Enterprise Resource Planning Blog Posts by SAP
Kiran-Bose
Product and Topic Expert

Security is a fundamental component throughout the entire lifecycle of SAP products, including development, planning, and quality assurance. For SAP S/4HANA Cloud Public Edition, SAP manages infrastructure-level security such as network protection, operating system security, and patch management. Security responsibilities requiring business-specific decisions—such as user and authorization management—are handled by the customer. In certain cases, SAP provides secure default configurations, which customers can adjust to suit specific business or integration requirements. Overall, SAP covers key security domains at the platform level, while customers are responsible for application-level security and configuration.

We have now added new Security and Data Protection Guidelines within the SAP Activate for SAP S/4HANA Cloud Public Edition (3-system landscape) Roadmap.

By way of introduction to the SAP Activate methodology: an SAP Activate Roadmap is a comprehensive, phase-based guide that supports implementation, conversion, and upgrade projects by defining tasks, deliverables, responsibilities, and accelerators across six phases: Discover, Prepare, Explore, Realize, Deploy, and Run. It provides methodology guidance, clear role and task allocation, and a rich set of accelerators such as templates and checklists for activities like system provisioning, data migration, and cutover planning. The roadmap is updated regularly to align with SAP's quarterly cloud releases, offers specialized paths for system conversions and upgrades, and integrates with SAP Cloud ALM for task management, progress tracking, and agile project execution, so that projects are delivered efficiently and in line with SAP best practice.

Here is an overview of the topics and guidelines covered in each of the phases from a Security & Data Protection perspective:

Prepare:

  • Review the recommendations that help you evaluate the security of the configuration of SAP S/4HANA Cloud Public Edition in your landscape. Under the cloud shared responsibility model (restricted access), you are responsible for deciding which of these recommendations apply to your environment and to what extent.
  • Integrate security recommendations into the overall implementation strategy, ensuring that the security plan comprehensively covers the following areas:
    • Implementation Aspects – including evaluation of integration security posture, frontend protection planning, and authentication design;
    • Recurring Topics – such as certificate management planning, security monitoring setup, user lifecycle management design, and planning for the security and patching of external software.

These topics are critical to establishing a secure, compliant, and well-governed SAP S/4HANA Cloud environment.

Explore:

  • Conduct Data Protection Workshop

Define and confirm the implementation scope and configuration settings related to data protection and privacy, ensuring compliance with both general and industry-specific legal requirements. The workshop focuses on understanding SAP’s data protection concepts, identifying relevant project areas such as application design, extensibility, integration, testing, data management, and analytics, and determining where data protection measures must be applied. Key outcomes include clarifying responsibilities, reviewing system configurations, defining data retention policies, and ensuring transparency over personal data processing. The result is a comprehensive plan that outlines required actions for data protection experts and stakeholders to ensure secure and compliant system operations.

  • Plan and Design Identity and Access Management

Plan and design the Identity and Access Management (IAM) framework for SAP S/4HANA Cloud, ensuring proper authorization and secure access to applications. This involves consolidating business requirements captured during fit-to-standard workshops, defining a clear authorization concept with naming conventions, specifying required workplaces, and mapping SAP applications and business catalogs to these workplaces. All technical IAM details must be collected, documented, and approved by the customer. The authorization concept should ensure data integrity, protection against misuse, and be transparent enough for third-party verification. The finalized IAM framework also supports test planning and execution.

Realize:

  • Initial access to SAP S/4HANA Cloud Tenants

Set up integration with your corporate IdP, if needed, by configuring the SAP Cloud Identity Services Identity Authentication service as a proxy. Configure password policies and multi-factor authentication (MFA) in whichever IdP actually authenticates your users (the Identity Authentication service or the corporate IdP); these policies are not enforced by SAP S/4HANA Cloud itself.

  • Configure data protection and privacy features based on the design defined during the Fit-to-Standard workshop. Key steps include defining data controllers, setting retention and residence policies for transactional and master data, managing security audit log retention, and maintaining purposes for information retrieval. Additionally, configure read access logging and consent administration if applicable.
  • Implement Frontend Security settings focusing on web client protection measures
  • Review and adapt existing Business Catalogs and Business Roles resulting from the addition of new scope items or an upgrade
  • Configure Identity and Access Management

This task involves creating, configuring, and testing custom business roles based on the approved identity and access management requirements. It includes assigning business catalogs and restriction field values according to the Application-Workplace List, creating test users, and verifying the roles with both completeness testing (every application a workplace needs is reachable through the assigned catalogs) and negative testing (the role grants no access beyond what the workplace requires, and restriction fields actually limit the data that can be reached). Authorization testing is coordinated across business areas, and roles are refined and validated based on the feedback.
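The completeness and negative tests described above can be expressed as checks over the Application-Workplace List before anyone logs in with a test user. The following is an added example, not SAP code or tooling: catalog names, application names, workplaces, roles and restriction fields are constructed sample data, and the way an SAP catalog maps to applications is simplified to a plain lookup table. It reports, per workplace, which required applications no assigned role covers (completeness), per role, which applications it grants beyond its workplace's needs (negative), and which roles leave a mandatory restriction field unrestricted.

```python
"""Completeness and negative testing of custom business roles against a
(constructed, hypothetical) Application-Workplace List.

Added example, not SAP code. Every catalog, app, workplace, role and
restriction-field name below is made up for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical business catalog -> applications it exposes (constructed data).
CATALOG_APPS = {
    "CAT_SALES_ORDER": {"Manage Sales Orders", "Display Sales Orders"},
    "CAT_BILLING": {"Create Billing Documents", "Display Billing Documents"},
    "CAT_CUSTOMER_MASTER": {"Manage Customer Master Data"},
    "CAT_USER_ADMIN": {"Maintain Business Users", "Maintain Business Roles"},
}

# Hypothetical Application-Workplace List: workplace -> apps it must reach.
WORKPLACE_APPS = {
    "Sales Order Processor": {"Manage Sales Orders", "Display Sales Orders",
                              "Display Billing Documents"},
    "Billing Clerk": {"Create Billing Documents", "Display Billing Documents"},
}

# Restriction fields that must carry an explicit value list per workplace
# (hypothetical; "*" stands for "unrestricted" in this example).
REQUIRED_RESTRICTIONS = {
    "Sales Order Processor": {"SalesOrganization"},
    "Billing Clerk": {"CompanyCode"},
}


@dataclass
class BusinessRole:
    name: str
    workplace: str
    catalogs: set
    restrictions: dict = field(default_factory=dict)  # field -> set of values


def granted_apps(role):
    """All applications reachable through the role's assigned catalogs."""
    return set().union(*(CATALOG_APPS.get(c, set()) for c in role.catalogs))


def completeness_test(roles):
    """Per workplace: required apps that none of its assigned roles grant."""
    gaps = {}
    for workplace, required in WORKPLACE_APPS.items():
        covered = set()
        for role in roles:
            if role.workplace == workplace:
                covered |= granted_apps(role)
        missing = required - covered
        if missing:
            gaps[workplace] = missing
    return gaps


def negative_test(roles):
    """Per role: apps it grants that its workplace does not need."""
    overreach = {}
    for role in roles:
        extra = granted_apps(role) - WORKPLACE_APPS.get(role.workplace, set())
        if extra:
            overreach[role.name] = extra
    return overreach


def restriction_test(roles, required_fields=REQUIRED_RESTRICTIONS):
    """Per role: mandatory restriction fields left empty or set to '*'."""
    unrestricted = {}
    for role in roles:
        missing = {
            f for f in required_fields.get(role.workplace, set())
            if not role.restrictions.get(f) or "*" in role.restrictions[f]
        }
        if missing:
            unrestricted[role.name] = missing
    return unrestricted


# Constructed sample roles: one with a coverage gap, one over-provisioned
# with an admin catalog and no CompanyCode restriction.
SAMPLE_ROLES = [
    BusinessRole("BR_SALES_ORDER_PROCESSOR", "Sales Order Processor",
                 {"CAT_SALES_ORDER"}, {"SalesOrganization": {"1010"}}),
    BusinessRole("BR_BILLING_CLERK", "Billing Clerk",
                 {"CAT_BILLING", "CAT_USER_ADMIN"}),
]

if __name__ == "__main__":
    print("Completeness gaps:", completeness_test(SAMPLE_ROLES))
    print("Negative-test findings:", negative_test(SAMPLE_ROLES))
    print("Unrestricted fields:", restriction_test(SAMPLE_ROLES))
```

In a real project the catalog-to-application table would be exported from the tenant rather than typed in, and the negative test would be confirmed with an actual test user, since catalog contents can change with a release upgrade.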

Deploy:

  • Finalize and validate all security configurations and data protection measures before the system goes live

Run:

  • Security Operations

Maintain system security, compliance, and audit readiness through continuous activities defined in the Prepare phase. Key ongoing operations include regular log monitoring (covering business data changes, user and role changes, and security audits), periodic reviews of Identity and Access Management for business and communication users, and proactive certificate management to prevent expirations and manage trust lists. Additionally, configuration monitoring is performed to ensure system integrity, collectively supporting a secure and compliant SAP environment.

Use the tag Security-Data Protection-IAM to access the Security, Data Protection and IAM content in the SAP Activate for SAP S/4HANA Cloud Public Edition (3-system landscape) Roadmap.

[Image: Security and Data Privacy in SAP Activate]

You can explore more SAP Activate resources in SAP Community using the tag #sapactivate. We also encourage you to follow our sister communities SAP S/4HANA Cloud and SAP Cloud ALM. Let us know your thoughts in the comments to this blog post or via questions in the SAP Activate community.