Cleaning Up SAP Authorisations: A Pragmatic Guide
A step-by-step approach to bringing order to historically grown authorisations.
Read more →In almost every SAP system that has been in operation for more than five years, there are hundreds – sometimes thousands – of roles that nobody fully oversees any more. Which ones are actually used? Which contain critical authorisation combinations? Where do SoD conflicts lurk? The classic answer has been: a manual review that takes weeks and produces an Excel spreadsheet that’s already outdated by the next change.
We do it differently.
The Problem: Complexity That Overwhelms Humans
A typical SAP production system has 500 to 3,000 roles. Each role contains dozens to hundreds of authorisation objects with various field values. The combinatorics are enormous: to check all possible SoD conflicts between all roles, millions of combinations must be evaluated.
A consultant can do this manually – for a handful of roles. For the entire system, it takes either months or a different approach.
Our Approach: AI as an Analysis Tool
We don’t use AI to make decisions – but to structure the data flood, recognise patterns and suggest priorities. Specifically, this works in three steps:
1
Data Extraction
Automated export of all roles, authorisation objects, field values, user assignments and usage data (transaction traces). No manual Excel exports – standardised extraction via SAP standard tables.
2
AI Analysis
The AI searches the data for defined patterns: SoD conflicts against a configurable rule set, oversized roles (wildcard authorisations, unused authorisation objects), duplicates and near-duplicates, unusual authorisation combinations that indicate copy-paste errors.
3
Prioritised Report
The result is not a 200-page PDF report but a prioritised action list: critical findings (act immediately), important findings (plan) and optimisation potential (when convenient). Each finding includes the affected roles, users and a solution suggestion.
What AI Finds – And What It Doesn’t
Typical results of an AI-powered role analysis:
30–40%
of roles are unused or duplicates
60–80%
reduction of SoD conflicts through prioritisation
Hours
instead of weeks for the initial analysis
Important: AI delivers analysis and suggestions – not decisions. Whether an SoD conflict is resolved through role separation, a compensating control or a conscious acceptance is always decided by humans. That’s not a disadvantage – it’s the core of our approach.
What AI Does Not Replace
- Business evaluation: AI recognises patterns but not business context. Whether a user actually needs their authorisations depends on their role in the organisation – only the business department knows that.
- Process design: A new authorisation concept requires understanding of business processes, organisational structures and regulatory requirements.
- Change management: The best roles are useless if they’re not accepted by users.
Data Protection and Transparency
- Analysis can be performed on-premise at the customer’s site – no data needs to leave the organisation
- Where cloud analysis is used: only pseudonymised data, no personal information
- All results are traceable – no black-box approach
- On request, we provide the complete analysis path for every single finding
Conclusion
AI-powered role analysis is not a future topic – it’s available today and proven in practice. It doesn’t replace the experience of an authorisations consultant, but gives them a tool that accelerates manual analysis by a factor of 10–50. The result: faster results, better decision bases and audit-ready documentation.
Related Articles
SAP Security Hardening 2026
The 10 most important measures for your SAP security.
Read more →Need support with this topic?
We help you with implementation – from analysis to go-live.
Get in touch