SAP authorization management put to the test at Berliner Wasserbetriebe

SAP Authorization Management put to the test (©Berliner Wasserbetriebe)Berliner Wasserbetriebe, Berlin’s water supply and wastewater disposal company, is a public institution and is therefore subject to special legal requirements. High security standards apply to both business processes and its IT operations. As a consequence, setting up transparent SAP authorization management company-wide to meet all of these requirements was one of the water company’s most critical tasks.

Glass-Clear: Improving SAP Security & Compliance

The SAP authorization system at the Berliner Wasserbetriebe had grown over many years, offering great potential for holistic improvement to its SAP security & compliance. A number of processes were run manually, which was a constant stumbling block to daily operations and resulted in increased efforts for SAP admins or the Help Desk. And, audits of authorizations conducted afterwards uncovered SoD conflicts and critical authorizations.

Acting to ensure full audit security and transparency by harmonizing SAP Authorization Management

The aim was to achieve a group-wide and transparent standardization of authorization management as part of a reorganization of SAP authorization and user administration. In particular, the focus was on harmonizing the way authorizations are assigned and managed in all available SAP systems. All this took place against the backdrop of rising legal requirements and increasingly complex SAP landscapes. Here, there was a dual focus on increasing SAP Security & Compliance and on electronic and audit-proof documentation.

Furthermore, Berliner Wasserbetriebe wanted to optimize the process for assigning SAP authorizations. The idea was to identify SoD conflicts in advance as well as make the process understandable and intuitive for every employee.

Meeting all legal requirements using a GRC tool

The Berliner Wasserbetriebe management considered the deployment of a GRC audit tool a crucial part of creating a permanent map of business processes. The intent was to support the requirements from both internal and independent auditors. In addition, this audit software needed to support SAP user and authorization management.

One of the biggest challenges involved identifying which authorizations were actually needed in the various departments, coordinating unambiguous ownerships of data and communicating the process changes to the affected users. In addition, designing an optimized web-based form for assigning authorizations proved to be a complex task. In particular, the application needed to take masses of roles, naming conventions and many different systems into account.

Optimizing SAP authorizations and detecting vulnerabilities: All analyzed in real-time

Berliner Wasserbetriebe selected AKQUINET’s SAST SUITE for the implementation after putting out a public invitation to tender . This included the associated support and adapting action recommendations made by SAP experts to meet the requirements

Thanks to SAST SUITE, authorization and SoD analyses are available in real-time and ensure compliance with legal guidelines. The result is an improved ability to identify critical SAP access attempts in addition to early detection of potential SoD conflicts. Requests for users and changes to roles are documented electronically – and automatically. Documentation is equally important for both internal and independent auditors.

Critical authorizations and SoD conflicts are displayed and systemic security is monitored. Vulnerabilities are identified automatically and SAST SUITE offers appropriate solutions for remedying them.

The web form specially developed for Berliner Wasserbetriebe now permits all departments to assign roles that meet the particulars of their requirements. Users see only those roles for which they are respectively authorized.

SAP authorization management with SAST: All the advantages in one suite

All in all, authorization management at Berliner Wasserbetriebe was substantially simplified. Now, SoD conflicts are identified in advance and roles are assigned systemically according to predefined rule sets and SoD matrices. Of course, SAST SUITE also supports compliance with all legal requirements.

The modules in the suite build on each other and can be integrated into SAP, meaning no additional hardware is necessary. This facilitates both easy administration and supports logging and compliance for legal requirements.

Full monitoring of the emergency users or SAP guest users (external SAP consultants, auditors, etc.) is also possible. The SAST AT Display-Track makes it possible to identify read access attempts of personnel data in the HCM module by privileged users or emergency users.

“We chose SAST SUITE from AKQUINET because it is easy to use, offers real-time analyses and allows for a high degree of automation,” explained Martina Rosenfeld-Gauger, Team Manager for Business Administration & Central Applications at Berliner Wasserbetriebe. “Critical authorizations and SoD conflicts are displayed and systemic security is monitored. Vulnerabilities are identified automatically and SAST SUITE offers appropriate solutions for remedying them.”

Have you been tasked with reorganizing authorization management properly to ensure greater security at your company? Check out our SAST SOLUTIONS website or send us an e-mail us at

To the Success Story


About Berliner Wasserbetriebe

SAST BLOG: About Berliner Wasserbetriebe (©Jack-Simanzik)Berliner Wasserbetriebe have supplied drinking water and treated wastewater in Berlin for more than 160 years. Today, the company supplies drinking water to 3.7 million residents of Berlin and uses state-of-the-art innovative technology to treat and dispose of wastewater. Berliner Wasserbetriebe is one of the largest companies in the water industry, employing over 4,300 people and maintaining a 19,000 km network of pipes and canals.



This may also interest you:

Step-by-step: Bring your SAP compliance to a brilliant finish

Cut Down on Critical SAP Authorizations Without Interrupting Operations