We can help you start over from scratch in authorization management or redesign your established concepts for optimal clarity – prior to your migration to S/4HANA, for example.

Our project models allow for a high degree of flexibility and they are tailored to your particular requirements.

In all of our authorization projects, we use modules of our proven SAST SUITE and can optimize automation to shorten project runtime by up to 70 %. Your project budget will thank us!

Meanwhile, is your next audit right around the corner? Once we show you your priority-one findings, you'll be able to relax as the big day approaches.

Analysis and project planning

Analysis of your SAP authorizations: Before you get started, an extensive analysis of the current situation and proactive project planning are essential to the success of your SAP authorization project. That’s why we support you from the very beginning and help you get an overview of the composition of your systems and concepts.

SAST Consulting: SAP Authorization Concepts
Analysis of strengths and weaknesses in authorization and identity management We believe it is very important to identify where the strengths and weaknesses of your existing authorization concept and identity management processes lie before you begin the conceptualization phase. What’s more, our analyses always focus on the general compliance requirements that auditors also find relevant.

In this process, we not only ask whether the compliance requirements are met, but also where there is potential for optimization. Our proprietary tool SAST SUITE provides ideal support here. Our software helps you reduce the required effort dramatically and save you a lot of time.

In addition to technical analyses, you also get recommended actions, including a project schedule that is custom-tailored to your systems, as well as a detailed expense estimate. This level of in-depth consideration means that every authorization project is destined to be a complete success.

Conceptualization and rollouts

Authorization concepts for SAP ERP and SAP S/4HANA systems: A well-conceived authorization concept is the cornerstone for protecting your SAP systems – and a major contributor to your business success. Our experts know exactly where more attention is needed in both SAP ERP and SAP S/4HANA systems.

Authorization concept and rollouts (ERP) During the redesign of your SAP authorizations, we give you the opportunity to try new ways of doing things and to introduce transparent authorization assignments from start to finish. Not only will this help keep your administrative expenses down, but also enable you to meet the legal requirements of today and tomorrow. Our motto is “as much as needed, as little as possible.”

The constant expansion of the number of users and authorizations means it is increasingly difficult to make the appropriate assignments. Over time, role content has changed and the wide variety of transactions and authorization objects has only become more sophisticated. Often, it is no longer possible to easily keep track of it all. Also consider that your identity management processes might no longer be up to date. This is in addition to increasingly strict compliance requirements with regard to critical authorizations and SoD (separation of duties) conflicts.

Our method is standardized and largely automated in the SAST SUITE. Workflows guide you through the project and lead you reliably to its conclusion.

Of course, we will also support you with the implementation and rollout of your new authorization concept.

Your benefits: Thanks to our experts’ years of experience and our Safe Go-Live approach, you do not have to worry about any constraints on your day-to-day business. The SAST SUITE supports you through all project phases and ensures a high level of quality. Whether project coaching or partial or complete assumption of your activities – our agile project models can be tailored to your individual needs.

Your advantages at a glance:

  • You will meet all requirements to the satisfaction of internal and external auditors
  • Automatic generation of roles saves you from deriving them manually
  • Authorization are granted based on tool-supported analyses of actual user behavior
  • Process-related, completely SoD-free template roles ensure the success of your project
  • Prefab concept templates give you a leg up on documentation
  • Our modular approach means you have the greatest possible flexibility in the project phases

For more information, see our Success Story: NORDWEST Handel AG. 

We can also execute projects using other, already available software solutions upon request.

SAP S/4HANA migration One of the greatest challenges currently facing all SAP administrators is the need to migrate authorizations to SAP S/4HANA. In our experience, we find that many companies don’t truly realize how many differences there are between SAP ERP and SAP S/4HANA until after the project kickoff.

SAP security is often ignored almost completely during a migration.

Why is an S/4HANA migration impossible without also redesigning your authorizations?

  1. SAP S/4HANA is an entirely new software solution, not an extension of SAP ERP.
  2. Familiar transaction codes have been eliminated as a result of change process flows, have different content, or have been replaced by new transactions or Fiori apps.
  3. The many new and announced Fiori apps have to be incorporated in the roles and SoD checking rules or deleted completely. The SAP Fiori App Library and Simplification Lists represent the foundation for this. At the same time, these information sources are very large and the time required to match needs is lengthy.

