Xpandion Blog

Blog posts tagged in Access Review

“Leaving us so soon, Mr. Solo?” This famous quote might sound good in the movies, but in a business environment, the event of an employee leaving your company can cause some serious security issues if not treated properly. Let’s talk about why and what you can do to prevent these risky situations.

Two Types of Employee Leave

In general, there are two types of leave: planned leave and unplanned leave. The two are different and should be handled accordingly.


“Conscious uncoupling” (see goop), the fancy new-age words that Gwyneth Paltrow and Chris Martin are using instead of the word “divorce,” do feel a bit weird, but there is some truth to the approach that I think can actually greatly benefit certain events in the SAP world. In fact, without a “conscious uncoupling” approach to employees in the SAP world, a great deal of work might go to waste.


True Story

A customer from a large enterprise came to us and said, “Our company has an ‘open policy.’ We trust our employees, so we grant all of them SAP_ALL. We know that SAP_ALL includes all authorizations in the system but everything’s working fine and our authorizations are very easy to maintain, as you’d expect. But we need to spot the people who are taking advantage of this freedom and going beyond their permitted activities; those who are misusing their authorizations and, based on their job descriptions, going where they’re not allowed. For instance, we have a sneaking suspicion that some people in the warehouse are exploring payroll records.”


One of your accounting clerks just left on maternity leave (congratulations to Sally). Another employee is replacing her and thus has the new responsibility of performing Invoice Reconciliation (good luck to John). To perform this task, John needs to open a new request in the portal for the proper authorization. Then he must browse through the business process list, select Invoice Reconciliation, add an explanation for the request and submit it. The financial top-user receives the request and approves or disapproves it. Upon approval, John is automatically assigned the required authorization role, and even receives an email indicating this.


What a programmer may consider just playing around might end up as a security nightmare for an SAP®-based enterprise. I actually want this to sound dramatic and grab your attention – I have dealt with the consequences of bored programmers' actions too many times...


I recently held a conversation with a highly experienced risk manager from one of our valued customers. As we were discussing the topic of development, it dawned on me that this subject is often neglected by risk managers – despite the fact that development issues are a major potential source of business risk.


Organizations have Power Users in all systems (at least I have not yet come across an organization without them). Power Users hold a vast amount of authorizations, or even full authorizations in specific applications.


When it comes to requesting and granting authorizations, I found that in many companies the process is performed manually – via email – as follows:

  1. User sends email to IT requesting additional authorization to perform activity.
  2. IT transfers request to relevant manager, who approves required authorization (at times without even inspecting the real intention of the request).
  3. IT allocates the required authorization to user.


"Who authorized it?" is definitely the most asked question following a fraud event or leakage of information.  


