Why Implementing SAP Access Control Alone Is Not the Panacea to Your SAP Security Issues

  • by Alex Joseph, SAP GRC Practice Manager, itelligence Group
  • August 21, 2012
See how a railroad company redesigned its SAP security roles to ensure that these roles align with its internal controls pertaining to segregation of duties.


Many companies implement SAP Access Control to address rampant segregation of duties (SoD) issues across their enterprise. They hope to remediate these SoD issues by analyzing the current violations, mitigating access risks by redesigning their SAP security roles and applying adequate compensating controls, and preventing future violations by proactively monitoring changes to user access. Companies also want to streamline their user provisioning by automating the process while monitoring access risks and ensuring proper approvals are obtained.

What many companies do not realize is that these efforts might be stymied because of a suboptimal role design in their SAP systems. If companies don’t address the underlying role design, remediating existing violations and implementing an automated tool for user provisioning become a Sisyphean effort.

I illustrate via a case study how a major railroad company redesigned its SAP security roles and implemented the full suite of SAP Access Control in 16 weeks to get to a clean state.

Alex Joseph

Alex Joseph is an SAP GRC practice manager at itelligence. He has more than 11 years of broad SAP experience across multiple industry verticals and SAP applications, including SAP security, GRC, logistics, and SAP Global Trade Services.
