
SAP Fiori embedded plus standalone FES

federico1900
Discoverer

Hi all,

In our company we are working on a greenfield project where we have installed an S/4 HANA 2022 landscape with embedded FES.

Due to new security requirements we need to be able to segregate some Fiori apps accessed via mobile devices.

I need to understand if the installation of a standalone FES connected to the already existing backend can solve the problem (by activating the OData and ICF nodes just in the standalone FES). The final result would be that most of the apps are provided to the users via the embedded FES while some specific apps are provided via the standalone FES, both connected to the same backend.

Another question is, in case the configuration is possible, do I need to create the users that need to use the segregated apps in the frontend system to add the related app roles, or on both systems?

Thanks and regards

Federico

 

mamartins
Active Contributor

I would recommend avoiding that kind of solution: you will have one more system to manage and it will not improve the security posture very much.

My suggestion is to use a Web Dispatcher installed in a DMZ to filter the traffic and allow only the necessary URLs/endpoints. More info here: https://help.sap.com/doc/saphelp_nw75/7.5.5/en-US/48/9ac19148c673e8e10000000a42189b/frameset.htm

You can have the SSL termination at the WD. This will allow you to monitor the traffic before it exits the DMZ and reaches the S/4 backend. It will increase the overall solution security, but at the cost of more complexity.

In front of the WD (public Internet) you should have a Web Application Firewall to block the most common attack vectors.

federico1900
Discoverer

Thanks for the reply Mamartins,

We already have a WD to filter the traffic. My problem is more related to the security of mobile device usage, where I don't have two-factor authentication, and the possibility for someone to log in with a different user with different permissions, for example HR, and see sensitive data.

Regards

Federico