Communication Arrangement

By NHI Mgmt Group | Updated June 23, 2026 | Domain: Architecture & Implementation Patterns

A Communication Arrangement is the S/4HANA Cloud construct that binds an application scenario to a communication user and communication system. It is effectively the identity and access wrapper for API-level access, so it must be treated as a governed entitlement rather than a technical integration setting.

Expanded Definition

A Communication Arrangement in SAP S/4HANA Cloud is the control point that links a communication scenario to a communication user and a communication system. In NHI terms, it functions as a governed entitlement that determines which non-human identity can call which API, under what trust relationship, and with what scope.

Although it is often treated as an integration configuration, its security role is closer to a privileged access wrapper. The arrangement defines the execution path for machine-to-machine communication, so its lifecycle, ownership, and review cadence matter as much as the payload being transmitted. In practice, this aligns with the broader NHI governance concerns described in Ultimate Guide to NHIs and with access governance expectations in NIST Cybersecurity Framework 2.0.

Definitions vary across vendors on whether the arrangement itself is the identity boundary or merely the binding layer, but for security governance it should always be assessed as an access-bearing object. The most common misapplication is treating the arrangement as a one-time setup task, which occurs when teams create it during integration and then fail to review its privileges, ownership, or credential dependencies after go-live.

Examples and Use Cases

Implementing Communication Arrangements rigorously often introduces lifecycle overhead, requiring organisations to weigh fast integration delivery against tighter entitlement control and periodic review.

  • An order-processing API is exposed through a Communication Arrangement that binds the service endpoint to a dedicated communication user with only the permissions required for order creation.
  • A finance integration uses a separate communication system for invoice posting, allowing security teams to trace API activity back to a single governed NHI path rather than a shared technical account.
  • A change to the communication scenario triggers reassessment of the arrangement so that newly exposed operations are approved before the integration is promoted.
  • During offboarding of a third-party connector, the arrangement is removed and the linked credentials are revoked, reducing residual access risk described in Ultimate Guide to NHIs.
  • Security reviewers map the arrangement to API governance and least-privilege expectations using NIST Cybersecurity Framework 2.0 to confirm that access is intentionally constrained.

Why It Matters in NHI Security

Communication Arrangements matter because they are often the point where SAP integrations become hidden privileged access. If the arrangement is overbroad, stale, or shared across systems, the organisation loses clarity over which NHI can reach which business function. That creates entitlement sprawl, weak revocation discipline, and poor incident traceability.

This is especially important because NHI risk is rarely theoretical. NHI Mgmt Group reports that only 5.7% of organisations have full visibility into their service accounts, and 97% of NHIs carry excessive privileges, which makes governed access wrappers like Communication Arrangements a practical control surface rather than a documentation detail. The same visibility gap applies when arrangements are left active after projects end, or when multiple teams reuse the same communication user for convenience.

For governance teams, the arrangement should be reviewed alongside secret storage, rotation, and offboarding, not in isolation. A sound approach aligns the arrangement with identity lifecycle controls, so access changes are deliberate and auditable. Organisations typically recognise the urgency of governing Communication Arrangements only after an integration compromise or failed deprovisioning event, at which point addressing the entitlement boundary becomes operationally unavoidable.
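The review conditions named in this section (shared communication users, missing ownership, stale reviews, scenario changes after the last review, arrangements left active after a project ends) can be checked mechanically against an inventory. The following is an added example, not NHI Mgmt Group or SAP code; the inventory records, field names, and the 180-day review threshold are constructed assumptions, not an SAP export schema.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory; field names are hypothetical, not an SAP schema.
ARRANGEMENTS = [
    {"name": "ORDER_CREATE", "scenario": "ORDER_API", "comm_user": "CU_ORDERS",
     "comm_system": "WEBSHOP", "owner": "sales-it", "last_review": date(2026, 5, 1),
     "scenario_changed": date(2026, 3, 10), "project_active": True},
    {"name": "INVOICE_POST", "scenario": "INVOICE_API", "comm_user": "CU_SHARED",
     "comm_system": "FIN_HUB", "owner": "finance-it", "last_review": date(2025, 1, 15),
     "scenario_changed": date(2025, 9, 2), "project_active": True},
    {"name": "LEGACY_CONNECTOR", "scenario": "PARTNER_API", "comm_user": "CU_SHARED",
     "comm_system": "PARTNER_X", "owner": None, "last_review": date(2024, 11, 30),
     "scenario_changed": date(2024, 6, 1), "project_active": False},
]

def audit(arrangements, today, max_review_age_days=180):
    """Return {arrangement name: sorted list of governance findings}."""
    # Map each communication user to the set of systems it is bound to.
    systems_by_user = defaultdict(set)
    for a in arrangements:
        systems_by_user[a["comm_user"]].add(a["comm_system"])

    findings = {}
    for a in arrangements:
        issues = []
        if len(systems_by_user[a["comm_user"]]) > 1:
            issues.append("shared-communication-user")      # reused across systems
        if not a["owner"]:
            issues.append("no-owner")                        # nobody accountable
        if (today - a["last_review"]).days > max_review_age_days:
            issues.append("review-overdue")                  # assumed 180-day cadence
        if a["scenario_changed"] > a["last_review"]:
            issues.append("scenario-changed-since-review")   # new operations unreviewed
        if not a["project_active"]:
            issues.append("active-after-project-end")        # offboarding missed
        findings[a["name"]] = sorted(issues)
    return findings

if __name__ == "__main__":
    for name, issues in audit(ARRANGEMENTS, today=date(2026, 6, 23)).items():
        print(name, issues or "ok")
```
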

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Treats machine identities as governed access objects, not just integration settings. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access governance applies directly to API-bearing communication bindings. |
| NIST SP 800-63 | | Digital identity assurance concepts help frame trust in non-human communication identities. |

Apply equivalent assurance and lifecycle controls to communication users as to high-value credentials.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.