
SAP Access Control Management




SAP Authorization Management (Access Control Management) is a key element in ensuring that the data that flows through your business processes remains intact and complete, and delivers the right information to the right set of people working in your business. This means that the overall security of your SAP system depends significantly on the authorizations assigned to users and the access those authorizations give them.

We have brought all our many years of SAP experience into our products, automated everyday processes that take up a lot of time and resources in companies manually step by step and centralized them in one product. Thus, we can help companies to guarantee SAP compliance and to always keep an eye on SAP security by using the various parts of SAP-GRC. The whole topic is complex, and companies often act very differently. However, the result, a guaranteed SAP compliance, is the common goal.  

Making the life of end users simpler, faster and smarter.



An optimized SAP GRC concept allows you to improve your company's operating efficiency, which keeps you ahead of your competition and ensures that your customers get to enjoy products when they want them. The speed with which you can satisfy consumer demand makes the difference between a successful, growing company and one that gets left behind by the competition.

What are the strategic factors behind ensuring an optimized SAP GRC?

The most important step is to react quickly to changes, which is what ultimately gives you the edge over the competition. However, it is only possible to react quickly if critical changes in the system landscape are made transparent as soon as they occur, and if they are eliminated immediately or the responsible persons are notified. This is exactly where a good authorization tool comes in with its various tools to make each individual risk area transparent, to prevent dangers and to provide employees with an instrument to permanently maintain SAP GRC and SAP Compliance or to restore them as quickly as possible.



All companies want to optimise their SAP GRC concept, but how can they do this when every time SAP brings a new product to market it comes with a new authorisations concept?

In the early days, companies just kept on adding applications into the SAP landscape without considering the long-term implication on SAP Authorizations. This has proliferated and now with the significant development of cloud applications even more authorization concepts are required.

The question SAP CIOs are now asking themselves is: how can we consolidate all of our SAP Authorisations into a single Authorisations concept?

These are the two most important effects that need to be counteracted. Firstly, the permanent updating process in the operational processes, which makes permanent adaptation of the authorization concepts necessary, and secondly, the sudden influence of completely new processes or technologies. A complete area moves to the cloud. How must the authorization concept and the entire SAP GRC react? Here you should also find tools that can record and recognize these changes and process them with minimal effort.



Business changes are occurring at a rapid rate, and many external influences are changing the nature of business and the way we do it. Remote working, workplace changes and company reorganisations are almost everyday occurrences. How does the CIO keep control of his SAP security administration in this constantly changing environment?

A common challenge is to manage the “Movers Process”: reducing or extending an employee's SAP Authorisations to ensure that your business is able to operate at maximum efficiency.

Downtime on key employees is your enemy and you need to ensure that your workforce is able to execute their key processes with ease.

How does a CIO ensure that even with such changes they don’t break the security of the SAP Solution? We can show you how we ensure that this process is automated.



How much control do you really have over your costs within the SAP GRC process?

A key benefit of having the right SAP security expertise help your organization implement best practice across your SAP landscape is the identification of processes that can be reduced and/or eliminated, saving costs.

SAP GRC process automation is critical in your fast-paced business environment. Unnecessary manual steps create delays, costing your business the efficiency and cost effectiveness your customers deserve.

However, day-to-day business in most companies tends to point in a different direction. With the well-meaning goal of increasing or improving SAP compliance and SAP security in the SAP GRC processes, more and more processes are often introduced. In the worst case, these then begin to paralyze the business processes, delay important processes, because one is sure to intervene here in a regulatory manner. What often goes hand in hand with this is that the transparency of the processes and their control is lost, and one loses oneself in overregulation without really effectively establishing SAP compliance.

Take control using our setQ solution, which automates the SAP GRC process and streamlines your cost control.

Here, all important audit processes are already automated in 500 queries and can of course be adapted to company-specific processes or even extended. Unnecessary or paralyzing processes are identified and can be eliminated. In this way, you quickly regain the transparency and straightforwardness of your SAP audit processes and always keep them up to date.

WHITE PAPER – enhance your knowledge!

SAP Access & Authorizations

Learn how to manage your SAP GRC Authorizations




Most SAP GRC concepts have grown historically, creating an overbearing authorizations load on the business. SAP authorizations have been enhanced or new SAP authorizations have been added again and again. The result? Chaos. Administering them is not only very time-consuming, but also represents a great danger for your SAP system.

This chaos very often arises in the course of daily work, with the new SAP audit processes as already described above and through individual decisions that are often made, implemented and later forgotten under time pressure.

It is simply about the transparency of the daily work in the SAP GRC processes. This should be the core of a central platform because this is also where the greatest savings can be achieved. The authorization concept is made available centrally and globally for the entire landscape, roles are compiled here, monitored, updated if necessary and distributed. If this is done individually in the SAP systems, a corresponding benefit in SAP compliance and cost reductions will never be achieved.  

The solution is optimizing your SAP authorization administration: the time required for the management of SAP users and their authorizations is significantly reduced. In addition, your entire SAP system becomes more secure.

LESS IS MORE in the management of your SAP Security.



