SAP Role and User Administration: what are the metrics?

Posted by Marta Ortona on Apr 8, 2022 8:15:00 AM
Marta Ortona


How does one know if you have set up a good authorization concept in SAP??

02 Infografica


What are the metrics and how to best exploit them? Does a SAP Security Score exist? 

Let’s start with professional figures

What does it mean?


When reviewing or designing authorisations in SAP systems, you should think for professional figure or job role


The aim is to avoid the creation of roles or qualifications which are:

  • exclusive for each user, ad personam
  • presence of unjustified duplication, photocopy roles
  • limitation of redundancy of SAP transactions. They should be in as few roles as possible 
  • the number of professional figures should be between 10% and 30% of users defined by system


The authorization objects

What are they and how should one reason?


They’re used to segregate specificities within SAP transactions.


Let's make an example


Through the transaction to create sales orders I would segregate who can manage or see certain types of sales document from others. Can I do that? 


Yes, through the authorization objects. There are more than 3000 authorization objects that control the various SAP transactions. They are often in common with other transactions.

It is therefore important that they are properly managed in order to avoid improperly assigning permissions to users.


But how to think then? Do I have to know them all? Do I have to manage them all anyway?

No. Often there are few objects to handle.


You have to focus on what you really need. The management of these objects involves a significant maintenance.


The average of the authorizing objects actually used is 15 on more than three thousand


Segregation of duties management

What is this about? Learn more here 


How and how many? Let’s start from the number of risks. On average 114 risks are recorded within the risk matrix.

Attention, this, as the various present metrics, depends on the structure of the company, on how many modules and systems it has active. 

It can certainly be useful to start with few risks and increase thereafter, after tackling all the various phases of a segregation of duties management project: 

  • Risks definition
  • Risk analysis
  • Remediation
  • Mitigation
  • Continous Compliance


Often the phase of Mitigation and Continous Compliance are underestimated. Actually these phases could be separate projects.


Also the number of SAP transactions involved is definitely an indicator. Of course it depends on how many modules you are using, how many systems involved, and so on... but on average SoD matrix can have 600 transactions. In SAP ECC the number of transactions defined is more than one hundred thousand.


All custom transactions are aspect related to transactions not to be underestimated. These must also be considered. Very often it's possible to find situations where a custom transaction is more critical than one or more standards.  


Why this? 


At the request of the various business departments or to make life easier for users, are defined transactions that allow more operations


Unfortunately the union of more activities (which in the standard could fall into different transactions) can lead to the generation of custom transactions "self conflicting": who possesses that transaction becomes automatically at risk.  


In such cases, it must be consider therefore such situations that may arise.


Within Sod all custom transactions that have an impact on the SoD relevant processes shall be included. So in writing or editing.


SAP custom transactions

It could be analyzed from different points of view. Let’s start with the volumes in the absolute sense. It goes from customers with 500 custom transactions to more than 5000.


We are talking about transactions that are actually used, not just those that are defined by system. In the latter case the number could be even greater. 


The following graph shows for a subset (20) of the companies analysed above, divided by sector (Automotive, Bank, Betting, ICT, Manufactoring, Media, Pharma, Utility) the number of:

  • SAP defined and active custom transactions (all the transactions that begin with Z* o Y*)
  • used custom transactions
  • used standard transactions



If the orange column is equal to the blue column it means that all the defined custom transactions are in use. Otherwise, if the Orange column is higher, many of the active custom transactions are not actually used.


Have you blocked the custom transactions defined but not in use? 


Blog post originally translated from:


Iscriviti al blog se ancora non lo hai fatto!









Topics: User Access Management, sap custom, autorizzazioni sap, Statistiche security SAP

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all