Security as a Process

90% of SAP authorization concepts only work on paper – here’s why.

A few years ago, I was in a go-live war room, we were all staring a bit nervously at the screen.
Everything ran smoothly – until one user brought the system to a halt.
The reason? Incorrect authorizations, “temporarily” granted… and never revoked.

That was the moment I realized:
🧾 Authorization concepts often look great – in documentation, slides, and audit reports.

But what truly matters is the lived reality:
🧪 Who regularly checks actual usage?
📆 Who verifies that “temporary” really means temporary?
🧭 Who truly owns role maintenance?

Since then, I’ve worked on many SAP projects and learned one key thing:

Security isn’t a state. It’s a process – driven by real people.