
Right-Sizing SAP Roles and Authorizations

SAP role authorizations are now central to S/4HANA audits. Learn how right-sizing access reduces licensing risk, SoD conflicts, and compliance exposure.

SAP role authorizations have become a focal point of user license audits in recent years because of the generational shift to S/4HANA and cloud solutions. SAP uses its STAR (S/4HANA Trusted Authorization Review) dataset of authorization objects in the audit process and has even embedded this ever-growing dataset into its software asset management tool, SAM4U.

Because a role is a collection of authorization objects, this calls for a more granular approach: finding the right balance between what a role authorizes, the license it triggers, and the security exposure it creates. With the cost of user licenses as the incentive, companies must adopt better practices to right-size their roles and review them much more frequently.

Without regular review, the business justification for access erodes, and control over who can do what in the system weakens. From a security and compliance standpoint, poorly controlled SAP access is a significant risk. Excessive or inappropriate authorizations can create segregation of duties (SoD) conflicts, raise the risk of errors or fraud, and interfere with compliance with SOX, ISO 27001, SOC, and GDPR requirements.

SAP access risk rarely comes from a complete absence of controls. It appears when access is granted reactively and without proper justification as responsibilities change over time. Eventually this produces an access model that is not transparent, not sustainable, and not defensible during audits.

The risks that affect most organisations are:

  • Users accumulating multiple roles over time
  • Roles created for temporary needs but never reviewed or retired
  • Limited understanding of what specific roles allow users to do
  • Segregation of duties conflicts embedded within roles
  • Access reviews treated as a compliance exercise rather than a true risk assessment
  • Not understanding that the authorisation objects SAP checks in an S/4 audit dictate the user’s license type

The biggest threat is that these risks arise in very ordinary situations: someone changing role within the company, being promoted or demoted, new functionality being installed, or the system undergoing changes. Each of these has an immediate impact on what the user does, and therefore on the privileges and authorisations they hold.

Right-sized SAP role authorisations are not about restricting users’ access to the minimum – it’s about setting appropriate and justified access for employees.

In practice, this means:

  • Access corresponds directly with the business’s needs
  • SAP’s user licensing is taken into consideration as some non-essential activities can lead to a need for a costlier license
  • Roles have a clearly defined, documented purpose to serve
  • Access is approved by accountable parties, such as role or business owners and administrators
  • Segregation of duties is considered during role redistribution
  • Access is periodically renewed and verified as still necessary
  • Preferably, the rules are firmly set and the process is fully automated

When these rules are respected, organisations can clearly explain why access is given and defend it to the auditors during a security audit. Likewise, when the exercise is properly executed, licensing risk can be measured and reduced, so the licensing audit does not come as a shock.

Segregation of duties (SoD) is one of the most important controls in SAP systems and a regular subject of security audits. Badly assigned roles often combine conflicting activities that are difficult to spot and manage. Right-sized roles reduce this risk by drawing clear lines between duties and making any remaining conflicts visible. Where a conflict cannot be fully prevented, it should be formally documented, with the reason the specific role was assigned. Moreover, different authorization objects can grant nearly the same activity, with the only difference that some of those objects require a more expensive license. The SoD review should therefore be performed alongside a license review of the authorization objects each role contains.
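The combined review described above (roles as collections of authorization objects, SoD conflicts across a user’s roles, and the object that drives the user’s license class) as an added, runnable illustration that is not part of the original article. The role contents, SoD rule, license classes and object names are constructed placeholders; the real STAR classification is SAP’s own dataset and is not reproduced here.

```python
"""Role right-sizing check: SoD conflicts and license drivers per user.

Added example. All role contents, SoD rules and object-to-license mappings
are constructed for illustration, not taken from SAP's STAR dataset.
"""

# Constructed: which authorization objects each role grants.
ROLES = {
    "Z_AP_CLERK": {"AP_INVOICE_POST", "VENDOR_DISPLAY"},
    "Z_VENDOR_ADMIN": {"VENDOR_MAINTAIN", "VENDOR_DISPLAY"},
    "Z_REPORTING": {"FIN_REPORT_RUN", "FIN_REPORT_EXPORT"},
}

# Constructed SoD rule: a set of objects no single user should hold together.
SOD_RULES = {
    frozenset({"AP_INVOICE_POST", "VENDOR_MAINTAIN"}): "AP-01 create vendor and post its invoices",
}

# Constructed license classes ranked by cost (higher rank = costlier license).
LICENSE_RANK = {"SELF_SERVICE": 1, "FUNCTIONAL": 2, "PROFESSIONAL": 3}
OBJECT_LICENSE = {
    "VENDOR_DISPLAY": "SELF_SERVICE",
    "FIN_REPORT_RUN": "SELF_SERVICE",
    "FIN_REPORT_EXPORT": "PROFESSIONAL",  # near-duplicate of RUN, but costlier
    "AP_INVOICE_POST": "FUNCTIONAL",
    "VENDOR_MAINTAIN": "FUNCTIONAL",
}


def user_objects(user_roles):
    """Flatten a user's roles into the set of authorization objects held."""
    objs = set()
    for role in user_roles:
        objs |= ROLES[role]
    return objs


def sod_conflicts(user_roles):
    """Names of SoD rules fully satisfied by the user's combined objects."""
    objs = user_objects(user_roles)
    return sorted(name for pair, name in SOD_RULES.items() if pair <= objs)


def license_driver(user_roles):
    """Costliest license class required, and the objects that force it."""
    objs = user_objects(user_roles)
    cls = max((OBJECT_LICENSE[o] for o in objs), key=LICENSE_RANK.__getitem__)
    drivers = sorted(o for o in objs if OBJECT_LICENSE[o] == cls)
    return cls, drivers
```

A right-sizing review would then ask, for each driver object, whether a cheaper object (here FIN_REPORT_RUN versus FIN_REPORT_EXPORT) covers the user’s actual business need.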

Conclusion

Authorization design for SAP roles is a fundamental part of system control; as a landscape grows, uncontrolled access carries significant operational, financial, and compliance risk. Right-sizing access allows organizations to re-establish control by aligning authorizations with business needs. And as regulation continues to tighten, organizations need to be able to define who has access to what, and why. Attention to sound role design and access governance can move SAP access from a recurring audit finding to a defensible and well-controlled area of risk.

Understand your SAP access risk before SAP does. Talk to us about reviewing roles, authorizations, and user licensing across your SAP landscape.

Steve Narey, Multi-Vendor Services Director 

Steve brings decades of real-world business acumen latterly focusing on helping global companies optimize software license management, reduce risk, and cut costs, especially during cloud migrations. His expertise spans strategic relationship management, business development, project management, contract negotiation, cloud optimization, and program implementation.   
