Migration to SAP S/4HANA (Part II): Build your authorization concept easily & precisely with XAMS!

In this SAP S/4HANA blog, we will specifically address the topic of authorizations for SAP security for access controls, since the introduction of SAP S/4HANA not only entails architectural and procedural changes, but also extensively affects your existing authorization concept. This means you must initially verify the SAP S/4HANA-related changes and requirements for your roles.

In the first part of this blog series, Migration to SAP S/4HANA – Basics (Part I), we talked about the application scenarios for your migration project (Greenfield vs. Brownfield) and approaches you as an SAP customer are facing in the course of the new SAP S/4HANA product line. The aim of that article is to shed some light on the conceptual preparation necessary before the introduction of SAP S/4HANA and to show the associated challenges and solutions.

Ultimately, the Xiting Authorizations Management Suite (XAMS) offers a multitude of features that handle a large part of the work, plus it supports you during everyday operations to make the move to SAP S/4HANA as convenient and targeted as possible.

The challenge & solution: Standard conformity

One of the most important preparatory measures before transferring the old SAP ERP to the new SAP HANA DB-based solution is to check the standard conformity for your end users of the current authorization structure. The more standard-compliant the current SAP system authorization concept is, the faster and more uninterrupted a change can be made. But what does standard-compliant mean in the context of authorizations? With regard to this question, the following facts must be taken into account.

Standard-compliant role building

In order to make the workload and migration as smooth as possible, your current SAP roles concept for user access must be built using SAP standard best practices. Conversely, this means that no manually added or changed authorization objects should be present in the roles, as otherwise a standard-compliant migration is not possible. This is important not only from a security point of view, but also because SAP S/4HANA now also requires standard conformity, making this essential for compatibility with future release changes.

As a customer, this means that you have to work on maintaining transaction SU24 (table USOBT and USOBT_C data). With regard to authorizations, this is best practice and absolutely necessary for automation of authorizations assignment to roles. The use of the SAP default values ​​is an essential prerequisite, especially with the focus on minimizing the maintenance and care effort of your roles. You can also use the SU24 optimization reports of the Xiting Role Profiler to quickly and clearly enrich your current proposal data with the necessary authorization objects, fields, and values (especially in the context of custom developments).

Standard-compliant role building

Validation of custom developments

Often, in-house developments not only represent significant security gaps, but are also insufficiently written with regard to SAP standard authority checks and BAPIs. This means that you cause excess authorization to use these in-house developments, or that you can no longer use certain functionalities in the event of a release change. With SAP S/4HANA, many custom developments will become obsolete, as they are now provided as standard business processes by SAP to cover even more use cases. In addition, in-house developments that do not conform to the standard cannot simply be transferred to the new solution. To analyze this, SAP provides a standard tool called the “Code Inspector”. This tool enables you to analyze your own developments for SAP S/4HANA compatibility. For cloud compatibility, you can also use the paid add-on called the “Code Vulnerability Analyzer”.

In addition, the XAMS module ABAP Alchemist can be used to scan your own developments for the targeted preparation of your company-specific developments in the course of an SAP S/4HANA migration, and to upgrade the security criteria. This XAMS module offers a detailed analysis with individual scan depths. It not only points out insufficient “Authority Checks”, but also offers suggestions for missing SU24 values and possible SAP standard APIs as a substitute for direct table access.

Validation of custom developments

The challenge & solution: Authorizations migration

One of the most important questions when changing the authorizations is what will be the effort that you as a customer face. However, it is not easy to quantify this effort, as it depends on many factors. The following factors are among the most important and should be considered first:

  • Scope of process changes or introduction of new business processes.
  • Standard conformity of the current authorization concept.
  • Extent of the migration work, including the SAP simplification list.
  • Number of custom developments that can be migrated.
  • Legal and internal requirements.
  • Use of SAP Fiori apps for the simplified user experience with the Fiori launchpad (including catalogs, pages and spaces).

In order to help you carry out an authorization migration quickly and easily, the Role Designer of the Xiting Authorizations Management Suite (XAMS) provides an extensive portfolio of different reports for your role structure. With an integrated simplification list, you are able to validate your old role concept with one click and embedded SAP S/4HANA-related changes in your new concept. By the way, you can always update this list with the current version by SAP to be up-to-date.

Depending on whether your current authorization structure corresponds to the standard, you can simply pull the usage data (transactions, reports, function modules, etc.) and set up a new virtual SAP S/4HANA-compatible role concept before you transfer the roles physically to transaction PFCG in the development system. You can integrate any process changes and legal requirements in this virtual project environment and check your virtual concept with the Xiting set of rules (or associated GRC set of rules) while the role is being created. During this, you are still using the SAP standard and SAP authorization defaults entirely.

In addition, our comprehensive analysis module, the Xiting Role Profiler, enables you to check the entire SAP HANA DB for consistency, security and privileges using various reports. This means that you can also validate the back-end system at any time and adapt it according to SAP best practice.


A transfer to the new SAP S/4HANA world requires a significant amount of organizational, procedural and technical work. The implementation is peppered with challenges, for which the XAMS offers you a single source of solutions. With numerous features, the suite provides everything needed for authorization migration — from standard compliance to an extensive analysis of your menu objects, or your custom development objects to migration under legal aspects.

At the same time, we not only offer technical and tool-based support, but also project-based support from experienced consultants who have successfully carried out various SAP S/4HANA projects. If you would like to find out more about our best practice approach or require comprehensive advice before an SAP S/4-HANA migration or redesign, we are at your disposal. In addition, we offer numerous services and products to support you in maintaining your authorization system. Just take a look at one of our weekly webinars and see for yourself.

Xiting E-book: SAP S/4HANA - The future of the SAP product range

Xiting E-book: SAP S/4HANA – The future of the SAP product range

An overview of the new 4th generation product line and its features in the authorization context.

Alexander Sambill

Get in touch with us!

Do you have questions about our products?

+41 43 422 8803
[email protected]
+49 7656 8999 002
[email protected]
+1 855 594 84 64
[email protected]
+44 1454 838 785
[email protected]

Attend our live webinars and learn more from our experts about SAP authorizations, XAMS, SAP IDM and many other topics in the context of SAP security.

Register now