Managed Services for RISE with SAP: Gaps in the operating model

Executive Summary: The redefinition of ERP operational responsibility

The digital transformation of global companies is inextricably linked to the modernization of their enterprise resource planning (ERP) systems. With the introduction of RISE with SAP, SAP, the global market leader in this segment, has initiated a paradigm shift that goes far beyond mere technical migration. The offering, marketed as Business Transformation as a Service, promises companies a simplified path to the cloud by bundling software licenses, infrastructure hosting and technical managed services in a single subscription contract. This model, often summarized under the catchphrase One Hand to Shake, suggests a significant reduction in complexity for customers’ IT departments.

However, an in-depth analysis of the contractual realities, in particular the Roles and Responsibilities (RACI) matrix, reveals a critical discrepancy between the perceived “fully comprehensive insurance” and the operational reality. The standard offering of RISE with SAP is based on strict standardization, which is essential for the scalability of the cloud model, but inevitably leaves gaps in individual support. These gaps, technically classified as Excluded Tasks, include not only peripheral tasks, but also business-critical functions such as authorization management, validation of data backups, interface monitoring and in-depth application support.

This report examines the structural deficits of the standard RISE model and sheds light on how Axians, as a specialized ICT service provider, strategically closes these gaps with its portfolio of Additional Rise Services. The central thesis of this report is that the successful operation of an SAP Cloud ERP private(SAP S/4HANA Private Cloud Edition) cannot be guaranteed by the procurement of SAP resources alone, but requires the integration of a qualified service partner who transforms the gray areas of the RACI model into a robust service architecture. Axians is not positioning itself as a competitor to SAP, but rather as an essential enabler that ensures the operational security, compliance and innovative capacity of its customers through local expertise, certified Partner Center of Expertise (PCoE) structures and a deep understanding of hybrid architectures.

The paradigm shift: from on-premise to ‘Business Transformation as a Service’

The evolution of the SAP hosting market

Historically, the operation of SAP systems was the domain of internal IT departments or specialized hosting partners acting on behalf of the customer. In this classic “on-premise” or “managed cloud” model, the customer had full control – and therefore full responsibility – over the entire stack, from the data center floor to the graphical user interface (GUI). The customer determined the timing of maintenance windows, the granularity of backups and the security architecture down to the smallest detail.

RISE with SAP fundamentally changes this structure. SAP now acts as a general contractor itself and uses the infrastructure of the hyperscalers (AWS, Microsoft Azure, Google Cloud Platform) as an IaaS layer (Infrastructure as a Service). SAP is using its own “Enterprise Cloud Services” (ECS) stack, which covers the basic technical operation (PaaS – Platform as a Service). For the customer, this means a shift from CapEx (Capital Expenditures) to OpEx (Operational Expenditures) and a theoretical reduction in routine technical tasks.

The illusion of completeness: the “one hand to shake” principle

The marketing promise of “One Hand to Shake” addresses one of the biggest pain points of CIOs: the “vendor ping-pong” between hardware suppliers, hosting providers and software manufacturers in the event of performance problems. With RISE with SAP, SAP is contractually the only point of contact for the core infrastructure. However, this simplification brings with it a new level of complexity. As SAP has to serve thousands of customers globally on a standardized platform, the processes are extremely rigidly defined. Deviations from the standard process are not provided for in the core offering or are difficult to map.

The challenge arises where the standardized technical operation meets the highly individualized process world of the customer. An SAP system is not an isolated monolith, but the heart of a networked ecosystem. It communicates with warehouse management systems, web stores, banks and government authorities. For SAP, responsibility for these interactions and the logical integrity of the data streams often ends at the system boundary – precisely where the customer’s actual business begins.

Detailed analysis of the operational gaps (“Excluded Tasks”)

Analysis of the RACI matrix shows that a significant proportion of operational tasks are explicitly not performed by SAP. These so-called Excluded Tasks represent the greatest challenge in RISE operations, as they remain entirely the responsibility of the customer – regardless of whether sufficient resources are available internally.

1. security and authorization management

In the cloud context, security is a shared good (shared responsibility model). While SAP guarantees the “security of the cloud” (infrastructure, physical access), the customer is responsible for “security in the cloud”.

User and identity management (IAM)

Creating, changing and deleting users (User Lifecycle Management) is a classic Excluded Task.

• The risk: Without professional management, orphaned user accounts (e.g. of employees who have left the company) arise, which represent a security risk. In addition, the uncontrolled allocation of authorizations leads to violations of the principle of segregation of duties (SoD). An employee who can both create suppliers and approve payments poses a massive risk of fraud.
• The operational burden: Maintaining roles and profiles (transaction PFCG) requires in-depth technical knowledge of authorization objects. SAP only provides the technical tools, but not the logical concept or daily maintenance.
• Axians solution: Axians takes over the entire IAM as a managed service. This includes not only the ticket-based processing of user requests, but also the regular review of authorization concepts, the performance of SoD checks and the preparation of system audits.

