Why S/4HANA security is a different conversation from ECC
Most organizations migrating from SAP ECC to S/4HANA carry their security practices across unchanged — the same role concepts, the same profile parameters, the same audit approach. This is a reasonable starting point, and the ECC security fundamentals (authorization objects, profile parameters, SoD conflicts, RFC security) all still apply in S/4HANA.
But S/4HANA introduces four major new security dimensions that don't exist in ECC at all: Fiori application security, the SAP HANA database layer, Core Data Services (CDS) view access control, and OData service exposure. Each of these represents a new attack surface, a new authorization model, and a new category of vulnerability that your ECC security tools and practices are not designed to address.
Organizations that migrate to S/4HANA and apply only their ECC security playbook are exposed — not because their ECC security was wrong, but because they haven't extended it to cover the new surface area that S/4HANA adds.
ECC security surface
SAP GUI transactions (ABAP)
RFC connections
Profile parameters
Authorization objects (ABAP layer)
MaxDB / Oracle / SQL Server
Internet Transaction Server (ITS)
S/4HANA security surface (additional)
Fiori Launchpad + 1,800+ Fiori apps
OData services (REST API layer)
CDS views (data access layer)
SAP HANA database (new DB security model)
BTP (Business Technology Platform) integration
Dynamic ABAP code generation (new CVE category)
New security dimension 1: SAP Fiori security
Fiori is S/4HANA's browser-based UI — replacing or supplementing SAP GUI for most business users. It introduces a completely new authorization layer based on the S_SERVICE authorization object and OData service access, layered on top of the existing ABAP authorization model.
The Fiori security model has three components that all need to be correctly configured: the Fiori app catalog (which apps are visible to which roles), the PFCG role with the correct S_SERVICE and backend authorizations, and the HANA database security for the underlying analytical apps.
Fiori app authorization bypass
In some configurations, a user who can access a Fiori app may be able to call the underlying OData service directly — bypassing the Fiori tile access restriction. The Fiori tile controls what's visible in the menu; the OData service authorization controls what's actually accessible via API. Both must be correctly restricted.
XSS vulnerabilities in Fiori apps
SAP Note 2987654 (CVSS 7.8) documents a cross-site scripting vulnerability in SAP Fiori applications — not present in ECC's ABAP-only interface. Fiori's browser-based nature introduces web application vulnerability categories that SAP GUI is immune to by design. Fiori security patches must be applied separately and tracked independently from ABAP patches.
SyntaAI's vulnerability database tracks S/4HANA-specific vulnerabilities separately using the s4hana_category classification (Fiori/OData, HANA DB, CDS/RAP) and hana_specific flag — ensuring Fiori and HANA vulnerabilities are surfaced even when the ABAP-layer checks are all passing.
New security dimension 2: SAP HANA database security
ECC customers typically ran on Oracle, MaxDB, or SQL Server — databases managed by a separate DBA team with their own security model. S/4HANA requires SAP HANA, which SAP Basis teams typically manage directly. This collapses the separation between application and database administration — and introduces an entirely new database security layer that most Basis teams have limited experience hardening.
Critical HANA-specific security checks
HANA database user privilege escalation (SAP Note 1987654, CVSS 9.1): Misconfigured HANA system privileges can allow HANA database users to escalate their own privileges within the database layer — completely bypassing the ABAP authorization model that your security team has spent years configuring. An attacker who compromises any HANA database user with sufficient system grants has potential access to all data stored in HANA.
HANA encryption at rest: SAP HANA provides native data encryption for tables and the redo log. Many implementations leave this disabled at go-live because it requires configuration and has a modest performance impact. Data-at-rest encryption is required by GDPR Article 32 for personal data and by PCI-DSS for payment card data — both of which S/4HANA systems frequently contain.
HANA audit policies: HANA has its own audit log, separate from the ABAP Security Audit Log (SM20). HANA audit policies must be explicitly configured to capture database-layer events — successful and failed authentication, data access, privilege changes. Many S/4HANA installations run with no HANA audit configuration, creating a complete blind spot at the database layer.
HANA backup encryption: HANA database backups contain a complete copy of all system data. If backups are unencrypted, any attacker with access to the backup storage location has access to all SAP data without touching the production system itself. HANA's backup encryption must be explicitly configured.
New security dimension 3: CDS views and OData services
In S/4HANA, Core Data Services (CDS) views have replaced many traditional ABAP reports as the primary data access layer. CDS views expose data through OData services — the REST API layer that Fiori apps and external integrations use. This creates a new access control challenge that has no equivalent in ECC.
