Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
Showing results for 
Search instead for 
Did you mean: 


As the cybersecurity landscape evolves, we’re constantly looking for ways to mitigate external threats to our cloud data, but what about threats from within? Internal threats like unauthorized access and mishandling data can breach even the most secure environments. The sooner you implement your user strategy, the more control you maintain over this facet of your security posture.  

Diagram of SAP Data Custodian user roles.

What is a user strategy? 

In SAP Data Custodian, your user strategy is the custom approach your team takes when onboarding users to your tenant. Each of SAP Data Custodian’s core services (i.e., Transparency and Control Service and Key Management Service) has four (4) user types that allow your team to manage internal access risks. Depending on your onboarded services, you may need all or only a few of the available user roles assigned out for your tenant. It is important to remember that only one user role is permitted per person per service. 

What does one role per service mean?  

Let’s say your team has purchased both core services and you’d like to onboard John Smith to your tenant. John can be given permissions as a Data Analyst in Transparency and Control Service and as a Key User in Key Management Service. However, he could not be both a Key User and Key Administrator in that tenant.  

Example of a valid and invalid SAP Data Custodian user role combination.

Are user roles permanent?  

The great thing about SAP Data Custodian user roles is that they can be edited by an administrator in their respective service and these events are recorded in the audit log.  

What type of user events are recorded in the audit logs?  

Any time a user is updated, deleted, created, enabled, or disabled by an administrator, the operation is recorded in the SAP Data Custodian audit logs. This information provides full transparency into your user management practices and allows your team to review how well your user strategy is implemented throughout the year.  

How do I define my team’s user strategy?  

1. Review the available user roles on the SAP Help Portal.  

User role permissions have been defined down to the task level by service to help you maximize control over your secure environment. Tables outlining permitted operations by role are provided on the SAP Data Custodian Help Portal pages to ensure your team understands what is available while creating your user strategy.  

It is recommended that you review the descriptions on the SAP Help Portal based on your team's purchased service(s) before assigning roles. See the links at the end of this post for direct access to each service's user roles and permissions page. 

2. Identify your administrators. 

During tenant onboarding, your team will assign its first user, an Administrator for Transparency and Control Service or a Service Administrator for Key Management Service. This user will be responsible for logging into your new tenant and adding users by service to permit access to specific operations based on your user strategy.  

It is recommended that you have at least two (2) administrator-level users per service. Once you have your tenant, SAP does not have access to your environment, which means that if your primary administrator is unavailable, you will be unable to complete those user-specific tasks.  

3. Identify which service features your team will onboard first.  

Tenant onboarding and configuration is a team effort, which requires users with different permission types to complete various activities. Required user roles are defined on each SAP Help Portal activity for SAP Data Custodian (see example below) to ensure your team knows which permissions are required in advance. For example, in SAP Data Custodian Key Management Service, a Service Administrator role is required to create a Tenant Operations Technical User (TOTU), but they cannot create an Application Technical User (APP TU). That is the responsibility of a team Key Administrator.  

Familiarizing yourself with the required activities will give you a sense of who will be needed and when.  

Example of SAP Data Custodian Help Portal user role call out.

4. Implement your user strategy.  

Once your first administrator-level user accesses your tenant, they can begin adding users. Your administrators are responsible for ensuring that the correct SAP Identity Service Management (SAP ISM) and SAP Data Custodian service roles are granted during onboarding and managing the list of permissioned users with access to your tenant operations.  

5. Keep your user strategy up to date. 

Proper tenant maintenance is just as critical as user onboarding and should be routinely performed to ensure best practices are implemented throughout the year. Adding your user strategy to your security reviews can be a great way to ensure you’re mitigating internal threats to your secure data.  

Learn more about setting user roles for SAP Data Custodian:    


If you found this post helpful, click the “Like” button, and share your thoughts using the comments section.