Access Intelligence — modern SoD and GRC for SAP

What it does

• 102 SoD rules + 8 critical-permission rules across ~9 process areas
• Snapshot-based scans (point-in-time comparable scans of users, roles, transactions)
• Role intelligence (what each role actually grants, by transaction)
• Change-diff audit (compare scan A to scan B; what moved, who moved it)
• AI executive narrative (Gemini default; Anthropic and OpenAI live)
• Per-conflict explain — natural-language reasoning per signal
• Simulation wizard — “what if I assign role X to user Y?”
• PDF and XLSX export of the conflict catalog
• Sidebar live counts as you triage

The rule library

Today's library covers ~9 process areas with 102 SoD rules and 8 critical-permission rules. The ruleset is opinionated for finance — AP, AR, GL, treasury, vendor master, customer master, MM, SD, HR-finance.

Coming soon: specialty SoD packs for QM, JV (energy / Saudi / mining), BPC, RE-FX, EH&S, and PM-X. Compliance overlays — re-tagging existing rules as SOX, GoBD, GDPR / Data Privacy, and ISO 27001 — are also on the roadmap. Ask us if a specific pack is on your audit timeline.

Snapshot scans and change-diff audit

Run a snapshot, get a point-in-time view of users, roles, and transactions. Run another next quarter, get a change-diff: who got which role, which conflict appeared, which conflict closed. Auditors get the answer to “what changed between the last cycle and this one” without you running queries in SE16N.

AI narratives without hallucinated numbers

Every figure in the executive narrative is checked against the underlying scan aggregate. >5% drift rejects the narrative — it doesn't ship to the dashboard. The CFO reads a story about real users, real conflicts, real numbers. The auditor opens the same scan and finds the figures match the underlying data, line for line.

This is the same numeric-guardrail check that runs on Bank Intelligence and Executive Intelligence narratives. One pattern across the platform.

Simulation — what if I assign role X to user Y?

Before you assign a role, ask the simulation wizard. It models the conflict landscape after the assignment, shows new conflicts that would appear, and surfaces the org-rule choices that would mitigate them. The audit conversation moves from “who approved this?” to “what would change if we did?”

Cut the audit queue with Access Architect

Most SoD reviews start with a 10,000-row spreadsheet. Access Architect ships alongside Access Intelligence and scores every conflict before you triage — real, likely real, unclear, likely false, false. Most auditors find that 70 to 90% of conflicts in the catalog are false positives.

See how false-positive scoring works →

Frequently asked questions

How does the rule library compare to SAP GRC's?

102 SoD rules + 8 critical-permission rules across ~9 process areas, opinionated for SAP finance teams. Specialty packs (QM, JV, BPC, RE-FX, EH&S, PM-X) are on the roadmap. Compliance overlays (SOX, GoBD, GDPR, ISO 27001) are on the roadmap.

Do scans require a transport?

No. Access Intelligence reads from whitelisted Z-OData services your Basis team exposes. Nothing is installed inside SAP.

Can I export findings for an external auditor?

Yes. PDF and XLSX export. Per-conflict explain rendered in either format.

Which AI model writes the executive narrative?

Gemini by default; Anthropic and OpenAI are live alternatives. Pick per tenant. Numeric guardrails apply regardless of model.

Does Access Intelligence include false-positive scoring?

Access Architect, the false-positive engine, ships alongside Access Intelligence. They work as a pair — Access Intelligence finds conflicts; Access Architect scores them. Read about Access Architect.