TL;DR: SAP security is shifting from basic access governance to integrated, SAP-native controls as organisations modernise into S/4HANA and SaaS, according to Pathlock’s analyst report. Traditional role management alone no longer covers segregation of duties, firefighter access, and compliance demands across hybrid estates.
NHIMG editorial — based on content published by Pathlock: Leadership Compass for SAP Access Control and Security
Questions worth separating out
Q: How should teams govern SAP access in hybrid environments?
A: Teams should govern SAP access with SAP-aware entitlement models, SoD analysis, and privileged session controls rather than generic directory-based access rules.
Q: Why do role-based controls often fail to secure SAP properly?
A: Role-based controls fail when they stop at provisioning and do not evaluate conflicting business actions, emergency access, or process drift.
Q: What should organisations check before approving firefighter access in SAP?
A: Organisations should check the business justification, approval path, session logging, and post-use review for every firefighter request.
Practitioner guidance
- Re-baseline SAP access models around business processes Rebuild entitlement mappings so each role reflects the current SAP transaction set, SoD constraints, and business function it supports, especially after S/4HANA or SaaS migration.
- Make firefighter access fully auditable Require ticket reference, approval, session logging, and post-use review for every emergency access event, and tie it to the same governance workflow used for privileged access.
- Run SoD conflict reviews inside SAP context Do not rely on directory-level role checks alone.
What's in the full report
Pathlock's full analyst report covers the operational detail this post intentionally leaves for the source:
- Vendor-by-vendor evaluation criteria for SAP access control and security capabilities
- Detailed discussion of SoD, firefighter access, and role management features in SAP environments
- Market positioning language and analyst scoring that support procurement comparisons
- Capability breakdowns that help teams benchmark their current SAP security stack
👉 Read Pathlock's analyst report on SAP access control and security leadership →
SAP access control in hybrid environments: what changes now?
Explore further
SAP security has outgrown traditional access governance. The report reflects a broader market reality: modern SAP estates need application-aware security, not just identity administration. When organisations move into S/4HANA and SaaS, access governance alone does not capture SoD risk, privileged activity, or compliance evidence. The practitioner conclusion is that SAP must be treated as a specialised governance domain inside the wider identity programme.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly governance breaks when entitlement sprawl is not tightly controlled.
A question worth separating out:
Q: Who is accountable for SoD failures in SAP environments?
A: Accountability sits with the business owner of the process, the SAP security team that defines controls, and the governance function that validates exceptions. SoD failures are not only technical misconfigurations, they are control design and review failures. If conflicting access is allowed to persist, accountability must be traced to both the approver and the control owner.
👉 Read our full editorial: SAP access control in hybrid environments needs deeper governance