With the SAST SUITE, the technical migration of your authorizations to SAP S/4HANA is standardized. The solution is also capable of automated preparations, relieving you of a large part of the conversion work. Our experienced consultants will also look after your individual requirements and ensure a targeted, successful conversion of your authorizations.

We offer a variety of approaches to a successful SAP S/4HANA migration:

Brownfield approach: Transformation of existing roles from your legacy system

  • Compares your roles with the impact associated with SAP S/4HANA migration
  • Addition of Fiori apps (optionally in new front roles or existing roles)
  • Deactivation of obsolete transactions
  • Selective deactivation of unused transactions
  • Comparison with your current authorization proposal values (SU24)
  • Smooth go-live with SAST Safe Go-Live Management

Greenfield approach: Redesign your SAP authorizations based on changed processes

  • Create a process-role model based on our best practice approach in combination with the authorization trace in the SAST SUITE
  • Take your SoD rule set into account in the changed SAP S/4HANA business processes
  • Tailor-made redesign through use of the SAST SUITE
  • Support for audit-compliant design with our best-practice templates
  • Testing support and smooth go-live with SAST Safe Go-Live Management

Selective data approach: Redesign your SAP authorizations based on current processes

  • Analysis of transactions used in the legacy system as the basis for the new concept
  • Develop a new, custom-tailored, workplace-specific reference model with support by the SAST SUITE
  • Take the changed SAP S/4HANA business processes into account in your new roles and SoD rule sets
  • Support for audit-compliant design with our best-practice role templates
  • Smooth go-live with SAST Safe Go-Live Management

When designing your SAP S/4HANA authorization concept, the quality of your current roles and your internal objectives are the deciding factors for determining whether the brownfield, greenfield, or selective data approach is right for you. Talk to us about using a pilot authorization study to make your decision.

One advantage from your migration project with us: the SAST Safe Go-Live approach. This is how we ensure that the authorization structures behind the Fiori apps are transparent for your S/4HANA system, which intertwines both the SAP Fiori front end and the SAP back end server. When you execute the report, you gain a detailed record of user activities and a code analysis.

Your advantages at a glance:

  • We analyze your existing processes, roles, and authorizations with our SAST SUITE, checking for reusability, critical authorizations, and SoD risks
  • Full transparency of functions you use through the comprehensive analysis functions in the SAST SUITE
  • Concept proposal for transforming your current authorizations and/or creating new, tailor-made SAP S/4HANA roles
  • Update your SU24 values on SAP S/4HANA
  • Configure your SAP Fiori authorizations
  • Automated role generation with SAST Role Management
  • Smooth go-live

Our SAP Security Consultants help you identify and eliminate any security vulnerabilities on the application server, your operation system, and your databases.

SAST SUITE: SAP Role Management
SAP Solution Manager authorization design With its many features and tools, SAP Solution Manager supports enterprises in organizing both the structure and operation of their SAP landscapes. All business processes are taken into account. Due to its key position in the SAP system group at every enterprise, it requires an appropriate, long-term authorization design.

SAP Solution Manager can play a key role in shaping an SAP S/4HANA implementation project. Release 7.2 was designed to meet all the major challenges that can arise during an SAP S/4HANA implementation and adapt the business processes to the digital requirements. It unifies the design and documentation of business processes, for example, and supports with change and release management.

We’ll help you implement an extensive security concept that protects your system against unauthorized access at the database, network, and front end levels.

Your advantages at a glance:

  • Secure operation of your entire SAP landscape
  • Compliant handling of change management (cHARM)
  • Solution documentation
  • Processing of SAP S/4HANA implementation projects
SAST SUITE: Safe Go-Live Management for trouble-free authorization projects
SAP emergency user concept A good emergency user concept can safeguard your system in the case of unforeseen events. It gives you permanent access to an exclusive user ID with extended authorizations. Emergency users are also helpful for regular, everyday IT support, since all activities are logged audit-compliantly and are available for review at all times.

We have our own, proven project methodology to create and implement SAP emergency user concepts in SAP systems. SAST Superuser Management supports you with monitoring your emergency users in an efficient, audit-compliant manner.

Have you already implemented other solutions or even the SAP standard? Our consulting expertise covers these cases, too.

