Deep Dive

Shared Responsibility Model

Understanding exactly what SAP manages versus what you still own is critical to operational success. This guide breaks it down domain by domain.

  • 9 domains to understand
  • IaaS, not application managed
  • You own the SAP application layer
  • SAP manages infrastructure only

Foundation

The Core Principle

RISE is infrastructure-as-a-service, not application-managed-services.

SAP manages the infrastructure layer (compute, storage, database, OS patching, backups). You still own the SAP application layer (configuration, custom code, security, monitoring, interfaces, licensing).

Think of it like renting a house: SAP maintains the structure and utilities, but you furnish it and live in it.

Complete Guide

Domain-by-Domain Breakdown

Each operational domain has a clear division of responsibilities. Understanding these boundaries prevents surprises after go-live.

1. Infrastructure & Platform

SAP Manages
  • Data center facilities and physical security
  • Compute and storage provisioning
  • OS installation and patching
  • Database software (HANA) management
  • Network infrastructure within cloud
  • Backup execution and retention
  • Disaster recovery infrastructure
You Own
  • Sizing requirements and change requests
  • Network connectivity (ExpressRoute, VPN)
  • Backup testing and restore validation
  • DR plan and testing coordination
  • Third-party software installation (if allowed)

2. SAP Application Management

SAP Manages
  • SAP software installation
  • SAP Kernel patching (coordinated with you)
  • SAP Support Pack application (you approve)
  • System clones/copies (on request)
  • Basic system monitoring (up/down status)
You Own
  • All SAP configuration and customizing
  • Custom ABAP code and enhancements
  • Transport management and promotion
  • Pre/post system copy configuration
  • Application performance monitoring
  • Business process monitoring and alerting
  • Functional testing of patches/updates

3. Security & Access Control

SAP Manages
  • Physical security of data centers
  • Network perimeter security
  • OS-level security patching
  • Database encryption at rest
  • Cloud infrastructure IAM
You Own
  • All SAP user provisioning and de-provisioning
  • Role design and authorization management
  • Segregation of Duties (SoD) compliance
  • Security audit logging and review
  • Password policies and MFA configuration
  • Sensitive data masking and redaction
  • Compliance reporting (SOX, GDPR, etc.)
  • Security incident response (app layer)

4. Monitoring & Operations

SAP Manages
  • Infrastructure availability monitoring
  • Database health checks
  • OS resource monitoring
  • Cloud platform alerting
  • SAP system start/stop coordination
You Own
  • Batch job monitoring and failure handling
  • Interface monitoring and error resolution
  • Application performance monitoring (ST03, ST06)
  • Business process monitoring (order-to-cash, etc.)
  • Custom alerting and escalation
  • Capacity planning and sizing requests
  • Application-level incident triage

5. Data Management

SAP Manages
  • Database backups (execution)
  • Database restores (on request)
  • Storage management and expansion
You Own
  • Data quality and master data governance
  • Data archiving strategy and execution
  • Data retention policies
  • Data migration and conversion (for S/4)
  • Backup validation and testing
  • Legal hold and e-discovery
  • Data privacy compliance (GDPR, CCPA)

6. Licensing & Compliance

SAP Manages
  • License entitlement tracking (via contract)
  • RISE subscription billing
You Own
  • User type assignments (Professional vs Limited)
  • Named user measurement and reporting
  • Indirect access analysis and management
  • License optimization (right-sizing user types)
  • SAM (Software Asset Management) tool usage
  • License audit responses

7. Support & Incident Management

SAP Manages
  • Infrastructure incident response
  • Database performance issues (infrastructure)
  • OS and kernel-level defects
  • SAP standard code defects (via OSS notes)
You Own
  • Initial incident triage and categorization
  • User-reported issues and helpdesk
  • Custom code defects and fixes
  • Configuration errors
  • Business process issues
  • Performance tuning (SQL, transactions)
  • Workaround implementation
  • End-user training and support

8. Integrations & Interfaces

SAP Manages
  • Network connectivity (within cloud)
  • BTP integration infrastructure (if included)
You Own
  • All interface design and development
  • Middleware configuration and management
  • API development and testing
  • Interface monitoring and error handling
  • Third-party system integration
  • EDI/IDoc configuration
  • File transfer automation

9. Security Hardening

SAP Manages
  • Infrastructure-level security patches
  • HANA database security updates
  • OS hardening and compliance
  • Cloud platform security controls
You Own
  • Security baseline configuration (profile parameters)
  • SAP Security Notes review and application
  • Code Vulnerability Analysis (CVA) scanning
  • Gateway and RFC security configuration
  • ICM and web dispatcher hardening
  • Secure communication setup (SSL/TLS)
  • Application firewall rules
  • Penetration testing coordination
  • Security baseline monitoring and drift detection

Practical Tools

Framework & Templates

Download ready-to-use templates to document and operationalize the shared responsibility model within your organization.

Security Responsibilities

RACI matrix for security controls, patching schedules, and incident response procedures.

Change & Release Management

Transport workflow, approval processes, and release coordination between customer and SAP.

Master Data Management

Data governance framework, quality standards, and MDM process ownership documentation.

User Support Model

Tiered support structure, escalation paths, and end-user communication templates.

Watch Out

Common Misconceptions

These are the assumptions that most often trip up teams moving to RISE.

"SAP monitors our batch jobs"

No. SAP monitors infrastructure. You need to monitor batch job completion, failures, and business impact.

"SAP handles our security audits"

No. SAP provides infrastructure compliance (SOC2, ISO). You handle SAP application-level audits (SOX, authorization reviews).

"SAP manages our licensing compliance"

No. You assign user types, measure usage, and respond to audits. SAP just tracks entitlements.

"SAP will fix our performance issues"

Depends. Infrastructure bottlenecks, yes. SQL tuning, custom code optimization, configuration fixes? That's you.

Action Plan

How to Get Clear on Responsibilities

Follow these steps to eliminate ambiguity before and after your RISE go-live.

1. Request RACI Matrix from SAP

Ask your SAP account team for the detailed RACI (Responsible, Accountable, Consulted, Informed) matrix for your specific RISE contract variant.

2. Map Current Operations

Document who currently handles each operational task. Identify gaps where no one is clearly responsible.

3. Test Assumptions with Real Incidents

Open tickets to SAP for edge cases. Document what they will vs won't handle. Build internal runbooks for the rest.

4. Fill Gaps Proactively

Consider managed services partners, automation tools, or internal staffing for tasks SAP doesn't cover.

Downloadable Templates

Use these templates to document and communicate responsibilities across your organization.

  • Roles & Responsibilities Document
  • RACI Matrix Template
  • Operational Readiness Checklist
  • Incident Escalation Runbook
