Consume S/4HANA (Cloud) Object authorizations in a Side-By-Side Extension

gregorw
Active Contributor

Hello SAP BTP Extension Developers,

during yesterday's SAP TechEd 2021 "Experts and Executives in the Keynote Exchange" the following question was brought up: "How do you think the topic of governance will play in the proper adoption of low code, no code platforms?"

Those were the answers by Jürgen, Thomas and Julia (links to the starting location in the YouTube Video).

In Side-By-Side Extension projects I'm facing the issue that I'm currently not able to consume detailed Object authorizations from S/4HANA (Cloud). Let me give more details:

When you're developing Side-by-Side Apps on SAP BTP using the SAP Cloud Application Programming Model (CAP) you can implement the general authorizations based on Roles. Such roles are assigned in BTP Cloud Foundry to Role Collections. The Role Collections can be assigned to a user using mapping of SAML Group Assertions, automated assignment using SAP Identity Provisioning or manual assignment by an Admin. But those roles are rather broad restrictions. In most cases you will have an admin role that gives access to the applications used to configure technical settings. Another role might be a business admin that does the customizing. And last but not least you have application-specific roles like a processor and approver.

But these roles are not sufficient to restrict the access to specific business objects. CAP has the concept of User Attributes and you can fill them using SAML Assertions. But I doubt that any customer would invest the effort to replicate the S/4HANA Authorization Objects to the Identity Provider (IdP). Let's take the example "V_KONH_VKO - Condition: Authorization for Sales Organizations". This Object already has 4 attributes:

VKORG Sales Organization
VTWEG Distribution Channel
SPART Division
ACTVT Activity

and that is just a single authorization object. I don't think that SAML Assertions are the right way to bring them to the Cloud application. Authorizations like the restriction of Sales Organizations are part of S/4HANA (Cloud).

On a technical level accessing the authorization objects would be possible using the RFC-enabled function module SUSR_USER_AUTH_FOR_OBJ_GET. But to call this function module using a SAP Supported Build Pack in SAP BTP Cloud Foundry I'm forced to use Java. Only there do I have support for the Java Connector (JCo). If you're building CAP using Node.JS this results in an extra runtime (long-term costs) and skills that you might not have in your team.

Here is my wish:

SAP, please get together with the SAP developers building Side-By-Side extensions and work on a concept for how such detailed authorizations can be consumed from S/4HANA (Cloud).

Best Regards
Gregor Wolf

This was also cross-posted in the DSAG Working Group for BTP: Zugriff auf S/4HANA Berechtigungsobjekte in Side-By-Side Extension

CC: juergen.mueller, thomas.saueressig
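An added example, not part of the original post: how a CAP Node.js service could evaluate V_KONH_VKO authorizations once they are available in the extension. The normalized data shape, the sample values and the function names `valueMatches` and `isAuthorized` are assumptions made for illustration; how the values are retrieved from S/4HANA is left open, since that is the gap the post describes.

```javascript
// Constructed sample: authorizations one user holds for V_KONH_VKO, in a
// normalized shape assumed for this example (not an SAP API response format).
// Each entry is one authorization; each field lists single values, '*'
// (any value), trailing-'*' patterns, or { from, to } ranges.
const sampleAuthorizations = [
  { VKORG: ['1000', '1010'], VTWEG: ['10'], SPART: ['*'], ACTVT: ['03'] },
  { VKORG: [{ from: '2000', to: '2999' }], VTWEG: ['*'], SPART: ['00'], ACTVT: ['02', '03'] },
];

// The four fields of the authorization object named in the post.
const FIELDS = ['VKORG', 'VTWEG', 'SPART', 'ACTVT'];

// Does one granted value cover the requested value?
function valueMatches(granted, requested) {
  if (granted !== null && typeof granted === 'object') {
    // Range: character-wise comparison of string values.
    return typeof granted.from === 'string' && typeof granted.to === 'string' &&
      requested >= granted.from && requested <= granted.to;
  }
  if (typeof granted !== 'string') return false;
  if (granted === '*') return true;
  if (granted.endsWith('*')) return requested.startsWith(granted.slice(0, -1));
  return granted === requested;
}

// Deny by default. All four fields must be covered by the SAME authorization:
// combining VKORG from one entry with ACTVT from another would over-grant.
function isAuthorized(authorizations, request) {
  if (!Array.isArray(authorizations) || !request) return false;
  return authorizations.some((auth) =>
    FIELDS.every((field) => {
      const requested = request[field];
      const granted = auth[field];
      if (typeof requested !== 'string' || requested === '') return false;
      if (!Array.isArray(granted)) return false;
      return granted.some((g) => valueMatches(g, requested));
    })
  );
}
```

In this sample, display (ACTVT 03) of sales organization 1000 is allowed, while change (ACTVT 02) of the same organization is refused even though ACTVT 02 appears in the second authorization.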

gregorw
Active Contributor
0 Kudos

Hope that michael.ameling and martingrasshoff can add their 2 cents here.

gregorw
Active Contributor
0 Kudos

I've created the following S/4HANA influencing request:

Provide released OData API to consume object authorizations for Side-By-Side Extensions

MustafaBensan
Active Contributor
0 Kudos

gregorw,

It's a shame that the result of your S/4HANA Cloud Influencing Request is: "Prioritization - Not planned within SAP's standard in the foreseeable future".

gregorw
Active Contributor
0 Kudos

Hi Mustafa,

thank you for the heads up. Seems I've missed the notification about this decision. Let's see if Helmut answers my follow-up question.

Best Regards
Gregor

nils-lutz
Participant
0 Kudos

So is it correct that we are currently not able to use S/4HANA (Cloud) auth objects and values in Side-by-Side Extensions? If yes, CAP with Node.JS is more or less useless because every customer would want to integrate their extension apps/solution with already in-place and maintained authorizations and business roles.

Tayane
Advisor
0 Kudos

Dear Gregor,

We helped you to accept the answer, since there were no updates after 7 days.

You can unaccept it anytime if the answer provided was not helpful enough and you have further questions.

Kind regards.

gregorw
Active Contributor
0 Kudos

Hello,

Martin's answer was more a comment that this requirement also exists for SuccessFactors.

CU
Gregor

Accepted Solutions (0)

Answers (3)

zia_akbar3
Explorer

For side-by-side applications, building authorizations on BTP is adding a lot of extra effort to on-board users. In addition, constant maintenance of user roles requires a separate admin/process. Auditing and checking for Segregation of duties is another item to take care of. This is a major roadblock to moving new applications from backend SAP to BTP. Backend development is still more efficient and due to tools like GRC, authorizations are simple to handle.

martinstenzig
Contributor

While we are on the subject of authorization, we have similar issues with SuccessFactors. Customers would like to use the SF internal authorization as a basis for BTP apps.

So the aspirational target should be a consistent authorization management across all SAP solutions (including BTP).

gregorw
Active Contributor

Hi Martin,

thank you for joining the discussion. Good to know that I'm not alone :-).

CU
Gregor

Tayane
Advisor
0 Kudos

Dear Gregor,

Thank you for the Influencing Request.

SAP is committed to reviewing and responding to the requests submitted on a regular basis. The requests with most votes will receive a higher level of attention for responses and consideration. The processes and procedures associated with this site will continue to evolve and enhance over time.

Kind Regards.