ToggleNow argues SAP access risk is created at the request, not the review: one read-only ME53N request routed through a broad composite role can deliver eleven transactions and three high-risk Procure-to-Pay Segregation of Duties conflicts the user never asked for.
The same over-broad role inflates licensing, because SAP's Full User Equivalent model classifies users by entitlement, not actual use, and ToggleNow shows how one composite can turn seven FUE into forty across a 200-user plant.
The fix is three preventive checks (cost, conflict, and need) run inside the access request itself, grounded in NIST SP 800-53 AC-6, ISACA SoD guidance, and SOX Section 404, and best applied during S/4HANA role redesign.
Ask an SAP security team where access risk gets created, and most will point at the review. ToggleNow points somewhere earlier and more uncomfortable: the request itself. In a June 2026 blog post, the SAP security specialist makes a sharp argument that hits licensing, compliance, and audit teams at once. It notes that the most expensive decision in an SAP access request is usually the one nobody realizes has been made.
The Eleven-Transaction Issue
The example cited by ToggleNow is deliberately mundane. A procurement analyst needs the ME53N transaction to display a purchase requisition as read-only. The role that carries ME53N is a procurement operations composite, so the analyst also receives ME51N, ME21N, ME22N, ME29N, XK01, XK02, MIRO, and F110. A single read-only request thus delivers roughly a dozen capabilities. As ToggleNow frames it, the analyst asked to view a requisition. The role handed them create-and-approve, vendor-and-pay, and order-to-invoice. The user did not request a conflict, but the bundle introduced them: in this case, three high-risk Procure-to-Pay Segregation of Duties conflicts.
ToggleNow’s fix is not a better approval workflow. It is three checks that run before the role is ever assigned:
- What it costs
- What it conflicts with
- What it is for
The point of intervention, the firm argues, is the request, not the review.
The Licensing Bill Hiding In A Role
The cost check is the one most teams skip, because licensing is treated as a procurement problem rather than a provisioning one. In SAP’s named-user model, a user is measured by what they are authorized to do, not what they actually do, so the classification follows the entitlement. ToggleNow’s math is worth sitting with. A plant with 200 users, each needing one self-service capability, consumes close to seven Full User Equivalents at RISE’s roughly 30 self-service users per FUE. Reclassify those same users to Core Use at about five per FUE, and seven FUEs become 40, more than five times the entitlement. At an illustrative 3,000 per FUE per year, the 33 unnecessary FUEs in that single plant cost close to 100,000 per year. One over-broad role, quietly, on one site.
The Conflict That Rode Along
The Segregation of Duties check is about the bundled access, not the requested access. According to ToggleNow, detection after the fact is rework; simulation before the fact is control. Run the same SAP Access Control ruleset as a simulation inside the request screen, and the toxic create-and-approve or vendor-and-pay combination never gets provisioned. Multiply the example across 20 analysts and the same three conflicts replicate 20 times, each an audit finding in waiting.
The need check applies least privilege at the individual authorization level, not at the role level. If 10 of 11 transactions have no documented requirement, the role is the wrong fit for the request, and the honest response is to scope a smaller one rather than approve an oversized role just because it contains what was asked. ToggleNow leans on established ground here, citing NIST SP 800-53 AC-6, ISACA’s SoD guidance, and SOX Section 404 IT general controls. The tools already exist: SU24, SUIM, ST03N for actual usage, and USMM at audit time. The argument is simply to use them at the point of request.
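The cost, conflict and need checks described above, modelled as one pre-assignment evaluation of the ME53N request. This is an added example, not ToggleNow's or SAP's code: the composite role contents, the SoD rule pairs and the set of transactions that lift a user to Core Use are constructed for illustration, while the users-per-FUE ratios and the per-FUE price are the figures the article quotes.

```python
import math

# Constructed composite role: the analyst asked for ME53N (display PR) only.
ROLE_CONTENTS = {"Z_PROC_OPS_COMPOSITE": ["ME53N", "ME51N", "ME21N", "ME22N",
                                          "ME29N", "XK01", "XK02", "MIRO", "F110"],
                 "Z_PR_DISPLAY": ["ME53N"]}  # constructed right-sized alternative
# Illustrative SoD rule pairs (constructed; not the SAP Access Control ruleset).
SOD_RULES = {
    frozenset({"ME21N", "ME29N"}): "create-and-approve (PO create vs PO release)",
    frozenset({"XK01", "F110"}): "vendor-and-pay (vendor create vs payment run)",
    frozenset({"ME21N", "MIRO"}): "order-to-invoice (PO create vs invoice post)",
}
# Users per FUE and price per FUE are the illustrative figures quoted in the article.
USERS_PER_FUE = {"self-service": 30, "core": 5}
PRICE_PER_FUE = 3000
# Constructed assumption: holding any of these transactions lifts a user to Core Use.
CORE_USE_TCODES = {"ME51N", "ME21N", "ME22N", "ME29N", "XK01", "XK02", "MIRO", "F110"}

def classify(tcodes):
    """Cost check: the FUE class follows entitlement, not actual use."""
    return "core" if CORE_USE_TCODES & set(tcodes) else "self-service"

def fue_for(population, tcodes):
    """Whole FUEs consumed by a population holding the same entitlement."""
    return math.ceil(population / USERS_PER_FUE[classify(tcodes)])

def sod_conflicts(tcodes):
    """Conflict check: simulate the ruleset over the bundled, not the requested, access."""
    granted = set(tcodes)
    return sorted(name for pair, name in SOD_RULES.items() if pair <= granted)

def unrequested(requested, tcodes):
    """Need check: entitlements the request carries no documented requirement for."""
    return sorted(set(tcodes) - set(requested))

def evaluate_request(requested, role, population=200):
    """Run the cost, conflict and need checks before the role is assigned."""
    granted = ROLE_CONTENTS[role]
    excess_fue = fue_for(population, granted) - fue_for(population, requested)
    conflicts = sod_conflicts(granted)
    extra = unrequested(requested, granted)
    return {
        "transactions_granted": len(granted),
        "excess_fue": excess_fue,  # for a plant of `population` users with this role
        "excess_cost_per_year": excess_fue * PRICE_PER_FUE,
        "sod_conflicts": conflicts,
        "unrequested": extra,
        "verdict": "assign" if not (conflicts or extra) else "scope a smaller role",
    }
```

Running `evaluate_request(["ME53N"], "Z_PROC_OPS_COMPOSITE")` reproduces the article's arithmetic (33 excess FUEs, 99,000 per year, three conflicts) and returns the verdict to scope a smaller role; the same request against `Z_PR_DISPLAY` is assignable as is.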
Why This Matters Now
Access sprawl is not a static problem. SAPinsider's RISE with SAP benchmark report found that only one in three organizations does regular monitoring, exactly the review-centric posture ToggleNow argues is too late and too noisy. The timing is pointed because as organizations rebuild roles during SAP S/4HANA migrations, they can either carry bundled access forward or reset classifications cleanly.
ToggleNow recommends applying the three checks during migration and extending the discipline to technical users, RFC connections, service identities, and AI agents, the non-human accounts that now outnumber people in many landscapes. Compliant and controlled are not the same state, the blog states.
What This Means for SAPinsiders
Move risk analysis from review to request. SoD conflicts and license inflation are created at provisioning, so detecting them quarterly is rework by design. Organizations should embed a cost check, an SoD simulation, and a need test into the access request screen so the fast path is also the precise one.
Treat every broad role as a licensing decision. In the FUE model, entitlement drives classification, and one composite role can quintuple a population's license weight. SAP Security practitioners should review requested entitlements against actual ST03N usage before assignment and right-size roles so the organization is not paying Core Use rates for self-service work.
Reset access during the SAP S/4HANA move, not after. Migration is the cheapest time to rebuild roles task-first rather than cloning the nearest person. IT leaders must bake the three checks into their role redesign and apply them to RFC connections, service accounts, and AI agents alongside human users.