Customize SAP roles based on an SAP authorization trace

Release Notes


Efficient generation of SAP roles


Change SAP authorizations easily and automatically


Reduction of historically grown roles to the essential

Customized roles and authorization on a tap


Create SAP roles quickly, easily and precisely

Do you know that? Your department expects you to create complex SAP authorizations without having been sufficiently informed about the business context. This often leads to errors and time-consuming work, which slows down the development process of PFCG roles.

On the other hand, there are also users who have too extensive SAP authorizations. These may contain critical SAP authorizations and SoD conflicts. If these are technical users, this situation poses a high security risk. If the user is hijacked, there is often unrestricted access to a large number of connected systems.

To minimize these risks, it is recommended that you develop PFCG roles from an SAP authorization trace. This is often time-consuming and error-prone due to the many manual entries. An SAP authorization trace can contain hundreds of authorization objects, each of which can have up to ten values. There are also various options for assigning an asterisk to authorizations to speed up the process. It quickly becomes apparent that with a large SAP authorization trace, the development of compliance-compliant PFCG roles can take hours.

SECMENDO.authority_generator creates custom-fit SAP roles fully automatically in just a few steps. It imports an SAP authorization trace of the type STAUTHTRACE and ST01 and creates a role file with the SAP authorizations required by the user after a few manually entered parameters.

In addition, an existing PFCG role can be extended with a trace and regenerated. If you want to revise existing roles, for example with many manual authorization objects, you can regenerate the role in the SAP standard by selecting a predefined SAP standard SU24, or by uploading a customer-specific SU24.

This speeds up the adjustment of the authorizations of the roles enormously, especially during an upgrade or release change, since the PFCG roles are simply regenerated with the new authorizations and those of the old role. The role can be configured as required using the input parameters and then only needs to be imported into the PFCG.

SAP roles are thus created or changed within a few minutes.

Register here

Fast creation of tailored SAP authorizations

  • Execute SAP authorization trace

  • Import trace into SECEMENDO.authority_generator

  • Generate SAP roles

  • Import role file into SAP system

  • Done

Increased security in SAP authorizations

  • Job-related creation of SAP authorizations based on a trace

  • Remove unused SAP authorizations from the role

  • The role now only contains SAP authorizations that are really needed

Price Plan


Start for free

Register now

Annual License

From 300 EUR p.a.

Ask for a proposal

Want to know more about SECMENDO.authority_generator?

Please complete the form and submit it. We'll get back to you as soon as possible.

Do you already know the other products from our SECMENDO suite?


Clean up with historically grown roles and authorizations


Increased employee productivity and relief for the IT department


User-friendly interfaces for managing roles and permissions in just 5 minutes


User-friendly and fast processing of work items from the UWL


24/7 monitoring of your SAP IdM landscape and provisioning processes

Audits and reports on a tap


System-wide automation, on-premise and in the cloud

IBsolution_kurze Entscheidungswege


Real-time validation of user entries