
Eursap's Ask-the-SAP-Expert – Carmina Matyas

Jun 30, 2025 | Written by Jon Simmonds

This month, we feature Carmina Matyas. Carmina has worked in SAP for well over ten years and is a renowned expert in the field of SAP authorizations. She has also thrown herself into the SAP S/4HANA world, describing herself as a “Fiori enthusiast”. Carmina commits to keeping your data secure, one role at a time!

Thank you for talking to us Carmina, we really appreciate your time. Would you be able to start by giving us a brief personal introduction?

Thank you for inviting me, Jon. 

I am an authorization consultant and have been working in the SAP field for over nine years. Living in the beautiful town of Brașov, Romania, I feel fortunate to bring my expertise to the table, especially as I’ve spent most of my professional years collaborating with German companies and engaging in German-speaking projects. 🌍 Readers can follow me on my LinkedIn.

Can you describe your journey from when you first started working with SAP over ten years ago to becoming an authorization expert and Fiori enthusiast? Lots has changed in that time – it must have been quite a ride for you!

My SAP journey began in 2014 when I started as an internal SAP support technician. From day one, I immersed myself in the dynamic world of SAP, helping users troubleshoot installation issues and optimize their experiences.

With a passion for learning and problem-solving, I quickly soaked up the knowledge needed to advance my career. In 2016, I took a leap of faith and transitioned into a freelance SAP Security & Authorizations Consultant.

Being fluent in German opened numerous opportunities for me in the SAP landscape, making finding positions that matched my skills and aspirations easier. I’m now deeply involved in S/4 Conversions and Greenfield implementations workshops, focusing on enhancing authorization concepts and tackling Fiori authorization issues. It’s been an incredible journey!

What would you say has been the most challenging SAP implementation project you've worked on, and how did you overcome the authorization hurdles? 

Authorization challenges are present in every SAP implementation and represent some of the most complex elements of a project. 

Typically, authorization considerations are not prioritized at the project's outset, leading to authorization teams being engaged too late to fully comprehend the specific business processes that require authorization. 

The most challenging was to carefully balance between granting the access the client needs to perform their roles effectively and ensuring compliance and security within the organization. 

Even though an authorization matrix is provided to the client, decisions are often delayed for months by the business process owners, who frequently seek unrestricted authorizations. Meanwhile, the key users need to test their daily tasks and put a lot of pressure on the authorization team to finish the job roles.

How has the SAP authorization landscape evolved during your career, especially with the transition to S/4HANA? 

With the transition to S/4HANA, a lot has changed! I would say that the Role Concepts were simplified as S/4HANA introduced the Fiori user interface, which uses task-based roles instead of traditional SAP GUI roles. For me, this means that authorizations are more intuitive and better aligned with specific job tasks. 
SAP has also adopted CDS Views, which allow for more dynamic data modelling. Authorizations are now integrated at the CDS level, enabling fine-grained control over data access in reporting and analytics.

The transition to S/4HANA has also encouraged the use of automated tools to design, monitor, and analyse authorizations, reducing the manual effort involved in managing security.

What specific Fiori tools or applications have you found most valuable in your authorization work? 

The SAP Fiori Apps Reference Library is my holy grail. The App Library provides a centralized view of all available Fiori applications, helping you quickly identify apps that align with your business needs and the roles you need to define.

My second favourite would be the Fiori Content Manager. It's a robust tool within the SAP S/4HANA ecosystem that makes managing Fiori content simpler and more efficient. It’s specifically designed to help administrators handle various Fiori roles, catalogs, and groups.

I am always grateful when customers decide to grab those handy authorization tools for the mass creation of roles, catalogs, spaces, pages, and so on. Seriously, it’s like a breath of fresh air! In the world of standard SAP, options can feel a bit limited when you're trying to create roles, catalogs, spaces, and pages in bulk. It’s not just about saving time; it’s about making your life easier and more efficient.

As an authorization Fiori expert, I also focus on authorization errors on the SAP Gateway, which is responsible for communication between the SAP backend and the Fiori front-end. When working with Fiori, issues related to the Gateway’s configuration or authorization might arise. Monitoring tools and logs within the SAP Gateway help track if the correct services and authorizations are in place for smooth communication between the frontend and backend.

And not to forget about my daily go-to transactions: SAP Authorization Trace (STAUTHTRACE), SUIM (User Information System), PFCG (Profile Generator), SU53 Transaction.

