SAP Security is a concept that can and will be defined in many ways.
Depending who you are talking to you will get different answers:

‘User Management’
Make sure there is a swift process that creates users when needed and removes them when idle.

SAP Security is all about authorization object and their values combined in single (master) roles, derived roles and composite roles. Its purpose is to make sure that users are properly equipped to executed their job.

‘Segregation of Duties’
The main purpose of SAP Security is that we make sure there is a rule set that is aligned with our business risks and that we control all SoD’s in our active user community.

‘Application Security’
Getting the application secured by optimizing system parameters, client settings, password rules, access lists, logging & monitoring, etc is most important.

‘Role Based Access Control’
Every user should get a pre-approved role based on his function in the organization. Clear ownership needs to be defined in the business

‘Identity Management’
All business rules and controls should be correctly listed, prioritized and coded and all provisioning related processes run themselves.

XL Security knows that each and every description above is true but is not complete by itself. Every application is as strong as its weakest spot, SAP is no different. I will always advise your company with the the big picture in mind but will also be able to focus on one of these topics when needed. ┬áSAP Security is a concept which can be effected by high level business decisions but can also be disturbed by ‘nitty gritty’ technicalities. With the end-to-end approach of XL Security you can never go wrong