Securing the Upgrade Path: Why SU25 Is Mission-Critical for S/4HANA

For many SAP customers, the transition from SAP ECC to SAP S/4HANA is more than just a technical upgrade. It offers a crucial opportunity to modernize security, improve user experiences, and maintain business continuity. Yet too often, organizations view security aspects as secondary, which increases risk of downtime and authorization errors.

At the core of these challenges lies SU25, also known as the Upgrade Tool for Profile Generator, a transaction code within the SAP Basis and SAP security components. Proper execution of SU25 ensures that roles and authorizations are correctly updated for the new system environment during migrations. According to Protiviti experts, overlooking or mishandling SU25 is one of the most common and costly mistakes organizations make during an upgrade.

SU25: The Cornerstone of Secure Upgrades

Protiviti says that SU25 is not just a checklist item but the foundation of a secure and stable upgrade. When SU25 steps are skipped or rushed, the impacts ripple across the entire enterprise.

End users and technical accounts may encounter authorization errors, which can prevent critical functions and frustrate teams. Roles might still hold outdated or deprecated objects, giving users either too many privileges or not enough access. This leads to more system warnings, errors, and inefficiencies. Even worse, new features in S/4HANA might stay inaccessible because roles are not updated to match the latest environment.

The ROI of an upgrade can quickly disappear if an organization becomes bogged down in an SAP S/4HANA migration or fails to fully leverage new features. Protiviti reports that many SAP administrators lack the experience, capacity, or organizational focus to properly execute SU25. To prevent these issues, they suggest creating a dedicated team of security experts to carefully manage SU25. This strategy not only protects system integrity but also helps enterprises realize the full benefits of their upgrade.

Security and User Experience Beyond SU25

• SAP Fiori, SAP’s modern user experience platform, provides role-based, intuitive access to applications and processes across devices, making it a central component of many SAP S/4HANA upgrades. When implementing Fiori as part of an upgrade, the choice of deployment model significantly shapes how security is handled. There are two major deployment models:
• Hub model – In this scenario, the Fiori front end and the SAP back end run on separate systems connected through Remote Function Call (RFC). While this option works, it adds complexity because administrators must duplicate user and role management across two environments. The extra maintenance increases effort and can create inconsistencies in access.
• Embedded model – By contrast, the embedded option merges the front-end and back-end components into a single instance. SAP identifies this as the preferred path, since it streamlines administration, reduces the chance of errors, and simplifies troubleshooting. Although the hub approach remains available in SAP S/4HANA 2025, Protiviti encourages customers to shift to the embedded model when upgrading to lower risk and improve efficiency.

Taken together, these decisions underscore that an SAP upgrade is not simply a technical exercise but a strategic opportunity. By adopting embedded deployment, aligning role architecture with business tasks, and preparing for Fiori Launchpad enhancements, organizations can reduce risk, improve user experience, and maximize ROI from their SAP S/4HANA investment.

What This Means for SAPinsiders

Upgrades provide direct opportunities to improve security and adoption. Treating migrations as more than technical milestones allows organizations to strengthen safeguards, streamline role management, and modernize processes. Enterprises that embrace this mindset position themselves for smoother transitions and stronger ROI. Strategic planning ensures long-term resilience in the evolving SAP S/4HANA landscape.

SU25 execution directly safeguards upgrades from costly access errors. For SAP professionals, this results in fewer business disruptions and smoother go-lives. Organizations that ignore SU25 often experience extended downtime and lower ROI. SAP leaders must prioritize SU25 at the executive level during upgrade planning.

Embedded Fiori deployment lowers risk and reduces the need for long-term maintenance. Moving away from hub models removes dual-role administration and simplifies complexity. Executives planning SAP S/4HANA 2025 upgrades should view this transition as part of their modernization efforts. Companies that adopt embedded deployment report quicker resolution times and improved governance results.