Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Get Rid of Power Users Once and For All

  • Font size: Larger Smaller
  • Hits: 6219
  • Print

Organizations have Power Users in all systems (at least I have not yet come across an organization without them). Power Users hold a vast amount of authorizations, or even full authorizations in specific applications.

iStock 000019600119XSmall


In most cases, Power Users are system administrators or employees holding senior positions in an organization. It is also very common that senior programmers, system analysts or project managers aim – and succeed – at obtaining full authorizations. Such Power Users tend to believe that they are above making mistakes and will never misuse their authorizations. Their need for wide authorizations is at times purely for work, such as IT employees claiming to save the company from a production bug and cannot therefore afford to be stopped by lack of authorizations.

You must be thinking to yourself that these IT employees have a point… Of course, production bugs must be fixed immediately; however handing out SAP_ALL to any “important” employee is not the point. I promise however to get back to this matter.

Never forget the auditor:

Auditors perceive Power Users as a major risk! And they provide their reasons:

  • First, believe it or not, auditors are not convinced that Power Users make no mistakes.
  • Second, Power Users are highly inclined to violate SoD (Segregation of Duties) combinations.
  • Third, if a hacker takes over a username with wide authorities, well no need to spell it out…

Make peace with your auditor:

There a few ways to keep your auditors satisfied.

1. Cheat a bit… this is the most common solution organizations choose to use. Instead of granting users with full authorizations (i.e. SAP_ALL in SAP systems) the IT team creates a module-oriented wide authorization profile, for example FI_ALL for all authorizations in FI module, HR_ALL for all the authorizations in HR, and so on. Then SAP_ALL is removed and replaced with the relevant profile. A more sophisticated way to “cheat” is by replacing the word ALL with WIDE, ALMOST_ALL, etc.

This solution is wrong for three main reasons:

  • It is not nice to cheat.
  • Auditors do not appreciate being outsmarted (it is actually becoming harder to do so in any case). Auditors have learnt to identify Power Users by the number of authorizations inside the role; hence changing the name of role is not longer sufficient.
  • Removing ALL from the a role name leads to more Power Users, since it becomes less frightening to grant wide authorizations as they no longer include SAP_ALL. From our observation, if you add up the numbers of employees with FI_ALL, MM_ALL, HR_ALL, etc. you get a number that is twice or even three times higher than the number of employees who previously held SAP_ALL!

2. Be strict – setting a strict policy across the organization is the best way to make your auditors happy, yet within the organization you will be liked a bit less…. Policies that declare nobody has SAP_ALL tend to remain in place only until after the audit. Somehow, there are always those employees (especially system administrators and senior IT people) that succeed in achieving their desired status of Power Users. Of course Power Users take management’s policies seriously, however they are also very successful in convincing management that wide authorizations is essential for running the business smoothly (and they kind of have a point… I know, I didn’t forget my promise and I will refer to this right below). 

3. Narrow authorization according to actual behavior – this is the winning solution. No, I don’t mean for you to do this manually, that would be such a waste of time… (you would have to start by investigating last year’s log of activities per each Power User, uploading the data to Excel, removing un-required and/or duplicate authorizations, and then you could begin building authorization roles… yawn…). I suggest doing this efficiently. What you really need is a tool that can narrow user authorizations according to the user’s de-facto behavior, automatically. This tool would build a dedicated authorization role accordingly and replace the SAP_ALL with the dedicated authorization role. This would result in happy auditors alongside pleased employees, who could continue their business as usual without even noticing or being affected by the fact that they no longer have.

It’s really very simple: Dedicated authorization roles to replace SAP_ALL.


Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in Security & AuthorizationsPosted by Yoav Michaeli

How to Become a Successful Security/Authorization Manager

The more Security and SAP Licensing Managers that Xpandion works with, the more confirmation we receive that there is a distinct difference in the actions taken by successful managers vs.  unsuccessful managers.  Using ProfileTailor Dynamics/ LicenseAuditor these successful managers implem...
in Security & AuthorizationsPosted by Dror Aviv

Granting SAP_ALL to Everybody – Crazy or Not?

True Story A customer from a large enterprise came to us and said, “Our company has an ‘open policy.’ We trust our employees, so we grant all of them SAP_ALL. We know that SAP_ALL includes all authorizations in the system but everything’s working fine and our authorizations are very easy to maintai...
in Security & AuthorizationsPosted by Yoav Michaeli

Who Authorized It?!

"Who authorized it?" is definitely the most asked question following a fraud event or leakage of information.  

in Security & AuthorizationsPosted by Yoav Michaeli

The Adventures of a Bored Programmer

What may be considered by a programmer as just playing around might end up as a security nightmare for a SAP® based enterprise. I actually want this to sound dramatic and grab your attention – I have dealt with the consequences of bored programmers' actions too many times...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India