for Sales Organizations". This object already has 4 attributes:
VKORG Sales Organization
VTWEG Distribution Channel
SPART Division
ACTVT Activity
and that is just a single authorization object. I don't think that SAML assertions are the right way to bring them to the cloud application. Authorizations like the restriction of Sales Organizations are part of S/4HANA (Cloud).
On a technical level, accessing the authorization objects would be possible using the RFC-enabled function module SUSR_USER_AUTH_FOR_OBJ_GET. But to call this function module using an SAP-supported buildpack in SAP BTP Cloud Foundry I'm forced to use Java. Only there do I have support for the Java Connector (JCo). If you're building CAP using Node.js this results in an extra runtime (long-term costs) and skills that you might not have in your team.
Here is my wish:
SAP, please get together with the SAP developers building Side-By-Side extensions and work on a concept for how such detailed authorizations can be consumed from S/4HANA (Cloud).
Best Regards
Gregor Wolf
This was also cross-posted in the DSAG Working Group for BTP: "Access to S/4HANA authorization objects in Side-By-Side Extensions" (Zugriff auf S/4HANA Berechtigungsobjekte in Side-By-Side Extension)
CC: juergen.mueller, thomas.saueressig
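The instance-level check the post is asking for, shown as an added Node.js example (not code from the original post, from CAP or from SAP): a constructed set of V_KONH_VKO authorizations for one user is evaluated with authorization-object semantics (every field must match within the same authorization, '*' as wildcard, from/to ranges) and then used to filter condition records the way a CAP service handler would have to once the backend authorizations are available. The data shape is an assumption and is not the real output structure of SUSR_USER_AUTH_FOR_OBJ_GET; `hasAuthorization` and `visibleConditions` are hypothetical names.

```javascript
// Constructed sample: authorizations for object V_KONH_VKO held by one user.
// Each entry is one authorization. All requested fields must match within the
// SAME entry, '*' matches any value, and {from, to} is an inclusive range.
// (Assumed shape, not the real structure returned by SUSR_USER_AUTH_FOR_OBJ_GET.)
const USER_AUTHS = [
  { VKORG: ['1000'], VTWEG: ['10'], SPART: ['*'], ACTVT: ['03'] },
  { VKORG: [{ from: '2000', to: '2999' }], VTWEG: ['*'], SPART: ['00'],
    ACTVT: ['01', '02', '03'] },
];

// One allowed value (exact, wildcard or range) against one actual value.
function valueMatches(allowed, actual) {
  if (allowed === '*') return true;
  if (typeof allowed === 'object') return actual >= allowed.from && actual <= allowed.to;
  return allowed === actual;
}

// Equivalent of an authority check on one object: true if at least one
// authorization satisfies every requested field (no mixing across entries).
function hasAuthorization(auths, requested) {
  return auths.some(auth =>
    Object.entries(requested).every(([field, actual]) =>
      (auth[field] || []).some(allowed => valueMatches(allowed, actual))));
}

// Constructed condition-header records as a CAP service might expose them.
const CONDITIONS = [
  { KNUMH: '0001', VKORG: '1000', VTWEG: '10', SPART: '01' },
  { KNUMH: '0002', VKORG: '1000', VTWEG: '20', SPART: '01' },
  { KNUMH: '0003', VKORG: '2500', VTWEG: '10', SPART: '00' },
  { KNUMH: '0004', VKORG: '3000', VTWEG: '10', SPART: '00' },
];

// Instance-based filtering an 'after READ' handler could apply: keep only the
// records the user may display (ACTVT '03') instead of relying on broad roles.
function visibleConditions(auths, records, activity = '03') {
  return records.filter(r => hasAuthorization(auths,
    { VKORG: r.VKORG, VTWEG: r.VTWEG, SPART: r.SPART, ACTVT: activity }));
}

console.log(visibleConditions(USER_AUTHS, CONDITIONS).map(r => r.KNUMH)); // [ '0001', '0003' ]
```

The last assertion in a test of this block is the important one: VKORG 1000 and ACTVT 01 each appear in some authorization, but not in the same one, so the check must fail.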
For side-by-side applications, building authorizations on BTP is adding a lot of extra effort to on-board users. In addition, constant maintenance of user roles requires a separate admin/process. Auditing and checking for Segregation of Duties is another item to take care of. This is a major roadblock to moving new applications from backend SAP to BTP. Backend development is still more efficient and due to tools like GRC, authorizations are simple to handle.
While we are on the subject of authorization, we have similar issues with SuccessFactors. Customers would like to use the SF internal authorization as basis for BTP apps.
So the aspirational target should be a consistent authorization management across all SAP solutions (including BTP).
Hi Martin,
thank you for joining the discussion. Good to know that I'm not alone :-).
CU
Gregor
Dear Gregor,
Thank you for the Influencing Request.
SAP is committed to reviewing and responding to the requests submitted on a regular basis. The requests with most votes will receive a higher level of attention for responses and consideration. The processes and procedures associated with this site will continue to evolve and enhance over time.
Kind Regards.