Here's what we can offer:

  • Analysis of existing documents (emergency user concepts)
  • Definition of emergency user scenarios and responsibilities
  • Creation and enhancement of an emergency user concept
  • Technical realization
  • End user training

Your benefits with SAST Superuser Management:

  • Flexible configuration of emergency user scenarios
  • Flexible access methods (possibly including approval procedure)
  • Full transparency of activities performed
  • Audit-compliant method
  • Self-explanatory, user-friendly tool

Optimization and cleansing

Optimize your SAP authorizations: In some cases, the redesign of authorizations is not possible. At the same time, companies often face the need to mitigate risks in existing roles and processes, as well as the desire to minimize their SAP license fees. No matter what your motivation, we’ll be happy to support you with optimizing and cleansing your SAP authorizations.

Cleansing of SoD (separation of duties) risks SoD conflicts in your authorizations can enable fraud, such as the embezzlement of company funds. The internal control system is responsible for controlling and managing authorization risks. Due to their high level of complexity, however, these tasks pose a major challenge. Herausforderung dar.

We are specialists in supporting our customers with managing SoD risks. We focus primarily on minimizing them from the start and then managing the residual risks through process monitoring. In our experience, user authorizations often grow over time. As a result, unnecessary authorizations can be reduced by around 75 percent in most cases, without even coordinating with specialist departments or the users themselves.

The SAST SUITE offers an extensive, certified SoD rule set to eliminate separation-of-duty conflicts. We will be happy to support you no matter what software solution you use.

Overview of our project methodology:

  • Definition of the review scope
  • Identification of SoD risks at the user and role level
  • Analysis of transactions and roles used
  • Developing a cleanup proposal
  • Reduction of risks at the user level
  • Establish a periodic control process
  • Identify process checks to mitigate residual risks*
  • Documentation of process risks*

*Optional/recommended project steps

We have standardized the elimination of SoD risks in a project methodology. Of course, this methodology also allows maximum leeway for your individual requirements.

Your advantages at a glance:

  • Minimize the likelihood of fraudulent activities
  • Meet all requirements to the satisfaction of internal and external auditors
  • Standardized, efficient project methodology
  • Use of an extensive SoD rule set if the SAST SUITE is used
Elimination of critical authorizations (auditor findings) For many companies, the next step after an audit or the annual audit acceptance is often to redesign their authorization management. Frequently, authorization objects or transactions that are defined to be too comprehensive are identified – whether they arose due to unawareness of their criticality or an intentional decision to avoid disruption of daily operations.

Our customers' requirements regarding quality, the time involved, and of course, their project budget often differ greatly when it comes to planning this kind of cleanup project. No matter what your own priorities are in authorization projects, we offer solutions designed to meet every requirement to the letter.

All these projects have one thing in common: Our experienced consultants use the solutions from our SAST SUITE to cleanse your critical authorizations. For you, this means we achieve a cleansing rate of up to 95 percent – and we can also analyze the actual use of critical object values across all users.

One of the biggest challenges faced in a redesign project is ensuring the continuity of normal business operations. With our SAST Safe Go-Live Management approach, this concern is now a thing of the past. If unintended error situations occur, we enable your users to help themselves in just seconds, through a fallback user process.

Your advantages at a glance:

  • Standardized project methodology to cleanse critical authorizations, taking your individual requirements into account
  • Meet all requirements to the satisfaction of internal and external auditors
  • Authorization requirements are based on tool-supported analyses of actual user behavior
  • Our modular approach means you have the greatest possible flexibility in the project phases
  • Smooth conversion of authorizations thanks to the SAST Safe Go-Live method
SAST SUITE: SAP Vulnerability Assessment
Cleansing of technical SAP users (RFC/batch) In practice, technical users such as RFC users or system users for background (batch) processing are equipped with extensive authorizations. In our experience, this often leads to significant risks, even including abuse of RFC interfaces if the technical SAP users are not protected sufficiently.

For this reason, auditors are increasingly insisting that technical users not be granted blanket authorizations such as SAP_ALL. Ideally, users will have only the minimum needed authorization objects and values, and an ongoing process will verify this. There are also dynamic use cases, however, in which it is unclear which objects will be needed in the future. With our standardized methodology, we can support you with analyzing the authorizations of your technical system users and defining them in line with your specific needs. To do so, we recommend using the SAST SUITE for analysis, implementation, and a smooth go-live.

