Just a few years ago, the enterprise security perimeter ran along firewalls and proxy servers. Anyone found “inside” was treated as trustworthy. Anyone “outside” – as a potential threat. This model has disappeared for good.
In 2026, identity has become the perimeter. Every user, every technical account, every integration with an external system is a potential attack vector. In the SAP ecosystem, where the most sensitive financial, HR and operational data flows, this shift is of fundamental importance. Are we ready for it?
Why has identity become the primary attack surface?
The answer is simpler than it might seem. Modern SAP environments are no longer isolated systems tucked away in the corporate server room. They are distributed ecosystems connecting the public cloud, hybrid solutions, APIs and dozens of applications collaborating through SAP BTP. In such a world, a traditional firewall protects very little.
Attackers no longer need to break through technical defences. It is enough for them to obtain the credentials of a single user with excessive privileges. It is enough to exploit a forgotten technical account that was created years ago “temporarily” and remained forever. It is enough to hijack the session of a business partner who has access to the production SAP system via VPN.
The statistics are unforgiving. According to industry reports, more than 80% of security incidents in ERP environments involve improper access management or credential theft. In the SAP world, where a single transaction can mean a transfer of millions of złoty or a change to data in a central register, the consequences are proportional to the stakes.
Zero Trust – not a slogan, but a change of thinking
The Zero Trust concept assumes a radical change of approach: we trust no one and nothing without continuous verification. It is not enough that a user logged in this morning with the correct password. Every action, every access request, every transaction requires a fresh risk assessment.
In practical SAP terms, this means moving from the question “does this user have the role assigned?” to the question “should this user, at this moment, from this device, in this business context, be able to perform this specific operation?” That is a fundamental difference.
“Zero Trust in a SAP environment is not a technology project with a defined end date. It is a continuous process of building a security culture, where every access is justified, every privilege has a business owner, and every anomaly requires an explanation” – emphasises Jacek Bugajski of SNOK.
Classic SAP roles versus modern identity management
Many organisations still operate on a model where SAP roles are defined once, assigned to users, and practically never reviewed. GRC processes exist on paper, audits take place once a year and end with a list of recommendations that ends up in a drawer.
Meanwhile, a modern approach to identity management requires the integration of several layers. First – a central IAM system that serves as a single source of truth for all accounts in the organisation. Second – automated access certification mechanisms, where business owners regularly confirm the validity of their employees’ privileges. Third – continuous monitoring of user behaviour and anomaly detection.
Combining these layers with the classic SAP role model is not trivial. It requires rethinking the authorisation architecture from the ground up. Instead of hundreds of roles built over years through trial and error, a transparent structure based on business functions is needed. Instead of manually assigning privileges – automation based on user attributes. Instead of an annual audit – continuous recertification.
Concrete risks we see with clients
Our experience working with Polish enterprises allows us to point to several recurring risk patterns.
Excessive privileges are the most common problem. Users accumulate roles over the years – when they change position, they receive new roles, but the old ones remain. After a decade at the organisation, some employees have access to practically everything. The principle of least privilege exists only in theory.
Technical accounts pose a particular threat. Created for integrations, batch scripts or RFC interfaces, they often have privileges far exceeding actual needs. Worse still – they are rarely covered by a password rotation policy, and their activity is not monitored.
Access for external partners and consultants is another attack vector. Companies regularly grant access to production environments to external parties carrying out implementation projects or providing support. Do we know exactly who at the partner company is using these accounts? Is access revoked immediately once the cooperation ends?
Integrations with external systems are multiplying exponentially. Every API connection, every interface with the public cloud, every data exchange with an e-commerce platform is a potential gateway. Do we map all these connections? Do we know what data flows, and in which direction?
A privilege model that actually works
Building an effective identity management model in SAP requires a phased approach. It is not possible to change everything at once – but it is possible to start with the fundamentals.
The first step is inventory. It sounds trivial, but a surprising number of organisations do not know exactly how many active accounts they have in their SAP systems, how many of them are technical accounts, and how many belong to people who left the company long ago. Without this knowledge, further action is shooting in the dark.
The second step is analysis of privilege conflicts – known in SAP terminology as segregation of duties. Can an accountant both create and approve transfers? Does an IT administrator have access to HR data? Identifying critical privilege combinations allows priorities for remediation to be set.
The third step is implementing a recertification process. This is not about formally clicking through checkboxes once a quarter. It is about genuine engagement from business owners who understand why their employees need specific access rights and can justify that need.
“The most effective Zero Trust implementations in a SAP environment combine technology with process. One can have the best identity management tools, but without clearly defined responsibilities and regular access verification, they will remain unused” – notes Jaroslaw Kamil Zdanowski of SNOK.
How does SNOK support clients through this transformation?
Our team specialises in designing and implementing privilege models tailored to the specifics of each organisation. We begin with a diagnostic workshop, during which we map the existing state of access management, identify critical gaps and set business priorities.
We then design the target authorisation architecture – not based on abstract best practices, but grounded in the client’s actual business processes. We create a role matrix that is understandable to process owners while remaining secure from an audit perspective.
We support the implementation of recertification processes that are not a dead document but a living mechanism ensuring continuous access hygiene. We integrate GRC solutions with central identity management systems. We train the client’s teams so they are able to maintain the model independently going forward.
What should you do starting tomorrow?
If you take SAP security seriously, here are three actions you can take immediately.
First – request a report from your SAP system showing all accounts that have not logged in for more than 90 days. Every such account is a potential risk that can be eliminated with a single click.
Second – identify all technical accounts and check who their business owner is. If you cannot name a specific person responsible for a given account – you have a problem that requires urgent resolution.
Third – run a simple test: randomly select five users and check whether you can justify each of their privileges against their current job responsibilities. If you cannot – you have the material for your first optimisation project.
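The inventory, segregation-of-duties check and recertification sample described in the phased model above, and the three actions just listed, can all be run over a plain export of accounts and role assignments. The script below is an added illustration, not SNOK's code or an SAP tool: the account list, role names, owners and SoD rule pairs are constructed sample data (an actual run would use an export from the SAP user information system, for example SUIM); the user type codes follow SAP's convention (A = dialog, B = system, C = communication, S = service). It flags accounts without a logon in the last 90 days, technical accounts with no named business owner, accounts holding a conflicting role pair, and draws a reproducible sample of dialog users with their roles for owner review.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import csv
import io
import random

# Constructed sample export (not real SAP data). Columns mirror a user-list
# report: account, user type (A = dialog, B = system), last logon (empty =
# never logged in), business owner (empty = nobody named).
ACCOUNTS_CSV = """\
account,type,last_logon,owner
JKOWALSKI,A,2026-01-20,
ANOWAK,A,2025-09-03,
RFC_WMS,B,2026-02-01,Logistics / A. Lis
BATCH_OLD,B,,
CONSULT_X,A,2025-04-11,Partner Ltd
MWOJCIK,A,2026-02-09,
"""

# Constructed role assignments; role names are invented for the example.
ASSIGNMENTS_CSV = """\
account,role
JKOWALSKI,FI_PAYMENT_CREATE
JKOWALSKI,FI_PAYMENT_APPROVE
ANOWAK,FI_PAYMENT_CREATE
RFC_WMS,MM_GOODS_MOVEMENT
RFC_WMS,BASIS_ADMIN
BATCH_OLD,BASIS_ADMIN
CONSULT_X,BASIS_ADMIN
CONSULT_X,HR_PERSONNEL_DATA
MWOJCIK,FI_DISPLAY
"""

# Constructed SoD rule set: role pairs one account must not hold together.
SOD_RULES = {
    frozenset({"FI_PAYMENT_CREATE", "FI_PAYMENT_APPROVE"}): "create and approve payments",
    frozenset({"BASIS_ADMIN", "HR_PERSONNEL_DATA"}): "IT admin with HR data access",
}

TECHNICAL_TYPES = {"B", "C", "S"}   # SAP user types: system, communication, service
AS_OF = date(2026, 2, 15)           # reference date for the dormancy check (constructed)


@dataclass
class Account:
    name: str
    utype: str
    last_logon: Optional[date]
    owner: str


def load_accounts(text: str) -> list:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        last = date.fromisoformat(row["last_logon"]) if row["last_logon"] else None
        out.append(Account(row["account"], row["type"], last, row["owner"].strip()))
    return out


def load_assignments(text: str) -> dict:
    roles = {}
    for row in csv.DictReader(io.StringIO(text)):
        roles.setdefault(row["account"], set()).add(row["role"])
    return roles


def dormant_accounts(accounts, as_of: date, max_days: int = 90) -> list:
    """Inventory step / action 1: accounts that never logged in or not within max_days."""
    return sorted(a.name for a in accounts
                  if a.last_logon is None or (as_of - a.last_logon).days > max_days)


def unowned_technical_accounts(accounts) -> list:
    """Action 2: technical accounts with no named business owner."""
    return sorted(a.name for a in accounts if a.utype in TECHNICAL_TYPES and not a.owner)


def sod_conflicts(roles_by_user: dict, rules=SOD_RULES) -> dict:
    """SoD step: which accounts hold a complete conflicting role pair."""
    hits = {}
    for user, roles in roles_by_user.items():
        for pair, label in rules.items():
            if pair <= roles:
                hits.setdefault(user, []).append(label)
    return hits


def recertification_sample(accounts, roles_by_user: dict, k: int = 5, seed: int = 0) -> dict:
    """Action 3: reproducible random sample of dialog users with their roles for owner review."""
    dialog = sorted(a.name for a in accounts if a.utype == "A")
    picked = random.Random(seed).sample(dialog, min(k, len(dialog)))
    return {u: sorted(roles_by_user.get(u, ())) for u in picked}


def run_report(as_of: date = AS_OF) -> dict:
    accounts = load_accounts(ACCOUNTS_CSV)
    roles = load_assignments(ASSIGNMENTS_CSV)
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "unowned_technical": unowned_technical_accounts(accounts),
        "sod": sod_conflicts(roles),
        "sample": recertification_sample(accounts, roles),
    }


if __name__ == "__main__":
    for section, result in run_report().items():
        print(f"{section}: {result}")
```

The dormancy and ownership checks are per account, while the SoD check needs the full role set per account, which is why assignments are grouped before the rules are applied; a real rule set would be expressed at the level of transactions or authorisation objects rather than role names, but the subset test is the same.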
Identity is the new perimeter. In a world where network boundaries have ceased to exist, the only effective line of defence is precise management of who has access to what, and why. In the SAP ecosystem, this principle matters twice over.
Do you have questions about identity and access management in a SAP environment? Would you like to carry out a security audit of your system? Contact the SNOK team – we will help you build a Zero Trust model that actually works.
Would you like to see this in practice or discuss implementation at your company? Contact us – we will reply within 48 hours.