Securing SAP S/4HANA

2.1 Deployment options

SAP Fiori apps consist of front-end components, which provide the user interface and the connection to the back end, and back-end components, which provide the data. The front-end components and the back-end components are delivered in separate products and must be installed in a system landscape that is enabled for SAP Fiori. There are multiple deployment options for the SAP Fiori components, each with their respective advantages and disadvantages. SAP Fiori applications are accessed through the SAP NetWeaver Gateway. The gateway consists of two components: SAP Gateway Foundation (SAP_GWFND) and User Interface Technology (SAP_UI). Both components are add-ons, which from NetWeaver version 7.4, are part of the SAP NetWeaver ABAP Stack. With NetWeaver 7.31, the components had to be deployed separately. This means that any system built on SAP NetWeaver, such as SAP ERP or SAP CRM, can be used to deploy SAP Fiori applications.

The following deployment options exist: central hub deployment, the embedded scenario and the cloud edition (see Figure 2.1).

Figure 2.1: SAP Fiori deployment options

2.1.1 Central hub deployment

The central hub deployment is the preferred option. Here, SAP NetWeaver Gateway is installed as a separate system. The Fiori applications are deployed here and access the data on the back-end business systems, such as SAP ERP or SAP CRM. Although this option implies an extra system, thus a higher total cost of ownership (TCO), it enables a multi-back-end system scenario while ensuring a consistent look and feel for the different applications. The central hub can be considered a single point of access for all mobile applications. In addition, installing SAP NetWeaver Gateway on a separate system allows you to move the system behind or in front of the firewall depending on your current network topology and security requirements.

2.1.2 Embedded scenario

SAP NetWeaver is the basis of all ABAP-based SAP applications, regardless of whether you are talking about SAP ERP, SAP BW, or any of the others. As the gateway is an add-on for SAP NetWeaver, it is available on every ABAP-based business application. This means that it can be activated and that Fiori applications can be deployed on any system. This makes an extra system unnecessary. However, we do not recommend the embedded scenario as, in contrast to the central hub deployment, it results in Fiori applications being installed all over the place — negating the advantage of the single point of access for all mobile applications. The embedded scenario should only be considered during a proof of concept or when the deployment of mobile applications is going to be limited to a single SAP application such as SAP ERP.

2.1.3 Cloud edition

The SAP Fiori cloud edition is a ready-to-use infrastructure which can serve as a front end while leaving the back-end systems on premise. The connection to the SAP Fiori Cloud is realized via SAP Cloud Connector, which must be installed on premise. The back-end components still have to be installed on the back-end systems.

2.1.4 Comparison of the deployment options

Table 2.1 compares the different deployment options. Every deployment option has its respective advantages and disadvantages. The importance of the pros and cons differ in every customer situation.

Table 2.1: Comparison of the deployment options

We strongly recommend the central hub deployment option as it enables a single point of access to your mobile applications for SAP ERP, SAP BW, and many others, while at the same time ensuring the same look and feel. Due to its limitations and dependencies, the embedded scenario should only be considered in a proof-of-concept scenario.