Do You Really Want to Make Me Cry?

I’m sure you’ve heard this kind of dialogue before:

“We need to remove one of your authorizations immediately”


“Because it violates a segregation of duties rule”

“Which rule???”

“Something to do with the financial auditors”

“But you can’t, I need it to do my job!”

“I can’t do anything about it, sorry. It’s a requirement coming from management”



Sounds familiar? This type of conversation often takes place following a major SOX/SoD (segregation of duties) project, in which an organization is required to resolve various SoD conflicts. During the SoD project, all authorizations in the company are examined against a set of rules (for example: the same user can’t create a vendor and issue an order for that vendor). After the initial inspection, all users that violate SoD rules are pinpointed. And then the fun begins…

In most enterprises a meeting is scheduled with each of the relevant users (this is the point when conversations like this take place). In reality, I’ve never seen a user that simply agrees to let go of any of their authorizations; this is also why such meetings end up taking such a long time.

Isn’t there any other way?

Let me suggest two alternatives:

Alternative 1: Compensating Control

Leave the violating authorization in place. Don’t panic, I’ll explain: There are cases where companies must enable a violation in order to ensure smooth business processes (such as when the same employee is in charge of several functions in the organization). When choosing to leave a violating authorization, a company is forced to find a way to supervise the potential violation (in GRC terms, implement a compensating control). For example, John can open new vendor accounts and also issue orders for these vendor accounts. In this case a compensating control needs to be implemented, which can include a periodical review of all vendors and orders that were created or changed by John. A compensating control has a termination date (usually after one year) so the necessity of the control is re-examined with each renewal.

Although listed as alternative #1, this is not the first option I recommend. Why? Simply because it requires a lot of resources. Just imagine implementing 1000 compensating controls (the average number needed); many managers would spend their time reviewing reports on compensating controls instead of doing their actual work.

Alternative 2: ERP Usage Inspection

Listed second yet recommended first is the option to remove any authorizations that violate SoD rules. How do you avoid the above conversation, you ask? ERP usage inspection is the answer. Let’s say John can open new vendor accounts and also issue orders for these vendor accounts – this creates the SoD conflict. However, when looking back (via ERP usage inspection), you can see that John has never opened a new vendor account. Therefore, this authorization can be removed without wasting valuable time meeting John to discuss it. In fact, from our experience, 95% of users who “lose” authorizations they don’t actually use are not even aware that anything was removed. For the 5% chance that a user suddenly needs an authorization that was removed, an automated authorization request process is available.

ERP usage inspection basically means knowing exactly which authorizations are used de facto (and not only which authorizations are theoretically needed). This is what paves the way to managing user authorizations smartly and effectively, and finally successfully maintaining a GRC-compliant working environment. By using ERP usage inspection together with business profiling you can complete a successful GRC project in time and within budget.
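The following is an added example, not Xpandion's code or a description of its product, showing how the two alternatives above combine into one remediation pass: evaluate SoD rules over each user's authorizations, look back at a usage log to see which side of a conflict is exercised de facto, and then either drop the unused side (alternative 2) or keep both and schedule a compensating control with a one-year expiry (alternative 1). All rule names, activity names, users and log entries are constructed for the example; real ERP systems expose these differently.

```python
"""Added example: SoD conflict detection with usage-based remediation.

Everything below (rule ids, activity names, users, dates) is constructed sample
data, not taken from any real system.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed SoD rules: each rule names two activities that one user must not
# hold together. VENDOR_VS_PO is the vendor-master / purchase-order example.
SOD_RULES = {
    "VENDOR_VS_PO": ("CREATE_VENDOR", "CREATE_PO"),
}

# Constructed authorization assignments (which activities each user may perform).
ASSIGNMENTS = {
    "john": {"CREATE_VENDOR", "CREATE_PO", "DISPLAY_PO"},
    "mary": {"CREATE_VENDOR", "CREATE_PO"},
    "sam": {"CREATE_PO"},
}

# Constructed usage log: (user, activity, date). Only activity within the
# lookback window counts as "used de facto".
USAGE_LOG = [
    ("john", "CREATE_PO", date(2017, 5, 2)),
    ("john", "CREATE_PO", date(2017, 6, 1)),
    ("mary", "CREATE_VENDOR", date(2017, 4, 20)),
    ("mary", "CREATE_PO", date(2017, 6, 10)),
    ("mary", "CREATE_VENDOR", date(2015, 1, 5)),   # old entry, outside the window
]


def find_sod_conflicts(assignments, rules):
    """Return {user: [rule_id, ...]} for every user holding both sides of a rule."""
    conflicts = defaultdict(list)
    for user, auths in assignments.items():
        for rule_id, (side_a, side_b) in rules.items():
            if side_a in auths and side_b in auths:
                conflicts[user].append(rule_id)
    return dict(conflicts)


def used_activities(usage_log, as_of, lookback_days=365):
    """Return {user: set(activities)} actually exercised within the lookback window."""
    cutoff = as_of - timedelta(days=lookback_days)
    used = defaultdict(set)
    for user, activity, when in usage_log:
        if cutoff <= when <= as_of:
            used[user].add(activity)
    return dict(used)


def remediate(assignments, rules, usage_log, as_of, lookback_days=365):
    """Decide per conflict: remove unused side(s), or keep and add a compensating control.

    Returns a sorted list of (user, rule_id, action, detail) tuples, where detail is
    the tuple of removed activities or the ISO date on which the control expires.
    """
    conflicts = find_sod_conflicts(assignments, rules)
    used = used_activities(usage_log, as_of, lookback_days)
    plan = []
    for user, rule_ids in sorted(conflicts.items()):
        for rule_id in rule_ids:
            sides = rules[rule_id]
            unused = tuple(s for s in sides if s not in used.get(user, set()))
            if unused:
                # Alternative 2: an unused side can go without a meeting.
                plan.append((user, rule_id, "remove", unused))
            else:
                # Alternative 1: both sides are genuinely used, so the violation
                # stays and a compensating control is scheduled with a one-year
                # termination date so its necessity is re-examined on renewal.
                expiry = as_of + timedelta(days=365)
                plan.append((user, rule_id, "compensating_control", expiry.isoformat()))
    return plan


if __name__ == "__main__":
    for entry in remediate(ASSIGNMENTS, SOD_RULES, USAGE_LOG, date(2017, 6, 24)):
        print(entry)
```

With the sample data, John holds both sides of the rule but has only issued orders in the last year, so his vendor-creation authorization is marked for removal; Mary has exercised both sides, so she keeps them and gets a compensating control expiring a year out; Sam holds only one side and produces no finding. The lookback window is the parameter to think about carefully: too short and seasonal tasks (year-end closing, for instance) look unused; too long and stale authorizations survive.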

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


