Two approaches to SAP S/4HANA Authorization Migration (Part 1 – Greenfield)

SAP’s new business suite, SAP S/4HANA, does not only imply architectural changes in terms of database technology and extended product variants for SAP cloud solutions. This also brings numerous new functionalities to the on-premise solution.

The SAP Fiori launchpad is gaining more popularity and is becoming the preferred end user interface by more SAP customers. The new features for SAP HANA, which are documented for each release in the “Simplification List for SAP S/4HANA”, affect the authorization concept and lead to necessary procedural adjustments. There are transactions that are no longer available in SAP S/4HANA and are being replaced by new transactions or applications, e.g., via SAP Fiori applications. Unlike an SAP ERP system upgrade, the migration of the authorization concept from SAP ECC 6.0 to the SAP S/4HANA system cannot be done easily, because it requires the revision of the existing authorization concept.

The most important decision companies face regarding the S/4HANA migration concerns the migration approach: Greenfield or Brownfield? Which approach is best suited for you depends on a number of customer-specific factors and therefore requires further analysis (e.g., a comprehensive system analysis performed by Xiting). There is no single, universal approach suitable for all companies; you have to choose the approach that best suits your organization's new implementation.

In this two-part blog, I would like to show you – based on the on-premise product variant – how you can implement your migration project methodically and simplify this procedure by using the Xiting Authorizations Management Suite (XAMS). Based on both migration approaches – Greenfield and Brownfield – I will show you some examples. At this point I would like to emphasize that an S/4HANA authorization migration affects almost all business areas of your company and should by no means be understood as a pure IT project. Some of the processes are changing as a result of the migration to S/4HANA, which is why the specialist departments (or business areas) should be involved in the migration project. This does not only increase the user acceptance, but is also essential for building a sustainable, functioning, and maintainable authorization concept.

Greenfield: A method for the authorization migration

As its name suggests, by choosing this approach you start fresh with a new system landscape when implementing SAP S/4HANA. In this case, necessary data can be transferred from an old system. The Greenfield migration offers the possibility of a data migration clean-up, leaving legacy issues behind and approaching the SAP best practice standards. The redesign of the security authorizations is also part of the data model clean-up. The objective should be a secure and maintainable authorization concept. You can achieve this by creating standardized and simplified job roles, while also taking into consideration security-related requirements, both internal and external.

According to the Xiting Best Practice with SU24-compliant roles, the SAP role redesign also provides the opportunity to develop a role concept that can be maintained long term.

The Greenfield approach also covers the initial implementation roadmap of SAP S/4HANA. Given that the statistical data, or ST03N data, cannot be used as an optimal basis for setting up the new SAP system authorization concept, Xiting also offers a solution for this. With XAMS Quick Start you can use “out of the box” template roles and get started right away with your system conversion.

Here you can see a comparison of both options of the Greenfield approach.

Figure 1: Project Options Greenfield

Below, as shown in Figure 2, you can see the three most important project phases of a Greenfield implementation. I will further discuss the XAMS automation features that can help you manage challenging and often tedious manual steps efficiently.

Figure 2: Project methodology for a Greenfield implementation

Phase 1: Role design

In this project phase of your SAP S/4HANA conversion, you carry out the conceptual work and build a job-related and rule-compliant role concept together with your business areas. A job-related role concept is based on the jobs (job function) that a user performs. The redesign of functioning SAP authorizations is technically and organizationally complex, especially in view of the content comparison with the SAP Simplification List, which documents the SAP S/4HANA-relevant changes. In order to identify necessary transactions, including SAP Fiori apps and processes on the authorization side, it is highly recommended to collaborate closely with the business areas. With the help of the Role Designer of the XAMS, this project phase can be simplified, as this module provides you directly with a wide range of modeling and migration functions for roles and statistical data.

The Role Designer offers the possibility to group user statistical data from the legacy system based on the defined positions and to design the functional scope of the role. By using the integrated SAP Simplification List, the manual comparison of S/4HANA-related changes is no longer necessary, meaning that you can create customized and SAP S/4HANA-migrated roles at the same time.

NOTE: The entire role modeling in the Xiting Role Designer takes place during the design phase in a virtual project environment. The actual creation of the role in transaction PFCG happens only after the departments have approved the authorization content. The advantage of this is that you can use what-if scenarios and built-in coverage analysis tools, as well as the XAMS set of rules for critical authorizations before the actual process of role building even begins.

Below, you can see an example based on the transaction “BP”, Business Partner, which replaces the old transactions for maintaining master data for customers and vendors in S/4HANA. The transactions for maintaining the customer master records, “FD01”, “FD02”, etc., were used in the old system and are intended for the “Accounts Receivable” transactional data functionality.

Figure 3: Role modeling in the Xiting Role Designer using ST03N data

Depending on the system release, Xiting’s Role Designer provides the appropriate content from the SAP Simplification List. In our example, the tool offers the transaction “BP” ad-hoc as a replacement for “FD01”, “FD02” etc. (Figure 4):

Figure 4: Comparison of the ST03N data with the simplification list in Xiting’s Role Designer

As can be seen in Figure 5, part of the data used is affected by the SAP S/4HANA migration and will be replaced by new objects:

Figure 5: Migration function in Xiting’s Role Designer
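The following sketch is an added example, not Xiting's code or part of the original post: it groups usage statistics by position and applies the FD01/FD02 → BP replacement before deciding what belongs in the role. The row layout, the position name and the `min_share` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Replacement table limited to the mapping named in the text (FD01/FD02 -> BP);
# a project would load the Simplification List content for its target release.
SIMPLIFICATION = {"FD01": "BP", "FD02": "BP"}

# Constructed sample rows: (user, position, transaction, executions).
USAGE = [
    ("ALICE", "AR_ACCOUNTANT", "FD01", 40),
    ("ALICE", "AR_ACCOUNTANT", "FB70", 120),
    ("BOB", "AR_ACCOUNTANT", "FD02", 15),
    ("BOB", "AR_ACCOUNTANT", "FB70", 90),
    ("BOB", "AR_ACCOUNTANT", "SE16", 1),
    ("CAROL", "AR_ACCOUNTANT", "FB70", 60),
]


def design_roles(usage, mapping, min_share=0.5):
    """Propose a migrated transaction scope per position.

    Transactions are mapped to their successor before the usage share is
    computed, so users of different legacy transactions count together.
    """
    users = defaultdict(set)        # position -> users seen
    tcode_users = defaultdict(set)  # (position, migrated tcode) -> users
    replaced = defaultdict(set)     # (position, migrated tcode) -> legacy tcodes
    for user, position, tcode, _executions in usage:
        target = mapping.get(tcode, tcode)
        users[position].add(user)
        tcode_users[(position, target)].add(user)
        if target != tcode:
            replaced[(position, target)].add(tcode)

    design = {}
    for (position, tcode), who in sorted(tcode_users.items()):
        role = design.setdefault(position, {"scope": [], "replaces": {}, "review": []})
        if len(who) / len(users[position]) >= min_share:
            role["scope"].append(tcode)
            if (position, tcode) in replaced:
                role["replaces"][tcode] = sorted(replaced[(position, tcode)])
        else:
            # Rarely used: left for the business area to decide, not auto-added.
            role["review"].append(tcode)
    return design


if __name__ == "__main__":
    print(design_roles(USAGE, SIMPLIFICATION))
```

Without the mapping step, FD01 and FD02 would each fall below the threshold and the customer master maintenance function would drop out of the role; SE16 stays out of the scope and is listed for review.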

SAP Fiori Integration in the XAMS: Which SAP Fiori App should it be?

The SAP Fiori launchpad as a new UX (user experience) comes into focus in SAP S/4HANA to optimize the user interface. It is intended to generate a simplified and user-friendly user experience with many intuitive functions. Exactly which apps are now required is one of the most frequently asked questions during an S/4HANA migration, and the answer can be found using the SAP Fiori Apps Reference Library. You have the possibility to determine suitable applications, for example based on the usage data. This mapping is also embedded in the Role Profiler of the XAMS, which suggests SAP Fiori apps ad-hoc based on the ST03N data that can be used as an alternative or in addition to the transactions used (Figure 6).

Figure 6: SAP Fiori apps mapping

Finally, the design phase is significantly simplified thanks to the XAMS which supports the central identification of requirements for all relevant applications. This means that all the important information is now available, and you can start collaborating with the required business areas.

Fiori Administration – A small side note

Unlike ABAP authorizations, the SAP Fiori app authorizations are not administered solely in the PFCG transaction, but also by using tools such as the SAP Fiori Launchpad Designer or the SAP Fiori Content Manager, which are further described in the blog series “SAP S/4HANA Fiori | SAP Fiori authorization roles and role building”. Especially at the beginning of the project, Fiori catalogs, groups or spaces have to be created en masse. With the Xiting Role Designer and Xiting Role Replicator, the XAMS offers attractive features that help with the mass processing of SAP Fiori catalogs and administration of the roles. With integrated status checks via the Xiting Role Profiler you also have the ability to uncover inconsistencies in your SAP Fiori set-up. If there is still a need for clarification or action at this point, please do not hesitate to contact us. We have the right solution for you.

Phase 2: Test Simulation

The test phase is fundamental for a smooth operational transfer of the migrated role concept with the least amount of downtime. However, preparing the test scenarios is time-consuming and, unfortunately, tests are often not carried out thoroughly. In addition, with SU24-based role maintenance, you also receive open authorization object proposals in the role profile, whose characteristics you must determine through these tests. By using standard tools, you start a lengthy and resource-intensive “trial and error” procedure between test user and role administrator. The Productive Test Simulation (PTS) of the XAMS addresses this issue.

The PTS increases the efficiency of the test phase by assigning users extensive project roles and testing the new role in the background through the assignment of a reference user. The project role gives the users sufficient authorization for uninterrupted testing. The missing authorizations of the new role are logged and can be evaluated using clear, detailed result tables. Parallel to the test evaluation, you can also directly maintain the appropriate authorization default values from XAMS in transaction SU24, thus guaranteeing a high technical quality of the role.
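To make the idea concrete, here is an added example (not XAMS code and not part of the original post) that replays recorded authorization checks against a candidate role and reports the ones the new role alone would have failed. The trace layout, the role structure and all sample values are constructed for illustration.

```python
from collections import Counter

# Constructed sample: authorization checks recorded while a tester worked with
# the broad project role, as (object, {field: checked value}).
TRACE = [
    ("S_TCODE", {"TCD": "BP"}),
    ("F_KNA1_BUK", {"BUKRS": "1000", "ACTVT": "02"}),
    ("F_KNA1_BUK", {"BUKRS": "2000", "ACTVT": "03"}),
    ("F_KNA1_BUK", {"BUKRS": "2000", "ACTVT": "02"}),
    ("F_KNA1_BUK", {"BUKRS": "2000", "ACTVT": "02"}),
    ("B_BUPA_RLT", {"RLTYP": "FLCU00", "ACTVT": "02"}),
]

# Constructed candidate role: object -> list of authorizations, each mapping a
# field to its allowed values ("*" = any value, "AB*" = prefix pattern).
NEW_ROLE = {
    "S_TCODE": [{"TCD": ["BP", "FB*"]}],
    "F_KNA1_BUK": [
        {"BUKRS": ["1000"], "ACTVT": ["01", "02", "03"]},
        {"BUKRS": ["2000"], "ACTVT": ["03"]},
    ],
}


def value_allowed(value, allowed):
    """True if one allowed entry matches the checked value."""
    for entry in allowed:
        if entry == value or entry == "*":
            return True
        if entry.endswith("*") and value.startswith(entry[:-1]):
            return True
    return False


def check_passes(role, obj, fields):
    """A check passes only if a single authorization covers every field."""
    return any(
        all(value_allowed(v, auth.get(f, [])) for f, v in fields.items())
        for auth in role.get(obj, [])
    )


def missing_authorizations(trace, role):
    """Count the distinct checks the new role alone would have failed."""
    missing = Counter()
    for obj, fields in trace:
        if not check_passes(role, obj, fields):
            missing[(obj, tuple(sorted(fields.items())))] += 1
    return missing


if __name__ == "__main__":
    for (obj, fields), hits in missing_authorizations(TRACE, NEW_ROLE).items():
        print(obj, dict(fields), f"failed {hits}x")
```

The change check for company code 2000 fails even though both "2000" and "02" appear somewhere in the role, because no single authorization contains both values; closing that gap should be a deliberate decision rather than a widening to "*".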

With the XAMS, you can also run detailed real-time analyses of the roles, e.g., with regard to critical authorizations and SoDs, during the test phase, but also in everyday business, so that risks can be identified at an early stage and eliminated or mitigated as required. You thus receive the necessary all-round support for managing technically maintainable and secure roles. The entire procedure and all you need to know about setting up the test scenarios is detailed in a blog post written by my colleague Jennifer Kraft.

Note: For the rollout of new processes, the SAP Best Practice Explorer offers useful solution packages for SAP Best Practices, such as test scripts and business roles for common business processes.

Phase 3: Protected Go-Live

An error-free and smooth operational transfer of the new roles is extremely difficult, especially with the Greenfield implementation. The probability that S/4HANA-related enhancements, in terms of processes or applications, have a negative impact on the go-live is far too high. In order to minimize the risk of business interruption and at the same time guarantee efficient support in the event of an error, we use the Protected Go-Live with the XAMS. With the Protected Go-Live, users have the ability to use a self-service tool to retrieve extended authorizations, e.g., the extensive project role from the test phase, immediately and for a previously defined period.

This function is possible with the XAMS both in the SAP GUI and in the SAP Fiori launchpad. The user continues to work without errors immediately, while the authorizations are recorded in the background using a trace, so that missing authorizations can be identified and corrected. The encountered errors are analyzed just like in the productive test simulation. With regard to this project milestone, I would like to refer to a blog written by Manuel Griebel on the subject of “Protected Go-Live”, which explains in detail how this works.


You have now gained an insight into how a Greenfield implementation using the XAMS can be performed. Although this approach requires longer project times, the Greenfield authorization migration should be considered as a long-term investment which helps you save resource time. Despite the high degree of structural and organizational complexity, this method offers you the opportunity to approach the SAP standard best practices and to use high quality data and roles. The XAMS reduces this level of complexity and supports you not only in building secure roles according to the minimum requirements, but also in identifying relevant SAP S/4HANA applications and migrating your roles accordingly.

Xiting offers a wide range of SAP S/4HANA migration services. Are you interested in receiving more information? Take a look at our Services and gain insight into the XAMS in one of our XAMS Best Practice Workshops with one of our experienced consultants.

As the blog title suggests, there is a second approach to the S/4HANA migration which I will address: Brownfield approach. In the second part of this blog series, you will find out how this one differs from the first approach and which methodology is behind it.