Your advantages at a glance:

  • Meet all requirements to the satisfaction of internal and external auditors
  • Automatic generation of roles saves you from creating them manually
  • Authorization are granted based on tool-supported analyses of actual object usage
  • Our modular approach means you have the greatest possible flexibility in the project phases
Minimizing transactional access with SAST Self Adjusting Authorizations Do you want to minimize authorization accesses, particular the execution of highly critical transactions, but lack the time and budget for this type of redesign? SAST Self Adjusting Authorizations let you do so in nearly no time at all, giving you clean authorizations with custom-tailored roles – without impacting your day-to-day operations.

To begin, all you need is the SAST Self Adjusting Authorizations and a brief introduction to their use. Our experts support you with the installation and concept, make sure they are configured in accordance with the concept, and remain available for questions at all times after the tool is activated. The software takes care of all the rest for you: During the learning phase, the novel technology logs the transactions used by defined users. In the subsequent production phase, the execution of additional transactions is blocked and requires approval (via electronic workflow) for activation. You can set up a blocklist to prevent the execution of especially critical transactions, such as SE16, SM30, SA38, and others, immediately for certain groups of users.

The procedure is flexible and can be implemented in a very short time. Please feel free to contact us with any questions you might have.

SAP license optimization The annual SAP license fees result in large part from the number of purchased user licenses. Yet experience shows that many of the purchased user licenses aren’t needed at all. Deactivate inactive users and reduce your SAP license fees to unleash enormous potential savings.

The SAP standard features a number of options for analyzing user activities. The information is widely distributed, however, and not optimized for this kind of analysis. With our proprietary SAST SUITE, we have optimized the procedure and are capable of generating comprehensive analyses that take all data sources into account. As a result, we can quickly identify users and recommend actions for restricting users, so they don’t pose an undue burden on your IT budget.

Overview of our project methodology:

  • Preliminary coordination with the customer
  • Installation of the SAST SUITE
  • Evaluation of system activities by user master records
  • Data aggregation and recommended actions
  • Locking user master records that are no longer needed

This procedure pays off twofold, because both the effort required and expenditures are very low compared to the license fee savings. In other words: Your expenditures usually pay off by the next SAP system measurement at the latest.

SAST Consulting: SAP system hardening
Optimize authorization default values (SU24) Are you monitoring the maintenance of your central administration transaction, SU24? If not, you’re in good company. Many companies face creeping vulnerabilities in the development process over time when it comes to maintaining authorization default values (SU24) for customer developments.

While the necessary authorization objects are added to roles, after the functional tests and findings regarding their necessity, but ongoing maintenance of transaction SU24, which is the foundation for smooth, efficient authorization management, is often lacking. As such, optimizing these values is essential to ensuring the consistent quality of your SAP roles.

Why is it so important to maintain these values?

Missing authorization default values will inevitably result in recurring errors during transaction execution. In turn, this results in process disturbances and delays, long response times, and increased effort by everyone involved. Last but not least, program terminations during processing can result in inconsistent data.

With the SAST SUITE and the expertise of our consultants, you can get your processes running smoothly again in nearly no time at all. Our software supports you with analyzing the required objects and values, together with the resulting implementation in transaction SU24.

Your advantages at a glance:

  • Automated analysis of required objects based on actual use
  • Evaluation and transformation of the dataset for transfer to the SU24 database
  • Automatic filling of SU24 tables

Monitoring and controlling

SAP security monitoring: Thanks to a variety of measures, you have lifted your authorization concepts up to a good, secure level. That’s an important first step. But it’s just as important to implement SAP security monitoring, to maintain this secure status for critical authorizations in the long term.

SAST SUITE Software-Tool for SAP Access Risk Analysis
Establish a stay clean process While risk monitoring has been established at many companies, our experience shows that it often plays a subordinate role. Day-to-day business is dominated all too often by security-relevant topics. Without periodic monitoring of authorization risks and the corresponding measures, however, you will quickly drop back to an insecure level.

To prevent this from happening, we will be happy to support you in establishing a stay clean process.

