Demystifying SAP security

  • Marc Sel
  • Kristof Van Der Auwera


This article attempts to demystify the feature-rich SAP security functions, to demonstrate how they can cooperate to build a strong security posture, and how to avoid some classic pitfalls.

ERP systems continue to gain importance in the developed world, and while there are many alternatives to choose from (including competitive vendors as well as OpenSource projects such as Compierre), SAP is a major force in this field. Over the years SAP established a rich security model, including infrastructure aspects such as secure net-working and separation of production and non-production environments, but more importantly they also included all relevant Identity and Access Management aspects, as well as electronic signature aspects. As a result, a SAP customer is today facing a wide range of potential safeguards to chose from, each with their own cost/benefit ratio. However, it is generally accepted that application level securty is in the end more important than infrastructure security. The SAP authorisation model is at the heart of application security in FI, CO, HR, MM etc. It evolved over the years from a fairly simple, profile-based model with capabilities towards today's model that includes identities, roles, profiles and fine-grained authorisation object management. Dedicated authorisation objects have been estab-lished for the different functional areas within SAP, and various additional software components both from SAP and from external vendors can assist with building and managing SAP authorisations. Those include e.g. Virsa FF/SAP GRC, Axl & Trax (ex-CSI) and more recent CA’s ERCM. PwC also still maintains their own ACE review tool. Under the scrutiny of the ever increasing regulatory compliance, a company has to make the right options, or will face expensive mistakes. We will in this article address both the theoretical aspects of the SAP security model, including the authorisation model, and the more practical aspects as how to organise a SAP security project and how to tackle undesired side effects when implementing a real project.


Smart Card Internal Control Model Authorisation Management Authorisation Check Federate Identity Management 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements (available from
  2. SAP Berechtigungswesen, IBM Business Consulting Services, ISBN 3-89842-312-3, 2003Google Scholar

Copyright information

© Vieweg+Teubner | GWV Fachverlage GmbH 2010

Authors and Affiliations

  • Marc Sel
  • Kristof Van Der Auwera

There are no affiliations available

Personalised recommendations