The SAP Fiori UX & Security Administrator Playbook

$199.00

A focused course, tailored for you

Catalogs, groups, spaces, business roles, and PFCG menus that stay SoD-clean while the launchpad still feels usable.

A Fiori tile rendered for a user it should not have rendered for, and the audit trail in PFCG, the IAM tile, and Launchpad Designer all looked clean.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Administrators who own both Fiori UX and S/4HANA security sit on a gap that most SAP documentation treats as two separate jobs. Catalogs, groups, spaces, and pages live in the Launchpad world. Business roles, PFCG roles, authorisation objects, and SoD rulesets live in the security world. The same catalog ID shows up in both, and a clean PFCG role can still produce an unintended tile through a group inherited via a business role added in the IAM tile. Every quarterly access review, every internal audit, and every GRC mitigation control walks that boundary. Owning both sides means the playbook has to cover both sides as one mapping, not two.

What you walk away with

  • Design a catalog and group model that maps cleanly to business roles and the SoD ruleset.
  • Govern spaces and pages so launchpad changes do not silently expand authorisations.
  • Draw the line between business roles in the IAM tile and PFCG roles without leaving orphan tiles.
  • Build SoD rulesets that survive a quarterly access review and a GRC mitigation audit.
  • Operate a launchpad change-management process that keeps both UX users and auditors happy.

The 12 modules

Module 1. The catalog as the unit of authorisation
Why the Fiori catalog is the single object that connects the UX side and the security side, and what that means for naming, ownership, and lifecycle. Walks through the relationship between target mappings, tile catalogs, group catalogs, and the PFCG menu nodes that inherit them. Sets the vocabulary the rest of the course uses and shows where most SoD findings actually originate.
Module 2. Group and space design that survives reorganisation
How to model groups and spaces so that a finance reorg, a controllership split, or a shared-services move does not force a full re-cataloging exercise. Covers naming conventions, ownership tagging, and the difference between user-personalised groups and admin-published groups. Includes a worked example of a finance and procurement co-tenant space that holds up through a year of org changes.
Module 3. Business roles versus PFCG roles
The boundary nobody documents cleanly. When the business role in the IAM tile is the right place to grant a catalog, when the PFCG role is the right place, and what happens at the user master record when both are used at once. Worked examples for FI, MM, SD, and HR users. Resolves the question of which side to extend when a new app needs to be granted.
Module 4. SU01, SU24, and the launchpad menu
How the start authorisation check and the SU24 proposal model interact with Fiori app launches. Covers what SU53 actually tells you for a failed tile, why SU24 maintenance for OData services matters more than for transactions, and the trace techniques that find the missing authorisation object without breaking the audit log. Practical for any admin who has spent an hour chasing a tile that should have worked.
Module 5. OData services, ICF nodes, and the catalog target mapping
The plumbing layer between a tile click and an S/4HANA backend call. Walks through the OData service activation in SICF, the relationship between the service binding and the catalog target mapping, and the authorisation checks that fire at each step. Covers the gateway tracing tools and the common misconfigurations that produce a tile that opens to a blank screen.
Module 6. SoD ruleset design for S/4HANA Fiori footprints
How to build an SoD ruleset that works in a Fiori-first world where the same business process is reachable through three different apps. Covers the move from transaction-code-based SoD to authorisation-object-based SoD, the new app-to-process mappings GRC Access Control ships with, and how to extend the ruleset for custom Fiori apps. Aimed at administrators who own the ruleset definition, not just the user assignment.
Module 7. Quarterly access review without launchpad chaos
Running the access certification cycle in a Fiori-administered estate. How to prepare the user-to-role inventory so reviewers see business roles in their language, not PFCG technical names. How to handle the standard delegation, escalation, and revoke paths so the launchpad still works on Monday morning. Includes a tested communication template for finance and procurement reviewers.
Module 8. Launchpad change management as a security process
Adding a tile is a security change. Removing a tile is a security change. The course covers the change-control workflow that treats both that way without slowing UX work to a crawl. Walks through the four-eyes process for catalog edits, the regression test pack for affected business roles, and the rollback procedure when a published space breaks a finance close.
Module 9. Custom Fiori apps and the authorisation default model
When the project team ships a custom Fiori app on top of S/4HANA, the question is which OData services it consumes and which authorisation objects fire on those services. Covers the SU22 to SU24 propagation, the customer-defined default model, and the negotiation with developers about which checks belong in the service versus the UI. Aimed at administrators who get the app dropped on them after the build is done.
Module 10. Embedded analytics, KPI tiles, and the data-side authorisations
KPI tiles, smart business apps, and embedded analytics each read CDS views or analytical queries that have their own authorisation checks. Covers DCL, the relationship between the analytical authorisation and the transactional authorisation, and the pattern for granting a CFO a KPI tile without granting the underlying transactional tile. Includes a worked example for a contribution-margin tile that reads sensitive data.
Module 11. IDP, conditional access, and the launchpad sign-on path
The sign-on path that ends at the launchpad starts at an identity provider, runs through a conditional access policy, lands in the SAP Cloud Identity tenant, and proxies into S/4HANA. Covers the responsibility split between the IDP team and the SAP security team, the configuration of risk-based authentication for sensitive Fiori tiles, and the audit-trail joining required to investigate a suspicious launchpad session.
Module 12. Operating model and the next twelve months
How to run the joint Fiori UX and security function as one operating model rather than two job descriptions. Covers ticket queues, on-call rotation across both skill sets, the documentation pattern that keeps the catalog-to-role mapping current, and the upgrade path through the next two S/4HANA release waves. Closes with a check-in cadence with the GRC team that prevents end-of-quarter scrambles.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • A Fiori tile rendered for a user who should not have had access, and PFCG, the IAM tile, and Launchpad Designer all looked clean.
  • GRC flagged an SoD conflict that did not show up in the previous quarterly review, and the ruleset has not changed.
  • A custom Fiori app the project team built last quarter is failing the access review because the authorisation default model was never finalised.
  • Finance is asking for a contribution-margin KPI tile for a CFO who must not see the underlying transactional posting app.

