Comprehensive SAP S/4HANA security strategy reduces additional downstream costs

Schott AG is considering its SAP S/4HANA transformation from all aspects, from code and processes, down to authorizations for its SAP S/4HANA migration.

In this interview, Thomas Frey (SAP Authorizations Consultant, SAST SOLUTIONS) explains the requirements you need to keep track of when rolling out SAP S/4HANA – and what you must avoid at all costs.


The following interview between Helge Sanden (Editor in Chief of IT-Onlinemagazin) and Thomas Frey first appeared on January 13, 2021, in IT-Onlinemagazin.


Mr. Frey, which requirements must companies keep track of when rolling out SAP S/4HANA? What should they avoid?

In our experience, it is unfortunately still the case that too few companies planning their migration to S/4HANA take into account security for the new systems.

During the changeover, it is crucial to incorporate a robust, consistent foundation of security in your migration strategy. This is how companies can avoid both the typical traps in changing platforms – for example forgetting about interfaces and legacy systems – and the transfer of SAP authorizations much too late in the process.

What challenges arise when companies do not consider all aspects of the migration to S/4HANA?

All the approaches do have one thing in common and that is that there are a number of basic decisions that must be made well before rolling out SAP S/4HANA. Often, we see that the responsible parties aren’t really aware of the challenges they face at the start of a project. This not only costs time later, but also frequently incurs significant additional costs.

In fact, a migration project actually gives you the opportunity to take your SAP IT migration to a new level, with a cleanly designed, holistically planned security and compliance strategy for safeguarding your IT systems.

At the same time, these challenges can be approached as opportunities to improve the security of your SAP target system, streamline your role concepts, and enable use of the new system with all its benefits.

How do you see your role in SAP projects? What about the meaning your software tool takes on?

There are so many critical decisions made directly when the project starts. This is why we support our customers right from the get-go, allowing us to tailor our responses for each customer’s company. We look at which transactions need to be replaced, or have become obsolete. We look at how to identify the Fiori apps that best fit the roles. And, of course, we look at how to do all this while remaining in compliance with the relevant authorization concept.

When companies use the right tool, like SAST SUITE, they save time and money because the number of manual tasks is substantially reduced. Our software improves analysis results, recommends approaching authorization roles as a migration or with a new concept, and delivers default values directly. It also detects obsolete transactions, or transactions that have been replaced, and identifies which Fiori apps would be a good fit.

All in all, this is the perfect interplay between SAP security & compliance expertise and tool support. This also prevents avoidable risks from coming up in the first place in the customer’s new SAP S/4HANA system.

Can you give a few examples of misconceptions you come across in S/4HANA projects?

One frequent misconception is that SAP FIORI is a solution for nearly everything. On the contrary, many processes aren’t even supported yet. That’s why we recommend only using Fiori where it truly adds value.

Our second tip is to plan in more time. Typically, user departments have neither the required level of process expertise nor the understanding of how they plan to work in S/4HANA in the future. Designing business processes that make sense and are optimized for work across multiple departments is just not something that can be done alongside daily business workloads.

A third misconception that we encounter all too often is “legacy burdens” that are migrated to the new system inadvertently – the source code is a specific example here. Instead of analyzing things beforehand to determine what they really need, they simply copy everything on a 1:1 basis. However, this means that any security risks are also copied over and leave open any backdoors that could inflict damage in the systems.

These examples are all absolutely avoidable by devising an end-to-end strategy for SAP S/4HANA security from the start.

What will you be talking about at the IT online conference 2021?

We’ll be sharing our day-to-day practical experiences in the Expert Talk. We’ll go over what frequently causes projects to flounder, what is truly crucial for intelligent project management, talk about the opportunities for completely rethinking authorization concepts, and, last but not least, cover the advantages of tool support during a migration.

In addition, our customer SCHOTT AG will present a comprehensive deep dive into how their migration of authorizations to S/4HANA – in the middle of the corona pandemic – is going. They’ll also share their experiences and lessons learned.

What do you expect the dominating topic to be in the SAP community in 2021?

In our eyes, the dominating topic will most certainly be whether or not more companies learn from the early adopters and truly take a holistic view of their SAP S/4HANA transformations.

We are also excited to see how those companies who have decided to delay their migrations, for example due to the pandemic, will cope with the expected ongoing shortage of consultant expertise.

Thank you for the interview.

Helge Sanden, Editor in Chief of IT-Onlinemagazin, asked the questions.

Would you like to dive deeper into this subject? Then we recommend the recording of our SAST Expert Talk from 27 January 2021 (in German). Christian Puscher (SCHOTT AG) and Thomas Frey (SAST SOLUTIONS) were guests and speakers at the IT-Onlinekonferenz 2021 “SAP S/4HANA, SAP Optimization, Increase in Efficiency, and Digital Transformation” and reported together about the transformation of the SAP system landscape at SCHOTT AG.


Thomas Frey (SAP Authorizations Consultant, SAST SOLUTIONS)

Helge Sanden (Editor in Chief of IT-Onlinemagazin)

