tenfold Permissions Management
for SAP ERP®

A permissions management solution is only complete if all of a company’s important systems can be integrated. This includes not only the Active Directory® and file servers, but above all, any other important business applications.


The ERP software by SAP (SAP ERP Central Components) is used for all central business processes. SAP is a program that is used to store important information about products, orders, financial data and personal customer data. Business IT departments are responsible for ensuring that mission-critical data are protected from unauthorized access. Therefore, employees who need to work with SAP must be given user names and passwords to authenticate themselves for access. New users must be generated manually in SAP and also be given certain permissions (transaction SU01).

The Challenges of User Management in SAP

This means that users and permissions in SAP must be administered separately from users and permissions in Active Directory. No data exchange between the two systems is provided for, which means that the task of creating, modifying or deleting users and permissions must always be done twice. This approach is very time-consuming and prone to errors. Also, transparency about how and when permissions were assigned, and to whom, can only be maintained by documenting all steps in yet another, external solution – manually, of course. To complicate things even more, there is no user-friendly reporting tool out there that is able to provide a visual summary of permissions for both systems. This is detrimental to data security.
tenfold's SAP ERP plugin is the answer to all of these challenges:

Automated Management

With the SAP ERP plugin, you can automatically create, modify, lock and set permissions for SAP. tenfold implements changes in SAP automatically by using SAP’s standardized BAPI interface. Field contents can also easily be configured using tenfold.

Workflows and Transparency

All related processes are represented as requests. This means that modifications are subjected to workflows that include role owners in the decision-making processes. It is therefore always transparent how and when permissions are assigned by different departments. All changes to SAP users are completely documented in tenfold, which is necessary to comply with legal standards and is regularly checked in audits.


tenfold supports out-of-the-box integration of SAP ERP® (in addition to other ERP solutions). The user’s SAP authorizations can be reported and administered via tenfold. Accesses and authorizations are managed via the tenfold web interface either by the system owner, the superior or the employees themselves via the self-service area.


The SAP® functions are fully integrated into tenfold’s profile functions. This makes it possible to group SAP® authorizations (in addition to authorizations from Active Directory® and other systems) into profiles which can then be assigned to employees on the basis of their department. The permissions assigned in this way are automatically adjusted by tenfold when an employee changes departments. This means that new permissions are assigned automatically and permissions that are no longer required are removed automatically and with a time delay.


You can find out at a glance in which SAP® systems an employee has accounts and which permissions are assigned to this account. This evaluation is available both from the perspective of the person (which systems and permissions does an employee have?) and from the perspective of the permissions (which persons have this permission?). The ability to evaluate both current and historical data facilitates compliance with internal and external audit requirements.

Features in detail

User Creation

  • Automatic creation of new user accounts in SAP.
  • Uniform and automatic setting of user fields in SAP, based on configurable mapping.
  • Automatic definition of the user name, based on configurable rules. The system also checks the user name for duplicates and generates a rule-compliant alternative, if necessary.
  • The duplicate check can be consolidated via Active Directory and all SAP systems, so that a uniform user name can be guaranteed.
  • Specify an initial password according to the password policy and send the initial password to the user, the superior, or any other valid e-mail address.
  • Automatic assignment of permission roles based on department, position or office of the user.


  • User attributes are updated automatically. Changes are logged and historical data remains accessible.
  • Permission roles are adjusted automatically according to department, position or office of the user. Permission roles that are no longer needed are removed automatically. If required, it is possible to set a time for the removal.

Locking and Deleting Users

  • Automatic deactivation of user accounts.
  • Removal of permission roles.
  • Automatic locking or deletion of accounts when the defined leaving date is reached.

Role Management

  • Individual assignment and removal of permission roles for users. This function is available in addition to the automatic assignment function that is based on employee attributes.
  • Changes can be made either by administrators via the administrator interface or by users themselves via the self-service area.
  • Definition of data owners for individual permission roles. The assignment and removal of permission roles can be controlled via workflows.

Password Reset

  • Ability to reset own SAP password via a web portal.
  • Secret questions and/or SMS tokens for user validation.

Other features

  • All changes can be controlled via workflows. The workflows can be managed by the administrator in a graphical editor directly on the web interface.
  • Regular synchronization with the actual data in SAP to record changes that have not been processed via tenfold.
  • Connection of individual systems and ZBV, or any combination thereof, is possible.

System Requirements

  • SAP ERP central components (all versions since 2008).
  • RFC connection between tenfold server and NetWeaver server.
  • Service account for tenfold with BAPI permissions on BAPI_USER_*

SAP authorization via transaction SU01

View SAP Permissions in tenfold

SAP Permissions Report

Request a free trial

It has never been easier to manage and keep track of your users and their access rights in one centralized software. Administrators, managers and your company as a whole will benefit from tenfold, as it provides a transparent overview of all access rights. tenfold can help you comply with standards, like ISO 27000, BSI, etc., and offers worthwhile functions for managing users and access rights.
