
SAP fiori embedded plus standalone FES

federico190086
Discoverer
0 Kudos

Hi all,

In our company we are working on a greenfield project where we have installed an S/4HANA 2022 landscape with embedded FES.

Due to new security requirements we need to be able to segregate some Fiori apps accessed via mobile devices.

I need to understand if installing a standalone FES connected to the already existing backend can solve the problem (by activating the OData and ICF nodes just in the standalone FES). The final result would be that most of the apps are provided to the users via the embedded FES while some specific apps are served via the standalone FES, both connected to the same backend.

Another question is, in case the configuration is possible, do I need to create the users that need to use the segregated apps in the frontend system to add the related app roles, or on both systems?

Thanks and regards

Federico


Accepted Solutions (0)

Answers (2)


mamartins
Active Contributor
0 Kudos

Another FES will not solve the security fears that you mentioned.

Do you already have public access to the system via a browser and your concern is the mobile devices? Even if you create an app for the mobile devices, nothing will stop the user from starting a browser and accessing the system...

One option is to create an external server (like a portal) and use it as the endpoint for SOAP/REST calls from the mobile app, and create a tunnel between this new server and the WD. This way, you will only accept calls from one particular IP address (the portal server).

mamartins
Active Contributor
0 Kudos

I would recommend avoiding that kind of solution; you will have one more system to manage and it will not improve the security posture very much.

My suggestion is to use a Web Dispatcher installed in a DMZ to filter the traffic and allow only the necessary URLs/endpoints. More info here: https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/48/9ac19148c673e8e10000000a42189b/frameset.htm

You can have the SSL termination at the WD. This will allow you to monitor the traffic before it exits the DMZ and reaches the S/4 backend. It will increase the overall solution security, but at the cost of more complexity.

In front of the WD (public INTERNET) you should have a Web Application Firewall to block the most common attack vectors.
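Added illustration, not part of mamartins' answers and not SAP code: a small Python model of how a URL allow-list in front of the backend decides a request, in the spirit of the Web Dispatcher permission table linked above. It covers both points made in the two answers: restricting which ICF/OData paths are reachable from the DMZ entry point, and (from the earlier answer) accepting a given service only from one client address. The rule syntax (P permit, D deny, S permit only over HTTPS, first match wins), the service names ZMOBILE_SRV and ZFIORI_SRV, and the IP addresses are all assumptions or constructed placeholders, not SAP's actual file format or implementation. The point a practitioner should take from it is the path normalisation step: a prefix rule is only as good as the canonical form of the path it is matched against.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Rule:
    action: str          # "P" permit, "D" deny, "S" permit only over HTTPS
    url_pattern: str     # glob over the request path; "*" also matches "/"
    client_pattern: str  # glob over the client IP address, "*" = any client


@dataclass(frozen=True)
class Request:
    path: str
    client_ip: str
    https: bool


# Constructed sample table (simplified syntax, NOT a real SAP permission
# file). One rule per line: action, URL pattern, optional client-IP pattern.
# First matching rule wins. ZMOBILE_SRV and 203.0.113.10 are placeholders.
SAMPLE_PERMFILE = """
# OData service used by the mobile app: only from the intermediate server
S  /sap/opu/odata/sap/ZMOBILE_SRV/*   203.0.113.10
D  /sap/opu/odata/sap/ZMOBILE_SRV/*   *
# Launchpad, UI5 resources and remaining OData services: HTTPS, any client
S  /sap/bc/ui2/*          *
S  /sap/bc/ui5_ui5/*      *
S  /sap/opu/odata/*       *
# SAP GUI for HTML is never exposed through this entry point
D  /sap/bc/gui/*          *
# Anything not listed above is denied
D  *                      *
"""


def parse_permfile(text: str) -> List[Rule]:
    """Parse the simplified rule syntax; a malformed line raises instead of
    silently turning into a permit."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3) or fields[0] not in ("P", "D", "S"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        client = fields[2] if len(fields) == 3 else "*"
        rules.append(Rule(fields[0], fields[1], client))
    return rules


def normalize_path(path: str) -> str:
    """Canonicalise before matching: drop the query string, decode
    percent-encoding once, collapse '.'/'..' and repeated slashes, so that
    /sap/bc/ui2/../gui/... is judged as /sap/bc/gui/..., not as a UI2 URL."""
    path = unquote(path.split("?", 1)[0])
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def evaluate(rules: List[Rule], req: Request) -> Tuple[bool, Optional[Rule]]:
    """Return (permitted, matching rule). No matching rule means deny."""
    path = normalize_path(req.path)
    for rule in rules:
        if fnmatchcase(path, rule.url_pattern) and fnmatchcase(req.client_ip, rule.client_pattern):
            if rule.action == "P":
                return True, rule
            if rule.action == "S":
                return req.https, rule   # permitted only if TLS was used
            return False, rule
    return False, None


RULES = parse_permfile(SAMPLE_PERMFILE)


def is_permitted(path: str, client_ip: str = "198.51.100.7", https: bool = True) -> bool:
    return evaluate(RULES, Request(path, client_ip, https))[0]


if __name__ == "__main__":
    for p, ip, tls in [
        ("/sap/opu/odata/sap/ZFIORI_SRV/$metadata", "198.51.100.7", True),
        ("/sap/opu/odata/sap/ZFIORI_SRV/$metadata", "198.51.100.7", False),
        ("/sap/bc/gui/sap/its/webgui", "198.51.100.7", True),
        ("/sap/bc/ui2/..%2Fgui/sap/its/webgui", "198.51.100.7", True),
        ("/sap/opu/odata/sap/ZMOBILE_SRV/Items", "203.0.113.10", True),
        ("/sap/opu/odata/sap/ZMOBILE_SRV/Items", "198.51.100.7", True),
    ]:
        ok, rule = evaluate(RULES, Request(p, ip, tls))
        print(f"{'PERMIT' if ok else 'DENY':6} {p} from {ip} https={tls} via {rule}")
```

The deny-all last rule and the "no match means deny" fallback are what make this an allow-list; the client-address column is the filter equivalent of mamartins' "only accept calls from one particular IP address", and it is only meaningful if the WD sees the real client address rather than one forwarded from an untrusted hop.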

federico190086
Discoverer
0 Kudos

Thanks for the reply mamartins,

We already have a WD to filter the traffic. My problem is more related to the security of the usage of mobile devices, where I don't have two-factor authentication, and the possibility for someone to log in with a different user with different permissions, for example HR, and see sensitive data.

Regards

Federico