0 Replies Latest reply on Apr 12, 2017 8:39 PM by Keng Lim

    S/4HANA Security Model

    Keng Lim



      ECC and HANA application architectures are different at a fundamental level, and the bottom line is that you need to re-architect your security approach in HANA.


      Legacy authorization management architectures and techniques (namely: RBAC (role-based access controls) and Derived Roles) will not translate directly to the new S/4HANA Applications, starting with Simple Finance.


      Since you have to re-architect your access control security model, this would be a great time to move to an enhanced access control model. ABAC (attribute-based access control), SAP GRC’s most advanced technology to re-architect your application security layer, will end role explosion and semi-regular role-redesign projects once and for all!


      Read the draft Practice Guide executive summary that the National Cybersecurity Center of Excellence (NCCoE) at NIST has released. BTW, you can no longer do business with the US Gov't unless you move to an enhanced access control framework. It is a long read, but Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, goes into detail on the security requirements. ABAC is a fundamental approach to handle the new requirements; read the full NIST Guide to ABAC here.


      Need to learn more? Let me know.






      Message was edited by: Ron Wessels, clarified gov't requirements statements. I can give a lot of background info on this, but I talked directly with a Director in the Public Affairs Office at NIST. She said, “gov't money requires compliance to guidelines, for example 800-53r4. Special circumstances require working through the FedRAMP process if you are trying to get an exception.”