Authorisations in SAP systems have a natural tendency to accumulate: employees change departments, take on additional tasks or are given temporary authorisations for projects – which nobody removes afterwards. Without regular recertification, risk grows continuously. This article describes how to establish an effective recertification process.
Authorisation recertification is the regular review of whether assigned authorisations are still appropriate for what the user currently does. Compliance frameworks require periodic access reviews: SOX through its IT general controls, ISO 27001 through the Annex A control on reviewing user access rights, and GDPR as part of the appropriate technical and organisational measures for securing personal data. But beyond compliance, there are good reasons: reducing SoD conflicts, minimising the attack surface and identifying orphaned user accounts. Reviews of typical SAP systems regularly find that 15–25% of authorisation assignments are no longer needed.
The optimal frequency depends on risk assessment: critical authorisations (SAP_ALL, emergency users, administrative roles) should be recertified monthly or quarterly. Emergency-user (firefighter) sessions should additionally be reviewed individually from their logs, not only in the periodic cycle. Standard authorisations typically require an annual review. Technical users (RFC, batch) should be reviewed semi-annually.
The scope includes: user-role assignments, role assignments to business functions, critical individual authorisations and technical users. Start with the highest risks and expand gradually.
A common mistake: the IT department recertifies authorisations it cannot actually assess. Define clear responsibilities: department heads recertify the authorisations of their employees, role owners review role definitions, and IT manages the process and provides technical analyses. This three-tier approach ensures the right people make the right decisions.
SAP GRC Access Control provides an integrated recertification workflow (User Access Review, UAR) that automates notifications, escalations and documentation. Without GRC, you can support the process with standard tools: SUIM reports for user-role assignments, queries on table AGR_USERS for role assignments with validity periods (FROM_DAT, TO_DAT) and last change date, RSUSR002 to find users holding specific authorisation values, RSUSR008_009_NEW for critical authorisations and critical combinations, and the last-logon fields in USR02 (TRDAT) to find inactive accounts. None of these show whether an authorisation is actually used; for that, evaluate the ST03N transaction profiles or the authorisation trace (STAUTHTRACE).
Even without GRC, parts of the process can be automated: automatic identification of users whose role assignments changed since the last recertification (AGR_USERS change date), automatic detection of users who have not logged on for 90+ days (USR02 last logon), automatic lock lists for departed employees through HR integration and automatic reports for department heads listing their employees' authorisations.
Usage-based approaches go further: by comparing the transactions and authorisations a role grants with what the user actually executed (ST03N transaction profiles, authorisation trace), unused assignments can be identified automatically and proposed for removal; AI-supported tools build on the same data. Check the observation window against seasonal tasks such as year-end closing before removing a role that simply was not needed in the last quarter.
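The following script is an added example of the non-GRC tooling and automation described in the two paragraphs above; it is not code from the article. It assumes the relevant columns of AGR_USERS and USR02 have been exported (SE16 download or a database connection) and loaded into SQLite, and uses a hypothetical HR_MANAGER table as a stand-in for the HR feed that maps each user to the responsible manager. All rows, role names and user names are constructed sample data.

```python
"""Recertification worklist from SAP table extracts.

Added example, not code from the article. Assumes the listed columns of
AGR_USERS and USR02 were exported (SE16 download or a DB connection) into
SQLite; HR_MANAGER is a hypothetical stand-in for the HR feed that maps each
user to the responsible manager. All rows below are constructed sample data.
"""
import sqlite3
from datetime import date, timedelta

# Dates are SAP DATS strings ('YYYYMMDD'), so plain string comparison orders them.
AGR_USERS_ROWS = [
    # AGR_NAME, UNAME, FROM_DAT, TO_DAT, CHANGE_DAT
    ("Z_FI_AP_CLERK",    "MUELLER",   "20230101", "99991231", "20230101"),
    ("Z_FI_AP_APPROVER", "MUELLER",   "20240315", "99991231", "20240315"),  # added after last recert
    ("Z_BASIS_ADMIN",    "BASIS_ADM", "20220101", "99991231", "20220101"),  # critical role
    ("Z_SD_SALES",       "SCHMIDT",   "20230101", "20240131", "20230101"),  # validity already expired
    ("Z_MM_BUYER",       "RFC_EDI",   "20230101", "99991231", "20230101"),
]
USR02_ROWS = [
    # BNAME, TRDAT (last logon), USTYP (A = dialog, B = system)
    ("MUELLER",   "20240401", "A"),
    ("BASIS_ADM", "20240402", "A"),
    ("SCHMIDT",   "20231201", "A"),  # no logon for months
    ("RFC_EDI",   "20240401", "B"),  # technical user, reviewed on its own cycle
]
HR_MANAGER_ROWS = [  # hypothetical HR feed: UNAME, MANAGER
    ("MUELLER", "FIN_HEAD"), ("SCHMIDT", "SALES_HEAD"),
    ("BASIS_ADM", "IT_HEAD"), ("RFC_EDI", "IT_HEAD"),
]
# Hypothetical critical role names. SAP_ALL is a profile, not a role: check UST04 for it separately.
CRITICAL_ROLES = ("Z_BASIS_ADMIN", "Z_FF_EMERGENCY")


def sap_date(d):
    """Python date -> SAP DATS string."""
    return d.strftime("%Y%m%d")


def load_extracts():
    """Create an in-memory database holding the three extracts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT, FROM_DAT TEXT, TO_DAT TEXT, CHANGE_DAT TEXT);
        CREATE TABLE USR02 (BNAME TEXT, TRDAT TEXT, USTYP TEXT);
        CREATE TABLE HR_MANAGER (UNAME TEXT, MANAGER TEXT);
    """)
    conn.executemany("INSERT INTO AGR_USERS VALUES (?,?,?,?,?)", AGR_USERS_ROWS)
    conn.executemany("INSERT INTO USR02 VALUES (?,?,?)", USR02_ROWS)
    conn.executemany("INSERT INTO HR_MANAGER VALUES (?,?)", HR_MANAGER_ROWS)
    return conn


def build_worklist(conn, today, last_recert, inactivity_days=90):
    """Return (user, role, reason) findings that need a reviewer decision."""
    findings = []
    cutoff = sap_date(today - timedelta(days=inactivity_days))
    # 1. Dialog users with no logon in the window (technical users have their own cycle).
    for (user,) in conn.execute(
            "SELECT BNAME FROM USR02 WHERE USTYP = 'A' AND TRDAT < ?", (cutoff,)):
        findings.append((user, None, f"no logon for {inactivity_days}+ days"))
    # 2. Role assignments added or changed since the last recertification.
    for user, role in conn.execute(
            "SELECT UNAME, AGR_NAME FROM AGR_USERS WHERE CHANGE_DAT > ?", (sap_date(last_recert),)):
        findings.append((user, role, "assignment changed since last recertification"))
    # 3. Assignments whose validity has ended but which were never cleaned up.
    for user, role in conn.execute(
            "SELECT UNAME, AGR_NAME FROM AGR_USERS WHERE TO_DAT < ?", (sap_date(today),)):
        findings.append((user, role, "validity expired, stale assignment"))
    # 4. Critical roles are always in scope, regardless of change date.
    marks = ",".join("?" * len(CRITICAL_ROLES))
    for user, role in conn.execute(
            f"SELECT UNAME, AGR_NAME FROM AGR_USERS WHERE AGR_NAME IN ({marks})", CRITICAL_ROLES):
        findings.append((user, role, "critical role"))
    return findings


def group_by_reviewer(conn, findings):
    """Route each finding to the manager from the HR feed; unmapped users go to IT."""
    manager = dict(conn.execute("SELECT UNAME, MANAGER FROM HR_MANAGER"))
    packages = {}
    for user, role, reason in findings:
        packages.setdefault(manager.get(user, "IT_UNASSIGNED"), []).append((user, role, reason))
    return packages


def run_demo():
    """Worklist for the constructed extracts as of 2024-04-15, last recertification 2024-01-01."""
    conn = load_extracts()
    findings = build_worklist(conn, today=date(2024, 4, 15), last_recert=date(2024, 1, 1))
    return findings, group_by_reviewer(conn, findings)


if __name__ == "__main__":
    findings, packages = run_demo()
    for reviewer, items in sorted(packages.items()):
        print(reviewer)
        for user, role, reason in items:
            print(f"  {user:<10} {role or '-':<18} {reason}")
```

The four queries correspond to the automation steps in the text; the per-manager packages are what the department heads receive. A real run would read the extracts from files instead of the inline rows, and the technical users excluded by the USTYP filter go into their own semi-annual cycle.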
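As an added example of the usage-based check just described (not code from the article or from any GRC tool), the script below compares the transactions each role grants with the transactions the user actually executed. It assumes two extracts: AGR_TCODES (the transactions in a role's menu) and a per-user set of executed transactions as you would take from the ST03N user profile for the review period. Role names, users and the usage data are constructed.

```python
"""Usage-based check of role assignments.

Added example, not code from the article. Assumes two extracts: AGR_TCODES
(transactions a role grants via its menu) and the transactions each user
actually executed in the review period, as taken from ST03N user profiles.
Both sample sets below are constructed.
"""
from collections import defaultdict

AGR_TCODES_ROWS = [  # AGR_NAME, TCODE
    ("Z_FI_AP_CLERK", "FB60"), ("Z_FI_AP_CLERK", "FBL1N"), ("Z_FI_AP_CLERK", "MIRO"),
    ("Z_FI_AP_APPROVER", "F110"), ("Z_FI_AP_APPROVER", "FBV0"),
    ("Z_MM_BUYER", "ME21N"), ("Z_MM_BUYER", "ME23N"),
]
ASSIGNMENTS = [  # UNAME, AGR_NAME (from AGR_USERS)
    ("MUELLER", "Z_FI_AP_CLERK"), ("MUELLER", "Z_FI_AP_APPROVER"), ("MUELLER", "Z_MM_BUYER"),
    ("WEBER", "Z_MM_BUYER"),
]
USAGE = {  # transactions executed per user in the period (constructed ST03N-style extract)
    "MUELLER": {"FB60", "FBL1N", "ME23N"},
    "WEBER": set(),  # no activity at all in the period
}


def role_tcodes(rows):
    """Map each role to the set of transactions it grants."""
    granted = defaultdict(set)
    for role, tcode in rows:
        granted[role].add(tcode)
    return granted


def usage_report(assignments, usage, tcode_rows=AGR_TCODES_ROWS):
    """Per (user, role): granted count, used count and a recommendation."""
    granted = role_tcodes(tcode_rows)
    report = []
    for user, role in assignments:
        tcodes = granted.get(role, set())
        executed = usage.get(user, set())
        used = tcodes & executed
        if not executed:
            # Nothing used at all: a question for the manager (leave? departed?), not a per-role cut.
            verdict = "user inactive in period"
        elif not tcodes:
            verdict = "review manually"  # role grants no transactions, e.g. only authorisation objects
        elif not used:
            verdict = "suggest removal"
        else:
            verdict = "in use"
        report.append((user, role, len(tcodes), len(used), verdict))
    return report


if __name__ == "__main__":
    for user, role, n_granted, n_used, verdict in usage_report(ASSIGNMENTS, USAGE):
        print(f"{user:<8} {role:<18} used {n_used}/{n_granted} -> {verdict}")
```

A fully inactive user is reported once rather than as a removal proposal for every role, because the right action there is a question to the manager. AGR_TCODES reflects the role menu; where S_TCODE values were maintained manually, read them from AGR_1251 instead, and keep in mind that ST03N retains only a limited history, so plan the extraction window to cover the review period.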
What happens when recertification reveals findings? Define a clear process: surplus authorisations are revoked after confirmation by the business department. Open findings are given deadlines and escalated. Compensating controls are documented for cases that cannot be resolved immediately. All results are archived in an audit-proof manner. Important: set realistic deadlines. A finding that has been open for three quarters demonstrates an ineffective process.
Measure the effectiveness of your recertification process with KPIs: response rate (proportion of reviews completed on time), change rate (proportion of authorisations changed or revoked), throughput time (days from notification to completion) and open findings (overdue actions). Report these KPIs regularly to management – transparency promotes discipline.
Authorisation recertification is not a one-off project but a continuous process. Start with the most critical authorisations, define clear responsibilities and automate step by step. The effort is worthwhile: less risk, better compliance and a clean authorisation system.