User Guide

Getting Started

Installation

  1. Extract the ZIP file to any folder
  2. Launch MTC_Skopos.exe (Windows) or MTC_Skopos (macOS/Linux) - no installation required
  3. No administrator rights needed

System Requirements

| Requirement | Minimum | Recommended |
| --- | --- | --- |
| OS | Windows 10, macOS, Linux (64-bit) | Windows 11, macOS, Linux (64-bit) |
| RAM | 8 GB | 16 GB+ |
| Disk | 500 MB | 20 GB |

First Launch

  1. Open MTC Skopos
  2. Go to Data Sources to configure your first connection
  3. Load a Ruleset file
  4. Go to Analysis to run your first risk analysis

Data Sources

MTC Skopos supports three types of data sources:

SAP Remote Connection

Connect directly to a live SAP system via RFC (Remote Function Call).

  1. Click Add > SAP Remote
  2. Enter connection parameters:

| Field | Description |
| --- | --- |
| Name | Display name for this connection |
| Host | SAP application server address |
| System Number | System number (00-99) |
| Client | Client number |
| Language | EN, DE, FR, etc. |

  3. Select authentication mode:

    • User/Password: Standard RFC authentication
    • SNC: Secure Network Communications with user/password
    • SNC + X.509 Certificate: SNC with certificate-based SSO
  4. For SNC modes, configure:

    • SNC Library Path
    • SNC Quality of Protection
    • SNC Partner Name
  5. Click Save

Required SAP Authorizations:

  • Read access to USR* tables (user master data)
  • Read access to AGR_* tables (role data)
  • Execute access to RFC-enabled function modules
  • Optional: Usage statistics tables

SAP File Import

Import data exported from SAP as CSV/TSV files.

  1. Click Add > SAP Files
  2. Select folder containing the exported files
  3. MTC Skopos auto-detects the following tables:

| Table | Purpose | Required |
| --- | --- | --- |
| USR02 | User master records | Yes |
| AGR_USERS | User-role assignments | Yes |
| AGR_1251 | Role authorizations | Yes |
| AGR_1252 | Organization levels | Yes |
| AGR_AGRS | Composite role structure | Yes |
| AGR_DEFINE | Role definitions | Yes |
| AGR_1016 | Role transactions | Optional |
| UST04 | Profile assignments | Optional |
| UST12 | Authorization profiles | Optional |
| UST10S | User profiles | Optional |
| usage | Transaction usage data | Optional |

  4. Click Save

File Format Requirements:

  • CSV or TSV with header row (SAP technical field names)
  • UTF-8 or ANSI encoding
  • Configurable delimiter (comma, semicolon, or tab)

Generic File Import

Import data from non-SAP systems using a standardized format.

  1. Click Add > Generic Files
  2. Select folder containing:

| File | Required Columns |
| --- | --- |
| users.csv | User ID, Full Name, User Type, User Group, Valid From, Valid To, Deleted |
| roles.csv | Role, Role Description, Authorization, Object, Field, Value From, Value To |
| composite_roles.csv | Composite Role, Single Role |
| user_role.csv | User ID, Composite Role, Single Role, Valid From, Valid To |
| usage.csv | user_id, action, count, last_used |

  3. Click Save

Managing Data Sources

  • Refresh: Re-import data from a remote SAP system
  • Edit: Modify connection settings
  • View Statistics: See row counts (total, effective, ignored, unparsable)

Rulesets

Rulesets define the risks that MTC Skopos analyzes. Each ruleset contains risk definitions, business functions, actions, and permission requirements.

Loading a Ruleset

  1. Click Load Ruleset
  2. Select a ruleset file (CSV/TSV format)
  3. Configure the file delimiter if needed
  4. The ruleset loads and appears in the available rulesets

Rulesets configured in settings are automatically loaded when MTC Skopos starts.

Ruleset Structure

A ruleset defines:

| Element | Description |
| --- | --- |
| Risks | Risk ID, name, level (Critical/High/Medium/Low), type (SoD/Critical Access) |
| Functions | Business functions that group related actions |
| Actions | Transaction codes or activities |
| Permissions | Authorization object and field value requirements |

Included Rulesets

MTC Skopos includes pre-built rulesets:

| Ruleset | Coverage |
| --- | --- |
| SAP Business Risks | 200+ rules covering Finance, Procurement, HR, Basis |
| SOX Compliance | Sarbanes-Oxley aligned segregation of duties rules |

Custom Rulesets

To use custom rulesets, prepare a CSV/TSV file following the ruleset format and load it into MTC Skopos. The ruleset file can be opened and maintained directly in Microsoft Excel.

Multiple Rulesets

Multiple rulesets can be imported. Select the appropriate one before running your risk analysis.

Technical Considerations

  • System: This field identifies the system where the function is expected to be triggered.

    Note: The system value must exactly match the one defined in the corresponding data source(s).

  • Action: The Action field acts as a permission group; permissions with the same action are evaluated together to trigger a function.

    Note: An action is not bound to a specific Tcode. If a transaction is involved, the authorization object S_TCODE must be included separately.

  • Object: Represents the authorization object. All objects assigned to the same action are considered during evaluation.

  • Field: The authorization field within an object. All fields under the same object are taken into account.

  • Value From / To: A string range used for value matching. Values will be considered if they fall within the specified range, starting with special characters (e.g. /) and ending with a letter (e.g. Z).

  • Condition (AND / OR): Operators define how multiple values for the same field of the same object are interpreted:

    • AND requires the value to be met.
    • OR requires at least one value to be met.

    Note: Combining AND and OR is technically possible. In that case all values with condition AND are required in combination with at least one value with condition OR.

  • Wildcard (*) – ANY vs ALL:

    • To trigger the function by any value: use *
    • To trigger the function by all values: use ' * ' (quoted with a space)

Example Explained

Note: The examples shown are not functionally correct; they are simply meant to explain how the tool processes and interprets technical input.

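| Function | Action | Authorization Object | Field | Value From | Value To | Condition |
| --- | --- | --- | --- | --- | --- | --- |
| Table Maintenance | SM30_NAM | S_TABU_NAM | ACTVT | 01 | | OR |
| Table Maintenance | SM30_NAM | S_TABU_NAM | ACTVT | 02 | | OR |
| Table Maintenance | SM30_NAM | S_TABU_NAM | ACTVT | 03 | | AND |
| Table Maintenance | SM30_NAM | S_TABU_NAM | TABLE | Z* | | OR |
| Table Maintenance | SM30_NAM | S_TABU_NAM | TABLE | A* | BKPF | OR |
| Table Maintenance | SM30_NAM | S_TCODE | TCD | SM30 | | AND |
| Table Maintenance | SM30_DIS | S_TABU_DIS | ACTVT | 01 | | OR |
| Table Maintenance | SM30_DIS | S_TABU_DIS | ACTVT | 02 | | OR |
| Table Maintenance | SM30_DIS | S_TABU_DIS | DICBERCLS | '*' | | AND |
| Table Maintenance | SM30_DIS | S_TCODE | TCD | SM30 | | AND |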

To trigger the Table Maintenance function, a user or role must be provisioned with either of the following sets of authorizations:

Option 1: Using S_TABU_NAM

  • Transaction code: SM30
  • Authorization Object: S_TABU_NAM
    • Field ACTVT must include: 03 AND (01 OR 02)
    • Field TABLE must include: Any table starting with Z OR any table from A to BKPF

Option 2: Using S_TABU_DIS

  • Transaction code: SM30
  • Authorization Object: S_TABU_DIS
    • Field ACTVT must include: 01 OR 02
    • Field DICBERCLS must include: All table groups
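
The evaluation described above, sketched as an added example (not MTC Skopos code): rows are grouped per action, object and field, every AND row is required and at least one OR row must match. The tuple layout, the function names, the sample authorization sets and the reading of `A*` as the lower bound `A` are assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed rows copying the Table Maintenance example table:
# (action, object, field, value_from, value_to, condition)
RULES = [
    ("SM30_NAM", "S_TABU_NAM", "ACTVT", "01", "", "OR"),
    ("SM30_NAM", "S_TABU_NAM", "ACTVT", "02", "", "OR"),
    ("SM30_NAM", "S_TABU_NAM", "ACTVT", "03", "", "AND"),
    ("SM30_NAM", "S_TABU_NAM", "TABLE", "Z*", "", "OR"),
    ("SM30_NAM", "S_TABU_NAM", "TABLE", "A*", "BKPF", "OR"),
    ("SM30_NAM", "S_TCODE", "TCD", "SM30", "", "AND"),
    ("SM30_DIS", "S_TABU_DIS", "ACTVT", "01", "", "OR"),
    ("SM30_DIS", "S_TABU_DIS", "ACTVT", "02", "", "OR"),
    ("SM30_DIS", "S_TABU_DIS", "DICBERCLS", "'*'", "", "AND"),
    ("SM30_DIS", "S_TCODE", "TCD", "SM30", "", "AND"),
]

def value_matches(held, lo, hi):
    """True if one held authorization value satisfies one rule row."""
    if lo == "'*'":                  # ALL: only a full (*) authorization counts
        return held == "*"
    if held == "*" or lo == "*":     # full authorization held, or ANY value accepted
        return True
    if hi:                           # string range; lower bound "A*" read as "A" (assumption)
        return lo.rstrip("*") <= held <= hi
    return fnmatchcase(held, lo)     # literal value or prefix pattern such as Z*

def triggered_actions(rules, auths):
    """Actions fully satisfied by auths, a set of (object, field, value); any one triggers the function."""
    held = defaultdict(set)
    for obj, field, value in auths:
        held[(obj, field)].add(value)
    groups = defaultdict(lambda: {"AND": [], "OR": []})
    for action, obj, field, lo, hi, cond in rules:
        groups[(action, obj, field)][cond].append((lo, hi))
    passed = defaultdict(lambda: True)
    for (action, obj, field), rows in groups.items():
        vals = held[(obj, field)]
        hit = lambda row: any(value_matches(v, *row) for v in vals)
        # every AND row is required, plus at least one OR row when OR rows exist
        field_ok = all(map(hit, rows["AND"])) and (not rows["OR"] or any(map(hit, rows["OR"])))
        passed[action] = passed[action] and field_ok
    return sorted(a for a, ok in passed.items() if ok)

# Constructed authorization sets: a table maintainer and the same user without change access
MAINTAINER = {("S_TCODE", "TCD", "SM30"), ("S_TABU_NAM", "ACTVT", "02"),
              ("S_TABU_NAM", "ACTVT", "03"), ("S_TABU_NAM", "TABLE", "ZCUSTOM")}
DISPLAY_ONLY = MAINTAINER - {("S_TABU_NAM", "ACTVT", "02")}
```

`triggered_actions(RULES, MAINTAINER)` returns `["SM30_NAM"]`, while `DISPLAY_ONLY` returns an empty list because ACTVT 03 alone satisfies the AND row but none of the OR rows.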

Browsing Data

Each data source provides browsing capabilities to explore users, roles, and system information.

Data Source Information

Select a data source and view:

Info Tab:

  • Connection type and configuration
  • System name and type
  • Table statistics (rows loaded, ignored, errors)

Users Tab:

  • List of all users with filtering
  • User details: ID, Type, Group, Valid dates, Lock status
  • Role assignments (single and composite)
  • Click a user to see detailed action usage

Roles Tab:

  • List of all roles
  • Role contents and structure
  • User assignments

User Detail View

When viewing a specific user's usage:

| Information | Description |
| --- | --- |
| Composite Roles | Composite roles assigned to the user |
| Single Roles | Single roles within each composite |
| Actions | Transactions available through each role |
| Execution Count | Number of times each action was used |
| Last Used | Most recent execution date |
| Other Roles | Alternative roles providing the same action |

Exporting Data Source Information

Export detailed data source information for external tools:

  1. Select a data source
  2. Click Export
  3. Choose output directory
  4. Multiple JSON files are created for use with Power BI, AI tools, or custom analysis

Risk Analysis

MTC Skopos provides two analysis modes: User Analysis and Role Analysis.

Running User Analysis

Analyze risks at the user level to identify which users have conflicts.

  1. Go to Analysis
  2. Select Users mode
  3. Select one or more data sources
  4. Select a ruleset
  5. Configure filters (optional):

| Filter | Effect |
| --- | --- |
| Users | Analyze only specified users |
| User Groups | Filter by SAP user group |
| User Types | Dialog, System, Service, Communication, etc. |
| Single Roles | Only users with these single roles |
| Composite Roles | Only users with these composite roles |
| Risk Levels | Critical, High, Medium, Low |
| Risk Types | SoD, Critical Access, or both |

  6. Enable Cross System to analyze risks spanning multiple systems
  7. Click Run Analysis

Running Role Analysis

Analyze risks at the role level to identify inherent conflicts in role design.

  1. Go to Analysis
  2. Select Roles mode
  3. Select data sources and ruleset
  4. Configure filters (optional):

| Filter | Effect |
| --- | --- |
| Single Roles | Analyze only specified single roles |
| Composite Roles | Analyze only specified composite roles |
| Risk Levels | Critical, High, Medium, Low |
| Risk Types | SoD, Critical Access, or both |

  5. Click Run Analysis

Understanding Results

Results are displayed in a table with the following information:

| Column | Description |
| --- | --- |
| User/Role | Affected user or role name |
| Risk ID | Risk identifier (e.g., F001) |
| Risk Description | Human-readable risk name |
| Risk Level | Critical, High, Medium, or Low |
| Risk Type | SoD (Segregation of Duties) or Critical Access |
| Function | Business function(s) involved |
| Action | Transaction codes providing the access |
| Role | Role(s) granting the access |
| Composite Role | Parent composite role (if applicable) |
| Business Process | Business process category |

Filtering and Sorting Results

  • Click column headers to sort
  • Use the filter row to search within results
  • Results load incrementally for large analyses

Simulation

Simulation allows you to test "what-if" scenarios before making changes in your SAP system.

User Simulation

Test the impact of role assignment changes on a specific user.

  1. In Analysis, select Users mode
  2. Go to the Simulation panel
  3. Use the Roles tab to simulate role changes:

| Action | How |
| --- | --- |
| Add role | Select a role to add to the user |
| Remove role | Select an assigned role to remove |

  4. Run the analysis with simulation enabled
  5. Results show:
    • Added: New risks that would be created
    • Removed: Risks that would be eliminated
    • Unchanged: Existing risks unaffected by the change

Role Simulation

Test the impact of authorization changes within a role.

  1. In Analysis, select Roles mode
  2. Go to the Simulation panel
  3. Use the Authorizations tab to simulate changes:

| Action | How |
| --- | --- |
| Add authorization | Add a new permission to the role |
| Remove authorization | Remove an existing permission |

  4. Use the Composite Roles tab to simulate structure changes:

| Action | How |
| --- | --- |
| Add to composite | Add a single role to a composite |
| Remove from composite | Remove a single role from a composite |

  5. Run the analysis to see the impact on all affected users

Remediation

The remediation engine analyzes your risks and generates recommendations for resolving them.

Generating Recommendations

  1. Run a user analysis first
  2. Go to Remediation
  3. Configure remediation parameters
  4. Click Generate

Remediation Phases

The algorithm evaluates remediation options in order of impact:

  1. Remove user role assignments - Safest option when user has alternative access
  2. Remove single role from composite - Modify composite role structure
  3. Remove action from role - Last resort, may affect other users

Understanding Recommendations

For each risk, the remediation report shows:

| Field | Description |
| --- | --- |
| Risk | Risk ID and description |
| Function | Business function involved |
| Action | Transaction code |
| User | Affected user |
| Execution Count | Times the action was executed |
| Last Executed | Date of last use |
| Single Role Assignment | Roles directly assigned to user |
| Composite Role Assignment | Roles assigned via composite roles |
| Recommendation | Suggested remediation action |

Prioritization

Recommendations are prioritized based on:

  • Risk severity (Critical risks prioritized)
  • Usage frequency (unused access easier to remove)
  • Collateral impact (changes affecting fewer users preferred)

Exporting Recommendations

Export remediation reports for further analysis or to share with stakeholders:

  • Export for a specific risk
  • Export all recommendations

Reports & Export

Exporting Analysis Results

All analysis results can be exported for audit evidence, further processing, or integration with other tools.

  1. Run an analysis
  2. Click Export
  3. Select output location

Export Format

Reports are exported as TSV (Tab-Separated Values) files, which can be opened in Excel or any spreadsheet application.

Report Types

Detailed Report - Complete risk listing with all columns:

| Column | Description |
| --- | --- |
| User ID | Username (user analysis) |
| User Group | User's group assignment |
| Access Risk ID | Risk identifier |
| Risk Description | Risk name |
| Risk Level | Critical/High/Medium/Low |
| Risk Type | SoD or Critical Access |
| Function | Business function |
| Function Description | Function name |
| System | Source system |
| Action | Transaction code |
| Action Description | Transaction name |
| Resource | Authorization object |
| Resource Extn | Authorization field |
| Value From | Field value start |
| Value To | Field value end |
| Role/Profile | Role providing access |
| Role/Profile Description | Role name |
| Composite Role | Parent composite (if applicable) |
| Composite Role Description | Composite role name |
| Business Process | Process category |
| Simulation | Add/Remove/unchanged (if simulation) |

Summary Report - Aggregated view of risks

Execution Log - Audit trail including:

  • Version and build information
  • Licensed customer
  • Execution timestamp

Importing Previous Results

To re-analyze or review previous results:

  1. Go to Import Results
  2. Select a previously exported report file
  3. The results load with their original execution log

MCP Server

The MTC Skopos MCP Server enables AI assistants (Claude, ChatGPT, Copilot) to interact with your risk analysis data using the Model Context Protocol (MCP).

Configuration

The MCP server requires a mtc-skopos.data configuration file in the same directory as the executable. This file contains:

  • Datasource configurations
  • Analysis criteria and save directory paths

Integrating with AI Assistants

Claude Code CLI:

claude mcp add skopos /path/to/mcp-server

Claude Desktop: Configure in Claude Desktop settings under MCP servers.

Other AI tools: Configure the MCP server path in your tool's MCP configuration.

Available Tools

The MCP server exposes the following tools to AI assistants:

| Tool | Description |
| --- | --- |
| init_session | Initialize session and load available datasources |
| list_analysis_logs | List analysis log files with optional filters (date, system, user/role mode) |
| summarize_analysis | Get summary of one or more analysis logs (risk counts, impacted users/roles) |
| get_analysis_detail | Retrieve detailed report rows for specific users/roles or risks |
| get_users_or_roles_triggering_risks | Find users/roles impacted by specific risks |
| get_remediation_report | Generate remediation JSON for a specific risk |
| find_roles_by_criteria | Find roles assigned to a user matching permission criteria |
| find_single_roles_by_permission_criteria | Find single roles matching permission criteria |
| describe_role | Get comprehensive description of a role (single or composite) |

Typical Workflow

  1. Initialize: Call init_session to load datasources
  2. Find analysis: Call list_analysis_logs to locate relevant analyses
  3. Summarize: Call summarize_analysis for overall risk picture
  4. Deep dive: Call get_remediation_report or get_analysis_detail for specific risks
  5. Role analysis: Call find_roles_by_criteria or describe_role for role-level details

Learn More

For detailed information about MCP integration, see our blog article: AI Meets SAP Security: How MCP Transforms MTC Skopos

Reference

Troubleshooting

Connection Errors

| Error | Solution |
| --- | --- |
| RFC connection failed | Verify host address, system number, and credentials |
| Timeout | Check network connectivity; SAP system may be slow |
| Authorization error | Verify RFC user has required table read permissions |
| SNC configuration error | Check SNC library path and partner name settings |

Analysis Issues

| Issue | Solution |
| --- | --- |
| No risks found | Verify ruleset contains rules matching your system's transactions |
| Missing users | Check that USR02 table was exported/imported correctly |
| Missing roles | Check that AGR_DEFINE table was exported/imported correctly |
| Slow analysis | Use filters to reduce scope; close unused data sources |

File Import Issues

| Issue | Solution |
| --- | --- |
| File not detected | Verify file names match expected table names |
| Parsing errors | Check file encoding (UTF-8) and delimiter settings |
| Missing columns | Verify export includes all required fields with SAP technical names |