Which integrations are available for this server?

Enables real-time analysis of SAP security configurations, providing tools for auditing user roles, detecting SAP_ALL profiles, identifying dormant users, and checking Segregation of Duties (SoD) violations via RFC integration.

How do I use SyntaAI SAP Security MCP Server?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@SyntaAI SAP Security MCP Server Check for users with SAP_ALL profiles and list any SoD violations" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

SyntaAI ERP Security MCP Server

AI-powered security analysis for SAP systems via the Model Context Protocol (MCP).

Server URL: https://mcp.syntaai.com/mcp

Features

19 Tools — User management, security analysis, compliance auditing, role & authorization review (all read-only)
5 Resources — System info, security overview, compliance frameworks, security controls, user summary
8 Prompts — Pre-built workflows for security audits, SOX compliance, SoD analysis, and more
OAuth 2.0 — Full RFC 8414/9728 compliant authentication with PKCE and Dynamic Client Registration

Example Interactions

Example 1: Security Audit

User prompt: "Are there any users with SAP_ALL profile?"

What happens:

Server scans all user profiles for dangerous authorizations
Returns list of users with SAP_ALL, SAP_NEW, S_A.SYSTEM
Provides risk assessment and remediation recommendations

Tool used: check_critical_authorizations

Example 2: Compliance Check

User prompt: "Generate a SOX compliance report"

What happens:

Server runs SOX assessment across access controls, SoD, password policy
Returns overall compliance score with findings
Lists critical gaps with specific framework control references

Tool used: generate_compliance_report

Example 3: User Access Review

User prompt: "Find all users who haven't logged in for 90 days and check if any have critical roles"

What happens:

Server identifies inactive users past the threshold
Cross-references with privileged access and role assignments
Recommends lock/disable actions prioritized by risk

Tools used: find_inactive_users, list_privileged_users

Tools Reference

User Management

Tool	Description	Annotations
`list_users`	List SAP users with status/type filtering	Read-only
`get_user_details`	Get detailed user info including roles and login history	Read-only
`list_user_roles`	List roles and profiles for a user	Read-only
`find_inactive_users`	Find users inactive for N days	Read-only

Security Analysis

Tool	Description	Annotations
`get_security_parameters`	SAP security parameters vs best practices	Read-only
`check_critical_authorizations`	Find users with SAP_ALL/SAP_NEW/S_A.SYSTEM	Read-only
`get_audit_log`	Retrieve security audit log entries	Read-only
`check_default_passwords`	Check for default/initial passwords	Read-only
`get_rfc_connections`	Analyze RFC destinations for credential risks	Read-only

Compliance & Audit

Tool	Description	Annotations
`run_sod_check`	Check Segregation of Duties violations	Read-only
`generate_compliance_report`	Generate SOX/GDPR/ISO27001/NIST report	Read-only
`list_privileged_users`	List users with elevated privileges	Read-only
`check_password_policy`	Analyze password policy vs best practices	Read-only
`get_transport_log`	Transport request log for change management	Read-only

Role & Authorization

Tool	Description	Annotations
`list_roles`	List security roles with search	Read-only
`get_role_details`	Get role details including authorizations	Read-only
`compare_user_access`	Compare access rights between two users	Read-only
`find_users_with_role`	Find all users assigned a specific role	Read-only
`get_authorization_trace`	Get authorization check trace entries	Read-only

Authentication

OAuth 2.0 with PKCE. Discovery endpoints:

GET /.well-known/oauth-authorization-server (RFC 8414)
GET /.well-known/oauth-protected-resource (RFC 9728)

Supports Dynamic Client Registration (RFC 7591) and token revocation (RFC 7009).

Deployment

# Install
cd /opt/mcp-server
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt

# Run
python server.py                    # with OAuth (production)
MCP_NO_AUTH=1 python server.py      # without OAuth (development)