Xpandion Blog


Control GRC and Segregation of Duties in Your Organization – It's Your Duty!


Companies of all kinds and sizes are focusing more and more on finding the most suitable GRC (Governance, Risk, and Compliance) and SoD (Segregation of Duties) solutions.

Why? Failure to comply with GRC and SoD requirements can affect a business severely.

SoD basically means ensuring that more than one person is required to complete a task within an organization. Today, companies understand the critical role SoD plays. Specifically, when dealing with money and sensitive information, SoD has become a key factor in gaining control and confidence in a business environment, as well as in helping companies pass audit inspections. By complying with SoD rules, an organization significantly reduces the likelihood of fraud.

Since you and everyone else already know all this, you are probably wondering whether you will actually benefit from any new information. The answer is YES, of course, so to find out what is new, enjoy reading the rest of the blog…

Did you ever ask yourself what the point is of authorizing an employee to perform actions x, y and z, when that employee never actually uses such a combination of authorizations? Authorizations are not free. They require monitoring and maintenance. Excessive authorizations merely floating around the company inevitably entail greater risk and unnecessary expenses.

What can you do?

Xpandion values its customers’ point of view. We like it when our customers enjoy our products. That’s why we offer ProfileTailor Dynamics GRC. You could use it as well.

What’s so special about it?

ProfileTailor Dynamics GRC identifies SoD violations not only on the static level (the authorizations granted to users), but also on the dynamic level (as a compensating control). Essentially, the actual usage behavior of each and every SAP user is monitored in real time, all the time.

How does it work?

An alert is sent only if and when a user actually performs actions x, y and z; only then does the need arise to allocate resources for further inspection. There really is no need to check user actions against theoretical authorizations on a regular basis.

Why does it matter?

Because customers using ProfileTailor Dynamics GRC are able to complete their entire SoD project successfully in just one month!

We have (painfully) witnessed organizations handling SoD projects in what can only be described as a “primitive” way. Such a project can take a year (!). The organization checks user after user in an attempt to determine who needs which authorizations and which of those authorizations are really needed. Did I already mention that this process can carry on for a whole year?! I know it’s hard to believe. The first step of such a project: import a set of rules, or build a new set based on best practice, of about 10,000 rules. Then the rules relevant to the company are determined. Let’s say 2,000 rules were selected; to these, all of the customer’s own development objects need to be added; finally, you have a set of rules suitable for the organization.

Second step: an initial run of the rules against the users will show that an average organization has about 900,000 violations (anyone with SAP_ALL or a similar authorization violates every rule). With 900,000 violations, you now need to check each and every violating employee, one after the other: set up a meeting, investigate and then analyze. This is a long, tedious and exhausting project. The average time for understanding the current situation of a company is – and I cannot stress this enough – a whole year. Don’t forget that after these steps are completed, you still need to provide recommendations and implement them.

[Side note: suppose only 20 users are violating rules. Do the math: 1000 rules and 20 users with SAP_ALL already add up to 20,000 violations.]

What is the solution?

Applying dynamic SoD makes a difference, and you can try it before beginning your SoD project the old way. In 95% of cases you can avoid meeting the users in the first place. How? Upload all the rules to see what each and every employee is authorized to perform, and then dismiss from the review every employee who has never used those authorizations in the past year.

With ProfileTailor Dynamics GRC, if an employee is authorized to maintain a supplier account (SAP T-Code XK02) but does not use it, the authorization can be changed to XK03 (which allows display only, not change), so that employee’s access immediately stops counting as a violation. At the same time, if an employee really does need to perform a conflicting combination, a compensating control is implemented instead: checking up on what the employee is really doing.
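The distinction drawn above (static violations on paper versus dynamic violations confirmed by actual usage), the SAP_ALL arithmetic of the side note, and the downgrade of an unused XK02 to XK03 can all be expressed in a short script. The following Python is an added example written for this post; it is not ProfileTailor Dynamics GRC code or any other Xpandion code. The rule ids, users, usage log and the change-to-display mapping `DISPLAY_EQUIVALENT` are constructed assumptions for illustration.

```python
"""Static vs. dynamic SoD checking on a constructed, SAP-style data set."""
from collections import defaultdict
from datetime import date, timedelta

SAP_ALL = "SAP_ALL"  # a profile that grants every transaction

# Constructed rule set (hypothetical rule ids): rule id -> pair of conflicting t-codes.
SOD_RULES = {
    "R01": ("XK02", "F110"),   # change vendor master + run automatic payment program
    "R02": ("ME21N", "MIGO"),  # create purchase order + post goods receipt
    "R03": ("FK02", "F-53"),   # change vendor (accounting) + post outgoing payment
}

# Constructed authorizations: user -> set of t-codes the user may run (or SAP_ALL).
AUTHORIZATIONS = {
    "alice": {SAP_ALL},
    "bob": {"XK02", "F110"},
    "carol": {"ME21N", "MIGO"},
    "dave": {"XK03"},
}

# Constructed usage log: (user, t-code, date executed), as a monitoring tool would record it.
TODAY = date(2017, 6, 24)
USAGE_LOG = [
    ("alice", "XK03", TODAY - timedelta(days=3)),
    ("bob", "XK02", TODAY - timedelta(days=10)),
    ("bob", "F110", TODAY - timedelta(days=9)),
    ("carol", "ME21N", TODAY - timedelta(days=30)),
    ("carol", "MIGO", TODAY - timedelta(days=400)),  # older than the one-year window
    ("dave", "XK03", TODAY - timedelta(days=1)),
]

# Hypothetical mapping from a change t-code to its display-only counterpart.
DISPLAY_EQUIVALENT = {"XK02": "XK03", "FK02": "FK03", "ME22N": "ME23N"}

ONE_YEAR_AGO = TODAY - timedelta(days=365)
COMPENSATING = "keep: apply compensating control (monitor usage)"


def is_authorized(user, tcode, auths=AUTHORIZATIONS):
    """True if the user holds the t-code directly or via SAP_ALL."""
    granted = auths.get(user, set())
    return SAP_ALL in granted or tcode in granted


def static_violations(rules=SOD_RULES, auths=AUTHORIZATIONS):
    """Violations on paper: the user is authorized for both t-codes of a rule."""
    result = defaultdict(list)
    for user in auths:
        for rule_id, (a, b) in rules.items():
            if is_authorized(user, a, auths) and is_authorized(user, b, auths):
                result[user].append(rule_id)
    return dict(result)


def total_static_violations(rules=SOD_RULES, auths=AUTHORIZATIONS):
    """The number an initial static run reports; every SAP_ALL user adds len(rules)."""
    return sum(len(v) for v in static_violations(rules, auths).values())


def used_tcodes(log=USAGE_LOG, since=ONE_YEAR_AGO):
    """t-codes each user actually executed within the window."""
    used = defaultdict(set)
    for user, tcode, when in log:
        if when >= since:
            used[user].add(tcode)
    return dict(used)


def dynamic_violations(rules=SOD_RULES, log=USAGE_LOG, since=ONE_YEAR_AGO):
    """Violations actually exercised: both t-codes run by the same user in the window."""
    used = used_tcodes(log, since)
    result = defaultdict(list)
    for user, tcodes in used.items():
        for rule_id, (a, b) in rules.items():
            if a in tcodes and b in tcodes:
                result[user].append(rule_id)
    return dict(result)


def remediation_plan(rules=SOD_RULES, auths=AUTHORIZATIONS, log=USAGE_LOG, since=ONE_YEAR_AGO):
    """Per user: downgrade or remove unused conflicting t-codes; monitor the exercised ones."""
    used = used_tcodes(log, since)
    confirmed = dynamic_violations(rules, log, since)
    plan = defaultdict(list)
    for user, rule_ids in static_violations(rules, auths).items():
        for rule_id in rule_ids:
            if rule_id in confirmed.get(user, []):
                plan[user].append((rule_id, COMPENSATING))
                continue
            for tcode in rules[rule_id]:
                if tcode in used.get(user, set()):
                    continue  # genuinely used; leave it and fix the other side of the rule
                swap = DISPLAY_EQUIVALENT.get(tcode)
                action = f"replace {tcode} with {swap}" if swap else f"remove {tcode}"
                plan[user].append((rule_id, action))
    return dict(plan)


if __name__ == "__main__":
    print("static :", total_static_violations(), "violations")
    print("dynamic:", dynamic_violations())
    for user, actions in remediation_plan().items():
        for rule_id, action in actions:
            print(f"{user:6} {rule_id}: {action}")
```

Run stand-alone, the static count charges the SAP_ALL user with every rule (the side note's multiplication in miniature), the dynamic check flags only the one pair actually exercised inside the window, and the plan downgrades each unused change transaction to its display counterpart where the mapping has one and removes it otherwise; the single exercised conflict is kept under a compensating control rather than silently stripped.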

Keep a proactive approach and stay in control with ProfileTailor Dynamics GRC.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.