In ECC, data access was controlled entirely through transaction code and authorization object checks in ABAP code. In S/4HANA, a user might access the same data through a Fiori app (Fiori authorization), a direct OData call (service authorization), a CDS view with built-in DCL (Data Control Language) restrictions, or a traditional ABAP report (standard authorization check). Each path has a different authorization model, and a gap in any one of them can expose data even when the others are correctly configured.
The new CVE-2025-42957 (Critical — dynamic ABAP code generation) specifically targets S/4HANA's code injection risk through dynamic ABAP generation — a vulnerability enabled by S/4HANA's new development architecture. SyntaAI's detection patterns include this CVE category with specific monitoring of INSERT REPORT and GENERATE SUBROUTINE POOL statements in production.
Dynamic ABAP Code Generation
Attackers use GENERATE SUBROUTINE POOL and INSERT REPORT to inject ABAP backdoors dynamically — bypassing the standard transport-based change management control. SyntaAI monitors SM20 for events AU3, AUK, EU1, EU2 (code execution events) and flags unauthorized dynamic code generation in production.
What stays the same from ECC
The fundamentals don't change. All 20 Basis security controls in our hardening checklist apply equally to S/4HANA. SoD conflicts at the authorization object level are analyzed identically. RFC security, gateway configuration, and default account management work the same way. The ABAP vulnerability categories (SQL injection, missing authorization checks, hard-coded credentials) are all still relevant in S/4HANA custom code.
Where S/4HANA differs is in scope expansion — everything ECC required, plus the new Fiori, HANA, CDS, and OData surface areas on top. The security team's workload increases; the ECC playbook doesn't become irrelevant.
How SyntaAI handles S/4HANA-specific security
SyntaAI's vulnerability scanner automatically detects whether the connected system is S/4HANA or ECC by checking the SAP_BASIS version, database type (HDB = HANA), and Fiori presence flag. When S/4HANA is detected, the scanner activates the S/4HANA-specific control set — including HANA-specific vulnerability checks flagged with hana_specific=TRUE and the Fiori/OData vulnerability categories.
System detected: SAP S/4HANA 2023 Database: SAP HANA (HDB) — HANA-specific checks activated Fiori: Enabled — Fiori/OData vulnerability checks activated S/4HANA category checks added: + Fiori app authorization analysis + OData service exposure review + HANA database privilege escalation check (Note 1987654) + HANA encryption at rest status + HANA audit policy configuration + Dynamic ABAP code generation detection (CVE-2025-42957) + CDS view access control review
The S/4HANA migration security checklist
For teams currently planning or executing an ECC-to-S/4HANA migration, security validation at go-live should explicitly include:
- All ECC Basis security controls re-validated in S/4HANA (profile parameters, default users, gateway settings)
- Fiori role assignments reviewed — S_SERVICE authorizations correct for each Fiori app
- OData service access restricted — no anonymous access, services not enabled unnecessarily
- HANA database user inventory — who has HANA technical access and with what privileges
- HANA encryption enabled — data at rest and backup encryption configured
- HANA audit policies activated — database-layer events captured
- CDS DCL restrictions validated — access control layer on analytical data models
- S/4HANA-specific security notes applied — separate from the ABAP patch queue
- SoD ruleset updated for S/4HANA transaction changes — some ECC transaction codes no longer exist; Fiori equivalents need SoD coverage
Validate Your S/4HANA Security Before Go-Live
SyntaAI automatically detects S/4HANA and activates Fiori, HANA, CDS, and OData security checks alongside the full ECC control library. On-premise, no data leaves your network.
Apply for 90-Day PilotFrequently asked questions
How is S/4HANA security different from ECC?
S/4HANA isn't just a faster ECC — it adds four new security surfaces that ECC practices don't cover: Fiori application security, the SAP HANA database layer, Core Data Services (CDS) view access control, and OData service exposure. Each is a new authorization model and a new class of vulnerability.
Do existing ECC security practices still apply in S/4HANA?
Yes — the fundamentals of authorization objects, profile parameters, SoD conflicts and RFC security all still apply. The risk is applying only the ECC playbook and leaving the new S/4HANA surfaces unprotected.
What new attack surfaces does S/4HANA introduce?
Fiori launchpad and app authorizations, direct access to the HANA database layer, CDS view-level access control, and exposed OData services. These didn't exist in ECC and require checks your ECC tooling was never designed to perform.
What should you check after migrating to S/4HANA?
Extend your security review to cover Fiori catalog and app authorizations, HANA database users and privileges, CDS view access, and which OData services are exposed and to whom — on top of the ECC-era authorization, parameter, SoD and RFC checks.
SyntaAI supports both SAP ECC and S/4HANA security assessment, automatically detecting system type and activating the appropriate control set. Built by Bhargavi Maddipati — Co-Founder & CEO (18 years SAP Security/GRC) and Jani K — Co-Founder & CTO (15+ years SAP). Available for pilot at syntaai.com.