In today’s digital enterprise landscape, managing SAP authorizations isn’t just a technical necessity — it’s a strategic lever for security, efficiency and transformation. For Endress+Hauser, a global leader in industrial automation, the challenge was clear: how to maintain control and compliance across a vast, complex SAP environment while preparing for the future with S/4HANA.

The answer? A bold, step-by-step journey toward smarter identity governance — powered by Pointsharp.

In a recent Experttalks session, Thorsten Kuhn, Solution Architect for Security and Monitoring at Endress+Hauser, shared how the company is tackling scale, complexity, and compliance debt head-on. With Pointsharp’s IGA for SAP solution, Endress+Hauser is not only simplifying access management but also laying the foundation for a secure and seamless S/4HANA migration.
 

e+h

The complex SAP landscape

The Swiss instrumentation and automation supplier Endress+Hauser is a market leader in its field, with offices in 130 companies in 54 countries and 18,000 employees worldwide. Given the impressive size of the organization, Endress+Hauser’s SAP environment is, on one hand, typical for a large enterprise with extensive operations. On the other hand, it illustrates the enormous scale of an enterprise SAP landscape, which includes the following:

  • 18 production systems covering ECC, BW, Fiori, and more  
  • 17,500 managed identities associated with
  • 200,000 accounts  
  • Roughly 30,000 roles across  
  • 350 clients  

Managing everything while ensuring compliant and secure operations was clearly challenging, prompting Endress+Hauser to find a solution to tackle this issue. 

A maturing identity and authorization journey

The journey began in 2017 with the initial rollout of Pointsharp Identity Manager, a component of the IGA for SAP solution, to 400 users. From there, it grew year-over-year from hundreds to thousands of users before achieving a full rollout across all Endress+Hauser entities in 2022.

“The step-by-step approach is very feasible and well supported”, Thorsten Kuhn explains while outlining the gradual rollout of the Pointsharp IGA for the SAP solution within the organization.  

“At the same time, we can scale in an unimaginable way”, he continues.  

Thorsten Kuhn

Thorsten Kuhn, Solution Architect Security and Monitoring at Endress+Hauser

Preparing for the S/4 migration 

Alongside the gradual rollout of the Pointsharp IGA for SAP solution within Endress+Hauser, work has also started on migrating to S/4 HANA. Foundations in ECC started in 2023, with the full transformation scheduled for completion in 2025 and to deliver value from 2026.

Looking ahead to the S/4 waves, Endress+Hauser’s program focuses on reducing perceived complexity while enhancing compliance.
 

  • Direct access for stakeholders. Via a Web Self-Service platform for user management and transparency.
  • Substantially reduce direct role assignments. Target a 95% decrease to only 2–3 business roles per person, making business roles the primary control mechanism instead of scattered role stacks.
  • Automation. “To the maximum extent” for consistency and speed.
  • Standardized compliance methods. Across all user groups with real-time compliance feedback during role assignment. 
     

Relying more on automated self-service at the beginning of the authorization process can significantly lower the workload for in-house authorization consultants. However, it also requires the authorization team to adopt a new way of working that differs from traditional SAP operations.

“When you use the Pointsharp solution as a tool, then you only have one tool”, Thorsten Kuhn explains.

The Pointsharp IGA for SAP solution can replace error-prone manual request processes with a self-service authorization model, enhancing quality from the source while strengthening the connection between consulting, AMS, and authorization management. 

e+h_2

What are the takeaways for your own strategy? 

Three takeaways from Endress+Hauser’s approach stand out for SAP, security, and other organizations on the S/4 HANA migration journey:

  1. Design for business roles first. A small, well-managed set of business roles, enhanced with self-service options and real-time compliance feedback, consistently outperforms thousands of loosely managed technical roles. Strive to minimize direct role assignments by assigning 2–3 roles per person to meet most access requirements.
  2. Implement compliance. By embedding standardized rules and SoD checks into the request process, you reduce rework and errors.
  3. A step-by-step approach. Kuhn’s team emphasizes that a gradual method is achievable and well-supported by the solution, as long as you invest in new skills for the authorization team and continue to iterate. 

 

Dive deeper

Watch the Experttalks: From risk to resilience: Mastering SAP security and compliance featuring Endress+Hauser’s customer story alongside expert guidance.