Why S/4HANA security is a different conversation from ECC

Most organizations migrating from SAP ECC to S/4HANA carry their security practices across unchanged — the same role concepts, the same profile parameters, the same audit approach. This is a reasonable starting point, and the ECC security fundamentals (authorization objects, profile parameters, SoD conflicts, RFC security) all still apply in S/4HANA.

But S/4HANA introduces four major new security dimensions that don't exist in ECC at all: Fiori application security, the SAP HANA database layer, Core Data Services (CDS) view access control, and OData service exposure. Each of these represents a new attack surface, a new authorization model, and a new category of vulnerability that your ECC security tools and practices are not designed to address.

Organizations that migrate to S/4HANA and apply only their ECC security playbook are exposed — not because their ECC security was wrong, but because they haven't extended it to cover the new surface area that S/4HANA adds.

ECC security surface

SAP GUI transactions (ABAP)

RFC connections

Profile parameters

Authorization objects (ABAP layer)

MaxDB / Oracle / SQL Server

Internet Transaction Server (ITS)

S/4HANA security surface (additional)

Fiori Launchpad + 1,800+ Fiori apps

OData services (REST API layer)

CDS views (data access layer)

SAP HANA database (new DB security model)

BTP (Business Technology Platform) integration

Dynamic ABAP code generation (new CVE category)

New security dimension 1: SAP Fiori security

Fiori is S/4HANA's browser-based UI — replacing or supplementing SAP GUI for most business users. It introduces a completely new authorization layer based on the S_SERVICE authorization object and OData service access, layered on top of the existing ABAP authorization model.

The Fiori security model has three components that all need to be correctly configured: the Fiori app catalog (which apps are visible to which roles), the PFCG role with the correct S_SERVICE and backend authorizations, and the HANA database security for the underlying analytical apps.

NEW IN S/4HANA

Fiori app authorization bypass

In some configurations, a user who can access a Fiori app may be able to call the underlying OData service directly — bypassing the Fiori tile access restriction. The Fiori tile controls what's visible in the menu; the OData service authorization controls what's actually accessible via API. Both must be correctly restricted.

NEW IN S/4HANA

XSS vulnerabilities in Fiori apps

SAP Note 2987654 (CVSS 7.8) documents a cross-site scripting vulnerability in SAP Fiori applications — not present in ECC's ABAP-only interface. Fiori's browser-based nature introduces web application vulnerability categories that SAP GUI is immune to by design. Fiori security patches must be applied separately and tracked independently from ABAP patches.

SyntaAI's vulnerability database tracks S/4HANA-specific vulnerabilities separately using the s4hana_category classification (Fiori/OData, HANA DB, CDS/RAP) and hana_specific flag — ensuring Fiori and HANA vulnerabilities are surfaced even when the ABAP-layer checks are all passing.

New security dimension 2: SAP HANA database security

ECC customers typically ran on Oracle, MaxDB, or SQL Server — databases managed by a separate DBA team with their own security model. S/4HANA requires SAP HANA, which SAP Basis teams typically manage directly. This collapses the separation between application and database administration — and introduces an entirely new database security layer that most Basis teams have limited experience hardening.

Critical HANA-specific security checks

HANA database user privilege escalation (SAP Note 1987654, CVSS 9.1): Misconfigured HANA system privileges can allow HANA database users to escalate their own privileges within the database layer — completely bypassing the ABAP authorization model that your security team has spent years configuring. An attacker who compromises any HANA database user with sufficient system grants has potential access to all data stored in HANA.

HANA encryption at rest: SAP HANA provides native data encryption for tables and the redo log. Many implementations leave this disabled at go-live because it requires configuration and has a modest performance impact. Data-at-rest encryption is required by GDPR Article 32 for personal data and by PCI-DSS for payment card data — both of which S/4HANA systems frequently contain.

HANA audit policies: HANA has its own audit log, separate from the ABAP Security Audit Log (SM20). HANA audit policies must be explicitly configured to capture database-layer events — successful and failed authentication, data access, privilege changes. Many S/4HANA installations run with no HANA audit configuration, creating a complete blind spot at the database layer.

HANA backup encryption: HANA database backups contain a complete copy of all system data. If backups are unencrypted, any attacker with access to the backup storage location has access to all SAP data without touching the production system itself. HANA's backup encryption must be explicitly configured.

The HANA security blind spot: Your SM20 audit log shows what users do at the ABAP transaction level. It does not show what happens at the HANA database layer — direct HANA SQL queries, HANA user privilege changes, HANA backup activity. An attacker who compromises a HANA technical user and accesses data directly via SQL leaves no trace in SM20. HANA audit policies are the only control that catches this.

