Access Governance in SAP Systems

  • by Meta Hoetjes, SAP Security Expert, CSI-tools
  • December 31, 2013
Follow a brief primer on what access governance is and how it should be implemented in organizations using SAP systems.

Access governance is defined as how to be in control and keep being in control of access to data. Access governance is very critical, especially for SAP systems because SAP systems store and manipulate highly confidential and business-critical data.

Companies are aware of the need to have adequate access governance implemented for their SAP systems because of laws, rules, audit results, or lessons learned. Recognizing this need for access governance is the first step, but how do companies implement good access governance? A good starting point can be the annual audit report.

Most companies start their access governance by dealing with the segregation of duty (SoD) conflicts and structuring the access request process because these items seem to be most important in the report. I agree that these items should definitely be covered within access governance, but SoD reporting and enforcing access request procedures do not make up for access governance.

SAP access governance is managing people’s access to SAP data using users, enterprise roles, composite roles, single roles, transaction codes, authorizations, reference users, SU24 settings, operating company values, derived roles, security base lines, critical access rights, and SoD. Different layers within a company, such as corporate management, business management (and subsidiaries), internal control, corporate IT, local IT, internal audit, and external audit, need to manage these items. These various departments within a company also need to remember to include the change drivers such as rollouts, upgrades, support tickets, new access rights, review access rights, new compliance rules, mergers and de-mergers. Last but not least, defining the management processes must include ownership, communication channels, and policies.

This is what makes access governance so difficult. The SAP security concept is very complex, and there are many doors (both front and back) that lead to access and manipulation of critical and confidential data.


Meta Hoetjes

Meta Hoetjes is an SAP security expert at CSI-tools. She has been active on the SAP auditing field since 2002 and supports clients and users with knowledge and training. CSI-tools provides companies with easy-to-use and easy-to-implement security and audit applications for SAP to maintain and to monitor their SAP authorizations independently.


See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.