Application security and security audit logs

SAP monitors the infrastructure for external attacks (DDoS, intrusion detection at network level). Attacks that take place within the application (e.g. misuse of RFC interfaces, debugging in the production system, download of sensitive HR data) are invisible to infrastructure monitoring.

• The risk: The analysis of SAP Security Audit Logs (SM20) is explicitly a customer task. If these logs are not proactively monitored, security incidents often remain undetected for months.
• Axians solution: Integration of the SAP system logs into an Axians Security Operations Center (SOC). By using SIEM (Security Information and Event Management) systems, anomalies are detected and correlated in real time. Axians experts assess whether a failed login is a harmless typing error or a brute force attack.

2. basic technical services and system maintenance

The term “basic operation” is often misunderstood. SAP provides the “basic technical operation” (server running), but not the “basic application operation”.

Output and print management

An often overlooked but business-critical area is printing. Delivery bills, labels and invoices need to be physically printed.

• The gap: SAP does not manage local print servers or the connection of end devices in the customer network. The configuration of spool servers, device types and drivers in SPAD (Spool Administration) is the customer’s responsibility.
• The scenario: When the label printer in the dispatch warehouse stops on Friday afternoon, the truck stops. A ticket to SAP (“Server is running”) does not help here.
• Axians solution: Axians manages the output landscape, coordinates the connection of local print servers via VPN/Cloud Connector and monitors the spool jobs for errors.

Job control and process automation

SAP systems thrive on background processing (batch jobs). Material requirements planning (MRP), payment runs, dunning – all this runs in the background.

• The gap: SAP provides the scheduler (SM36/SM37), but does not monitor the logical success of the jobs. A job can technically be “green” (completed), but have not processed any data in terms of content or have been canceled due to missing master data. The analysis of job logs and spool lists is an Excluded Task.
• Axians solution: Proactive job monitoring. Axians defines threshold values and alarms not only for termination, but also for runtime overruns or delays. Critical jobs (e.g. payroll) are monitored separately.

Transport management and change control

The path from development to production leads via the transportation system (STMS).

• The gap: SAP carries out the technical import (often automatically or on request). Logical integrity – checking whether transport A must be imported before transport B (dependency check) or whether a transport leads to a downgrade (overwrite check) – is the responsibility of the customer.
• Axians solution: Axians acts as a “gatekeeper”. Strict change management and technical pre-checks (import checks) prevent faulty or incomplete transports from destabilizing the production system.

3. data management and recovery

Data is the most valuable asset. The assumption that data is “automatically secure” in the cloud is a dangerous fallacy.

Backup validation and restore tests

SAP carries out backups. But a backup is only as good as the restore.

• The loophole: The validation of backups (“Validation of backed-up or restored data”) is explicitly an Excluded Task. SAP does not guarantee that the backup is logically consistent if the database had corrupt blocks that were not recognized at the time of the backup.
• Axians solution: Regular, scheduled restore tests. Axians requests temporary systems, restores backups and performs consistency checks (DBCC – Database Consistency Check) to guarantee recoverability in an emergency.

Data anonymization for system copies

Copies of the production system are regularly required for testing and training purposes.

• The gap: SAP technically copies 1:1, with real data (salaries, addresses) in the test system. This violates the GDPR, as developers and consultants often have far-reaching authorizations in the test system. Anonymization is a customer task.
• Axians solution: Integration of anonymization routines (e.g. with SAP TDMS or Axians’ own add-ons) into the refresh process. Sensitive data is anonymized so that realistic but non-personal data can be used for testing.

4. interfaces and integration (connectivity)

No SAP system is an island. The connection to the outside world is often the most complex part of the migration.

Axians solution: Axians contributes its expertise in the field of enterprise networks. You design and operate the network infrastructure, configure the SAP Cloud Connector for high availability and monitor the interfaces from an application perspective. Hanging IDocs are analyzed and (after consultation or rules) rebooked.

The gap: SAP delivers the endpoint in the cloud. How the customer gets there (MPLS, VPN, Internet) and how on-premise systems are securely connected (Cloud Connector) is largely a customer risk. The monitoring of IDocs (Intermediate Documents) and RFC connections is also an Excluded Task.

The Axians “Additional Rise Services” portfolio

The operational gaps identified are not a marginal phenomenon, but systemic. They cannot be closed by the standard RISE offering, but require an extended managed services model that specifically addresses where SAP’s responsibility ends. Axians has developed a portfolio that is precisely tailored to the gaps identified above. This offering transforms the standardized “RISE” product into a tailor-made enterprise solution.

