Custom Segregation of Duties Analysis Tool for SAP S/4HANA Public Cloud
Marze, Lou
Promotor(s) : Donnet, Benoît
Date of defense : 8-Sep-2025/9-Sep-2025 • Permalink : http://hdl.handle.net/2268.2/24731
Details
| Title : | Custom Segregation of Duties Analysis Tool for SAP S/4HANA Public Cloud |
| Author : | Marze, Lou |
| Date of defense : | 8-Sep-2025/9-Sep-2025 |
| Advisor(s) : | Donnet, Benoît |
| Committee's member(s) : | Leduc, Guy; Mathy, Laurent |
| Language : | English |
| Discipline(s) : | Engineering, computing & technology > Computer science |
| Funders : | Deloitte |
| Target public : | Student |
| Institution(s) : | Université de Liège, Liège, Belgium |
| Degree: | Master in computer science, with a specialized focus in "computer systems security" |
| Faculty: | Master thesis of the Faculté des Sciences appliquées |
Abstract
This thesis, entitled Custom Segregation of Duties Analysis Tool for SAP S/4HANA Public Cloud, was conducted in collaboration with Deloitte Belgium within the SAP Security team. It addresses the need for a cost-efficient and reliable solution to perform Segregation of Duties (SoD) risk analysis in SAP S/4HANA Public Cloud environments. The official SAP Identity Access Governance (IAG) tool is considered too expensive and complex, leading many clients to rely on manual verification processes.
The main objective of this work is to design, implement, and evaluate a tool capable of detecting SoD conflicts and Critical Actions (CA) based on SAP Public Cloud role and permission data. The tool produces clear reports to support Deloitte consultants in risk remediation, while ensuring correctness, usability, and scalability in line with the SAP authorization model.
The solution was developed as a standalone Python application with a graphical user interface, structured into four stages: input processing, risk detection logic, user interface, and output reporting. It relies on seven Excel input files, four extracted from SAP S/4HANA Public Cloud and three manually configured as a ruleset. The outputs include both raw data and formatted Excel reports highlighting SoD and CA risks. Validation was carried out using anonymized client datasets and synthetic inputs, with performance assessed through execution time analysis across varying numbers of users, roles, catalogs, and permissions.
The experimental results show that execution time scales linearly with the number of roles and slightly sub-linearly with the number of users. The number of actions has negligible impact on performance, whereas permissions induce superlinear growth, reflecting higher computational costs for large permission sets. The generated reports provide Deloitte teams with practical, user-friendly risk overviews at user, role, and catalog levels.
The contributions of this thesis include the delivery of a functional and validated SoD analysis tool for SAP S/4HANA Public Cloud, a cost-effective alternative to SAP IAG tailored to Deloitte’s consulting needs, and a systematic evaluation of complexity and performance in SoD analysis.
Finally, possible extensions of this work include larger-scale performance optimization, analysis of ruleset complexity, and integration with cloud-native platforms to enable broader deployment and adoption in production environments.
File(s)
Document(s)
Thesis_Lou_Marze.pdf
Size: 5.06 MB
Format: Adobe PDF
The University of Liège does not guarantee the scientific quality of these students' works or the accuracy of all the information they contain.