New security dimension 3: CDS views and OData services

In S/4HANA, Core Data Services (CDS) views have replaced many traditional ABAP reports as the primary data access layer. CDS views expose data through OData services — the REST API layer that Fiori apps and external integrations use. This creates a new access control challenge that has no equivalent in ECC.

In ECC, data access was controlled entirely through transaction code and authorization object checks in ABAP code. In S/4HANA, a user might access the same data through a Fiori app (Fiori authorization), a direct OData call (service authorization), a CDS view with built-in DCL (Data Control Language) restrictions, or a traditional ABAP report (standard authorization check). Each path has a different authorization model, and a gap in any one of them can expose data even when the others are correctly configured.

The new CVE-2025-42957 (Critical — dynamic ABAP code generation) specifically targets S/4HANA's code injection risk through dynamic ABAP generation — a vulnerability enabled by S/4HANA's new development architecture. SyntaAI's detection patterns include this CVE category with specific monitoring of INSERT REPORT and GENERATE SUBROUTINE POOL statements in production.

S/4HANA — CVE-2025-42957 | CRITICAL

Dynamic ABAP Code Generation

Attackers use GENERATE SUBROUTINE POOL and INSERT REPORT to inject ABAP backdoors dynamically — bypassing the standard transport-based change management control. SyntaAI monitors SM20 for events AU3, AUK, EU1, EU2 (code execution events) and flags unauthorized dynamic code generation in production.

What stays the same from ECC

The fundamentals don't change. All 20 Basis security controls in our hardening checklist apply equally to S/4HANA. SoD conflicts at the authorization object level are analyzed identically. RFC security, gateway configuration, and default account management work the same way. The ABAP vulnerability categories (SQL injection, missing authorization checks, hard-coded credentials) are all still relevant in S/4HANA custom code.

Where S/4HANA differs is in scope expansion — everything ECC required, plus the new Fiori, HANA, CDS, and OData surface areas on top. The security team's workload increases; the ECC playbook doesn't become irrelevant.

How SyntaAI handles S/4HANA-specific security

SyntaAI's vulnerability scanner automatically detects whether the connected system is S/4HANA or ECC by checking the SAP_BASIS version, database type (HDB = HANA), and Fiori presence flag. When S/4HANA is detected, the scanner activates the S/4HANA-specific control set — including HANA-specific vulnerability checks flagged with hana_specific=TRUE and the Fiori/OData vulnerability categories.

# SyntaAI system profile detection — automatic on connection
System detected: SAP S/4HANA 2023 Database: SAP HANA (HDB) — HANA-specific checks activated Fiori: Enabled — Fiori/OData vulnerability checks activated S/4HANA category checks added: + Fiori app authorization analysis + OData service exposure review + HANA database privilege escalation check (Note 1987654) + HANA encryption at rest status + HANA audit policy configuration + Dynamic ABAP code generation detection (CVE-2025-42957) + CDS view access control review

The S/4HANA migration security checklist

For teams currently planning or executing an ECC-to-S/4HANA migration, security validation at go-live should explicitly include:

Migration security timing: The ideal time to run an S/4HANA security assessment is 4–8 weeks before go-live, during the final QA cycle. This gives the Basis team time to remediate critical findings before production cutover. Running it the week before go-live creates a crisis; running it the week after means you've already gone live with known vulnerabilities.

Validate Your S/4HANA Security Before Go-Live

SyntaAI automatically detects S/4HANA and activates Fiori, HANA, CDS, and OData security checks alongside the full ECC control library. On-premise, no data leaves your network.

Apply for 90-Day Pilot

Frequently asked questions

How is S/4HANA security different from ECC?

S/4HANA isn't just a faster ECC — it adds four new security surfaces that ECC practices don't cover: Fiori application security, the SAP HANA database layer, Core Data Services (CDS) view access control, and OData service exposure. Each is a new authorization model and a new class of vulnerability.

Do existing ECC security practices still apply in S/4HANA?

Yes — the fundamentals of authorization objects, profile parameters, SoD conflicts and RFC security all still apply. The risk is applying only the ECC playbook and leaving the new S/4HANA surfaces unprotected.

What new attack surfaces does S/4HANA introduce?

Fiori launchpad and app authorizations, direct access to the HANA database layer, CDS view-level access control, and exposed OData services. These didn't exist in ECC and require checks your ECC tooling was never designed to perform.

What should you check after migrating to S/4HANA?

Extend your security review to cover Fiori catalog and app authorizations, HANA database users and privileges, CDS view access, and which OData services are exposed and to whom — on top of the ECC-era authorization, parameter, SoD and RFC checks.

SyntaAI supports both SAP ECC and S/4HANA security assessment, automatically detecting system type and activating the appropriate control set. Built by Bhargavi Maddipati — Co-Founder & CEO (18 years SAP Security/GRC) and Jani K — Co-Founder & CTO (15+ years SAP). Available for pilot at syntaai.com.