How do you approach balancing tight security requirements with user experience when designing SAP authorizations? 

It is always a little delicate to put up with the strict security needs. Everybody wants extended authorizations, almost SAP_ALL, to work fast and efficiently, but they do not understand that when going live in the productive environment, this will not work, and they will have extreme authorization problems.

The first step would be to understand business needs and user roles; this can only be done with the help of the client and concrete feedback. Understanding which users need access to specific data and transactions based on their role, department, and the criticality of the data is a key starting factor. I find that Authorization Experts are involved in projects too late.

The second step would be to use a role-based approach to grant access based on a user’s role within the organization: Role-Based Access Control. This allows you to limit access to only what users need to perform their jobs, minimizing the risk of over-provisioning and ensuring the security principle of "least privilege." This is a very good principle, but I have discovered that in many projects, this is not implemented because everything is done in a rush.

The third step, and my very favourite, is to personalize the user experience with SAP Fiori, so that users can have a tailored experience based on their roles and responsibilities. I would ensure that users see only the relevant apps, reducing clutter and enhancing the usability of the interface. This is also done in very good collaboration with the client. Unfortunately, if everything is in a rush, this is not possible. This needs to be negotiated before introducing the authorization team to the client. 

What's your process for managing role conflicts and segregation of duties in complex SAP environments? 

Everything starts with the correct design of the Roles and Authorizations Matrix, where the roles should contain distinct responsibilities to avoid overlaps of several authorizations, including the critical ones. I always use the task-based role approach and present it to the clients in the workshops. I prepare a template, as most clients want an exact starting point and want to spend as little time as possible on authorizations. 

The template roles that we provide are SOD-free, but if the customization of these roles is done massively based on feedback from the client, then a GRC tool would be the answer for me. After the design phase is finished, I would regularly review the roles to identify potential conflicts or overlaps.

And what about when standard SAP authorization concepts didn't quite fit the business requirements? Have you had to make any creative workarounds which you can share?

From my experience, there is no standard SAP authorization concept that fully aligns with business requirements. The SAP authorization concepts must be tailored for every client. We provide a template, but this must be adjusted as the project evolves. This is, of course, where the challenges begin.
A few creative workarounds that can also be used in your authorization concept would be to create App/Transaction Variants, which would be tailored to the client's needs. Here, an accurate testing scenario is needed, and the Variants should be created according to the User Traces.

I also suggest creating so-called SAP Value Roles. SAP Value Roles are a concept used primarily in the context of SAP S/4HANA and SAP Fiori, and they are designed to simplify the process of managing user access to specific business processes and functionalities. Unlike traditional roles that are based on transaction codes or specific applications, Value Roles focus on business value and the user’s role within a business process. These roles are designed around how users interact with the system in a real-world business context.

And what about the SAP market in Romania? How would you say it differs from other European countries in terms of opportunities and challenges? 

Romania's SAP market has experienced significant growth and development over the past two decades. SAP is organizing more events in Bucharest to attract more Romanian clients! In July 2023, SAP expanded its global R&D network by opening an SAP Labs Site in Bucharest. This hub focuses on areas such as AI, cloud computing, and process automation, underscoring Romania's role in SAP's innovation strategy.

Celebrating 20 years in Romania in 2022, SAP identified the country as a "rising star" in the Eastern Cluster, emphasizing its readiness to deliver cutting-edge solutions in cloud computing and data analytics.

But still, my go-to market is Germany, Switzerland, and Austria, as I am a German-speaking SAP Authorization consultant. In my 9+ year career, I only have one Romanian client and also had the opportunity to visit them onsite and see all the business processes discussed onsite.

What unique perspective do Romanian SAP professionals bring to international projects? 

I think that Romanian SAP professionals are as good as any other SAP professionals from all over the world. I would say that everything is reduced to your exact experience and has nothing to do with the location where you live. The Romanian SAP professionals with whom I have worked were all fluent in multiple languages, such as English, German, Italian, and French, thanks to Romania's strong linguistic education system. They also have adaptability to different business cultures, which I have experienced in different projects. Most of them also have the same problem-solving approach and strong work ethic.

Have you noticed any industry-specific trends in SAP authorization requirements in Romania? 

