SoD-Free User Management via Web Services

Managing a large number of user accounts often presents companies with a major challenge. It’s particularly difficult when user identities need to be maintained in several systems, directory services, or databases. This frequently results in a lack of transparency, conflicts in the segregation of duties (SoD), and an increase in the effort required to address them.

In the past, SAP environments provided access to the Central User Administration (CUA) as a means of managing users in a central system. For years, CUA was the only system that made it possible to manage users centrally in SAP. These days, however, this feature has been designated for gradual replacement by SAP Identity Management (SAP IDM). Customers are being advised to switch to the new system, as SAP has discontinued the further development of CUA (the final version is based on SAP NetWeaver 7.1).

Of course, the need to keep one’s systems up-to-date would already be a good reason to make the move. For those who want to be prepared for the innovations ahead and stay on the cutting edge, the transition to SAP IDM is practically a matter of course.

Assignments without SoD conflicts already possible when requesting new users

Many of our customers are switching to IDM systems in user management, and offerings from providers other than SAP are also in use.

One key challenge in this regard involves assigning authorizations without causing SoD conflicts. SAST SUITE gives our customers the ability to identify the SoD conflicts a given situation would cause right when a new user or authorizations are requested. The roles to be assigned are handed over to SAST via a web service and tested against a proven set of checking rules. The requester then receives an overview of all the SoD conflicts that can be expected for the user in question.
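The pre-assignment check described above can be sketched as follows. This is an added example, not SAST SUITE code or its web service interface: the role names, rule IDs and the role-to-transaction mapping are hypothetical, constructed sample data. It simulates the assignment on the union of existing and requested roles and reports only the conflicts the request would introduce.

```python
# Constructed sample data: role names, rule IDs and the mapping of roles to
# SAP transaction codes are hypothetical, not taken from any real ruleset.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_MM_PURCHASER": {"ME21N", "ME22N"},
    "Z_MM_GOODS_RECEIPT": {"MIGO"},
    "Z_FI_DISPLAY": {"FK03", "FB03"},
}

# Each rule names two function groups one user must not hold together.
SOD_RULES = [
    ("R001", "Maintain vendor / execute payment",
     {"FK01", "FK02"}, {"F110", "F-53"}),
    ("R002", "Create purchase order / post goods receipt",
     {"ME21N", "ME22N"}, {"MIGO"}),
]


def tcodes_for(roles):
    """Resolve roles to transaction codes; fail closed on unknown roles."""
    unknown = sorted(r for r in roles if r not in ROLE_TCODES)
    if unknown:
        raise KeyError(f"roles missing from ruleset mapping: {unknown}")
    return set().union(*(ROLE_TCODES[r] for r in roles))


def violations(roles):
    """Return {rule_id: (description, side_a_hits, side_b_hits)}."""
    held = tcodes_for(roles)
    return {
        rule_id: (desc, sorted(held & side_a), sorted(held & side_b))
        for rule_id, desc, side_a, side_b in SOD_RULES
        if held & side_a and held & side_b
    }


def check_request(existing_roles, requested_roles):
    """Simulate the assignment and report conflicts before provisioning."""
    before = violations(existing_roles)
    after = violations(set(existing_roles) | set(requested_roles))
    new = {k: v for k, v in after.items() if k not in before}
    return {
        "new_conflicts": new,          # introduced by this request
        "existing_conflicts": before,  # already present on the user
        "auto_approvable": not new,    # no added risk from this request
    }
```

Checking at the transaction level rather than by role name is what catches a conflict that only arises from the combination of an already assigned role with a newly requested one.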

Real-time checking of critical authorizations

Figure: SAP IDM-driven process with SAST UAM

SAST makes it possible to assess risks and identify when critical authorizations are being assigned in real time – even early on in the request process. It supports all scenarios involving SAP IDM and SAP Access Control. SAST interfaces with these solutions via web services or its own API; we can easily accommodate customer-specific scenarios, as well. Our SoD checking rulesets detect SoD conflicts in a fast, direct manner, which reduces the overall amount of time required to assign authorizations. Plus, the checks involved can be integrated directly into your IDM workflow.

Would you like more information on our SAST SUITE, or would you like to find out more about ALL ROUND protection of your SAP systems? Check out our SAST SOLUTIONS website or send us an e-mail at

Andreas Leisegang (SAST SOLUTIONS)

