This week's focus is a set of very naive statements we have heard during our experience in the field. The following quotes are definitely myths, and we highly suggest that you familiarize yourself with them in case you hear them too.
1. SAP Authorizations are too complicated, we need a consultant
The truth: The SAP Authorizations model is not rocket science; you can learn all about it quicker than you think. The concept of authorizations is simple, but in ERP systems there is a high level of complexity because of all the possible scenarios in which the system is used. Nevertheless, you can still get a handle on it. Furthermore, you must know how the SAP Authorizations model works, especially if you are in a managerial position and have to oversee authorizations (approve them, grant them, etc.). You can start with this guide. However, after you acquire the basic knowledge, do get a good consultant who has been in the field for a few years. After all, you cannot learn experience from a book.
2. The project will be quick because we only have two company codes
In fact, if you want to perform a thorough authorizations project, it will probably start when your SAP project begins and end on the go-live day. No serious authorization structure can be built quickly, because someone needs to make strategic decisions about what to implement, and someone needs to work on executing the implementation. You may have only two company codes, but how many warehouses are in them, and how many different purchasing groups or general ledger account types are handled? It is not as simple as it might look at a glance, because you might be ignoring other authorization-related requirements.
Furthermore, no serious authorization project ends without putting the proper controls and workflow processes in place in the event of new authorization requests and for periodic authorization reviews.
Read more about putting controls on authorizations.
3. We work only at the T-code level, don't make us go deeper
No-No! Don’t do this. SAP didn’t create authorization objects just for fun – they are crucial for preventing people from accessing sensitive data or committing fraud. Granting people only the exact authorizations they need keeps you safe. Granting access to T-codes without restricting the authorization object values behind them is like giving the car keys to your kid and saying, “Take it out whenever you want.” But when you add object-level authorizations, you’re saying, “Here are the car keys, go out and have fun with your friends – but my monitoring system will verify that you are not too far away from home, and at midnight it will shut down the engine.”
4. We don't deal with authorization checks in our Z programs, why bother?
You’re just inviting fraud! Your custom-developed programs are treated exactly like SAP’s own programs: the system makes absolutely no distinction between code written by SAP and code written by the customer, so a Z program with no checks of its own is protected only by the transaction start (S_TCODE), if at all. It’s imperative to implement authorization checks in your code in order to prevent the misuse of programs and the opportunity for someone to commit fraud. In fact, even though this issue is well known, it’s still not managed well enough.
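To make myths 3 and 4 concrete, here is an added ABAP example (not code from the original post) showing the difference between a Z report that relies only on the transaction start and one that checks a business authorization object itself. The report name ZDEMO_AUTH_CHECK is hypothetical; F_BKPF_BUK (accounting document authorization by company code), its fields BUKRS and ACTVT, and table BKPF are standard SAP objects.

```abap
*&---------------------------------------------------------------------*
*& Report ZDEMO_AUTH_CHECK   (hypothetical name, added example)
*& Shows why a customer program must run its own AUTHORITY-CHECK.
*&---------------------------------------------------------------------*
REPORT zdemo_auth_check.

PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.   " company code to display

TYPES: BEGIN OF ty_doc,
         belnr TYPE belnr_d,                 " document number
         gjahr TYPE gjahr,                   " fiscal year
       END OF ty_doc.
DATA lt_docs TYPE STANDARD TABLE OF ty_doc.
DATA ls_doc  TYPE ty_doc.

" --- Weak pattern (what myth 4 describes) ---
" The only check is the one the kernel makes on S_TCODE when the user
" starts the transaction. Once inside, the SELECT below would read
" documents for ANY company code the user types in, because the Z code
" never asks whether this user may see that company code.

" --- Hardened pattern: check the object before touching the data ---
" F_BKPF_BUK is the same object SAP's own FI display transactions check.
" ACTVT '03' = display. Field values come from the user's role, so a
" role granting only BUKRS 1000 will fail the check for BUKRS 2000.
AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
  ID 'BUKRS' FIELD p_bukrs
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  " sy-subrc 4 = user lacks the authorization for these values,
  " 12 = the object is not in the user's profiles at all.
  " Message 00 001 is the generic '& & & &' text. Type E stops the report.
  MESSAGE e001(00) WITH 'No display authorization for company code' p_bukrs.
ENDIF.

" Only reached when the check above passed.
SELECT belnr gjahr
  FROM bkpf
  INTO TABLE lt_docs
  UP TO 10 ROWS
  WHERE bukrs = p_bukrs.

LOOP AT lt_docs INTO ls_doc.
  WRITE: / p_bukrs, ls_doc-belnr, ls_doc-gjahr.
ENDLOOP.
```

The point of the check is the FIELD values: the report passes the actual company code the user asked for, so the role's BUKRS restriction is enforced inside the Z program exactly as it is inside the standard transaction. Checking only that the object exists (for example, with ID 'BUKRS' DUMMY) would give the myth-3 result of a T-code that is open at the data level.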
5. Our authorizations are perfect. Our auditors have already approved them.
Ignorance is bliss. In most organizations, internal and external auditors don’t really understand authorizations in depth, and they are usually focused on finance-related authorizations. A thorough check, done by an authorization expert, is a must. Don’t cheat yourself by saying, “If the auditor told me it’s OK, I’m good.” Strive to have your authorizations checked by someone who really knows and understands SAP authorizations!
Want to see how YOUR system handles risks? Run a quick scan and get a full report.