What you get with this course

  • Twelve written modules in the Art of Service learning environment.
  • Downloadable templates for catalog inventory, business-role-to-PFCG-role mapping, and SoD ruleset extensions.
  • Worked examples for FI, MM, SD, HR, and a custom Fiori app scenario.
  • A hand-built implementation playbook tailored to your own catalog and business role footprint.
  • Thirty-day money-back if it does not match the work.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules one to four cover the catalog model and the business role boundary, designed to be worked through in the first week.

Modules five to eight cover OData plumbing, SoD ruleset, and quarterly access review preparation, designed for the second and third weeks.

Modules nine to twelve cover custom apps, embedded analytics, sign-on path, and operating model, designed for the fourth week and ongoing reference.

Before and after

Before

Catalog-to-role mapping lives in three spreadsheets and one person's head. Every access review surfaces a Fiori finding nobody can fully explain. Custom apps get dropped on the security team after the build is done.

After

One mapping, one ownership model, one change-control workflow across Fiori UX and security. Access reviews close without Fiori surprises. Custom apps come with an agreed authorisation default model before they ship.

What happens if you do not address this

The next quarterly access review will surface the same kind of Fiori finding the previous one did, and the explanation will still be that the launchpad layer and the role layer are owned as two separate problems. Auditors are tightening the question about how Fiori catalogs map to authorisation, and a generic answer no longer passes.

Who it is for

An SAP security administrator who also runs Fiori UX administration. Comfortable in PFCG, SU01, SUIM, and ST01. Comfortable in Launchpad Designer, the IAM tile, the Spaces and Pages app, and the Business Role app. Likely owns the SoD ruleset definition in GRC Access Control or an equivalent. Responsible for the launchpad experience of finance, procurement, sales, HR, and IT users without breaking the access reviews.

Who this is NOT for. Pure ABAP developers who never touch security. Pure GRC analysts who never open Launchpad Designer. Functional consultants who do not own production role design. Anyone working only on Classic SAP GUI without a Fiori footprint.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. About four to six hours per week for four weeks if worked through end to end, plus reference use afterward when a specific catalog or SoD question comes up.

Why $199 is the right number

SAP openSAP runs free general-audience Fiori courses and free general-audience security courses, separately. SAP Learning Hub offers role-based certification tracks that treat the two domains apart. This playbook treats the joint Fiori UX and security administrator role as one job and is built around the catalog-to-role mapping problem specifically, with a tailored implementation playbook for your own footprint rather than a generic curriculum.

FAQ

Is this only for S/4HANA, or does it cover ECC too?
The course is built around S/4HANA Fiori and the IAM tile / business role model. Classic ECC PFCG concepts are referenced where they matter for migration, but the focus is the current S/4HANA Fiori-administered estate.
Do I need GRC Access Control to use the SoD modules?
No. The ruleset design pattern is shown in GRC Access Control terms because that is the most common environment, but the same pattern applies to Pathlock, SAP Cloud Identity Access Governance, or a custom SUIM-based ruleset.
Will the implementation playbook actually be tailored to my own footprint?
Yes. After purchase you share a minimal description of your catalog count, business role count, and the apps in scope. The implementation playbook is hand-built around those numbers within 24 hours.
What does the course actually deliver?
Written modules in the Art of Service learning environment, downloadable templates and worked examples for every module, and the hand-built implementation playbook delivered alongside course access. No live sessions unless you ask for one separately.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
