Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Granting SAP_ALL to Everybody – Crazy or Not?

  • Font size: Larger Smaller
  • Hits: 6950
  • Print

True Story

A customer from a large enterprise came to us and said, “Our company has an ‘open policy.’ We trust our employees, so we grant all of them SAP_ALL. We know that SAP_ALL includes all authorizations in the system but everything’s working fine and our authorizations are very easy to maintain, as you’d expect. But we need to spot the people who are taking advantage of this freedom and going beyond their permitted activities; those who are misusing their authorizations and, based on their job descriptions, going where they’re not allowed. For instance, we have a sneaking suspicion that some people in the warehouse are exploring payroll records.”


At first, I was sure that this was a joke. They are granting a single role, equivalent to SAP_ALL, to everybody? In that large-size company? In this day and age? It couldn’t be real.

But it was real. In fact, I noticed that more than a few customers do it.

Are they insane?

Why would an SAP customer choose to employ a single authorization role for the entire organization? I’ll tell you why:

1. It’s easy to maintain. A single role requires almost no maintenance. In fact, SAP_ALL requires absolutely no maintenance.

2. It helps to streamline business. There’s no waiting. New employees don’t need to wait to receive their authorizations, current employees don't need to wait for additional authorizations when they need them, and there aren’t any long approval processes to wait for. Business can continue as usual even if people change position or need to perform additional functionality.

3. It saves a huge amount of money. The company above would have had to pay for a lengthy initial authorization implementation project, and for at least 10 professional employees to maintain their authorizations if they hadn’t chosen the “single role” method. I hear from many companies that they prefer the risks of fraud and misuse over explaining to the CFO why they need to budget for additional jobs.

4. It’s based on the romantic concept of “We trust everyone here.” This is a wonderful idea upon which to build a great company. All the best corporate success stories start with small groups that trust each other. So, why not use this in practice?

5. There’s no managerial responsibility. When everyone has a single authorization role, if one person misuses his permissions and goes into a part of an application that he shouldn’t, (or worse, commits an act of fraud), it’s this person’s fault only. Nobody else can or will be blamed for granting the wrong authorizations to that employee, and no one, especially not the manager, will have to explain why this employee was able to perform the fraud.

So why not go for it? Just because we’re captive in the concept that this is wrong, doesn’t prove that it really is wrong. As a matter of fact, there are many good examples that show this can work well in practice.

OK, but of course there are consequences. If we make the decision to grant everyone the same super-wide authorization role, what do we need to do in order to not lose control?

Hard Punishment!

Apparently, the secret lies in the response for misusing the allowance. If it’s clear that if one misuses his permissions then he’ll be fired, he won’t dare do it. Taking an example from the real world, statistically in places where the punishment for crimes is disproportionately severe; the percentage of crime is extremely low.

Catching the crime when it happens.

In order to have an efficient response for such a single-role situation, you need a good auditing system. “Big Brother” is a must here. It’s imperative to take the following steps:

1. Audit who’s doing what and create business profiles. This is your data source. You must know exactly who is peeking at an invoice, who is messing with employee salaries and who is changing vendor details. Furthermore, you must know what each person normally does and create business profiles for them so that you can identify deviations from their normal behavior when they occur.

2. Use a behavior-based alerting system. When an employee behaves suspiciously, someone needs to check it out immediately. If you want to catch people “red handed,” the response needs to be quick. This is the reason for implementing an alerting system that notifies you about irregular or sensitive activity.

3. Perform a usage review. Instead of the periodic “Access Review” processes, perform periodic “Usage Review” processes, where each manager approves his employee’s activities and marks irregular or suspicious activities for further inspection.

Well, crazy as it might seem, the all-employee single role method can really work, and quite successfully. The companies that did it well, which I personally witnessed, ranged from SMEs to large corporates. The people there are not crazy at all, they just think “out of the box” and prefer to take advantage of the benefits while putting the right mechanisms in place for mitigating the risks.

Food for thought, no?


Xpandion is the leading provider of Security & Authorizations software solutions for ERP. If you have any questions or concerns about your authorizations, contact us now.

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.


  • Guest
    Gonzalo Cuatrecasas 18/03/2014

    uff... hard to swallow. And with my experience, I give them 6 months before they realize that not everyone is as trusted as we would like to think, especially when there is money to be made or reputations to be compromised. I am a true believer that policing practices are excessive in many companies, on the other hands, the problem with reliance on “trust but verify” practice is that detective controls only inform you of wrong doing after the fact. For me it would be tough to sleep!

  • Guest
    Shivraj Singh 18/03/2014

    It is not just the ability to commit crime or fraud but the ability to cover one's footsteps which will doom this trust policy. Also HR laws about access of personal data, large corp = good chance company is public, so has everyone signed NDAs & not trading stock of the company. Just too many reasons not to trust the "trust policy".

  • Guest
    Roxy 19/03/2014

    Surely prevention is better than cure?! I would think that any time/money/resources saved by granting SAP_ALL would be eaten up in implementing a solution to police what everyone is up to and then in the actual monitoring. And that's ignoring any Privacy laws that you/your company might be subject to.

  • Guest
    MarcinM 19/03/2014

    Apart from the compliance requirments, the only reason to change my mind would be a solid proof that the amount spent for the advanced monitoring is significantly lower than we spend for the IAM consultants. Is it?

  • Guest
    Dror Aviv 19/03/2014

    Hi MarcinM,
    I suppose that costs for monitoring are indeed lower, but I haven't checked. One company (a very large one) chose this way because of their “we trust everyone” belief which was really strong, so money was not really an issue – it was just an issue of principle. In a couple of other cases, the companies were small so they were stressed out about payroll issues and they preferred to monitor over paying for full time employees or consultants. Last but not least, three companies implemented SAP very early, in 1995, and then it was more common not to do large authorization projects – so they left this issue for a later time, which apparently hadn't come until now. :-)

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in Security & AuthorizationsPosted by Yoav Michaeli

Who Authorized It?!

"Who authorized it?" is definitely the most asked question following a fraud event or leakage of information.  

in Security & AuthorizationsPosted by Dror Aviv

Get Rid of Power Users Once and For All

Organizations have Power Users in all systems (at least I have not yet come across an organization without them). Power Users hold a vast amount of authorizations, or even full authorizations in specific applications.

in Security & AuthorizationsPosted by Yoav Michaeli

The Adventures of a Bored Programmer

What may be considered by a programmer as just playing around might end up as a security nightmare for a SAP® based enterprise. I actually want this to sound dramatic and grab your attention – I have dealt with the consequences of bored programmers' actions too many times...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India