On-Premise

S/4HANA OP

ABAP Cloud

Full Flexibility

On-Premises Extensions

Extensibility for S/4HANA On-Premise deployments — the most flexible but most governance-intensive environment. All three tiers are available, but Clean Core compliance requires deliberate enforcement via ATC, governance processes, and architectural discipline.

Architecture Overview

On-Premises Extension Architecture

Rendering diagram…

Executive Summary

S/4HANA On-Premise gives the most extension flexibility — all three tiers are available, including full ABAP developer access. However, this flexibility is also the biggest risk: without enforced Clean Core governance, on-premise systems accumulate technical debt (modifications, unreleased API usage, direct table access) that makes upgrades expensive. The on-premise Clean Core journey requires more deliberate process enforcement than PCE or Public Cloud.

On-Premise Clean Core Journey

Phase	Activity	Timeline
1. Assess	Run Clean Core Assessment tool. Count modifications, violations, custom objects. Classify each.	4-8 weeks
2. Freeze	Stop all new non-clean-core development. Set ATC transport gate.	Immediate
3. Migrate	Convert existing custom code to ABAP Cloud (CDS views, released APIs, RAP).	12-36 months
4. Enforce	ATC in CI/CD. Cloud ALM tracking. Quarterly Clean Core health report.	Ongoing
5. Upgrade	S/4HANA 2025 OP with minimal regression effort.	Every ~2 years

Cloud Connector — BTP Connectivity

Cloud Connector is installed in the DMZ and creates a secure reverse-proxy tunnel between the BTP Connectivity Service and the on-premise S/4HANA system. Access control defines an explicit allowlist of exposed paths — all other paths are denied by default.

bash

# Cloud Connector Access Control — expose S/4HANA OData APIs to BTP
# Configured in Cloud Connector Admin UI (https://localhost:8443)

# Virtual host mapping:
# Virtual: s4hana-prod (virtual hostname visible from BTP)
# Physical: actual-s4h.dewa.local:44310 (internal hostname)

# Allowed resources (explicit allowlist — deny by default):
# Path: /sap/opu/odata/sap/
# Accessible: Yes — all subpaths
# (This exposes all OData V4 APIs from S/4HANA standard namespace)

# Path: /sap/opu/odata4/sap/
# Accessible: Yes — OData V4 services

# Block all other paths (default behaviour):
# Direct table access: NOT accessible
# Internal RFC paths: NOT accessible (use released RFCs only if needed)

ABAP Migration Example — Classic to ABAP Cloud

Replace Direct Table Access with Released CDS Views

The most common migration pattern is replacing direct SELECT on SAP tables (VBAK, EKKO, etc.) with the corresponding released CDS views (I_SalesOrder, I_PurchaseOrder, etc.) and replacing BAPI/RFC calls with EML or OData V4 consumption.

abap

" ❌ BEFORE — Classic ABAP (non-clean-core):
" Direct SELECT on SAP table + CALL FUNCTION

SELECT vbeln soldto netwr waerk
  FROM vbak                    " Direct table SELECT — forbidden
  INTO TABLE @lt_vbak
  WHERE vkorg = '1000'
    AND audat >= @lv_from_date.

LOOP AT lt_vbak INTO DATA(ls_vbak).
  CALL FUNCTION 'BAPI_SALESORDER_GETDETAIL'  " RFC — forbidden
    EXPORTING salesorderid = ls_vbak-vbeln
    IMPORTING order_header_in = ls_header.
ENDLOOP.

" ✅ AFTER — ABAP Cloud (clean core):
" CDS view + EML (Entity Manipulation Language)

SELECT SalesOrder, SoldToParty, TotalNetAmount, TransactionCurrency
  FROM I_SalesOrder            " Released CDS view
  WHERE SalesOrganization = '1000'
    AND SalesOrderDate >= @lv_from_date
  INTO TABLE @DATA(lt_sales_orders).

" For single-record deep read:
READ ENTITIES OF i_salesorder_api01
  ENTITY SalesOrder
    ALL FIELDS
  WITH VALUE #( ( SalesOrder = lv_so_id ) )
  RESULT DATA(lt_detail).

Migration Prioritisation Framework

Priority 1 (Immediate)

Modifications to SAP standard objects — these directly block upgrades

Priority 2 (This release cycle)

Custom code using unreleased APIs with BLOCKER ATC findings

Priority 3 (Next release cycle)

Custom code using deprecated APIs (CRITICAL-level ATC)

Priority 4 (Long-term)

Custom code using MAJOR-level ATC findings (functional but may break in 2+ releases)

Accept (Document)

Legacy reporting programs rarely upgraded — document and monitor

Enterprise Example — DEWA S/4HANA 2023 OP Migration

Initial custom objects (2023): 8,247
ATC BLOCKER findings (start): 2,341
SAP modifications (start): 47
ATC BLOCKER findings (current): 23 (99% reduction)
SAP modifications remaining: 0 (all removed)
Cloud Connector version: 2.17 (HA pair)
Access control rules: 23 (explicit allowlist)
Target: 0 BLOCKERs before 2025 OP upgrade (Q3 2025)

Best Practices

Activate ATC transport gate immediately

Stop accumulating new debt while migrating old. Every new BLOCKER finding added during migration extends the timeline.

Prioritise modification removal first

Modifications to SAP standard objects are the highest upgrade risk — they receive priority over unreleased API usage (C0).

Build a migration backlog in Cloud ALM

Each legacy object needs an owner, effort estimate, and deadline. Untracked migration work stalls at the upgrade gate.

Run Clean Core Assessment before and after each sprint

Trend data (BLOCKER count over time) is the most effective way to demonstrate progress to management and justify continued investment.

Negotiate retirement over migration

Some legacy Z-reports can be retired instead of migrated. High-effort, low-business-value objects are prime retirement candidates.

Common Pitfalls

Migrating without first freezing new development

Starting migration without the ATC transport gate is like pouring water into a leaking bucket — new debt is created faster than old debt is cleared.

Migrating rarely-used programs first

Prioritise by upgrade impact, not ease of migration. Rarely-used programs have low upgrade risk even if they have MAJOR ATC findings.

Not documenting retired custom objects

Future teams wonder "where is program ZX_OLD_REPORT?" Document every retirement with business justification in Cloud ALM.

Treating modifications as too complex to remove

SAP modifications are always the highest upgrade risk. "Too complex" is a prioritisation problem, not a technical impossibility.

Security Considerations

Security Debt Often Accompanies Technical Debt

On-premise systems frequently have accumulated security debt. Legacy Z-programs may bypass authorisation checks. Conduct a security review of all high-risk custom objects as part of the Clean Core migration.

Review all batch jobs and programs with AUTHORITY-CHECK #01 bypass — common in legacy custom code

Remove SE16N production access — a frequent security violation in on-premise systems

Cloud Connector access control: use explicit allowlist, never allow wildcards on /sap/ paths

References

Clean Core On-Premise Guide

SAP Help Portal — clean core guidance specific to on-premise deployments

ABAP Cloud Migration Guide

Step-by-step guide to migrating classic ABAP custom code to ABAP Cloud

Cloud Connector for On-Premise

Installation, configuration, and access control for Cloud Connector

SAP Note — Clean Core Assessment Tool

SAP Note 3355369 — Clean Core Assessment tool for on-premise systems