Draft procedure is work in progress.

1. Purpose 

This is a comprehensive Procedure document for SyWay SAP systems Patch Maintenance, covering both On-Premise and SaaS/Cloud (Public and Private) deployments. This procedure defines the standardized process for planning, assessing, applying, testing, validating and documenting SAP patches (Support Packages, Security Notes, Kernel patches, Hotfixes etc.) across the landscape. The goal is to minimize security risks, ensure system stability and compliance, reduce downtime, and maintain business continuity while adhering to the shared responsibility model in cloud environments.


1.1 Key Objectives


2. Scope 

The process mentioned in this document is applicable to following categories of Applications for both ROW and China specific instances.

CategoryApplication Series - 1Application Series - 2
SAP Rise

SAP S/4HANA

Kinaxis Maestro

SAP Web Dispatcher

SAP Cloud Connector
SAP Data Provisioning Agent
SAC Agent
OpenText Connector
SAP TM Optimizer
AzureSAP WWI Server
NextLabs Policy Server
OpenText xECM		Syniti Replicate (China)
Syniti Connector (China)
AWS

Syniti Replicate (ROW)

Syniti Connector (ROW)


SAP BTPAsset Performance Management
Profitability and Performance Management
Build Work Zone
Task Center
Cloud Identity Services (IPS+IAS)
Identity Access Governance
Datasphere
SAP Analytics Cloud (SAC)
Integration Suite
Forms Service by Adobe

Business Network Freight Collaboration

Risk and Assurance Management

Business Network Global Track and Trace
Sustainability Footprint Management
Sustainability Control Tower
Group Reporting Data Collection
Advanced Financial Closing
Document Reporting Compliance

SaaS

SuccessFactors

Ariba 

ICertis

Salesforce

Syniti Knowledge Platform

BlackLineWalkMe
OpenText Cloud (Core Capture & Archiving)
Bloomberg
Vertex
EDICOM


3. Guiding Principles


4. Maintenance Procedure 

4.1 SAP Rise


4.2 Public Cloud (SaaS)


4.3 Azure/AWS dependent components

5. Roles and Responsibilities

5.1 Shared Responsibility Model

Under RISE with SAP, security responsibilities are divided between SAP Enterprise Cloud Services (ECS) and the customer. That means SAP do not handles all patching automatically

SAP ECS — Infrastructure Layer

Customer — Application Layer

•       OS-level security patching (hyperscaler VMs)

•       Database (HANA) patching & administration

•       Network, compute & storage maintenance

•       HotNews/Emergency notes with no manual steps

•       JAVA component patches (standard contract)

•       System reboots for infrastructure patches

•       24×7 infrastructure monitoring

•       Key management for data at rest

•       Review & risk-assess all SAP Security Notes

•       Request application patches via Service Request

•       Provide downtime windows for scheduled patches

•       Test all implemented notes in DEV and QAS

•       Authorise transport to Production

•       User administration, roles & authorisations

•       Custom ABAP/code security & SoD management

•       RFC access restriction & security configuration

5.2 RACI Matrix

Below is the RACI matrix to be followed for applying the Security Notes on a monthly basis

Activity

SyWay Platform Team

Security

Functional Owner

SAP ECS

Download/Review Security Notes 

R, A


I

I

Perform Impact Assessment

R

R, A

C

C

Note Prioritisation

A

R

C

I

Raise Jira

R


I

I

Implement note — application layer

R


I

I

Testing

R


R

I

Approve & deploy via Active Control

R


C

I

R = Responsible  |  A = Accountable  |  C = Consulted  |  I = Informed

6. Patch types and Frequency

Include Security Notes, SPS, Hotfixes, Kernel, Infrastructure OS/DB and component specific (ST-PI, ST-A/PI etc.)


7. Schedule

7.1 SAP Rise


7.2 Public Cloud (SaaS)


7.3 Azure/AWS dependent components


8. Testing

9. Compliance & KPIs