Implementing SAP Access Control

SAP Access Control is a software suite designed to help organizations manage their governance, risk, and compliance (GRC) needs to mitigate the risks associated with access to sensitive data and business processes.


The suite includes capabilities for managing user access, enforcing segregation of duties (SoD), and monitoring access activity to detect and avoid risks and fraud. Implementing SAP Access Control means organizations can enhance their security postures and their compliance with regulatory requirements.


Implementation Phases

There are three phases to follow when implementing SAP Access Control: getting clean, staying clean, and staying in control. Let’s take a look at each.

Getting Clean

Getting clean begins with identifying the existing risks. SAP Access Control’s risk analysis and management features identify SoD and critical risks. Business teams are responsible for adjusting their processes to reduce potential risks.

Staying Clean

Once risks have been mitigated and rectified, enterprises must maintain clean systems, which is referred to as “stay clean.” This goal can be achieved through business role management, user provisioning, and privilege management.

Staying In Control

To keep the system clean, periodic reviews of user access, SoD, and firefighter IDs (FFIDs) can be conducted. The process is referred to as compliance recertification.


Supported Systems

SAP Access Control can be integrated with all SAP NetWeaver systems. To utilize the various components, you must install the GRCPINW plug-in (SAP NetWeaver plug-in for SAP GRC solutions). As of version 12.0, SAP Access Control supports both v1100 and v1200, but not v1000.


RFC connections can be established once the plug-ins are installed. Additionally, SAP Access Control 12.0 supports HR integration with SAP ERP and SAP S/4HANA for configuring HR triggers. To use this feature of SAP Access Control, the GRCPIERP plug-in must also be installed.


SAP Access Control 12.0 also supports SAP Identity Management and non-SAP identity management applications, which you can integrate with web services. Cloud applications like SAP Ariba, SAP Concur, and SAP SuccessFactors Employee Central can be connected using SAP Cloud Identity Access Governance/SAP Business Technology Platform (SAP BTP) cloud connectors. Pathlock adapters can be used when an application lacks a standard connector or integration capability.



SAP Access Control 12.0 offers a variety of updated components. Let’s take a look at each:.

Access Risk Analysis

Access Risk Analysis has an enhanced ruleset that includes SAP S/4HANA, SAP Fiori, SAP HANA database, and SAP SuccessFactors Employee Central rules. It can perform cross-system analysis for enterprise applications in real time or offline, prevent access risks directly using access requests, and perform risk analysis asynchronously upon request submission and at the request approval stage. In addition, the action usage sync program has been updated to capture the information of the Web Dynpro component and Business Server Page (BSP) applications executed in the system–not just in transaction codes.

Emergency Access Management

The Emergency Access Management feature can now be implemented for applications that use a web GUI. Integrating it with the SAP HANA database means users can get access to critical privileges in the database in a controlled environment through FFIDs.

Access Request Management

Access Request Management now includes embedded risk analysis simulations and mitigation options for “staying clean.” It also features automated provisioning to enterprise applications.

Business Role Management

Business Role Management offers management of SAP HANA database privileges and the ability to integrate business roles between SAP Identity Management and SAP Access Control.

Compliance Reviews

Compliance reviews now contain enhanced user access reviews and SoD reviews. This functionality allows users to certify role content and role assignment, automate the review of mitigating control assignments, review user and role-transaction usage details, and receive proactive notifications about conflicting or sensitive action usage.


SAP Access Control can be integrated with SAP S/4HANA (on-premise), SAP SuccessFactors, the SAP HANA database, SAP SuccessFactors Employee Central Payroll, SAP Process Control, and SAP Cloud Identity Access Governance, among others.

Other Enhancements

Additional enhancements made to SAP Access Control include the availability of overview pages for SAP Access Control dashboards and customizable dashboards and reports.


Implementing SAP GRC solutions alone will not make you compliant. For success, compliance must be continuously monitored and analyzed. An essential task is to review processes regularly to gain visibility into your environment and to evaluate risks, including all known scenarios that could be breached. With SAP Access Control, you can establish a security baseline on which you can build a holistic solution to prevent potential risks and proactively defend against undiscovered vulnerabilities across your SAP assets.


About The SAP Access Control Book

It’s essential for organizations to protect themselves against security breaches and compliance violations. An effective approach is the key to managing these risks. Our SAP Access Control book will help enterprises with their governance, risk, and compliance needs to mitigate potential threats.


Start this journey with answers to two important questions: What is SAP Access Control and how does it relate to the field of GRC? Get the fundamental basics of the solution and insight into its architecture and capabilities.


Once you learn the prerequisites required for configuration, you’ll also need to understand the post-installation requirements, like activating different components of the application and defining initial configuration, which are conveyed through step-by-step instructions. Then, learn about the different integration scenarios to define the SAP Access Control environment.


Explore the various features of SAP Access Control, like the Access Risk Analysis module, the Emergency Access Management application, Access Request Management, Business Role Management, access review and SoD review functions, MSMP workflows, BRFplus, and the SAP Fiori add-on. You’ll also gain insight into HR triggers and their importance for effective user management.


The final chapter discusses various enhancements that can be implemented in SAP Access Control. It covers a range of scenarios including email notifications, screen enhancements, and automations, providing guidance on how to implement them effectively.


Who Is This Book For?

This book serves a range of professionals who are looking to manage security and compliance risks. Security and business analysts, auditors, business process owners, and consultants will benefit from a deep understanding of the features and functionalities of SAP Access Control.


About the Authors

Raghu Boddu is the managing director of ToggleNow Software Solutions. He has more than 25 years of experience with SAP security, GRC, audits, and automation. Raghu is a certified information systems auditor (CISA), a certified fraud examiner (CFE), a certified data privacy solutions engineer (CDPSE), and a certified SAP security professional and GRC associate. He has served on the Information Systems Audit and Control Association state board and contributed articles, blog posts, automation stories, and vlogs to the security community. He was named a Microsoft Most Valuable Professional (MVP) for three consecutive years in the Windows Shell space. He has published more than 30 Microsoft Knowledge Base articles.


How to Purchase

If you’re interested in purchasing SAP Access Control, follow this link and choose the format that works best for you: e-book, print edition, or bundle (both e-book and print).


If you want to continue learning about GRC, or if you want information on other upcoming books or special offers, make sure to sign up for our topic newsletters or our weekly blog recap.


SAP Access Control
SAP Access Control

Manage on-premise user access with this comprehensive guide to SAP Access Control. Begin with step-by-step installation and configuration instructions. Then implement key SAP Access Control modules, including access risk analysis, emergency access management, and access request management. Learn to manage business roles, review user access, evaluate segregation of duties risks, and configure automation workflows. This is your all-in-one guide to SAP Access Control!

Learn More

SAP PRESS is the world's leading SAP publisher, with books on ABAP, SAP S/4HANA, SAP CX, intelligent technologies, SAP Business Technology Platform, and more!