SAP S/4HANA Public Cloud Edition is a modern, fully managed cloud ERP system provided in a Software-as-a-Service (SaaS) model. It allows organizations to benefit from the latest SAP innovations without having to maintain their own technical infrastructure, providing regular updates and best industry practices. Twice a year, every organization working in the SAP S/4HANA Public Cloud environment faces a mandatory system update. For security and authorization teams, this is not just a routine formality – it is a moment to verify how well the entire structure of roles, catalogs, Spaces & Pages, and restrictions has been built and maintained.
Changes in the system can affect virtually all aspects related to role management. Each new version of SAP S/4HANA Public Cloud brings many changes in the area of authorizations. Some are minor, while others can directly affect the availability of specific system functions or license costs. These changes can be grouped according to the objects they affect:
- Applications, target mappings, and tiles – during an update, the software vendor usually introduces new applications and removes or deprecates existing ones. Additionally, existing application and tile names may change, which impacts end users and may require updates to documentation and user instructions.
- Business catalogs – in new versions, the vendor also modifies business catalogs, which can significantly impact the availability of applications for end users. Typical changes include creating new catalogs, removing or deprecating existing ones, modifying dependent catalogs, or changing the pricing category. A change of pricing category can affect the price category of roles and consequently lead to higher FUE consumption per user.
- Business role templates – in new updates, the vendor may also update business role templates by creating new templates, removing or deprecating existing ones, or modifying the business catalogs assigned to those roles.
- Restriction types – changes in the business logic of applications also imply the need to adjust restrictions assigned to individual catalogs. These restrictions can be removed, modified, or added. When a restriction is added, values must be defined for it in the roles currently in use. Otherwise, users may lose access to applications they previously used.
When to start preparing authorizations and roles for a new SAP S/4HANA Public Cloud release?
The SAP public cloud environment does not allow postponing or delaying the update date – the organization must be ready on time. Since there is no option to delay the update, all changes to roles should be implemented and tested within the short period between the test and production system updates. For this reason, even before updating the test system, it is recommended to review current roles, adjust them, and complete any outstanding role modifications. In this regard, it is very important to:
- Analyze the changes described in the SAP “What’s New?” document for the specific release. This document contains a list of modifications that are important from both a business and technical perspective, including authorizations. An example document for version 2508 can be found here. It is also worth reviewing the list of changes for authorization objects, linked in SAP Note 2975653.
- Accept the changes proposed by SAP in the standard business role templates.
- Verify the settings of all restrictions, especially those in the “Phase-In” stage. These are restrictions introduced in a previous release that may have been optional until now but are now becoming mandatory. Lack of configuration or incorrect settings for these restrictions can result in loss of access to applications that previously worked correctly.
- Check roles for the presence of catalogs marked as deprecated. These are catalogs planned for removal in future system updates and should be replaced with new business catalogs. Skipping this step may result in users losing access to all applications included in the deprecated business catalog.
- Complete all role changes and move them to the production system before the planned update date. This approach makes it much easier to distinguish errors resulting from the update from those that arose due to other changes. Additionally, it prevents the deployment of untested role changes during the system update.
Keep in mind that the above steps should be carried out before any of the systems are updated. Organizations that handle these cyclical changes best are those that do not postpone tasks until the last moment and include the release schedule in project plans – both in terms of system changes and key people’s availability. It is worth starting preparations even 2 months before the actual system update to have enough time to prepare the system and maintain a time buffer.
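The deprecated-catalog and restriction checks from the list above can be scripted against a role export. The following is an added example, not SAP tooling or code from the original article: the catalog and role IDs, the "*" marker for unrestricted access, and the export layout are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed release delta. In practice these lists are compiled by hand from
# the release's "What's New?" document; every catalog ID here is a placeholder.
DEPRECATED_CATALOGS = {"ZX_BC_PAYABLES_OLD": "ZX_BC_PAYABLES_NEW"}  # old -> successor
ADDED_RESTRICTION_TYPES = {"ZX_BC_GL_DISPLAY": ["Company Code"]}    # catalog -> new types

UNRESTRICTED = "*"  # assumed marker for "no limit" in the role export


@dataclass
class BusinessRole:
    role_id: str
    catalogs: list
    # restriction type -> maintained values; assumed layout of a role export
    restrictions: dict = field(default_factory=dict)


def audit_roles(roles):
    """Return sorted (role_id, finding, detail) tuples to resolve before the upgrade."""
    findings = set()
    for role in roles:
        for catalog in role.catalogs:
            if catalog in DEPRECATED_CATALOGS:
                detail = f"{catalog} -> {DEPRECATED_CATALOGS[catalog]}"
                findings.add((role.role_id, "DEPRECATED_CATALOG", detail))
            for rtype in ADDED_RESTRICTION_TYPES.get(catalog, []):
                values = role.restrictions.get(rtype, [])
                if not values:
                    # No values maintained: users may lose access after the update.
                    findings.add((role.role_id, "RESTRICTION_EMPTY", rtype))
                elif UNRESTRICTED in values:
                    # Wildcard: access spans every value, so it needs an owner's sign-off.
                    findings.add((role.role_id, "RESTRICTION_UNRESTRICTED", rtype))
    return sorted(findings)


# Constructed sample roles covering each outcome.
SAMPLE_ROLES = [
    BusinessRole("ZX_AP_CLERK", ["ZX_BC_PAYABLES_OLD"]),
    BusinessRole("ZX_GL_VIEWER", ["ZX_BC_GL_DISPLAY"]),
    BusinessRole("ZX_GL_AUDITOR", ["ZX_BC_GL_DISPLAY"], {"Company Code": ["*"]}),
    BusinessRole("ZX_GL_ACCOUNTANT", ["ZX_BC_GL_DISPLAY"], {"Company Code": ["1010"]}),
]

if __name__ == "__main__":
    for role_id, finding, detail in audit_roles(SAMPLE_ROLES):
        print(f"{role_id:18} {finding:26} {detail}")
```

Running the same audit again after the test system update, with the delta lists refreshed, shows which findings were introduced by the release rather than by earlier role changes.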

What’s new in version 2508?
Version 2508 introduces a range of significant changes that directly affect the area of authorizations and require appropriate action by the team responsible for IAM in S/4HANA Public Cloud. Below is a brief summary of the number of changes for individual objects in just this release:
- Applications – 2,071 new IAM applications added, 97 marked as deprecated, 352 removed, and 1,096 renamed.
- Catalogs – 114 new catalogs, 22 marked as deprecated, 285 removed, 7 renamed, 186 dependent catalogs added, 85 dependent catalogs removed, pricing category changed for 30 catalogs.
- Business role templates – 9 new templates, 128 catalogs added to templates, and 88 removed.
- Restriction types – 2,199 restrictions added to catalogs, 691 removed.
- Tiles – 589 added, 203 marked as deprecated, 1,166 removed, 122 renamed.
One of the most important changes in version 2508 is the extended use of the Company Code (BUKRS) restriction for Value Help, the search windows for field values in Fiori application forms. This restriction allows administrators to precisely define which organizational units a user can see and use. This minimizes the risk of unauthorized access to other companies’ data within the group. The solution works at the CDS view level (I_CompanyCodeStdVH and I_CompanyCodeVH), which filter value help results. Failure to properly implement this restriction in a role may broaden access to all companies in the system or completely block selection – the Value Help Dialog will return an empty list. According to the documentation, this change affects as many as 99 applications where Company Code fields use Value Help. It is recommended to review each role that grants access to any of these applications for restrictions introduced for this object. The full list of affected applications is described in SAP Note 3613012 – it is worth consulting it when planning changes.

Preparing authorizations for the new SAP S/4HANA Public Cloud release does not have to mean stress and surprises. The key is advance planning, testing changes, and close cooperation of the entire IAM team with process owners. A well-organized cycle ensures that changes are supportive rather than problematic – even in a cloud environment where the schedule cannot be changed.







