The Identity Blog

SAP Security: Authorization Risks

This blog post describes the types of authorization risk that must be considered when framing a security strategy for an SAP system.


Authorizations should follow the principle of data minimization. Access that goes beyond what the processing purpose requires is a violation of the minimization principle.

Risks in the authorization system are generally defined and evaluated in one of two ways. The classic approach is the principle of prohibition: it defines the actions, or combinations of actions, that a user must not be able to perform.

The principle of minimization, by contrast, is a principle of requirement: the user may be allowed to perform only those actions that relate to the purpose of processing.

Activity-related risks

From the user authorization perspective, these risks fall into three types of critical access in the system.

  1. SoD conflicts

A segregation of duties (SoD) conflict results from the combination of two activities that should be performed by different people.

For example, the combination of supplier (vendor) master maintenance and purchase order processing is critical.

Depending on the rule set, procedures and customizing, an SoD conflict can also arise within a single transaction, for instance when the rules require a separation between entering and releasing a posting. Technical controls usually allow an operation-oriented SoD, i.e. the separation of the entry and release steps can be configured.

  2. Critical actions

A critical action is a single activity whose execution by itself creates a risk. Technically it is the connection of an application with an authorization, for example a transaction linked to an authorization object. One critical action is maintaining system-wide settings, since it can open the production system to unauthorized modifications. Such actions also exist in the data protection context.

  3. Critical authorizations

From the classic risk perspective, these authorizations are critical in themselves. In technical terms, a critical authorization is an authorization object value that is not tied to a particular transaction.

For example, debugging in change mode.

Some risks derive from data protection law. For data protection, SoD is especially important for system-related activities: the segregation of user administration from authorization administration, and SoD in transport management, because transport requests move changes from the development system into the production system.

SoD requirements that are tied purely to business management must also be kept in mind.

Example: unblocking suppliers or customers.

Typical business-management SoD risks are the initiation of payments and the allocation of a special bonus. These need not be subject to any data protection consideration.

Hence, in terms of volume, SoD risks play only a marginal role in data protection.

Purpose risk

This is a general, purpose-oriented risk. It covers the use of the authorization objects assigned to each artefact of a processing purpose, as well as the LOAs and POAs of that purpose. Since data protection law applies to all artefacts of a processing purpose, the purpose risk includes a set of critical authorizations.
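The two rule families described above (prohibition rules for SoD conflicts, critical actions and critical authorizations; a requirement rule for purpose-bound minimization) can be evaluated mechanically against a user's assigned transactions and authorization object values. The following is an added example, not code from the original post or from any SAP or GRC product. The transaction codes and the S_DEVELOP authorization object are real SAP names; the rule set, the purpose definitions and the two sample users are constructed for illustration and would in practice come from a maintained rule set and from the user's role assignments.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Auth:
    """An authorization object instance: object name plus field values,
    e.g. S_DEVELOP with ACTVT=02 and OBJTYPE=DEBUG (debug in change mode)."""
    obj: str
    fields: tuple  # sorted ((field, value), ...) so instances hash and compare


def auth(obj, **fields):
    return Auth(obj, tuple(sorted(fields.items())))


@dataclass
class User:
    name: str
    purpose: str  # the processing purpose the account exists for
    tcodes: set = field(default_factory=set)
    auths: set = field(default_factory=set)


# --- Prohibition rules: what the user must NOT be able to do or combine ---
# An SoD rule is a pair of activity sets; holding a transaction from each side
# is a conflict. The pairings follow the post's examples (vendor maintenance vs.
# ordering, user vs. authorization administration, transport release vs. import).
SOD_RULES = {
    "vendor maintenance + purchase order processing": ({"XK01", "XK02"}, {"ME21N", "ME22N"}),
    "user administration + authorization administration": ({"SU01"}, {"PFCG"}),
    "transport release + transport import": ({"SE10"}, {"STMS"}),
}
# Single transactions that are risky on their own (constructed rule set).
CRITICAL_ACTIONS = {"SCC4": "maintain client change options; can open production to changes"}
# Authorization object values that are critical regardless of the transaction.
CRITICAL_AUTHS = {"debug in change mode": auth("S_DEVELOP", ACTVT="02", OBJTYPE="DEBUG")}

# --- Requirement rule: what the user MAY do for its purpose (constructed) ---
PURPOSES = {
    "vendor master data maintenance": {"XK01", "XK02", "XK03"},
    "basis administration": {"SU01", "PFCG", "STMS", "SCC4"},
}


def auth_matches(granted: Auth, rule: Auth) -> bool:
    """True if the granted object covers every field value the rule names.
    A '*' in the granted value is a full wildcard and therefore matches."""
    if granted.obj != rule.obj:
        return False
    have = dict(granted.fields)
    return all(have.get(f) in (v, "*") for f, v in rule.fields)


def evaluate(user: User) -> dict:
    """Apply prohibition rules and the minimization (requirement) rule."""
    findings = {"sod": [], "critical_actions": [], "critical_auths": [], "excess": set()}
    for name, (left, right) in SOD_RULES.items():
        if user.tcodes & left and user.tcodes & right:
            findings["sod"].append(name)
    findings["critical_actions"] = sorted(t for t in user.tcodes if t in CRITICAL_ACTIONS)
    for name, rule in CRITICAL_AUTHS.items():
        if any(auth_matches(a, rule) for a in user.auths):
            findings["critical_auths"].append(name)
    # Minimization: anything outside the purpose's allowed set is excess,
    # even if no prohibition rule fires on it.
    findings["excess"] = user.tcodes - PURPOSES.get(user.purpose, set())
    return findings


# Constructed sample users: one scoped to its purpose, one with legacy grants.
SAMPLE_USERS = [
    User("vendor_clerk", "vendor master data maintenance", {"XK01", "XK02", "XK03"}),
    User("legacy_superuser", "vendor master data maintenance",
         {"XK01", "ME21N", "SCC4"},
         {auth("S_DEVELOP", ACTVT="*", OBJTYPE="DEBUG")}),
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u.name, evaluate(u))
```

The second user shows why both rule families are needed: the SoD rule catches the vendor maintenance plus ordering combination, the critical-action and critical-authorization rules catch SCC4 and the wildcard debug grant, and the purpose rule additionally reports ME21N and SCC4 as excess simply because they are outside the account's processing purpose. Note the wildcard handling in auth_matches: a grant with ACTVT="*" must be treated as covering the critical value 02, otherwise the check misses exactly the over-broad roles it is meant to find.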


Data is of huge importance to a business. It must be protected from unauthorized access, whether internal or external.