Structure of Axians Services

The offer is divided into modular components that can be flexibly added to the RISE contract:

Service module	Contents (excerpt)	Addressed RISE gap (RACI gap)
Managed Security	User mgmt, role design, SoD checks, SIEM integration, patch advisory	Excluded Tasks: Security user management, Audit logs, Compliance
Technical Operations	Spool mgmt, job scheduling, transport mgmt, health checks, sizing monitoring	Excluded Tasks: Configuration of peripherals, Batch job validation
Application Management (AMS)	Incident Mgmt, Interface Monitoring, Custom Code Maintenance, Functional Support	Excluded Tasks: Interface monitoring, Custom code adaptation
Connectivity & Network	Cloud Connector Operation, VPN/WAN Mgmt, Firewalling, SD-WAN Integration	Customer Responsibility: Network size and architecture 11
Strategic Advisory	Roadmap planning, release strategy, innovation workshops (BTP)	Lack of strategic advice in standard support

The “human touch”: Axians as a service broker

A key differentiating factor is the “ICT with a human touch” approach. In the RISE model, customers often interact with anonymous support teams in offshore locations, which can lead to language barriers and cultural misunderstandings.

• The Service Desk as an anchor: Axians offers a local Service Desk (Germany/Austria), which acts as the primary entry channel (Single Point of Contact – SPOC).
• The broker model: The customer reports a problem (“transaction not working”). Axians analyzes: Is it an operating error (solution immediately), a customizing error (solution by Axians AMS) or a technical infrastructure error (forwarding to SAP).
• Advantage: The customer does not need to know the RACI matrix by heart. Axians takes over the triaging and directs the tickets to the right place, monitors SAP’s SLAs and escalates via partner channels if necessary.

Certified excellence: the Partner Center of Expertise (PCoE)

Axians is certified as a PCoE. This is an SAP quality seal that sets strict requirements for processes, tools and employee qualifications.

• Significance for the customer: It guarantees that Axians has access to the same support backbones and knowledge databases as SAP. In the event of complex problems (“very high incidents”), there are established escalation paths that ensure a quick solution without the ticket getting stuck in “level 1 support”.
• Auditing: PCoE certification is renewed regularly, which ensures continuous quality assurance of Axians services.

Strategic and economic added value (value proposition)

Why should companies invest in “additional services” if the aim of RISE was to reduce costs? The answer lies in looking at the total cost of ownership (TCO) and the risk costs.

Risk minimization as a business case

The costs of a single production downtime (e.g. due to expired certificates, full file systems or unrecognized interface errors) often exceed the annual costs of the Additional Services.

• Proactive vs. reactive action: SAP’s standard approach is often reactive (ticket is processed when an error is reported). Axians uses proactive monitoring to act preventively before the error disrupts operations.
• Compliance security: Avoiding fines (GDPR) or problems with audits through clean authorization management is a direct monetary advantage.

Economies of scale and shortage of skilled workers

Setting up an internal team that can cover the “excluded tasks” 24/7 is hardly economical for medium-sized companies.

• Skill availability: SAP Basis experts and security specialists are extremely rare and expensive on the labor market.
• Shared service model: Axians spreads the costs for these experts across many customers. The customer only pays for the service required, but benefits from the availability of a large pool of experts.
• Vacation and sickness cover: Responsibility for staff availability is transferred to the service provider.

Enablement for innovation (Business Technology Platform)

The relief from administrative “basics” creates scope for innovation.

BTP expertise: Axians supports customers in using the SAP Business Technology Platform (BTP) to develop innovations “side-by-side” and to keep the SAP core clean (“Clean Core Strategy”)^.2 This is crucial for long-term upgrade capability.

Shift in focus: When internal IT is no longer struggling with printer drivers, it can focus on the digitalization of business processes.

Conclusion: Strategic partnership instead of mere hosting

The scenarios presented make it clear that although RISE with SAP provides a modern technical basis, it does not represent a complete operational approach. A strategic addition to the standard model is essential for stable, secure and future-proof SAP operations.

The introduction of RISE with SAP is the right step into the digital future for many companies. It modernizes the platform and makes costs more flexible. However, the belief that signing the RISE contract transfers all operational concerns to SAP is a dangerous mistake. The gaps in the RACI model are real, substantial and business-critical.

Axians fills these gaps not as a “stopgap solution”, but as a strategic architect of a robust hybrid cloud reality. The Additional Rise Services are the link that turns a technical infrastructure (SAP RISE) into a functioning, secure and human-centered business solution. They bring back the necessary flexibility that is lost in the standardization process of the cloud and ensure that IT does what it is supposed to do again: Not just keep the business running, but drive it forward.

For companies moving to the SAP S/4HANA private cloud, the question is therefore not whether they need additional services, but how they can integrate them intelligently into their operating strategy. Axians’ answer is: with a holistic approach, local proximity and technical excellence that leaves no gaps.