TL;DR: SAP role accumulation, emergency access that is never revoked, and weak segregation of duties reviews create a repeatable fraud path in manufacturing environments, according to OpenIAM’s analysis, with audit findings ranging from reportable deficiencies to material payment and journal-entry abuse. The control failure is not SAP itself but governance that allows conflicting roles to coexist unchecked.
NHIMG editorial — based on content published by OpenIAM: The 5 most dangerous SoD conflicts in SAP and what they could cost your manufacturing company
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: What breaks when SAP users can create and approve their own transactions?
A: Independent control breaks down.
Q: Why do SoD conflicts keep appearing even when access was originally justified?
A: Because role accumulation is normal in real organisations.
Q: How can IAM teams reduce SAP fraud risk without slowing operations?
A: By separating creation, approval, and execution into distinct identities and then applying risk-based compensating controls where teams are small.
Practitioner guidance
- Rebuild SAP SoD rules around transaction combinations Map the exact T-code pairings that create end-to-end fraud paths, then test those pairs across every role and derived role in the system.
- Separate supplier maintenance from payment execution Remove payment-run access from anyone who can create or change vendor masters, and require a named second approver before any disbursement file is generated.
- Enforce independent approval for purchase orders and journal entries Configure workflows so the preparer cannot release their own purchase order or approve their own journal entry, with the system blocking the combination rather than relying on policy.
What's in the full article
OpenIAM's full article covers the operational detail this post intentionally leaves for the source:
- Exact SAP transaction codes and authorization objects for each of the five SoD conflicts
- Plain-language fraud scenarios that map each conflict to a specific manufacturing control failure
- Remediation guidance for each conflict, including compensating controls for small teams
- The full manufacturing rule set across FI, MM, SD, PP, CO, QM, Basis, HR/Payroll, and Plant Maintenance
👉 Read OpenIAM's analysis of the five most dangerous SAP SoD conflicts →
SAP SoD conflicts in manufacturing: what IAM teams need to fix?
Explore further
Segregation of duties fails first as an identity problem, not an audit problem. The post’s real lesson is that SAP role design creates a governance dependency on continuous entitlement review. Once emergency access, promotions, and temporary coverage accumulate, the conflict is already present even if no one intended abuse. Practitioners should treat SoD as lifecycle governance across human access, not a point-in-time audit exercise.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who should own SoD remediation when auditors find conflicts?
A: The business process owner should own the remediation, with IAM and security enforcing the access change. Audit can identify the issue, but finance, procurement, or plant leadership must decide whether to redesign the workflow, add countersignature controls, or remove conflicting access.
👉 Read our full editorial: SAP segregation of duties conflicts expose manufacturing control gaps