Overview of our methodology:

During the definition phase, all necessary check parameters are defined:

  • Check levels and suitable analysis tools
  • An enterprise-wide check policy for SAP
  • Periodic monitoring process for authorization risks and technical risks
  • Definition of responsibilities such as risk owners, data owners, and auditors

We use the subsequent implementation phase for the following:

  • Map the risks defined in the check policy in the corresponding evaluation tools
  • Configuring a periodic audit with the new check policy
  • Sensitizing the persons responsible to their future tasks in the new process

During the go-live:

  • We support you with the initial check runs
  • We work with you to resolve identified security-critical cases

Our SAST SUITE features a check policy with more than 2,000 checks in the areas of SAP authorizations, database, operating system, SAP configuration, and much more – helping you to implement the stay clean process quickly. And even if you use a different solution, our competent SAP experts will be happy to advise you on its use.


Bring your SAP authorizations to a new level! Arrange a non-binding consultation.

Get deeper into the topic by watching our webinar recordings!

That’s what our customers say:

"Instead of repeatedly ironing out unevennesses in the roll administration, we’ve used SAST SUITE to put our authorization structures on an entirely new basis. Besides saving time and money over the long term, we no longer have to worry about our legal compliance."

Success Story "Authorization Management - legal certainty and correctness"

— Stefan Lendzian

"With the help of the SAST experts and the Safe Go-Live approach, around 50% of the users that were created could be identified as inactive and easily deactivated. At the same time, the authorization project reduced the risks by up to 70% and thereby significantly improved security."

Logo SAST SOLUTIONS customer Stadtwerke Essen
— Stadtwerke Essen

Further SAST CONSULTING Services

Privacy settings

Click »Info« to see a list of the used cookies. You can give your consent to the required cookies or statistic cookies. The selection is optional. You can change these settings or delete the cookies in the browser at any time. If you select the »Statistics« option, your opt-in consent also extends to processing in the USA, which is considered by the European Court of Justice as a country with an insufficient level of data protection. Please find further information in our privacy statement.

In this overview you can select and deselect individual cookies of a category or entire categories. You will also receive more information about the cookies available.
Group external media
Name YEXT -Search
Technical name yext
Provider Yext GmbH
Expire in days 0
Privacy policy https://www.yext.de/privacy-policy/
Use Enables intelligent search via YEXT.
Group statistics
Name Google Repcatcha
Technical name googleRepcatcha
Provider Google LLC
Expire in days 0
Privacy policy https://policies.google.com/privacy
Use Protect from spam.
Name Google Maps
Technical name googleMaps
Expire in days 6491
Privacy policy
Use Enables the use of Google Maps.
Name ClickDimensions
Technical name cuvid,cusid,cuvon,cd_optout_accountkey
Provider ClickDimensions
Expire in days 730
Privacy policy https://clickdimensions.com/solutions-security-and-privacy/
Use Cookie from ClickDimensions for website analysis. Generates anonymous statistical information about how the visitor uses the site.
Name YouTube
Technical name youTube
Expire in days 0
Privacy policy
Use Enables the use of the Youtube video player.
Name Google Analytics
Technical name _gid,_ga,1P_JAR,ANID,NID,CONSENT,_ga_JT5V6CR8ZH,_gat_gtag_UA_133169400_1,_gat_gtag_UA_141664271_1,_gat_gtag_UA_127185455_1,_gat_gtag_UA_127561508_1,_gat_gtag_UA_194226577_1
Provider Google LLC
Expire in days 730
Privacy policy https://policies.google.com/privacy
Use Cookie by Google for website analysis. Generates anonymous statistical data about how the visitor uses the website.
Group essential
Name Contao CSRF Token
Technical name csrf_contao_csrf_token
Expire in days 0
Privacy policy
Use Serves to protect the website from cross-site request forgery attacks. After closing the browser, the cookie is deleted again.
Name Contao HTTPS CSRF Token
Technical name csrf_https-contao_csrf_token
Expire in days 0
Privacy policy
Use Serves to protect the encrypted website (HTTPS) against falsification of cross-site requests. After closing the browser the cookie is deleted again
Technical name PHPSESSID
Expire in days 0
Privacy policy
Use PHP cookie (programming language), PHP data identifier. Contains only a reference to the current session. There is no information in the user's browser saved and this cookie can only be used by the current website. This cookie is used all used in forms to increase usability. Data entered in forms will be e.g. B. briefly saved when there is an input error by the user and the user receives an error message receives. Otherwise all data would have to be entered again
Technical name FE_USER_AUTH
Expire in days 0
Privacy policy
Use Saves information of a visitor as soon as he logs in to the frontend.
Copyright akquinet enterprise solutions GmbH. All Rights Reserved.