Security in SAP S/4HANA Cloud (Public): Executive Manual

Empower your enterprise with confidence by leveraging BearingPoint’s secure platform support for SAP S/4HANA Cloud Public Edition. Designed to meet the evolving demands of digital transformation, our tailored services ensure seamless integration, robust cybersecurity, and continuous innovation.

The underlying challenge and its associated costs

Role sprawl & over-provisioning

Users accumulate access across projects and releases. Result: audit findings, Segregation of Duties (SoD) risk, and higher blast radius.

Slow, friction filled onboarding

Manual user creation and inconsistent role assignment stall productivity and invite errors.

Opaque access & audit fatigue

It’s hard to answer “who can do what, where, and why?” - especially under tight audit timelines.

Upgrade drift

Quarterly releases change catalogs, restrictions, and templates - quietly breaking compliance and user experience.

Integration & connectivity risk

Basic auth, misscoped comm users, and adhoc arrangements increase exposure between SAP and external systems.

Limited visibility into authorization failures

Troubleshooting access issues takes too long without targeted traces and clear evidence.

Inconsistent UX & adoption

Crowded launchpads and inconsistent spaces/pages increase training cost and support load.

Solutions included in the Executive Manual

Tight, role based access (Least privilege)

Model access with business roles and business catalogs, then refine via read/ write/ value help restrictions and leading restrictions.

Outcome: shrinks attack surface; SoD friendly by design.

Streamlined identity & lifecycle

Orchestrate manage workforce + maintain business users. Integrate corporate IdP via SAP Cloud Identity Services (IAS).

Outcome: faster onboarding, policy driven authentication (incl. MFA), cleaner exits.

Operational governance, not guess work

Use IAM Information System & IAM Key Figures for role usage, unmaintained restrictions, and “unrestricted” hot spots.

Outcome: realtime risk posture, auditready evidence.

Release proof role management

Control change with software collections and manage business role changes after upgrade (handle deprecations, dependencies, and restriction updates).

Outcome: fewer surprises; compliant role evolution through Dev → Test → Prod.

Secure connectivity by design

Define communication users, systems, scenarios, and arrangements with leastprivilege scopes and certificate options.

Outcome: tighter systemtosystem trust boundaries.

Faster, fact based troubleshooting

Run authorization traces to pinpoint missing permissions without overgranting.

Outcome: resolve incidents quickly and safely.

Adoption ready UX structure

Govern spaces & pages for rolealigned layouts; use role/user groups to scale assignment.

Outcome: cleaner launchpads, lower training overhead.

How it works - process flow & connectivity

Access governance flow

The access governance process begins by modeling roles and catalogs to define clear access structures. Next, access is restricted using leading fields (such as Company Code) to ensure users only see what’s relevant. Users are then assigned to these roles, followed by validation through IAM reports to confirm compliance and spot risks. Once validated, roles and changes are transported via software collections to maintain consistency across environments. Ongoing monitoring and tracing help detect issues and maintain security. Finally, after upgrades, roles and restrictions are adapted to ensure continued compliance and operational stability.

Download the Executive Manual
Connectivity flow

End users authenticate through Identity Authentication Services (IAS), which securely connects them to SAP S/4HANA Cloud Public Edition. Integrated systems communicate via scoped, authenticated, and logged communication arrangements, ensuring that all connections are secure, traceable, and compliant with governance requirements.

Download the Executive Manual

About the Executive Manual

Key takeaways

A repeatable blueprint for leastprivilege design in SAP S/4HANA Cloud Public Edition

A step by step lifecycle model for users, roles, and UX layouts

A governance toolkit (reports, key figures, traces) to stay auditready

A release management approach to survive upgrades without rework

A connectivity pattern for secure, certificatebacked integrations
A concise, nontechnical guide for leaders to secure SAP S/4HANA Cloud Public Edition - covering role design, IAM governance, troubleshooting, transports, and integration.

Format: PDF

What’s inside: process flows, governance checkpoints, upgrade playbook

Why now: reduce risk before the next audit and release cycle

Download the Executive Manual now
Who is this designed for?

CISOs & CIOs seeking verifiable control without slowing the business

SAP Security & Basis Leads standardizing controls across tenants

Internal Audit & Compliance teams needing transparent evidence trails

IT Operations/AMS leaders running Dev/Test/Prod with clean transports
A concise, nontechnical guide for leaders to secure SAP S/4HANA Cloud Public Edition—covering role design, IAM governance, troubleshooting, transports, and integration.

Format: PDF

What’s inside: process flows, governance checkpoints, upgrade playbook

Why now: reduce risk before the next audit and release cycle

Download the Executive Manual now

Measurable outcomes

Risk reduction: minimize overprovisioning; isolate integration trust.
Operational efficiency: faster onboarding/changes via mass actions and templates.
Audit readiness: evidence on demand (who has what and why).
Upgrade resilience: predictable changes; governed adoption of catalog updates.
User productivity: rolealigned Launchpads reduce clicks and tickets.

Does this apply to SAP S/4HANA Cloud, Public Edition only?

The patterns described are tailored to the Public Edition authorization and connectivity model.
Will this change our current role model?

The manual shows how to evolve to leastprivilege roles using catalogs, restrictions, and derivations, without exposing sensitive configurations.
How do we stay compliant through upgrades?

Use manage business role changes after upgrade to adopt successor catalogs, update restriction types, and validate dependencies - then transport via software collections.
Do you cover SSO/MFA?

Yes, at a policy level using SAP Cloud Identity Services (IAS) and corporate IdPs.

Contact us if you would like to receive the manual per email:

Your first name

Your last name

Your email address

Your phone number

I agree to the privacy and cookie statement from BearingPoint Group.

We use reCaptcha to secure our forms. This requires JavaScript enabled.

Complete all fields marked with an asterisk

Schedule a workshop with our team to shape your future AMS organization

The future AMS organization will not only take care about your operating system but will support business through digital advisory and even change business strategies with digital innovation.

Book a workshop