Successfully Navigating Security in SAP S/4HANA Upgrades

As SAP customers plan their transition from ECC to S/4HANA or upgrade to the latest versions of S/4HANA and Fiori, important security aspects must be considered as part of the upgrade plan. An upgrade presents an opportunity to strengthen system security, but if not addressed strategically, there can be a significant risk of business interruption and negative user experience due to access issues in the upgraded environment. Including the appropriate security steps and planning for adequate time and resources to address them will mitigate this risk and ensure a smoother transition to the upgraded environment.

SU25: A critical component of upgrade security

Transaction SU25 (upgrade tool for profile generator) plays a critical role in assessing and executing security updates during an SAP upgrade. Failing to properly run the SU25 steps can result in issues and in underutilizing new functionality and improvements introduced with the upgrade:

• Access issues: End users and technical or non-dialog user IDs may encounter authorization errors when trying to perform certain functions, because their assigned roles are not updated to include new or changed authorizations required by the upgraded system.
• Obsolete authorizations: Roles may contain obsolete or deprecated authorization objects, which can lead to users either having more permissions than necessary or lacking permissions they require.
• Increased errors: The system may exhibit an increased rate of errors and warnings due to unmaintained authorizations.
• Underutilization of new features: New features and enhancements introduced in the upgraded version may remain inaccessible to users because the roles and authorizations are not updated.
• Delayed adoption of best practices: New functionalities often align with industry best practices. Missing out on these features can prevent organizations from modernizing processes and staying aligned with evolving standards.
• Wasted investment: Upgrades require significant investment in terms of time and resources. Not fully utilizing new functionality can result in a diminished return on investment (ROI).

We have often seen SAP security administrators at our clients be overwhelmed by the process of planning and executing the SU25 steps due to lack of experience, lack of bandwidth and inadequate focus within the overall upgrade effort. The strategy we have successfully employed for our clients includes establishing a dedicated team of experts to ensure this effort is completed with the appropriate due diligence, which allows the organization to maximize the value of its investment and proactively prevent the issues described above.

Fiori deployment choices: Stand-alone/hub or embedded

If implementing Fiori as part of an upgrade, the choice of deployment model has a significant influence on how security is managed:

• Stand-alone/hub model: In this model, the Fiori front-end server is separate from the back-end system. The front-end server communicates with the back-end server through a trusted RFC connection, and users interact with the front-end server through Fiori. A disadvantage of this model from a security perspective is that it increases complexity and administration effort as users and roles must be maintained in both the front-end and back-end systems and access must be provisioned from both systems.
• Embedded model: The embedded model simplifies the landscape by combining the front-end server and the back-end system into a single instance and is the deployment model recommended by SAP. This model provides numerous benefits from a security perspective, eliminating the need for dual maintenance of roles and users, reducing administrative effort and simplifying issue resolution. Although the stand-alone Fiori front-end server model continues to be supported in S/4HANA 2025, if on this model currently, Protiviti recommends moving to the embedded model as part of a technical upgrade.

Revisiting role architecture

An upgrade involving Fiori may necessitate a review of role architecture:

• Separate or combined roles: In an embedded environment, an important security design consideration is whether to maintain separate security roles for Fiori app vs. transaction code access or to group the access together in security roles by related task. The latter is the most efficient approach for role maintenance, issue resolution and provisioning to users, and there are no technical constraints to doing so. We have helped many of our clients successfully streamline their task-based roles using this approach.

The Fiori Launchpad evolution

After an upgrade, the Fiori Launchpad (FLP) may experience functional, visual and structural changes. IIt is important to prepare for these proactively to ensure a smooth transition for both end-users and administrators:

• Performance enhancements and feature flags: SAP often introduces new FLP services such as spaces and pages, performance improvements and new user personalization options. Review newly available launchpad configuration parameters and enable the ones that fit the organization’s needs.
• Spaces and pages migration or update:
  • The shift from groups to spaces and pages includes:
    • The addition of new space templates
      • Changes in the layout or structure of delivered pages
      • Deprecated group-only features
      • It is important to familiarize users with the new launchpad layout and navigation ahead of time, as well as update user training materials.
  • Consider the go-live plan (pilot vs. big bang) when determining the appropriate Fiori Launchpad configurations and transporting them through the landscape. Not having the correct configuration in place can result in a blank Fiori launchpad in production. Test these scenarios in lower-level environments prior to transporting to Production to avoid any business impact.
• Pages per space: Be mindful of limitations on the number of pages within spaces when planning the design if shifting from groups to spaces and pages. Protiviti recommends less than ten pages per space which ensures clear, role-based separation of content, faster load times and better user experience and navigation, leading to better user adoption.
• User experience: Whether newly implementing Fiori or moving to a newer version or transitioning to spaces and pages, it is critical to consider user experience and how the security role design intersects with how users will see and interact with the Launchpad. Launchpad navigation should be tested along with the new or updated security roles and included in user training.

An SAP upgrade isn’t just a technical project – it’s a critical opportunity to enhance security, reduce complexity, and improve user experience. By following strategies such as properly executing SU25, reviewing and updating security roles, selecting the appropriate Fiori deployment model, and preparing for changes in the Fiori Launchpad, organizations can:

• Avoid access disruptions and business downtime
• Strengthen system security with updated roles and authorizations
• Simplify role maintenance and support through streamlined architecture
• Improve user adoption with a more intuitive Fiori experience

Ultimately, proactive security planning during an upgrade is key to positioning organizations for long-term success in the S/4HANA and Fiori landscape.

To learn more about our SAP consulting services, contact us.