
Enterprise Security Architecture for SAP Landscapes: Complete Technical Guide


15 min · 14 sources
About this AI analysis

Sarah Chen is an AI persona representing our flagship research author. Articles are AI-generated with rigorous citation and validation checks.

Content Generation: Multi-model AI pipeline with structured prompts and retrieval-assisted research
Sources Analyzed: 14 publications, forums, and documentation
Quality Assurance: Automated fact-checking and citation validation
#SAP #Architecture #Implementation #Best Practices #Deep Research

Sarah Chen, Lead SAP Architect — SAPExpert.AI Weekly Deep Research Series

Executive Summary

Enterprise SAP security has shifted from “perimeter + ABAP roles” to identity-first, API-first, continuously assured architecture. In modern landscapes (S/4HANA, Fiori, BTP, SaaS, Integration Suite), the dominant failure modes are no longer exotic kernel exploits—they are identity compromise, over-privileged authorizations, unmanaged technical users, and uncontrolled integration trust (RFC/OData/API).

This report provides a reference architecture and implementation playbook aligned to Zero Trust principles while staying SAP-realistic: central IdP + MFA, SAP Cloud Identity Services (IAS/IPS) for brokering and provisioning, IGA-driven role lifecycle (GRC/IAG), hardened Fiori/Gateway exposure through WAF + Web Dispatcher + strict service enablement, and strict RFC governance (SNC, allowlists, trusted RFC minimization). On the platform side: HANA least privilege + auditing, encryption, and robust certificate/secret lifecycle automation. Finally, we operationalize security via Security Notes SLAs, baseline drift monitoring, SAP log ingestion to SIEM, and incident playbooks designed for SAP-specific attack paths.

Technical Foundation

1) Reference SAP landscape and trust boundaries (what actually matters)

A typical enterprise SAP estate spans:

  • Core ERP & apps: SAP S/4HANA (ABAP), ECC, BW/4HANA, Solution Manager / SAP Cloud ALM
  • Presentation: SAP GUI, SAP Fiori Launchpad, SAP Gateway (embedded or hub), SAP Web Dispatcher
  • Integration: RFC/CPIC, IDoc/ALE, SOAP, OData/REST, PI/PO, SAP Integration Suite (BTP), API Management
  • Identity & governance: Enterprise IdP (Entra ID / Okta / Ping), SAP Cloud Identity Services (IAS/IPS), SAP GRC Access Control or SAP IAG, PAM, SIEM/SOAR

Hard boundary: the system (kernel/host/DB).
Soft boundary: the client (mandant) in ABAP—administrative partitioning, not equivalent to a separate system.

2) Core security model: Identity → Authentication → Authorization

  • Identity: lifecycle + attributes (employee/contractor/service account)
  • Authentication (AuthN): SAML 2.0 (browser SSO), Kerberos/SNC (SAP GUI), X.509, OAuth2/OIDC (APIs)
  • Authorization (AuthZ) in ABAP: AUTHORITY-CHECK evaluates authorization objects assigned through PFCG roles and generated profiles. Troubleshooting uses SU53 and STAUTHTRACE; proposal maintenance uses SU24.

SAP’s ABAP authorization concept is powerful—but in 2025-era landscapes, most breaches still start with credential theft (or token theft), then privilege escalation through role creep / weak SoD / overbroad RFC users.

SAP baseline concepts and operational guidance are consolidated across Secure Configuration Guides and component security documentation. Start with: SAP Secure Configuration Guides (overview).

3) Modern SAP security architecture (layered)

A mature design aligns to a control stack:

  1. Identity control plane: IdP + MFA + conditional access; IAS as broker; IPS provisioning
  2. Access governance: GRC/IAG SoD, access requests, periodic reviews, firefighter
  3. Connectivity plane: segmentation, DMZ, WAF/reverse proxy, Web Dispatcher, Cloud Connector/private connectivity
  4. Workload security: ABAP hardening, Gateway/ICF minimization, RFC governance, HANA least privilege
  5. Security operations: Security Notes SLAs, vulnerability mgmt, logging to SIEM, detection engineering

For SAP cloud/hybrid identity patterns, anchor on:

Implementation Deep Dive

1) Identity-first: federation, provisioning, and “token hygiene”

1.1 SAML for Fiori (human access)

For S/4HANA 2022/2023+ Fiori browser access, standardize on SAML 2.0 to your enterprise IdP (often with IAS brokering).

Key architecture decisions:

  • Assertion subject: use immutable enterprise identifier (e.g., personImmutableId) and map to SAP user (SU01) reliably.
  • MFA policy: enforce at IdP for privileged and high-risk users; apply step-up for finance, basis, security roles.
  • Session controls: token lifetime, re-auth, device compliance—drive via IdP conditional access, not SAP passwords.

SAP reference for ABAP SAML configuration:

1.2 OAuth2/OIDC for APIs and service-to-service

For modern integrations (BTP apps, Integration Suite, external apps), avoid “basic auth over HTTPS” and avoid long-lived SAP dialog credentials.

Preferred patterns:

  • OAuth2 client credentials for system-to-system APIs with scoped access
  • JWT validation at gateway/API mgmt plus backend authorization mapping
  • mTLS where required for non-repudiation or regulated channels

ABAP supports OAuth2 flows for outbound/inbound scenarios depending on component configuration:

1.3 Provisioning via IPS (SCIM mindset)

Treat provisioning as a controlled pipeline (HR → IGA → IPS → SAP/SaaS), not as ad-hoc SU01 scripts.

A practical IPS strategy:

  • Authoritative source: HR (SuccessFactors/Workday) → IGA
  • Provisioning hub: IPS with connectors to ABAP, BTP, SaaS
  • Entitlement model: business roles as entitlements; technical roles hidden

IPS documentation:

Novel, high-impact practice: define a Canonical Person Key used everywhere (IdP, IAS, IPS, SAP user master reference field, SIEM correlation). This prevents M&A collisions and makes incident response dramatically faster.

2) Access governance: role engineering + SoD + emergency access

2.1 ABAP authorization engineering (S/4HANA reality)

S/4HANA role design is now a blend of:

  • Fiori catalogs/spaces/pages (front-end exposure)
  • ABAP authorizations (back-end enforcement)

High-risk objects to explicitly design and continuously review:

  • S_TCODE, S_RFC, S_RFCACL, S_SERVICE, S_ICF, S_TABU_DIS, S_TABU_NAM, S_USER_*, S_ADMI_FCD

ABAP check example (what your custom code should do):

DATA: lv_actvt TYPE activ_auth VALUE '03'. "Display

AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
  ID 'ACTVT' FIELD lv_actvt
  ID 'DICBERCLS' FIELD 'ZFIN'.

IF sy-subrc <> 0.
  MESSAGE e001(zsec) WITH 'Not authorized to display table group ZFIN'.
ENDIF.

Why this matters: many enterprises rely on “standard roles” but ship custom code that bypasses proper checks. Make ATC + secure coding reviews part of transport gating for custom developments.

ABAP authorization fundamentals are documented here:

2.2 GRC/IAG operating model (don’t just “install the tool”)

Mature governance includes:

  • Access requests with workflow and approvals
  • SoD risk analysis as a release gate for role changes
  • Periodic recertification (especially privileged + finance)
  • Firefighter (EAM) with post-review and SIEM forwarding

If you’re modernizing, consider SAP IAG (BTP) for hybrid landscapes while keeping GRC for deep on-prem integrations where needed.

3) Network & DMZ: minimize exposure, control chokepoints

3.1 Reference zone model (text diagram)

Internet
  |
[WAF / Reverse Proxy]  <-- bot protection, OWASP rules, rate limits
  |
[ SAP Web Dispatcher ] <-- SAP-aware routing, TLS policy, URL filtering
  |
(App Zone)
  |-- S/4HANA (ABAP) - Fiori/Gateway (ICM/ICF)
  |-- Integration endpoints (as required)
  |
(DB Zone)
  |-- SAP HANA
  |
(Management Zone)
  |-- Jump host / Bastion / PAM
  |-- Monitoring/SIEM collectors

Web Dispatcher guidance (placement, parameters, TLS posture):

3.2 TLS termination and certificate lifecycle

Decide one primary TLS termination strategy:

  • Terminate at reverse proxy/WAF, re-encrypt to Web Dispatcher, then to ICM as needed
  • Or terminate at Web Dispatcher, with centralized certificate automation

Example Web Dispatcher profile fragment (illustrative baseline):

# sapwebdisp.pfl (example)
# Inbound listener: HTTPS only (no plain-HTTP server port is defined)
icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=600,PROCTIMEOUT=600
# TLS protocol/cipher policy: ssl/ciphersuites governs inbound (server) connections,
# ssl/client_ciphersuites the outbound connections to the backend ICM
ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
ssl/client_ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH
icm/HTTPS/client_sni_enabled = TRUE
# HTTP access log: PREFIX is the URL prefix to log ("/" = all requests), LOGFILE is the file path
icm/HTTP/logging_0 = PREFIX=/, LOGFILE=/usr/sap/WDP/D00/log/webdisp_https.log

Cutting-edge operational practice: manage SAP TLS certificates like any other enterprise workload:

  • short-lived certs (where possible)
  • automated renewal pipeline
  • inventory + ownership tags
  • alerting on expiration and on weak key parameters

4) Application surface reduction: ICF/Gateway and RFC governance

4.1 Fiori/Gateway hardening (stop “service sprawl”)

The most common Fiori risk pattern is ICF services left enabled indefinitely after testing.

Controls to implement:

  • Default deny: disable unused ICF nodes; enable only required services
  • Restrict service activation through change control
  • Validate authorization for OData services (don’t rely on obscurity)

Gateway and OData administration concepts live in SAP Gateway documentation:

Practical checklist (production):

  • Remove unused system aliases and test services
  • Log OData requests at reverse proxy + Web Dispatcher + ICM
  • Ensure S_SERVICE and related objects are role-restricted
  • Apply WAF rules for common injection and path traversal patterns

4.2 RFC is the lateral movement superhighway—govern it like one

Inventory and rationalize:

  • RFC destinations (SM59)
  • RFC users (communication/system users)
  • Trusted RFC relationships (only when required)

Baseline RFC controls:

  • SNC for RFC (Kerberos or X.509) to prevent credential sniffing and reduce password use
  • Tight authorization on S_RFC (function module allowlists where feasible)
  • Strict policy for S_RFCACL and trusted RFC (avoid broad trust)

SNC and secure communications are covered in AS ABAP security topics:

Novel technique (high leverage): “Interface identity fencing”
Create a unique technical user per interface, then enforce:

  • no dialog logon
  • no interactive GUI
  • no broad authorizations
  • secrets stored in vault with rotation
  • SIEM detections for any interactive logon attempt

This converts “one compromised integration user = full ERP compromise” into a contained incident.

5) HANA security: least privilege, auditing, encryption

5.1 HANA role design: separate duties by design

For SAP HANA 2.0 SPS07-era operations, enforce separation:

  • DB platform admins (no schema ownership)
  • Schema owners (deployment-time)
  • Runtime technical users (least privilege)
  • Auditors (read-only audit access)

Example (illustrative) HANA SQL for auditing and minimal grants:

-- Create an application runtime role (illustrative)
CREATE ROLE Z_APP_RUNTIME;
-- A schema-wide SELECT is still broad; narrow it to the tables/views the runtime needs
GRANT SELECT ON SCHEMA SAPABAP1 TO Z_APP_RUNTIME;

-- Create an audit policy for privileged actions (illustrative)
CREATE AUDIT POLICY Z_AUD_PRIVILEGED
  AUDITING ALL
    GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE,
    CREATE USER, DROP USER, ALTER USER
  LEVEL INFO
  TRAIL TYPE SYSLOG;
-- A new policy is disabled until explicitly enabled
ALTER AUDIT POLICY Z_AUD_PRIVILEGED ENABLE;

-- Switch auditing on globally; without this no policy writes any entries
ALTER SYSTEM ALTER CONFIGURATION ('global.ini','SYSTEM')
  SET ('auditing configuration','global_auditing_state') = 'true' WITH RECONFIGURE;

HANA security and auditing references:

5.2 Protect backups, replication, and admin channels

Most “HANA compromise” incidents are operational:

  • backup files exposed
  • replication links weakly protected
  • admin credentials reused

Treat backup locations as Tier-0 assets; encrypt and restrict access; monitor exfiltration.

6) Security operations: notes, logs, detections

6.1 Security Notes as an SLA-driven product

Implement:

  • severity-based patch SLAs (internet-facing first: Web Dispatcher/ICM/Java stack)
  • automated reporting to risk owners
  • exception process with compensating controls

Official SAP entry point for security notes and update processes:

6.2 SAP-to-SIEM telemetry pipeline (must-have sources)

Ingest and correlate:

  • ABAP Security Audit Log
  • HANA audit logs
  • Web Dispatcher / reverse proxy logs
  • OS logs (Linux auditd / Windows events)
  • IdP logs (MFA events, risky sign-ins)

ABAP logging reference:

Detection engineering ideas (SAP-specific, high value):

  • Firefighter assignment + privileged transaction execution within same session window
  • New RFC destination created + first use within 60 minutes
  • Technical user interactive logon (SU01 type = system/communication) → critical
  • Sudden spike in S_RFC failures (probing) followed by success (breakthrough)
  • OData calls for atypical entity sets or mass extraction patterns
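Three of the detection ideas above (new RFC destination used within 60 minutes of creation, interactive logon by a technical user, S_RFC probing followed by a success), which also cover the SIEM detection required by the interface identity fencing practice in 4.2, as an added Python example that is not part of the original report. The flat event schema and the sample events are constructed; a real pipeline would map Security Audit Log fields onto them.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified flat schema (not the real Security
# Audit Log record format): (timestamp, user, SU01 user type, event, detail).
# User types follow SU01: A = dialog, B = system, C = communication.
EVENTS = [
    ("2025-03-01T08:00:00", "BASIS_ADM", "A", "RFC_DEST_CREATED", "Z_PAYROLL_EXPORT"),
    ("2025-03-01T08:25:00", "BASIS_ADM", "A", "RFC_DEST_USED", "Z_PAYROLL_EXPORT"),
    ("2025-03-01T09:10:00", "IF_MES_01", "C", "DIALOG_LOGON", "SAPGUI"),
    ("2025-03-01T09:12:00", "IF_MES_01", "C", "RFC_LOGON", "RFC"),
    ("2025-03-02T10:00:00", "BASIS_ADM", "A", "RFC_DEST_CREATED", "Z_ARCHIVE"),
    ("2025-03-02T13:00:00", "BASIS_ADM", "A", "RFC_DEST_USED", "Z_ARCHIVE"),
    ("2025-03-03T02:00:00", "IF_EDI_02", "B", "S_RFC_FAILED", "Z_FM_A"),
    ("2025-03-03T02:00:05", "IF_EDI_02", "B", "S_RFC_FAILED", "Z_FM_B"),
    ("2025-03-03T02:00:09", "IF_EDI_02", "B", "S_RFC_FAILED", "Z_FM_C"),
    ("2025-03-03T02:01:00", "IF_EDI_02", "B", "S_RFC_SUCCESS", "Z_FM_D"),
]

def new_rfc_dest_first_use(events, window=timedelta(minutes=60)):
    """Alert when an RFC destination is first used within `window` of its creation."""
    created, alerts = {}, []
    for ts, user, _, event, dest in events:
        if event == "RFC_DEST_CREATED":
            created[dest] = (datetime.fromisoformat(ts), user)
        elif event == "RFC_DEST_USED" and dest in created:
            t0, creator = created.pop(dest)  # pop: only the first use after creation counts
            age = datetime.fromisoformat(ts) - t0
            if age <= window:
                alerts.append({"rule": "new-rfc-dest-first-use", "dest": dest,
                               "created_by": creator, "minutes": int(age.total_seconds() // 60)})
    return alerts

def technical_user_interactive_logon(events):
    """Critical: system/communication users (type B/C) must never log on interactively."""
    return [{"rule": "technical-user-dialog-logon", "severity": "critical", "user": user, "ts": ts}
            for ts, user, utype, event, _ in events
            if utype in ("B", "C") and event == "DIALOG_LOGON"]

def s_rfc_probe_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """Per user: at least `min_failures` S_RFC failures inside `window`, then a success."""
    failures, alerts = {}, []
    for ts, user, _, event, fm in events:
        t = datetime.fromisoformat(ts)
        if event == "S_RFC_FAILED":
            failures.setdefault(user, []).append(t)
        elif event == "S_RFC_SUCCESS":
            recent = [f for f in failures.get(user, []) if t - f <= window]
            if len(recent) >= min_failures:
                alerts.append({"rule": "s-rfc-probe-then-success", "user": user,
                               "failures": len(recent), "first_success_fm": fm})
                failures[user] = []  # reset so one burst raises one alert
    return alerts

def run_all(events):
    return (new_rfc_dest_first_use(events) + technical_user_interactive_logon(events)
            + s_rfc_probe_then_success(events))

if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Against the sample, Z_ARCHIVE is used three hours after creation and therefore produces no alert; each other rule fires exactly once.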

Advanced Scenarios

1) Internet-facing Fiori with Zero Trust controls (without breaking SAP UX)

When Fiori is exposed externally (partners, mobile workforce), do not rely on “VPN makes it internal.” Build a policy stack:

  • WAF: OWASP core rules + SAP-specific allowlists for Fiori paths
  • IdP Conditional Access: device compliance, geo restrictions, impossible travel, phishing-resistant MFA for admins
  • Session binding: shorter session lifetimes for privileged roles; step-up MFA for sensitive apps
  • Granular exposure: publish only /sap/bc/ui5_ui5/, required OData services, and FLP routes; deny everything else

A practical pattern is: reverse proxy/WAF handles global policies; Web Dispatcher handles SAP routing; ABAP handles authorization.

2) Secure BTP connectivity: “outbound-first” with Cloud Connector

For hybrid integrations, avoid opening inbound ERP firewall rules for cloud callbacks. Prefer SAP Cloud Connector to establish controlled tunnels from on-prem to BTP subaccounts, scoped to specific resources.

Reference:

Advanced control: map Cloud Connector exposure to application-level identity (OAuth client scopes) rather than network reachability alone. Network reachability should not imply authorization.

3) API Management policies that prevent “integration abuse”

If you use SAP Integration Suite API Management, enforce:

  • OAuth2 client credential rotation and scope minimization
  • schema validation and threat protection (JSON/XML)
  • rate limits per client to reduce extraction blast radius
  • payload logging with masking for secrets/PII

Reference:

Performance insight: do TLS termination and WAF inspection where it’s cheapest/most scalable (often edge proxy), but keep SAP-aware routing close to SAP. Avoid double-decryption/re-encryption chains that add latency unless mandated.

4) ABAP CDS/DCL and “data-level least privilege” (often missed)

Enterprises frequently secure transactions but forget data services. For S/4 analytics and Fiori elements, enforce CDS access controls (DCL) so that OData/UI5 cannot leak cross-org data via generic services.

Practical guidance: treat CDS views as APIs. If a view is consumable, it requires:

  • an owner
  • classification
  • access control design
  • logging expectations

(Use your S/4HANA release’s ABAP CDS/DCL documentation as the canonical reference set in your internal standards library.)

Real-World Case Studies

Case Study 1 — Regulated manufacturing (validated change + SoD)

Context: S/4HANA 2022 on-prem, BW/4HANA, shop-floor integrations (MES/LIMS).
Problems found: broad table access (S_TABU_DIS), emergency access used as “normal admin,” insufficient audit correlation.
What worked:

  • Rebuilt roles around job functions; removed broad table groups; introduced org-level restrictions.
  • Implemented Firefighter with mandatory reason codes, auto-expiry, and SIEM alerting on sensitive tcodes.
  • Moved evidence collection to continuous monitoring: Security Audit Log + HANA audit forwarded daily to SIEM.

Outcome: audit findings reduced sharply; change validation became repeatable and faster because controls were consistently evidenced.

Case Study 2 — Banking (RFC containment + privileged monitoring)

Context: ECC → S/4 migration, heavy RFC estate, multiple vendors.
Problems found: shared RFC users, trusted RFC sprawl, unmanaged vendor access.
What worked:

  • “One interface, one technical user” + vault rotation + non-interactive enforcement.
  • SNC rollout for RFC between tiers; eliminated password-based RFC where feasible.
  • Vendor access moved to ZTNA + jump host + PAM session recording; SAProuter access strictly time-bound.

Outcome: lateral movement paths collapsed; incident response became feasible because interface identities were attributable.

Case Study 3 — Retail (API scale + data leakage controls)

Context: high-volume eCommerce, Integration Suite, API Management.
Problems found: inconsistent API auth, payload logging leaking PII, no rate limiting.
What worked:

  • OAuth2 scopes per client + throttling + schema validation.
  • Central masking policy for logs; tokenized PII fields in non-prod.

Outcome: fewer incidents, lower blast radius, and improved performance predictability under peak load.

Strategic Recommendations

A pragmatic roadmap (optimize for risk reduction per unit effort)

0–90 days (stabilize high-risk exposure)

  1. Inventory: internet-facing endpoints, ICF services, RFC destinations/users, privileged roles
  2. Enforce MFA at IdP for admins + finance; disable direct internet access to SAP where not required
  3. Implement Security Notes SLA and patch the edge first (reverse proxy/WAF/Web Dispatcher/ICM)
  4. Turn on ABAP Security Audit Log + HANA auditing; forward to SIEM
  5. Begin technical user cleanup: remove shared accounts, vault secrets, rotate credentials

3–6 months (governance + segmentation)

  1. Standardize SAML for Fiori; reduce SAP local passwords
  2. Establish IGA workflows (GRC/IAG), SoD gating for role changes
  3. RFC governance: SNC rollout plan, trusted RFC minimization, allowlists and ownership
  4. DMZ redesign where needed: WAF → Web Dispatcher → SAP; tighten firewall rules between zones

6–12 months (continuous assurance + modernization)

  1. IPS-driven provisioning with canonical identity key
  2. API Management standard policy pack (OAuth, schema validation, throttling, masking)
  3. Baseline-as-code for SAP security parameters + drift monitoring
  4. Detection engineering program: SAP-specific use cases with SOAR playbooks
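Item 3 of the 6–12 month phase (baseline-as-code for SAP security parameters with drift monitoring), as an added Python example that is not part of the original report: it parses a constructed profile export and reports every parameter that drifts from, or is missing against, a declared baseline. The parameter names are real SAP profile parameters; the required values, the sample profile and the function names are this example's assumptions.

```python
import fnmatch
import operator

# Constructed RZ10-style profile export (sample only, not taken from a real system).
SAMPLE_PROFILE = """\
login/min_password_lng = 8
login/password_expiration_time = 90
login/no_automatic_user_sapstar = 1
snc/enable = 0
rfc/reject_expired_passwd = 1
icm/server_port_0 = PROT=HTTPS,PORT=443,TIMEOUT=600,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTP,PORT=8000
"""

OPS = {"==": operator.eq, ">=": operator.ge, "<=": operator.le}

# Baseline-as-code: (parameter or glob, operator, expected). The parameter names are
# real SAP profile parameters; the required values are this example's assumptions,
# not SAP's official recommendations. "no_prot" rejects any listener using that PROT.
BASELINE = [
    ("login/min_password_lng", ">=", 12),
    ("login/password_expiration_time", "<=", 90),
    ("login/no_automatic_user_sapstar", "==", 1),
    ("snc/enable", "==", 1),
    ("rfc/reject_expired_passwd", "==", 1),
    ("auth/rfc_authority_check", "==", 1),
    ("icm/server_port_*", "no_prot", "HTTP"),
]

def parse_profile(text):
    """Return {parameter: value} with values kept as strings; comments/blank lines skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")  # partition: the value may itself contain '='
            params[key.strip()] = value.strip()
    return params

def check_baseline(params, baseline=BASELINE):
    """Return only non-compliant findings: 'drift' (rule violated) or 'missing' (unset, so the kernel default applies)."""
    findings = []
    for name, op, expected in baseline:
        if op == "no_prot":
            for key in fnmatch.filter(params, name):
                opts = dict(kv.split("=", 1) for kv in params[key].split(",") if "=" in kv)
                if opts.get("PROT", "").upper() == expected:
                    findings.append({"param": key, "status": "drift", "actual": params[key],
                                     "expected": f"no PROT={expected}"})
        elif name not in params:
            findings.append({"param": name, "status": "missing", "actual": None,
                             "expected": f"{op} {expected}"})
        else:
            raw = params[name]
            actual = int(raw) if raw.isdigit() else raw
            # a non-numeric value where the baseline expects a number is also drift
            if not (isinstance(actual, type(expected)) and OPS[op](actual, expected)):
                findings.append({"param": name, "status": "drift", "actual": raw,
                                 "expected": f"{op} {expected}"})
    return findings
```

A missing parameter is reported separately because the profile export only lists explicitly set values; the kernel default then applies and has to be confirmed in RZ11 rather than assumed compliant.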

Resources & Next Steps

Official SAP documentation (start here)

Action items

  1. Document your Top 15 architecture decisions (IdP, MFA scope, IAS/IPS, IGA model, RFC policy, Fiori exposure, TLS automation, logging/retention).
  2. Build a 90-day control backlog tied to measurable outcomes (reduced shared accounts, reduced exposed services, patch SLA compliance).
  3. Stand up an SAP security design authority (IAM + Basis + app owners + SOC) to keep security and delivery aligned.