6 Shocking Discoveries about SAP Authorizations


Here are 6 harsh realities we discovered while working with our customers:

1. Users are still using SAP_ALL Power Profiles

Although SAP does not recommend using the SAP_ALL power profile, many organizations still use it. They should not. This authorization profile enables far too much activity. Having power users with SAP_ALL access is an open backdoor invitation for hackers, and it is simply not appropriate from a business perspective, particularly from a GRC point of view, because SAP_ALL is a clear violation of every segregation-of-duties (SoD) rule. See our article that discusses the dangers of SAP_ALL in detail. If SAP_ALL or other power authorization profiles are in use, resolving this is one of the first things we recommend as the opening step of narrowing down authorizations or executing a GRC project.

2. Enterprises do not monitor access to sensitive activities like SU01 and F110

This is a shocker because the list of highly sensitive activities is well defined in most organizations. Business users know these risky activities and take extra time to classify them as “sensitive.” Auditors ask who is allowed to use them during audits. Yet many organizations do not go the extra mile of monitoring the usage of these activities, to check whether all users who hold authorizations for them are actually using them. In our blog post about SU01, we strongly recommend using a portal instead and narrowing access to sensitive activities down to only those users who really need it.


3. People are still retaining the authorizations from their last position, together with their current ones

We have found that in many companies, people who have moved into a new position keep both their old authorizations from Position A and their new authorizations from Position B. Many organizations fail twice in controlling the position change. The first thing missing is a procedure for tracking the position change and cancelling a person’s old authorizations. The second thing missing is an automatic mechanism for enforcing this procedure.

It’s refreshing to see organizations that do have an automatic mechanism for identifying employees’ movements. They monitor the HR system to detect the move from Position A to B, automatically send an authorization review to the new manager asking whether this employee still needs their previous authorizations, the manager enters a decision, and either the old authorizations are removed automatically or the helpdesk carries out the decision.

4. 87% of users’ authorizations are not being used at all!

It’s amazing that the average is so high. The common methodology of building authorization roles that bundle authorizations for multiple tasks creates a situation in which people receive many more authorizations than they really need. Add to this the fear of taking authorizations away from users and the lack of a clear process for requesting and granting authorizations, and you will understand that amazing figure. Organizations commonly believe their users are utilizing 80%-90% of their authorizations, when in fact they are only using 13%. We can’t stress this enough: monitor and reduce unused authorizations in roles.

5. A company’s own developments (Z objects) don’t include authorization checks, making reports accessible to almost anyone

Organizations develop their own objects to add capabilities beyond the standard SAP software, and a single system can contain a great many of these custom developments. The surprise is that a large portion of organizations do not include authorization checks in their custom code, creating huge security gaps that are open to anyone who can execute the reports.
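As an added illustration of the gap described in item 5 (example code, not from the post or from Xpandion’s products), here is a custom ABAP report in its hardened form: the AUTHORITY-CHECK block is exactly what the “before” case omits. The program name, the table ZCUST_REV and the authorization object Z_CUST_REV with fields ACTVT and BUKRS are assumed for the example.

```abap
*&--------------------------------------------------------------------*
*& ZCUST_REVENUE: constructed example of a custom (Z) report that reads
*& sensitive customer revenue data. The report, the table ZCUST_REV and
*& the authorization object Z_CUST_REV (fields ACTVT, BUKRS) are all
*& assumed for illustration; none of them come from the blog post.
*&--------------------------------------------------------------------*
REPORT zcust_revenue.

PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

TYPES: BEGIN OF ty_rev,
         kunnr TYPE kunnr,
         bukrs TYPE bukrs,
         umsat TYPE dmbtr,
       END OF ty_rev.

DATA: lt_rev TYPE STANDARD TABLE OF ty_rev,
      ls_rev TYPE ty_rev.

START-OF-SELECTION.
  " "Before" (the gap described in item 5): a developer jumps straight to
  " the SELECT below, so anyone who can start the program (SE38/SA38 or
  " an attached transaction code) sees every customer's revenue.
  "
  " "After": verify the caller may display (ACTVT 03) revenue for the
  " requested company code before any data is read.
  AUTHORITY-CHECK OBJECT 'Z_CUST_REV'
    ID 'ACTVT' FIELD '03'
    ID 'BUKRS' FIELD p_bukrs.
  IF sy-subrc <> 0.
    " Fail closed on any non-zero return code (no authorization, object
    " not maintained in the user master, etc.). An E message terminates
    " processing, so the SELECT below is never reached.
    MESSAGE 'No authorization to display revenue for this company code'
      TYPE 'E'.
  ENDIF.

  " Only reached when the check passed. The WHERE clause uses the same
  " company code that was checked, so the check and the data read agree.
  SELECT kunnr bukrs umsat
    FROM zcust_rev
    INTO TABLE lt_rev
    WHERE bukrs = p_bukrs.

  LOOP AT lt_rev INTO ls_rev.
    WRITE: / ls_rev-kunnr, ls_rev-bukrs, ls_rev-umsat.
  ENDLOOP.
```

The same pattern applies to any custom report or function module that exposes sensitive data: the check must run before the data access, and its field values must match the data actually selected.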

6. Attention is not being paid to which SAP Queries were executed, including very sensitive ones

SAP Query is a great tool that SAP gave business users so they could create ad-hoc reports without having to bother their development team. But if not handled properly, this great tool also gives them the power to query whatever sensitive material they want, such as employee details or the customers with the highest revenue. If no one monitors which queries were executed and why, almost anyone can execute and misuse queries. In our opinion, companies must monitor who is executing which query and receive alerts for suspicious usage in sensitive cases.

Xpandion is the leading provider of ERP usage inspection solutions, delivering unprecedented real-time visibility into management systems, significantly improving security, optimizing licensing usage and enabling GRC/SOX compliance. Contact us now.

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business processes and implementing them via ProfileTailor Dynamics’ suite of products.


Comment by Karen Malyon (Guest), 16/01/2014:

Unfortunately this is all very true and is the tip of the iceberg. Resolving these examples and many more has kept me busy for over 17 years. I have also found that in some cases the problem is actually getting worse as the technical knowledge and experience of those implementing and maintaining SAP Controls is getting diluted. Front-end web interfaces, and the perception that auditing tools can contain security access, is a misconception. Unless the underpinning fields, activities, ABAP programmes, reports and interfaces all align, there will be problems. It is all fixable, but takes time.
