Case Study Details:
The Challenge
The client is a global manufacturer of lift trucks, materials handling, technology, and energy solutions, running a mission-critical SAP landscape across the Americas, EMEA, and APAC in support of more than 2,500 users. The client’s internal SAP team was stretched thin. Managing security, GRC, and Fiori on top of daily operations takes specialist depth that few in-house teams carry, and the risk had been quietly building for years:
- Role landscape debt. PFCG roles had multiplied unchecked, leaving segregation-of-duties conflicts and over-provisioned composite roles across MM, PP, SD, FICO, and Basis.
- Stalled GRC governance. The GRC 10.1 ruleset was out of date, approval workflows had broken down after a BRF+ misconfiguration, and Firefighter logs sat unreviewed.
- Fiori access failures. OData and SICF authorization errors kept blocking the self-service and manager-approval apps users depended on.
- Custom code risk. Business-critical Z-programs were missing AUTHORITY-CHECK statements, and there was no code hygiene process to catch them.
- Plant expansion. New manufacturing sites in Mexico and India needed a security design built from the ground up.
- Integration exposure. RFC trusted-system relationships and IDOC partner profiles for Hybris e-commerce and web ordering had never been audited.
Engagement Architecture: The diagram below shows the client’s SAP landscape and where each of our three service streams did its work—from the Fiori access layer down through the ECC core, GRC Access Control, transport governance, and the integration surface.
Figure 1. SAP AMS engagement architecture: landscape components and Evoke service streams
Evoke’s Approach
We put a blended four-person team on the account, organized into three parallel streams. Everything ran under an ITIL-aligned model with P1 to P3 severity tiers and disciplined change governance from development through to production.
Stream 1: SAP Security & Authorization
- Role audit and consolidation. A full PFCG review across every module cut the active role count by 23%, with no segregation-of-duties conflicts reintroduced.
- Least-privilege enforcement. We stripped out excessive authorization assignments across the role landscape.
- Transport discipline. Every security change moved through DEV, QAS, and PRD with a documented business approval behind it.
- Plant roll-outs. Complete security design, role build, user provisioning, and go-live support for the new plants in Mexico and India.
- Custom code fixes. We patched missing AUTHORITY-CHECK statements in critical Z-programs, shrinking the ABAP risk surface.
- Proactive monitoring. Regular authorization traces and SU53 resolution put an end to the recurring failures in SD order entry and MM goods movement.
Stream 2: GRC Access Control 10.1
- Ruleset cleanse. We removed more than 180 obsolete and conflicting SoD rules that were flooding risk reports with false positives.
- Risk clearance. Working alongside business process owners, we resolved or mitigated over 300 open access-risk violations.
- Workflow repair. Fixing the broken BRF+ decision tables and MSMP mappings lifted approval completion from roughly 60% to over 99%.
- Firefighter governance. We brought back monthly log reviews, retired stale IDs, and automated log forwarding.
- User access reviews. Quarterly campaigns ran with HR-correlated data and manager-certified sign-off.
- Executive reporting. The CISO and IT leadership received monthly compliance dashboards covering violations, controls, and Firefighter usage.
Stream 3: SAP Fiori Administration & Security
- OData fixes. We resolved the service and authorization errors that were blocking order-status, purchase-approval, and finance-reporting apps.
- Launchpad cleanup. Corrected catalogue and group assignments mean every user now sees exactly the tiles they should.
- Service-layer repairs. We closed SICF activation gaps and authorization misconfigurations that stopped apps from launching.
- Connectivity tuning. Intermittent app failures traced back to RFC and HTTP destination misconfigurations, which we fixed for good.
- New apps. Four new Fiori apps went from activation through authorization design to production go-live.
- Documentation. A maintained app-to-role mapping matrix gives the client a reliable reference for every future role change.
The Outcomes
| Metric | Outcome |
|---|---|
| P1/P2 incident SLA adherence | 97.4% over a rolling 12 months |
| Production security incidents | Zero. No unauthorized access, no audit findings |
| Role rationalization | 23% reduction in active role count |
| SoD violations cleared | 300+ resolved or mitigated; 180+ obsolete rules removed |
| GRC approval workflow | Restored from roughly 60% to over 99% completion |
| Fiori availability | 4 new apps launched; app errors reduced by 85% |
| Batch job performance | Average 40% runtime reduction across the top 10 jobs |
| Plant expansion | Mexico and India security designed and delivered on schedule |
Strategic Value Delivered
Plenty of AMS providers resolve tickets. This engagement shows something different: a partner that works like an extension of your own SAP team, quietly removing governance debt and hardening access controls while the business keeps growing. If you run a complex SAP landscape with regulatory access requirements or expansion on the horizon, that combination of operational stability and audit confidence is exactly what a blended AMS model is built for. Ready to strengthen your SAP security and compliance posture? Contact Evoke Technologies
