The Risk Control Framework (CRAF) by Xiting AG – Put an end to critical authorizations and Segregation of Duties (SoD)!

Even in highly developed business environments, the challenges of authorization management and the prevention of conflicts in roles and permissions for end-users are ever-present. In the pursuit of efficient and secure access controls, we have created our Critical Authorizations Framework (CRAF) as a tool for risk minimization and compliance optimization through the possibility of a customer-specific risk control framework. Managing critical authorizations and Segregation of Duties (SoD) conflicts can pose a significant challenge for companies that need to protect sensitive data while ensuring operational efficiency. SAP Security is more than just a technical term; it forms the backbone of modern business infrastructures. In today’s digital landscape, where data is synonymous with power, protecting that data is of the utmost priority.

Therefore, in this blog post, we will thoroughly examine how the CRAF Risk Control Framework from Xiting helps companies overcome these challenges and achieve comprehensive control and security for their authorization landscape. The Xiting CRAF tool is a comprehensive tool in the field of risk analysis to enhance your SAP security. But what makes it so special? What significance does holistic system security have? What opportunities are offered to you in the context of SAP Security and a customer-specific framework? What support is provided for your access management? How can you use CRAF independently or in the context of other modules within XAMS? Let’s dive into the topic together.

If you’ve ever wondered about the most common and essential SAP tables in the context of SAP Security, you can download my list of the “TOP 50 SAP Security Tables” for free. In my blog post “THE TOP 20 SAP IT BASE TABLES WITH SPECIAL PROTECTION REQUIREMENTS IN SAP S/4HANA”, I delve into table authorizations and their need for protection in more detail. Enjoy reading!

The Significance of Comprehensive SAP System Security

Before turning our attention to the Xiting CRAF Tool, it is crucial to understand the value of a holistic approach to SAP system security. SAP systems are not just warehouses for company data; they are ecosystems seamlessly interacting with other systems, third-party applications, platforms, and even cloud applications. An isolated focus on security is not sufficient. Recognizing, analyzing, and defending against threats on multiple fronts is key. However, what exactly should you pay attention to, and what threats could impact your overall SAP system security? Therefore, I have previously outlined five important thematic areas in the world of SAP security that need consideration:

Protection against Data Loss and Cyber Attacks

SAP systems contain a wealth of corporate data, including sensitive financial information, customer details, and mission-critical processes. Comprehensive protection against data loss and cyber attacks is, therefore, crucial. Holistic SAP system security ensures that data integrity, confidentiality, and availability are guaranteed at all times.

Compliance with Regulations and Standards

Many industries and regions have strict regulations and compliance requirements that businesses must adhere to. Robust SAP system security ensures compliance with these regulations, whether it’s GDPR in Europe, HIPAA in healthcare, or other industry-specific mandates. This minimizes the risk of penalties and legal consequences.

Prevention of Insider Threats

In addition to external threats, the prevention of insider threats is also of great importance. With comprehensive system security, companies can detect over-entitlements or suspicious activities and respond before harm occurs. This helps prevent potential data leaks and sabotage by employees.

Control over Authorizations and Access

The assignment and management of authorizations in SAP ERP and S/4HANA systems can be complex. Holistic system security enables companies to maintain control over specific authorizations and access. This means that only authorized employees can access certain data and functions, minimizing the risk of misuse and errors.

Advanced Technologies and Solutions

The security landscape is constantly evolving, and it’s crucial to keep pace. Holistic SAP system security leverages advanced technologies and solutions to detect and combat threats early on. This includes Intrusion Detection Systems, encryption technologies, advanced authentication methods, and sophisticated analysis and monitoring tools like the Xiting CRAF.

The Xiting CRAF

The Xiting CRAF Tool is not just another security product; it’s a revolution. It allows companies to protect themselves against threats and, at the same time, provides integral tools to proactively monitor and manage their entire SAP security infrastructure. The CRAF is not only relevant for your current security landscape. With its adaptability and scalability, it is ready to tackle future security challenges, perform clear risk assessments, and ensure sustainable authorization concepts in the long term. As companies grow and evolve, the need for robust security systems persists. The CRAF Tool will be at the forefront to ensure that your SAP systems are protected. The tool can identify vulnerabilities in your current role and authorization management within seconds and provide improvement suggestions to enhance the security of your SAP system.

“The Best Practice Framework by Xiting AG”

Overall, the best practice CRAF framework by Xiting AG provides comprehensive and proven content for the numerous challenges within SAP authorization analysis. It demonstrates how over 50 years of developer experience and the successful implementation of hundreds of authorization projects can be transformed into a powerful tool that helps your company succeed in a constantly changing business world. Through the careful integration of proven practices and authorization analyses from various projects in different industries and company sizes, the CRAF framework offers a practical solution to your challenges. It already considers diverse requirements and compliance standards that companies are exposed to today and ensures they can meet them. With this best practice framework, you can start your system analysis right after importing the tool and gradually enrich it with your customer-specific parameters. For example, you can perform a comprehensive check on the most critical aspects in your roles or for users using our CRIT_01 analysis variant right out of the box. Whether you want to review extensive HCM authorizations or even analyze data protection access in your roles according to GDPR to protect personal data, no problem – use our predefined analysis variants, as shown in Figure 1.

Figure 1: Xiting Best Practice Analysis Variants

With SAP’s change to the licensing model for SAP S/4HANA, proper authorization management and role-based authorization assignment to business units are more important than ever, especially considering the cost aspect. In short, assigned authorizations will in the future be priced down to the object level. With our CRAF, you can prepare for this new mandatory licensing process directly before the changeover and thus avoid very high costs.

Creation of a Custom Framework

Every company is unique, and so are its security needs. With the increasing number of applications and systems, the need to efficiently and securely manage complex SAP authorization concepts grows. In conjunction with Xiting CRAF, you can quickly and easily create custom frameworks for your specific business processes and systems. This involves not only defining pure access rights but also incorporating company-specific security standards, requirements from business units, and external compliance requirements. What makes Xiting CRAF special is its high flexibility: companies can adjust their own frameworks at any time to precisely match their individual needs and challenges. The result is a tailored security mechanism that not only provides protection but also significantly reduces administrative overhead.

Think of a pharmaceutical company subject to strict international or GxP regulations, or a FinTech startup dealing with both innovative technologies and banking regulations. The CRAF allows both to customize individual security frameworks while ensuring that their authorizations remain compliant and that the applicable requirements are adhered to. If you want a differentiated view between individual departments, as shown in Figure 2, you can also implement this with CRAF.

Figure 2: Create Custom Analysis Variants in Xiting CRAF

Examination down to the Authorization Object Value Level

In the world of IT security, the devil is often in the details. Therefore, at the core of the Xiting CRAF Tool is the understanding that security is not solely based on surface transactions or SAP Fiori apps. While controlling user rights at a high level is important, the actual risks often hide at a granular level. This is precisely where Xiting CRAF comes in. With its ability to conduct examinations down to the authorization object value level, it provides companies with incredible depth in security checks. This opens the possibility to identify even subtle anomalies or potential security gaps that might be overlooked in conventional checks. For example, ensuring a restriction of background job administration rights isn’t just about revoking transactions SM36 or SM65 but also keeping an eye on the relevant authorization object and its values. With CRAF, you can directly create an authorization ID for your desired access scenario or utilize pre-delivered IDs, as shown in Figure 3.

Figure 3: Selection of Authorization IDs

Within this ID, you then declare, down to the authorization value level, which granular SAP authorizations are critical for this scenario.

Figure 4: Detail of the Authorization ID for Background Job Administration
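The following sketch illustrates why a value-level check finds what a transaction-code check misses. It is an added example, not Xiting's code and not CRAF's rule format. The authorization objects S_BTCH_ADM and S_BTCH_JOB and their fields are standard SAP objects that the article does not name; the role names, rule IDs and sample rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed rows: (role, object, authorization instance, field, low, high).
ROWS = [
    ("Z_BASIS_ADMIN", "S_TCODE",    "T1", "TCD",       "SM36", ""),
    ("Z_BASIS_ADMIN", "S_BTCH_ADM", "A1", "BTCADMIN",  "Y",    ""),
    ("Z_JOB_VIEWER",  "S_BTCH_ADM", "A1", "BTCADMIN",  "N",    ""),
    ("Z_NO_TCODE",    "S_BTCH_ADM", "A1", "BTCADMIN",  "*",    ""),  # no SM36, still critical
    ("Z_SPLIT",       "S_BTCH_JOB", "J1", "JOBACTION", "RELE", ""),
    ("Z_SPLIT",       "S_BTCH_JOB", "J1", "JOBGROUP",  "FIN",  ""),
    ("Z_SPLIT",       "S_BTCH_JOB", "J2", "JOBACTION", "SHOW", ""),
    ("Z_SPLIT",       "S_BTCH_JOB", "J2", "JOBGROUP",  "*",    ""),
    ("Z_OPS",         "S_BTCH_JOB", "J1", "JOBACTION", "*",    ""),
    ("Z_OPS",         "S_BTCH_JOB", "J1", "JOBGROUP",  "*",    ""),
]

# Hypothetical rules: rule id -> (object, {field: critical value}).
RULES = {
    "BATCH_ADMIN":     ("S_BTCH_ADM", {"BTCADMIN": "Y"}),
    "RELEASE_ANY_JOB": ("S_BTCH_JOB", {"JOBACTION": "RELE", "JOBGROUP": "*"}),
}

def covers(low, high, wanted):
    """True if one granted value (range, trailing-* pattern or single) includes wanted."""
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted

def find_critical(rows, rules):
    """Return sorted (role, rule_id) pairs. All fields of a rule must be
    satisfied inside the same authorization instance, not merely somewhere
    in the role, which is how a field-by-field authorization check behaves."""
    grants = defaultdict(lambda: defaultdict(list))
    for role, obj, auth, field, low, high in rows:
        grants[(role, obj, auth)][field].append((low, high))
    hits = set()
    for (role, obj, _auth), fields in grants.items():
        for rule_id, (rule_obj, needed) in rules.items():
            if obj == rule_obj and all(
                any(covers(lo, hi, val) for lo, hi in fields.get(f, []))
                for f, val in needed.items()
            ):
                hits.add((role, rule_id))
    return sorted(hits)

if __name__ == "__main__":
    for role, rule_id in find_critical(ROWS, RULES):
        print(f"{role}: {rule_id}")
```

Z_NO_TCODE is reported although it carries no job transaction at all, while Z_SPLIT is not, because its release action and its unrestricted job group sit in different authorization instances.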

If you now find yourself faced with the challenge of performing such a granular classification and design of critical authorization constellations yourself, I can reassure you. We already provide you with best-practice content in the out-of-the-box state of CRAF, based on our decades of authorization project experience and development activities.

The Flexible Utilization of the Xiting CRAF

The requirements for IT security are as diverse as the companies themselves. This necessitates tools that can adapt flexibly to different needs, and Xiting CRAF precisely represents such an integral tool.

The Versatile Use of Xiting CRAF

With its direct integration into our modules – the Role Profiler, the Role Designer, and the Security Architect – it provides a comprehensive range of options for the creation and management of authorization concepts.

Within the Role Profiler, you can conduct detailed analyses of existing roles and users to identify redundancies and security gaps, as shown in Figure 5. There are various reports with different focuses. In addition to general critical SAP authorizations and segregation of duties, you can also check for display-only authorizations or specifically critical transactional accesses.

Figure 5: Role Profiler Watchdog Analysis

With the Role Designer, customized roles can be developed based on actual business requirements, and as shown in Figure 6, they can be compared to your framework during the initial role creation process.

Figure 6: CRAF Analysis during Role Creation in the Role Designer

The Security Architect supports companies in creating a holistic authorization concept that considers not only current but also future requirements. With the integration of CRAF into the Security Architect, you can even implement real-time analyses of your framework with a system-wide internal control system (ICS). This allows you to set up security alerts and periodic authorization analyses using the ICS implementation. Additionally, our CRAF supports module-independent ad-hoc analyses, as shown in Figure 7. These can be conducted on role and user levels, just like in the other modules, and even centrally via RFC connections.

Figure 7: Ad-hoc Role Analysis with Custom Framework

Another aspect that CRAF enables is integration into your change management. If changes have been made to roles that are to be transported to the productive system, you can insert a role transport check using the embedded risk control framework beforehand. This allows you to prevent critical accesses on the productive system in advance.

Of course, within the XAMS, we also offer comprehensive logging and mitigation options for your risk assessment.

Together, these versatile tools, functions, and their integration with Xiting CRAF enable a flexible, targeted, and above all, secure design of your SAP authorization concept.


In the dynamic world of information technology, seamless integration of systems is key to efficiency. With the integration of the Easy-Content-Solution (ECS) from our longstanding partner ibs Schreiber GmbH into the XAMS, companies benefit from a harmonized platform that combines extensive data foundations through a variety of frameworks with security options and analyses. By merging the two components ECS and CRAF, users can leverage flexibility and a high security standard. This means a significant reduction in the effort to create custom frameworks, less complexity in authorization analysis, improved data flows, and ultimately optimized business processes and authorizations. For companies constantly striving to optimize their IT infrastructure, this integration represents a significant step forward.


The digital transformation brings countless benefits but also requires an increased level of vigilance regarding security. The Xiting CRAF Tool offers a holistic, future-proof solution that ensures companies can work confidently every day. In a world where data is one of the most valuable resources, this level of protection is not just desirable – it is absolutely necessary. Furthermore, in conjunction with our numerous XAMS modules, you can conduct a comprehensive risk analysis of your entire systems, optimizing not only your processes in the context of SAP authorizations but also benefiting from a predefined comprehensive written authorization concept for SAP ERP and S/4HANA across your entire system landscape. Optionally, we also offer a concept for your HANA database, for example. Additionally, XAMS provides numerous analysis options for ABAP developers, such as for custom developments and their authorization management.

This article serves as an overview of the Xiting CRAF Tool and its functions within our authorization suite XAMS. The CRAF is capable of much more. Companies seeking a comprehensive security solution for their SAP systems should consider delving deeper into the capabilities of the CRAF Tool. Feel free to join one of our weekly webinars to get a closer look at this tool and our XAMS Suite. Additionally, we offer a variety of services and products to assist you in maintaining your authorization management.

Alexander Sambill