Unfortunately, my experience with Romanian companies is very limited, and I cannot give you an exact opinion on this. Nevertheless, if I look at all my clients, there are a few industry-specific trends in SAP authorization requirements that I can mention:

  1. SAP roles and authorizations in the financial sector are becoming more granular, with organizations implementing stricter access controls to protect financial transactions, customer data, and regulatory reporting.
  2. Healthcare institutions need to comply with healthcare-specific regulations, such as healthcare data protection laws in line with GDPR. This means tighter authorization controls on who can access patient data, pharmaceuticals, and inventory systems. SAP roles for healthcare employees are becoming more specific, with clear segregation of duties to prevent unauthorized access to sensitive patient and medical data.
  3. The logistics sector, on the other hand, aims to qualify its SAP authorization systems to support real-time access management, especially around warehouse management systems (WMS) as well as transportation management.
  4. Small and medium-sized enterprises are beginning to implement simpler and role-based access controls for the purpose of making sure that users can only access the modules they need for their positions.

If you could automate one tedious aspect of SAP authorization management, what would it be and why? 

Automating role and user provisioning could use data from HR systems to automatically assign roles based on the user's department, job title, and responsibilities. This would reduce human error and administrative overhead, ensuring the correct roles are assigned to users in real time.

SAP moves fast! How do you stay current with SAP's rapidly evolving security landscape and Fiori developments? 

You're right—SAP is constantly evolving, especially in areas like security and Fiori/UI5.

Here’s how I (and how you can) keep up with SAP’s rapidly changing landscape:

  1. I regularly check SAP Security Patch Day - SAP releases security patches every second Tuesday of the month. Regularly reviewing SAP Security Notes via the SAP Support Portal is crucial.
  2. I stay updated on SAP Fiori/UI5 by reading and attending SAP Community & OpenSAP Courses and SAP Community & Blogs.
  3. I follow SAP Security experts on LinkedIn like Jocelyn Dart, Jennifer Schmider, Alessandro Banzer, Tiede-Jan de Jong, and many more. 

As you know, we specialize in publishing tips and tricks for SAP and Fiori. If you had a favourite little hint you could give consultants about Fiori, what would it be?

A trick would be that when you try to open a Fiori App in the Launchpad and it gives you an error, the first and most important check would be to go to the Launchpad Content Manager, search for the Fiori App ID, and check the services for this Fiori App to see if everything is green or not. This is the very first routing problem of a Fiori Application:

If the services are on red, then the Basis team needs to be contacted. If the services are all on green, every single one, then contact your authorization team; they need to investigate the problem further.

OK, let’s have a little fun now… If SAP roles were personalities at a party, which one would be the life of the party and which one would be hiding in the corner?

Haha, great question! If we imagine an SAP Party, where all the SAP roles are invited, I will say that the roles with extended authorizations like SAP_ALL would be the life of the party. This Role is bursting with energy, showing off ALL dance moves. Everyone loves them because they make things look good and work seamlessly. 😊 This role is requested by every client in all the projects in which I have taken part.

Hiding in the corner would be the SAP Financial roles, which are undergoing critical authorization checks every month. Watching over everything with a serious expression, making sure the party (financial system) doesn’t crash. Only comes out when something goes wrong, like when someone spills a drink on the DJ booth 😊

When you look back at your years working with SAP, what achievement are you most proud of, and what goals do you still have for your career?

Great question! If I were to reflect on my "career" in the SAP world, I’d say my biggest achievement has been helping SAP consultants and clients find faster, smarter solutions—whether it’s debugging tricky Fiori Authorization issues, optimizing security settings, or explaining different aspects of the SAP concepts. I appreciate working with open-minded people and learning new things from them. The bond between technical and functional consultants needs to be improved for S/4HANA implementations to go smoothly. 

As for future goals, I’d love to learn more about newer technologies, like the latest BTP innovations for security and authorizations, and dive deeper into Security-first Fiori development.

And the question we always like to ask our experts: what would be your advice to new SAP consultants, or existing SAP consultants in the market now?

Never stop learning! Don’t just do your job and that’s it; try to learn something new every day. It does not count if it is a small thing, such as reading an SAP Note, a short LinkedIn post, or maybe spending more time going through an SAP learning journey to learn/refresh new information.

For new consultants, my advice would be to learn to adapt to every situation given, make mistakes as often as you can, and do not forget to write down what you have learned from them.
