SAP Authorization: Articles & Insights

Most access risk tools analyze SoD at the transaction code level: if a user has tcode A and tcode B, flag a conflict. Authorization-level analysis goes deeper. It checks whether the user's authorization object values actually overlap, so conflicts that share no company code, plant, or organizational unit are filtered out. The distinction matters: transaction-level analysis on a large SAP landscape typically produces 3-10x more false positives than authorization-level analysis.

Critical access is a category of access risk separate from Segregation of Duties: transactions that cause damage on their own, without needing a conflicting partner. This guide lists the critical transactions every SAP environment should monitor, explains how to detect them with access risk analysis, and shows how MTC Skopos catches them in the same pass as SoD.

Over-privileged users are the quiet third category of access risk, behind SoD and critical access. They hold authorizations that expand their fraud surface, inflate FUE licensing, and create audit findings, even though nothing about their daily work requires the access. This guide explains how privilege creep happens, how to detect it with access risk analysis, and how to remediate without breaking business operations.

A practical guide to SAP authorization design that holds up in production. Covers role architecture, naming conventions, organizational value strategy, least privilege enforcement, critical access monitoring, and the change governance process that keeps your landscape clean over time.

Payroll postings, treasury transactions, executive compensation - some G/L accounts need tighter access control. Here's how to configure authorization groups with F_BKPF_BES and F_BKPF_BLA in SAP S/4HANA, step by step.

Exploiting SAP used to require both system access and years of domain expertise. AI collapses that second requirement. An attacker with a basic SAP login and a language model can now navigate the system, understand authorization structures, and find exploitation paths that previously took specialists weeks to uncover. What does that mean for how you manage access risk?

A technical reference for SAP SoD conflicts: specific transaction code combinations, authorization objects that drive conflicts, and practical detection methods for SAP ECC and S/4HANA.

Your ECC SoD matrix won't work in S/4HANA. Learn how to build a ruleset that covers Fiori apps, OData services, and the new authorization architecture - without starting from scratch.