SAP Access Design


Massive numbers of single, derived and composite roles; roles did not match positions; excessive access was an issue; users were often copied; and bottlenecks arose in the access request process because numerous approvers were needed and the role model was poorly understood.

Problem metrics

2 key systems, 6,000 users using SAP, 20,000+ single roles. Users in some departments required up to 200+ roles for their job.


A pragmatic approach was taken, given that business processes were already operational. The organisational structure was confirmed with the business, then Xendl leveraged transactional usage vs team structures (see accelerators) to redesign and deploy job roles.

This meant creating business roles that were free from SoD conflicts, named in line with the job role, and followed the principle of least privilege.

What was delivered

  • Circa 250 business roles, mapped to 400+ positions
  • Standardisation of access
  • Simplification / streamlining of access request process
  • Multiple workflows governed by organisation positions, including immediate provisioning for certain low-risk business units (as requested by client)

Xendl apps / accelerators

  • Automated role design draft tool (based on usage)
  • UAR / Role certification Fiori app

Customer Comments

“SAP in reviewing our environment said they rarely see such well organised / structured roles. I wanted to pass on the positive feedback that those SAP subject matter experts gave to me. All the hard work in this space was recognised and appreciated”

“It has been a hard slog (and we are still not quite there yet) but an excellent piece of work completed by Xendl, Financial compliance and the SAP security team and I honestly feel we are approaching best in class.”


Xendl designed and deployed circa 250 global business roles related to jobs / positions across our client's SAP environments, utilising GRC's BRM functionality to introduce a one-to-one job / position-based role design.

SAP Tech utilised

SAP GRC Business Role Management (BRM)


  • Financial / Operational / Compliance
  • Financial / Operational – Huge reduction in time and effort for provisioning access requests, which in turn means starters gain SAP access faster
  • Compliance – Per SAP's licensing team, this exercise has greatly simplified the licensing process. The design principle of least privilege was realised

These changes saved our client an estimated total of £136,808 annually.

Client Information

Business vertical / type

FTSE 100 customer in the Luxury Retail sector

Business size & complexity

10k employees globally, 60% SAP users, 2 ERP systems, S/4 HANA, GRC, BW, Ariba and SuccessFactors
