How does the European GDPR affect my Roles and Authorizations?

What is GDPR?

GDPR is the General Data Protection Regulation of the European Union. The regulation becomes active on May 25, 2018. GDPR will not only affect businesses in Europe; it also applies to organizations that do business with European customers. Business in that sense means trading goods or services to customers in the European Union. GDPR sets new guidelines on how an organization deals with the information of customers, prospects and also employees.

Once the regulation becomes active, the EU will begin to enforce all of the 99 articles that exist in the GDPR. If an organization does not comply with those articles, the EU can enforce penalties that include fines of up to 4% of annual global turnover, to a maximum of EUR 20,000,000.

GDPR consists of 11 chapters with a total of 99 articles. At least three of these articles, Articles 25, 28 and 32, affect the roles and authorizations in your SAP system:

  • Article 25 addresses Data Protection By Design and Default,
  • Article 28 addresses Security of processing, and
  • Article 32 talks about the Processor.

Why GDPR may affect your SAP system

Your SAP system stores a huge amount of data, including data that, according to the new GDPR guidelines, must be protected from unauthorized use. That data includes personal data such as first and last names, dates of birth, addresses, social security numbers, etc. According to GDPR, organizations must protect such information.

How to comply with GDPR?

It is not only essential to understand the impact and consequences of GDPR, but also to know how to be compliant with the new regulation. You must learn where critical data is stored and how to protect that data from unauthorized access using proper roles and authorizations. Ultimately, your authorization concept impacts whether you are protecting your SAP data according to the new guidelines, or not.

In addition to end-user authorizations, you must protect all RFC interfaces that send, receive, and transfer data from one system to another. As a result, assigning the powerful SAP_ALL authorization profile to RFC users inherently increases the risk of falling out of compliance with GDPR. That is why Xiting recommends taking a close look at all your RFC interfaces and hardening them, if necessary.
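The check described above, finding non-dialog (RFC, system or service) users that still carry the SAP_ALL profile, can be scripted against a user-master and profile-assignment extract. The script below is an added example, not Xiting's or SAP's code: it assumes two CSV extracts shaped like the USR02 (user type) and UST04 (user-to-profile assignment) tables, and the rows embedded in it are constructed sample data. SAP_NEW is included alongside SAP_ALL as a second broad profile worth flagging; the page itself mentions only SAP_ALL.

```python
"""Flag non-dialog (RFC/system/service) users that hold the SAP_ALL or SAP_NEW profile.

Added example, not Xiting's or SAP's code. Assumes CSV extracts of
USR02 (BNAME, USTYP) and UST04 (BNAME, PROFILE); the rows below are constructed.
"""
import csv
import io

# USR02.USTYP values: A=dialog, B=system, C=communication, S=service, L=reference.
# Only non-dialog types are RFC/background candidates for this check.
NON_DIALOG_TYPES = {"B", "C", "S"}
# Broad profiles that should never sit on an interface user.
POWER_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed sample extract of USR02.
USR02_CSV = """BNAME,USTYP
JSMITH,A
RFC_HR_SYNC,B
RFC_CRM_LINK,C
BATCH_JOBS,S
ADMIN01,A
"""

# Constructed sample extract of UST04.
UST04_CSV = """BNAME,PROFILE
JSMITH,Z_HR_DISPLAY
RFC_HR_SYNC,SAP_ALL
RFC_CRM_LINK,Z_RFC_CRM
RFC_CRM_LINK,SAP_NEW
BATCH_JOBS,Z_BATCH
ADMIN01,SAP_ALL
"""


def load_user_types(csv_text):
    """Map user name -> USTYP from a USR02-style extract."""
    return {row["BNAME"]: row["USTYP"] for row in csv.DictReader(io.StringIO(csv_text))}


def load_profiles(csv_text):
    """Map user name -> set of assigned profiles from a UST04-style extract."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        profiles.setdefault(row["BNAME"], set()).add(row["PROFILE"])
    return profiles


def find_overprivileged_rfc_users(usr02_csv, ust04_csv):
    """Return sorted (user, type, profile) tuples for non-dialog users holding a power profile."""
    types = load_user_types(usr02_csv)
    profiles = load_profiles(ust04_csv)
    findings = []
    for user, utype in types.items():
        if utype not in NON_DIALOG_TYPES:
            continue  # dialog users are reviewed separately, not part of this RFC check
        for prof in sorted(profiles.get(user, set()) & POWER_PROFILES):
            findings.append((user, utype, prof))
    return sorted(findings)


if __name__ == "__main__":
    for user, utype, prof in find_overprivileged_rfc_users(USR02_CSV, UST04_CSV):
        print(f"{user} (type {utype}) holds {prof}: replace with a task-specific role")
```

On the constructed data the check reports RFC_HR_SYNC (SAP_ALL) and RFC_CRM_LINK (SAP_NEW); ADMIN01 also holds SAP_ALL but is a dialog user and so falls under the end-user review rather than the RFC hardening step. Each finding is a candidate for replacing the broad profile with a role limited to the function modules and authorization objects the interface actually needs.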


How can Xiting help you?

The Xiting Authorizations Management Suite (XAMS) is an innovative solution to safely, quickly and efficiently redesign the roles and authorizations of dialog and RFC users. The XAMS eliminates most of the time-consuming tasks, significantly improving your chances to comply with GDPR by May 25. With the XAMS, you can:

  • Detect vulnerabilities in your custom code that allow access to sensitive data
  • Build roles and authorizations in SAP standard – complying with GDPR
  • Test the new role design in production without impacting business users – no business-user time has to be allocated to testing
  • Harden your RFC interfaces and document them according to GDPR guidelines
  • Apply best practices to speed up the redesign project with XAMS Quick Start – a rapid deployment solution
  • Automatically create and verify your SAP Security concept – get ready for an audit


If your SAP system is not yet fully compliant with the new guidelines of the European Union, don’t panic, but don’t waste any more time either. Contact us to find out how the XAMS can help you.