Four setQ managers to administer your SAP Authorizations

Create SAP roles centrally

A secure SAP authorization concept goes hand in hand with a transparent SAP role concept. Central role management enables simple and central administration of all roles in your SAP systems. It thus ensures transparency and comprehensiveness in your SAP role concept.

With central role management, the company has a tool in hand to design and create an authorization concept tailored to the company using standard roles that have been predefined once. Then nothing stands in the way of central distribution to all SAP systems.

Example: The entire authorization concept of a company must be permanently adapted to the changing company processes and the changing SAP security conditions. This permanently consumes resources and is only carried out sporadically or not at all in most companies because of the large time burden. Then, after a certain period of time, it has to be started all over again because "role proliferation" has torn huge SAP compliance holes over time and the auditor mercilessly uncovers this.

Central role management makes it possible to develop a fast and transparent new basis for the company, centrally from one place, without having to work in every single SAP system.

Reference Management

Most activities in SAP are recurring and are subject to only minor changes or adjustments over time. For this reason, consideration should be given to developing appropriate standard roles, adapted to the company-specific circumstances, and making them permanently available. In this way, reference roles are available at all times and transparency can be established more quickly and repeatedly in accordance with SAP compliance.

The biggest enemy of SAP compliance is the changes made to individual authorizations over time as a result of individual adjustments. These always occur directly in an individual SAP system and are therefore difficult or impossible to prevent. Central reference management provides an effective tool to counter this. If something does not fit the authorized role concept, it can either be prevented immediately or the desired changes are transparently included in the standard roles.

Central Extension Management

Often, a change in production, changes in the SAP security process or other influences require the adjustment of roles that are currently in use. The more widespread the role in question, the higher the potential risk of interfering with the production process in the event of an adjustment or reallocation. It is therefore of great importance to have a defined process for this, which runs as unnoticed as possible in the background and highlights conflicts for correction without any disruptions. Only when it has been ensured that the adjustment made can be used without problems should distribution or replacement take place.

To ensure this process, central extension management is unavoidable and important. This is the only way to centrally prevent small changes in individual SAP systems from resulting in confusing minor or major errors, which then have to be corrected afterwards in a very time-consuming manner, often accompanied by disruptions to company processes.

Reduction Management

Reduction Management checks the authorizations used by a user and creates a proposal as to which authorization assignments could be deleted. This removes unnecessary authorizations and, if necessary, saves licenses or reduces risks. Optimization suggestions are displayed in a clearly arranged cockpit.

SAP roles have a tendency to distribute authorizations that do not necessarily violate SAP compliance and SAP security but have contents that are never used. Furthermore, such unused authorizations can also very quickly lead to a compliance risk. Reduction Management eliminates this problem, automatically identifies unused authorizations, and allows you to adjust SAP roles without interfering with the production process. Updated roles run in parallel in the background until it is ensured that the update does not cause any problems with usage for the affected employees.

Example: Over time, the processes for a group of employees have gradually changed in such a way that additional warehouses have been added, in which the material flow of withdrawal and put away is organized. Two problems arose in this process. On the one hand, SAP compliance could no longer be maintained because of combination conflicts between the individual warehouses, and on the other hand, employees now had authorizations that they no longer needed. With a reduction management, the employees are divided into new organizational groups and it is determined which authorizations were no longer used. The result is SAP-Security compliant new roles, with significantly less content and now freed from unnecessary authorizations. This way, SAP compliance can be better supported through reduction.

Automated authorization assignment via web processes

The request for authorizations in SAP comprises at least two important pillars. Firstly, the functional requirements that enable the employee to work in SAP. Second, these requirements must be translated into roles and authorizations so that SAP compliance and SAP security are not violated. The first part is handled by the business department, while the second part is in the hands of system administrators, who often know little about the business requirements.

With an automated web process, transparency can be introduced into the entire application and authorization process, the application processes are accelerated, and the workload shrinks immensely.

Example: Approvers are defined centrally. These approvers are limited in their scope of authorization so that they can only approve what falls within their area of responsibility (e.g., a ward physician who is only allowed to assign authorizations to ward staff for his ward area). In this way, processes can now be automated. In the Web Manager, the approver can see which authorizations the person currently has. SAP compliance violations are displayed immediately if there are any unauthorized combinations. Procedures for such violations can be stored, as well as documented, or are completely excluded. In this process, the system administration area is initially involved once in the definition, after which regular operation takes place without their intervention and only the task of the "trouble shooter" remains here to maintain SAP security in SAP GRC.



SAP Access Control becomes all the more difficult the more extensive the SAP landscape is and the more different processes interlock.

The workload and the thicket in terms of SAP security and SAP compliance are becoming increasingly impenetrable. Here, help and automating technology is simply necessary to maintain or establish said SAP compliance and to minimize the effort required for this.

Exactly this task is taken over by setQ in various facets and depending on what is needed most urgently in the company, setQ can be installed or then extended later as it suits the company and according to what is needed for a robust SAP GRC.

All this with minimal effort and a very high level of automation.



It's all about good communication.

Whether you are already a customer, would like to become one, have a technical question, would like to work with us, or are interested in an investment: we are here for you!

Technical support:

We’ll help you out. Get connected with our support team at supq(at)voquzlabs.com or call us directly at one of the numbers below.

- American Customers: +19176364290
- All other regions: +4989925191260