SAP system entitlement and role audit

We offer solution that enables analysis and security audit of entitlements and roles within the organization’s SAP system. These functions help to enforce security rules, decrease overall number of roles and refactor existing entitlements. The solution may also contribute to supporting user-roles assignment approval process with predefined workflows.

Customers would benefit from large auditing capabilities that allow performing SAP audits on regular basis. Similarly to SAP GRC tool, our solution can be used to prepare organization for an internal audit. Using the automatic checks and defined set of security rules maintains the SAP environment in compliance with organization policies.

To implement our solution, we use CA GovernanceMinder (GM) application that reads SAP entitlements including roles, authorization object values and transactions. The application also loads user data and user-roles assignments and then creates consistent analytical model.

GM Application consists of web portal server and also thick client for data analysis. SAP endpoint is connected for read-only querying via standard SAP BAPI interface. Using this interface eliminates additional SAP configuration costs or transporting data through SAP XI. All solution components would be located on your site.

Data analysis

Data imported to GM from your local SAP system can be inspected and analyzed using the advanced algorithms. Analysis includes:

  • Various data views and perspectives across all imported entities including links, hierarchy and time validity of the assignments.
  • Ability to find users with same or similar set of entitlements.
  • Ability to find users with excessive amount of entitlements.
  • Unused roles or objects can be reported.
  • New roles creation or refactoring of existing roles is possible with statistical algorithms support.
  • Finding duplicate roles with same/similar links to authorization objects and transactions.

Segregation of duties

Our solution offers the ability to define and enforce set of security rules based on your role model entities. These logic constraints can help in preparing your organization for SAP audit.

  • Rules based on users – some users are not allowed to possess certain roles, authorization objects or transactions. That can help organization to scope the usage of their roles – certain roles are limited for defined departments for instance.
  • Exclusive rules may define that some entitlements may never be assigned together to a single person. This is powerful tool to segregate responsibilities in your organization (SoD).
  • Apart from restrictive rules, it is possible to define logic that assigns users to their roles based on user attributes. That way, you can easily suggest mandatory roles for certain user groups.

SAP system entitlement and role audit

Defined rules are applied to the data imported from your SAP within the audit process. Consequently, the audit card is created in the GM application. Audit card contains all the violations found during the import. Violations can be handled in many different ways – apart from fixing the problem in the SAP (e.g. removing role from user), each entry in the audit card can be commented, mitigated or ignored within the given time frame. Every action done in the GM audit process is logged and responsible approver can be tracked back in time. The GM import process can be set up to make periodical audits automatically and you only need to check the resulting card for new violations. This is especially helpful in organizations where SOX, SoD or unbundling regulatory rules are applied. 


Certification allows organizations to put their roles and assignments into approval process to ensure that no user has excessive or unapproved entitlements. GM application offers bult-in workflows in which responsible approvers decide over the endpoint entities:

  • User-Role assignment can be certified from user or role perspective
  • Role-(Authorization Objects/Transactions) links
  • Role-Role hierarchy

SAP system entitlement and role audit

Certification is usually periodic process that can take place e.g. every 6 months. Also GM can be configured to receive and approve user request for role assignment. The result of certification and approver decisions are saved within the GM application and used to export changes to SAP or Identity Management product.


Solution based on CA GovernanceMinder application helps organizations in achieving better SAP security auditing, as well as in efficient role modelling and analyzing. The level of analysis goes as deep as SAP authorization object values and transactions. Thanks to many features such as SoD rules or certification campaign, this solution helps organizations to maintain compliance with regulatory requirements, prepare critical infrastructure for internal audit and optimize existing role model. User friendly interface in web portal and individual settings are great advantage of the product. While using the standard SAP interface, application can be installed and configured easily so first benefits come soon.

Products and solutions

  • CA GovernanceMinder

Request form

Fields marked * are required

Přejít na začátek stránky


© Copyright 1998-2011 AMI Praha a.s., powered by AMIGO CMS