TL;DR: Manual SAP segregation of duties checks break down when PFCG roles, derived roles, organizational values, and cross-system access combine to create conflicts that spreadsheets cannot keep current, according to SafePaaS. Sustainable governance depends on rule logic tied to SAP authorization paths, preventive checks before provisioning, and repeatable evidence for audit.
NHIMG editorial, based on content published by SafePaaS: How to Check Segregation of Duties in SAP Without Losing Control or Living in Spreadsheets
Questions worth separating out
Q: How should teams check segregation of duties in SAP without spreadsheets?
A: They should use repeatable analysis tied to SAP authorization logic, not static exports.
Q: Why do SAP SoD conflicts keep reappearing after remediation?
A: They reappear because the root cause often sits in role design, copied templates, organizational values, or access combinations across systems.
Q: What do security teams get wrong about SoD in S/4HANA?
A: They often over-focus on what users see in the interface and undercount backend execution paths.
Practitioner guidance
- Define SoD rules from SAP authorization logic: base rules on authorization objects, organizational values, and derived role behaviour so the analysis reflects actual execution power rather than transaction names.
- Include non-transactional access paths in review: assess Fiori catalogs, OData services, CDS views, background jobs, and APIs alongside classic transactions so hidden execution routes do not escape the control.
- Run preventive checks before provisioning: simulate role assignments and role redesigns before they reach production, and block combinations that would create toxic access at go-live.
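The three guidance points above describe one procedure: express rules on authorization objects and organizational values, let them see access that has no transaction code, and run them before a role is assigned. The following Python is an added example written for this post, not SafePaaS's code or any SAP API. The authorization object names (S_TCODE, F_BKPF_BUK, F_LFA1_BUK) and activity codes (ACTVT 01 create, 02 change, 03 display) are real SAP conventions; the Z_* roles, the capability definitions, the rule id P2P-01 and the users are constructed, and the authorization model is simplified (single values and wildcards only, no value ranges or composite roles).

```python
"""Rule-based SoD analysis over SAP-style authorization data (added example).

Object names and ACTVT codes follow SAP conventions; roles, rules and users
below are constructed sample data, not taken from any real system.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple

# One authorization: (object name, field -> allowed values). '*' and patterns
# such as '1*' are matched the way SAP wildcards behave.
Authorization = Tuple[str, Dict[str, Set[str]]]
ORG_FIELD = "BUKRS"  # company code: the organizational level the rules are scoped to


@dataclass
class Role:
    name: str
    authorizations: List[Authorization] = field(default_factory=list)
    parent: Optional["Role"] = None                      # set for derived roles
    org_overrides: Dict[str, Set[str]] = field(default_factory=dict)

    def effective(self) -> List[Authorization]:
        """Derived roles inherit the parent's authorizations; organizational
        fields (e.g. BUKRS) are replaced by the derived role's own values."""
        inherited = self.parent.effective() if self.parent else []
        result = []
        for obj, fields in inherited + self.authorizations:
            fields = {k: self.org_overrides.get(k, v) for k, v in fields.items()}
            result.append((obj, fields))
        return result


def _matches(value: str, allowed: Set[str]) -> bool:
    return any(fnmatchcase(value, pattern) for pattern in allowed)


# A capability is execution power stated on an authorization object, never on a
# transaction name, so Fiori/OData-granted access is caught by the same rule.
CAPABILITIES: Dict[str, Tuple[str, Dict[str, Set[str]]]] = {
    "MAINTAIN_VENDOR":     ("F_LFA1_BUK", {"ACTVT": {"01", "02"}}),
    "POST_VENDOR_INVOICE": ("F_BKPF_BUK", {"ACTVT": {"01"}}),
}
# (rule id, capability A, capability B): a conflict exists only where both
# capabilities apply to the same organizational value.
RULES = [("P2P-01", "MAINTAIN_VENDOR", "POST_VENDOR_INVOICE")]


def capability_scope(auths: List[Authorization], cap: str) -> Set[str]:
    """Company codes (or wildcards) in which these authorizations grant `cap`."""
    obj, required = CAPABILITIES[cap]
    scope: Set[str] = set()
    for auth_obj, fields in auths:
        if auth_obj != obj:
            continue
        if all(any(_matches(v, fields.get(f, set())) for v in vals)
               for f, vals in required.items()):
            scope |= fields.get(ORG_FIELD, set())
    return scope


def org_overlap(a: Set[str], b: Set[str]) -> Set[str]:
    """Values of a covered by b and vice versa; '*' on both sides overlaps everywhere."""
    return {x for x in a if _matches(x, b)} | {y for y in b if _matches(y, a)}


def find_conflicts(roles: List[Role]) -> List[Tuple[str, Set[str]]]:
    """Evaluate every rule over the user's effective authorizations."""
    auths = [a for r in roles for a in r.effective()]
    hits = []
    for rule_id, cap_a, cap_b in RULES:
        overlap = org_overlap(capability_scope(auths, cap_a), capability_scope(auths, cap_b))
        if overlap:
            hits.append((rule_id, overlap))
    return hits


def simulate_assignment(current: List[Role], proposed: Role):
    """Preventive check: returns (approve?, conflicts the assignment would add)."""
    before = {rid: scope for rid, scope in find_conflicts(current)}
    added = []
    for rid, scope in find_conflicts(current + [proposed]):
        new_values = scope - before.get(rid, set())
        if new_values:
            added.append((rid, new_values))
    return (not added, added)


# --- constructed sample roles (hypothetical Z_* names) -----------------------
AP_INVOICE_TEMPLATE = Role("Z_AP_INVOICE", [
    ("S_TCODE",    {"TCD": {"FB60"}}),
    ("F_BKPF_BUK", {"BUKRS": {"*"}, "ACTVT": {"01", "03"}}),
])
AP_INVOICE_1000 = Role("Z_AP_INVOICE_1000", parent=AP_INVOICE_TEMPLATE, org_overrides={"BUKRS": {"1000"}})
AP_INVOICE_2000 = Role("Z_AP_INVOICE_2000", parent=AP_INVOICE_TEMPLATE, org_overrides={"BUKRS": {"2000"}})
# Vendor maintenance granted via a Fiori catalog: no S_TCODE entry at all, so a
# transaction-name check would never see it; the authorization object still does.
VENDOR_FIORI_1000 = Role("Z_VENDOR_FIORI_1000", [("F_LFA1_BUK", {"BUKRS": {"1000"}, "ACTVT": {"01", "02", "03"}})])
VENDOR_DISPLAY = Role("Z_VENDOR_DISPLAY", [("F_LFA1_BUK", {"BUKRS": {"*"}, "ACTVT": {"03"}})])

if __name__ == "__main__":
    alice = [AP_INVOICE_2000, VENDOR_FIORI_1000]      # posts in 2000, maintains vendors in 1000
    print("alice today:", find_conflicts(alice))     # [] : different company codes
    print("assign Z_AP_INVOICE_1000:", simulate_assignment(alice, AP_INVOICE_1000))  # blocked in 1000
```

Because the rule is written against F_LFA1_BUK and F_BKPF_BUK rather than FB60 or a vendor-master transaction, the Fiori-only role is evaluated on equal terms with the classic one, and the org-value overlap keeps a cross-company-code combination from being flagged as a false positive. The simulation returns only the conflicts a proposed assignment would introduce, which is the list a provisioning workflow would block on.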
What's in the full article
SafePaaS's full blog post covers the operational detail this summary intentionally leaves to the source:
- How SafePaaS structures centralized SoD rule governance across SAP authorization logic and security snapshots
- How preventive SoD simulation works during provisioning and role redesign before access reaches production
- How cross-system SoD visibility is handled when business processes span SAP and non-SAP environments
- How audit evidence is produced from normal operations rather than from a separate spreadsheet exercise