Access risk analysis evaluates SAP user permissions and authorization objects against a risk ruleset to detect segregation of duties (SoD) violations, critical access exposure, over-privileged users, and organizational scope breaches. It is the foundation of access governance, a SOX/ITGC control requirement, and the core capability MTC Skopos delivers — at authorization-object depth, in minutes, on-premise.
Most SAP access risk problems are not "we don't know what to do" — they are "we cannot get answers fast enough to do anything about it." Enterprise GRC suites take hours to run an analysis. By the time the report lands, the role catalog has already moved. MTC Skopos was built to close that gap.
What is SAP Access Risk Analysis?
Access risk analysis (ARA) in SAP is the systematic evaluation of user permissions to identify access-related risks. It answers four questions:
- Who can violate segregation of duties? Which users hold combinations of authorizations that let them perform two conflicting business functions?
- Who has critical access? Which users can execute sensitive transactions (SU01, SE38, SCC4, SM59, debug, table maintenance) where a single action carries high risk?
- Who is over-privileged? Which users have access they never use — privilege accumulation that creates audit exposure and license cost?
- Are organizational scopes respected? Are users acting outside their assigned company codes, plants, profit centers, or purchasing organizations?
A complete access risk analysis tool answers all four. A SoD-only tool answers only the first.
Authorization-Level vs Transaction-Level Analysis
| Approach | What it checks | Catches |
|---|---|---|
| Transaction-level | Whether a user can launch a transaction code (e.g., FB60) | Coarse access |
| Authorization-level | The full authorization object check (e.g., F_BKPF_BES with BUKRS, ACTVT) | Real effective access |
Transaction-level analysis is fast but produces false positives — a user who can launch FB60 may be locked out at object level for the company codes that actually matter. Authorization-level analysis evaluates the actual SAP check logic, so the conflicts it surfaces are the ones a fraudster could exploit. MTC Skopos performs authorization-level analysis natively, which is why our results are actionable rather than noisy.
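To make the difference concrete, here is an added example (not MTC Skopos or SAP code) that evaluates one constructed SoD rule at transaction level and at authorization-object level over records shaped like AGR_USERS and AGR_1251. The rule id, roles, users and values are constructed; the object and field names (S_TCODE/TCD, F_BKPF_BES and F_LFA1_BUK with ACTVT and BUKRS) are standard SAP ones.

```python
from collections import defaultdict

# Constructed AGR_USERS-shaped rows: (user, role)
AGR_USERS = [("JDOE", "Z_AP_CLERK"), ("JDOE", "Z_VEND_2000"),
             ("BLEE", "Z_AP_CLERK"), ("BLEE", "Z_VEND_ALL")]
# Constructed AGR_1251-shaped rows: (role, auth, object, field, low, high).
# "auth" groups the field values that belong to one authorization instance;
# SAP requires every field of the *same* instance to match.
AGR_1251 = [
    ("Z_AP_CLERK",  "T-01", "S_TCODE",    "TCD",   "FB60", ""),
    ("Z_AP_CLERK",  "T-02", "F_BKPF_BES", "ACTVT", "01",   ""),
    ("Z_AP_CLERK",  "T-02", "F_BKPF_BES", "BUKRS", "1000", "1999"),
    ("Z_VEND_2000", "T-03", "S_TCODE",    "TCD",   "XK01", ""),
    ("Z_VEND_2000", "T-04", "F_LFA1_BUK", "ACTVT", "01",   ""),
    ("Z_VEND_2000", "T-04", "F_LFA1_BUK", "BUKRS", "2000", ""),
    ("Z_VEND_ALL",  "T-05", "S_TCODE",    "TCD",   "XK01", ""),
    ("Z_VEND_ALL",  "T-06", "F_LFA1_BUK", "ACTVT", "01",   ""),
    ("Z_VEND_ALL",  "T-06", "F_LFA1_BUK", "BUKRS", "*",    ""),
]
# Constructed rule: post vendor invoice vs. maintain vendor master.
# Each function = (tcode, object, required field values); BUKRS is added per check.
RULE = {"id": "P001", "functions": [("FB60", "F_BKPF_BES", {"ACTVT": "01"}),
                                    ("XK01", "F_LFA1_BUK", {"ACTVT": "01"})]}

def field_ok(low, high, value):
    """SAP-style value match: '*' = full authorization, range low..high, or single value."""
    if low == "*":
        return True
    return low <= value <= high if high else value == low

def authorizations(user):
    """Authorization instances granted through the user's roles: (role, auth, obj) -> {field: [(low, high)]}."""
    roles = {r for u, r in AGR_USERS if u == user}
    inst = defaultdict(lambda: defaultdict(list))
    for role, auth, obj, field, low, high in AGR_1251:
        if role in roles:
            inst[(role, auth, obj)][field].append((low, high))
    return inst

def has_auth(user, obj, required):
    """True if a single authorization instance of obj satisfies every required field."""
    for (_, _, o), fields in authorizations(user).items():
        if o == obj and all(any(field_ok(lo, hi, v) for lo, hi in fields.get(f, []))
                            for f, v in required.items()):
            return True
    return False

def transaction_level(user, rule):
    """Coarse check: user can launch every transaction in the rule."""
    return all(has_auth(user, "S_TCODE", {"TCD": t}) for t, _, _ in rule["functions"])

def authorization_level(user, rule, bukrs):
    """Effective check: transaction start plus the object check for one company code."""
    return all(has_auth(user, "S_TCODE", {"TCD": t}) and has_auth(user, obj, {**req, "BUKRS": bukrs})
               for t, obj, req in rule["functions"])
```

JDOE is flagged at transaction level but has no company code where both functions are effective; BLEE, whose vendor-maintenance role carries BUKRS `*`, is a real conflict in 1000.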
What MTC Skopos Detects
Segregation of Duties Violations
Users who can perform two or more incompatible business functions. Detection runs against your ruleset (or the Skopos template ruleset) and produces conflict lists at user, role, and risk level.
Critical Access Exposure
Users with access to sensitive single transactions where one action carries audit or fraud risk. Examples: user master maintenance, ABAP debug, RFC destination configuration, client copy.
Over-Privileged Users
Users holding authorizations they have never executed. Combines authorization data with did-do analysis of usage history (ST03N / STAD) to separate theoretical risk from realized risk.
Organizational Scope Violations
Cross-company-code, cross-plant, cross-profit-center, and cross-purchasing-org access where authorization values exceed the user's assigned organizational scope.
Did-Do Evidence
Which conflicts were actually executed vs which remain dormant. Critical for prioritizing remediation: a SoD pair capable of fraud is different from one active in fraud.
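As an added example (not MTC Skopos code) covering both the over-privileged-user and the did-do passages above: the first function classifies detected SoD conflicts as active, partial or dormant using ST03N/STAD-style usage aggregates, and the second lists granted transactions that were never executed in the review window. All users, risk ids and usage counts are constructed.

```python
from collections import defaultdict

# Constructed usage aggregates per user: (user, tcode, executions in the review window)
USAGE = [("JDOE", "FB60", 212), ("JDOE", "XK01", 3),
         ("BLEE", "FB60", 40), ("ASMITH", "FB60", 15)]
# Constructed detection output: user -> [(risk_id, tcode_a, tcode_b)]
CONFLICTS = {"JDOE": [("P001", "FB60", "XK01")],
             "BLEE": [("P001", "FB60", "XK01")]}
# Constructed transaction grants per user (what S_TCODE values allow them to start)
GRANTED = {"JDOE": {"FB60", "XK01", "SU01"}, "BLEE": {"FB60", "XK01"},
           "ASMITH": {"FB60", "SE38"}}

def executions(usage):
    """Sum execution counts into user -> tcode -> count."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, tcode, n in usage:
        counts[user][tcode] += n
    return counts

def classify_conflicts(conflicts, usage):
    """'active' = both sides executed, 'partial' = one side, 'dormant' = neither."""
    ex = executions(usage)
    result = {}
    for user, pairs in conflicts.items():
        for risk, a, b in pairs:
            sides_done = sum(1 for t in (a, b) if ex[user].get(t, 0) > 0)
            result[(user, risk)] = {2: "active", 1: "partial", 0: "dormant"}[sides_done]
    return result

def unused_grants(granted, usage):
    """Over-privilege candidates: granted transactions with zero executions in the window."""
    ex = executions(usage)
    return {user: sorted(t for t in tcodes if ex[user].get(t, 0) == 0)
            for user, tcodes in granted.items()}
```

Active conflicts and dormant-but-sensitive grants (here SU01 and SE38) are the rows to remediate first; a dormant conflict is cleanup work, not incident response.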
Why Specialized Access Risk Analysis Beats GRC Suites for Detection
Enterprise GRC suites (SAP GRC Access Control, Pathlock) bundle access risk analysis with provisioning, firefighter management, and access request workflows. If you need those workflow capabilities, a specialized tool will not replace them.
For detection specifically, specialized access risk analysis tools have three structural advantages:
- Speed. Minutes per full analysis run vs hours. Iterative remediation becomes practical.
- Depth. Authorization-object-level analysis is the default, not an upgrade.
- Portability. Desktop deployment means consultants, auditors, and security teams can analyze any SAP system without provisioning a GRC server.
Many organizations combine the two: Skopos for fast detection, ruleset development, and S/4HANA migration prep — SAP GRC for production provisioning. The Skopos ruleset converts to SAP GRC format, so the work is not duplicated. See Planning SAP GRC or Pathlock? Start With MTC Skopos for the full integration playbook.
Access Risk Analysis Workflow with MTC Skopos
- Export SAP authorization data. Standard tables: USR02, AGR_USERS, AGR_1251, UST12. Plus usage history from ST03N or STAD for did-do analysis.
- Load into Skopos. No server, no agent, no upload — the desktop application reads the export directly.
- Run analysis. Full SAP environment scanned in minutes against your ruleset.
- Review findings. SoD conflicts, critical access, over-privilege, scope violations, and did-do evidence in one consolidated view.
- Remediate. The Advanced Remediation engine generates concrete steps — remove role X from user Y, split role Z, reassign users — prioritized by least disruption.
- Export to BI. CSV, JSON, Parquet outputs feed Power BI, Tableau, or any reporting layer for ongoing monitoring.
Beyond SAP: Multi-ERP Access Risk Analysis
Modern landscapes are not single-ERP. Cross-application access risk — a user who creates a vendor in SAP and approves the payment in Oracle — is invisible to single-system tools. MTC Skopos supports SAP access risk analysis natively and extends to Oracle, Microsoft Dynamics, NetSuite, Odoo, and custom systems through generic data-source connectors. One ruleset, one analysis run, all systems.
Pricing
Transparent flat-rate licensing: $6,718/year base + $650 per additional seat (USD). No per-user fees, no per-system fees, no per-transaction charges. The price does not scale with the size of your SAP landscape.
Get Started
See your real SAP access risk landscape in under an hour. Export your authorization data, run Skopos against it, and review the findings — no installation, no commitment.
Try MTC Skopos for Access Risk Analysis
Authorization-level SoD and critical access detection. Minutes per run. Runs on your laptop.
Related Resources
- SAP Access Risk Report: What to Include and How to Build One — the report deliverable produced from ARA
- Best SAP SoD Tools & Solutions Compared (2026) — full vendor comparison
- Advanced Remediation: AI-Powered SAP Access Risk Resolution
- Did-Do Analysis: Theoretical vs Realized Risk
- Building an SoD Ruleset for S/4HANA
- Critical Access in SAP: What to Monitor and Why
- Over-Privileged Users in SAP: Detection and Cleanup
- Authorization vs Transaction-Level Analysis