Users and permissions in SAP must be managed parallel to users and permissions in Active Directory. There is no form of data exchange between the two systems, which means that users and permissions must always be created, modified and deleted twice – once in SAP and once in AD. Not only does this task consume disproportionate amounts of time, it also significantly increases the risk of mistakes. Transparency as to how, when and to whom access rights were assigned must be maintained by documenting all steps in yet another, external solution – and manually, of course; to complicate things even further, there is no reporting tool available that is both user-friendly and able to provide a visual summary of access rights for both systems. All of this is detrimental to data security.