Draft
This draft procedure is a work in progress.
1. Purpose
This is a comprehensive Procedure document for SyWay SAP systems Patch Maintenance, covering both On-Premise and SaaS/Cloud (Public and Private) deployments. This procedure defines the standardized process for planning, assessing, applying, testing, validating and documenting SAP patches (Support Packages, Security Notes, Kernel patches, Hotfixes etc.) across the landscape. The goal is to minimize security risks, ensure system stability and compliance, reduce downtime, and maintain business continuity while adhering to the shared responsibility model in cloud environments.
1.1 Key Objectives
- Apply security patches regularly on a monthly basis (especially SAP Security Notes released on Patch Day).
- Manage functional corrections, support packages, Hotfix Collections (HFC), Kernel updates and other infrastructure patches.
- Coordinate maintenance across SAP Rise Private Cloud Edition (PCE), BTP, SaaS and components deployed in Azure/AWS CSPs, which are part of the SyWay program.
2. Scope
The process described in this document applies to the following categories of applications, for both ROW and China-specific instances.
| Category | Application Series - 1 | Application Series - 2 |
|---|---|---|
| SAP Rise | SAP S/4HANA; SAP Cloud Connector; SAP Web Dispatcher | SAC Agent; OpenText Connector; SAP TM Optimizer |
| Azure | SAP WWI Server; NextLabs Policy Server; OpenText xECM | Syniti Replicate (China); Syniti Connector (China) |
| AWS | Syniti Replicate (ROW); Syniti Connector (ROW) | |
| SAP BTP | Asset Performance Management; Profitability and Performance Management; Build Work Zone; Task Center; Cloud Identity Services (IPS+IAS); Identity Access Governance; Datasphere; SAP Analytics Cloud (SAC); Integration Suite; Forms Service by Adobe | Business Network Freight Collaboration; Risk and Assurance Management; Business Network Global Track and Trace |
| SaaS | SuccessFactors; Ariba; ICertis; Salesforce; Syniti Knowledge Platform | BlackLine; Kinaxis Maestro; WalkMe |
3. Guiding Principles
- Prioritize security notes and aim to complete installation across the landscape within the same month.
- Plan a support pack upgrade for applicable systems once a year. Avoid patching before a major release.
- Always test in non-production environments first.
- Use SAP Cloud ALM for unified visibility across the hybrid landscape.
- Maintain uniform patch levels across the landscape where possible.
- Maintain detailed documentation of all changes for future reference (i.e., SOX and GDPR compliance).
- Define clear rollback plans in production (backups + transport rollback).
- Schedule regular Patch Day reviews with relevant stakeholders at regular intervals.
- For SaaS, subscribe to product community pages and cloud service status pages for scheduling and planning.
4. Maintenance Procedure
4.1 SAP Rise
4.1.1 Support Package Stack (SPS)
Refer to the upgrade process outlined here. All environments in the landscape are upgraded as per the upgrade plan. Refer to the best practices below when planning an SPS upgrade:
- Side Effect Notes - Review the side-effect notes released with the SPS, assess them and take a decision on scope
- Component Version Notes - Review the notes released with component versions and known bugs released via notes
- Kernel Patches - Always include Kernel patch along with SPS upgrade
- Client Tools - Assess and include client tools such as DB clients or SAP GUI client etc.
- Add-on components - Assess and include add-on components
4.1.2 Kernel Updates
The frequency of Kernel updates is a balance between maintaining a stable system and staying protected against security threats. Kernel updates should be part of the quarterly update cycle (every 3 months) and scheduled in a maintenance window on a quarterly basis.
Refer to the key points below when planning a Kernel update:
- Monitor the "New" Kernel - Do not download the patch immediately after it is released. It is often a good practice to wait at least 2 weeks after a patch is released.
- Kernel version - Maintain the same kernel version across the landscape
- Side Effect Notes or Known Bugs - Kernels are usually released with a central note listing known bugs or prerequisite OS patches. Check it and take a decision on scope
- Database client - Kernel update is the best time to refresh DB clients.
4.1.3 ST-PI and ST-A/PI Plugins
The best practice is to maintain these plugins at the latest or second-latest Support Package to ensure the data collection modules match the latest Cloud ALM features. Unlike Kernel or SPS upgrades, ST-PI and ST-A/PI are "low-risk" plugins, which do not require a system restart. These plugins can be included in the quarterly update cycle along with Kernel updates.
4.1.4 Hot News
When SAP releases a "Hot News" Security Note (specifically for vulnerabilities with a CVSS score of 9.0 or higher), the note bypasses the quarterly/monthly cycles and should be applied immediately in the next available maintenance window. Hot News notes usually affect components such as the Internet Communication Manager (ICM) or the SAP Gateway.
4.1.5 Application add-on Components & Others
In general, SAP application add-on components (such as Open Text, TM Optimizer etc.) and other components (DP Agent, Cloud Connectors, Web Dispatcher) are subject to the SAP Application Life Cycle Maintenance approach and SAP Security Patch Day every month. However, some of these components may have a different patching rhythm. The best practice is to include these components in the Quarterly Cycle Patch maintenance scope and upgrade to the latest or second-latest patch as of that quarter.
4.1.6 Security Notes
4.2 Public Cloud (SaaS)
4.3 Azure/AWS dependent components
5. Roles and Responsibilities
5.1 Shared Responsibility Model
Under RISE with SAP, security responsibilities are divided between SAP Enterprise Cloud Services (ECS) and the customer. That means SAP does not handle all patching automatically.
| SAP ECS — Infrastructure Layer | Customer — Application Layer |
|---|---|
| OS-level security patching (hyperscaler VMs) | Review & risk-assess all SAP Security Notes |
| Database (HANA) patching & administration | Request application patches via Service Request |
| Network, compute & storage maintenance | Provide downtime windows for scheduled patches |
| HotNews/Emergency notes with no manual steps | Test all implemented notes in DEV and QAS |
| JAVA component patches (standard contract) | Authorise transport to Production |
| System reboots for infrastructure patches | User administration, roles & authorisations |
| 24×7 infrastructure monitoring | Custom ABAP/code security & SoD management |
| Key management for data at rest | RFC access restriction & security configuration |
5.2 RACI Matrix
Below is the RACI matrix to be followed for applying the Security Notes on a monthly basis.
| Activity | SyWay Platform Team | Security | Functional Owner | SAP ECS |
|---|---|---|---|---|
| Download/Review Security Notes | R, A | I | I | |
| Perform Impact Assessment | R | R, A | C | C |
| Note Prioritisation | A | R | C | I |
| Raise Jira | R | I | I | |
| Implement note — application layer | R | I | I | |
| Testing | R | R | I | |
| Approve & deploy via Active Control | R | C | I | |
R = Responsible | A = Accountable | C = Consulted | I = Informed
6. Patch types, Frequency and Schedule
6.1 SAP Rise
| Patch type | Frequency | Duration | Remarks |
|---|---|---|---|
| Hotfixes | On Demand | Immediate | Assess and deploy immediately |
| Security Notes | Monthly basis | Within month of Patch Day | Apply based on assessment and priority. |
| Kernel | Quarterly | Within the same month of a quarter | Quarterly updates can be planned in April, July, Oct and Jan |
| ST-PI and ST-A/PI | Quarterly | Within the same month of a quarter | Quarterly updates can be planned in April, July, Oct and Jan |
| Application add-on Components & Others | Quarterly | Within the same month of a quarter | Quarterly updates can be planned in April, July, Oct and Jan |
| Support Pack Stack | Yearly | As per project plan | Follow guidelines specified in section 4 above. |
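The timing rules in sections 4.1.2, 4.1.4 and 6.1 can be checked with a small triage helper. This is an added example, not part of the SyWay procedure or of any SAP tooling; the function names, the maintenance-window list and the sample note IDs and dates are constructed assumptions. The kernel rule is interpreted here as "join the first quarterly month (Jan, April, July, Oct) reached after the two-week wait".

```python
from calendar import monthrange
from datetime import date, timedelta

HOT_NEWS_CVSS = 9.0                # section 4.1.4: CVSS 9.0 or higher
KERNEL_SOAK = timedelta(days=14)   # section 4.1.2: wait at least 2 weeks
QUARTERLY_MONTHS = (1, 4, 7, 10)   # section 6.1: Jan, April, July, Oct


def security_note_deadline(cvss, patch_day, windows):
    """Return (track, deadline) for a Security Note released on patch_day."""
    if cvss >= HOT_NEWS_CVSS:
        # Hot News bypasses the cycles: first window on or after release.
        upcoming = sorted(w for w in windows if w >= patch_day)
        if not upcoming:
            raise ValueError("no maintenance window scheduled after release")
        return "hot-news", upcoming[0]
    # Other notes: complete within the month of Patch Day.
    last_day = monthrange(patch_day.year, patch_day.month)[1]
    return "monthly", date(patch_day.year, patch_day.month, last_day)


def kernel_cycle(released):
    """Return (year, month) of the first quarterly cycle a kernel can join."""
    eligible = released + KERNEL_SOAK  # earliest date the patch may be used
    year, month = eligible.year, eligible.month
    while month not in QUARTERLY_MONTHS:  # roll forward to Jan/Apr/Jul/Oct
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return year, month


if __name__ == "__main__":
    # Constructed sample data: placeholder note IDs, scores and dates.
    windows = [date(2025, 4, 5), date(2025, 4, 12), date(2025, 4, 26)]
    notes = [("NOTE-A", 9.8), ("NOTE-B", 7.5), ("NOTE-C", 9.0)]
    for note_id, cvss in notes:
        track, due = security_note_deadline(cvss, date(2025, 4, 8), windows)
        print(f"{note_id} cvss={cvss} track={track} due={due}")
    for released in (date(2025, 3, 25), date(2025, 4, 20), date(2025, 10, 25)):
        print(f"kernel released {released} -> cycle {kernel_cycle(released)}")
```

A kernel released on 20 April misses the April cycle because the two-week wait ends in May, so it lands in July; one released on 25 October rolls over to January of the following year.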
6.2 Public Cloud (SaaS)
6.3 Azure/AWS dependent components
7. Testing
8. Monitoring, Compliance & KPIs
EWA
