Xpandion Blog


How to Consciously Uncouple in the SAP Authorizations World


“Conscious uncoupling” (see goop), the fancy new-age words that Gwyneth Paltrow and Chris Martin are using instead of the word “divorce,” do feel a bit weird, but there is some truth to the approach that I think can actually greatly benefit certain events in the SAP world. In fact, without a “conscious uncoupling” approach to employees in the SAP world, a great deal of work might go to waste.


I’m talking about when the Authorization Manager leaves. While in large enterprises the authorizations team can be a couple of people, in small and medium businesses it can easily be a one-man show that deals with everything: allocating authorizations to new employees, changing authorizations, and eliminating authorizations for employees who have left the organization. While most of the areas in SAP are covered by procedures and regulations – especially on the business end, like Finance and Logistics, and also Development – Basis and Authorizations are usually not covered. Who opens an SAP productive client for customization in SMBs, and how do they do it? Who approves the granting of new authorizations in the SMB, and how is this done? Those questions seem to be totally unimportant… until the authorization guy leaves.

For Want of a Nail

The authorizations guy is a crucial element in the large integrated environment of SAP and other business applications; however, in most cases he doesn’t seem to be as important to management as, for instance, the financial consultant or the logistics implementer. Although his non-importance may be true from a business-continuity point of view, it is not true when it’s time for him to leave. Years of work, including de-facto procedures and arrangements that are stored only in his mind, can disappear forever. As the proverbial children’s song “For Want of a Nail” goes, small actions can result in large consequences, so the small departure can create a large hole in the authorization area, even if the organization has just finished a role-redesign process and everything seems to be neat and tidy. The “next guy” will not be able to use the first guy’s inherent knowledge, and the loss will be significant.

Therefore, it is important to verify beforehand that at least the following things are well documented – or better – embedded in a system like ProfileTailor Dynamics:

• The process of granting authorizations – who opens the request, who approves it, and what should be done if the request is for a sensitive authorization (like T-code F110 for the payment run or SE16 for browsing data in SAP tables). What should be done if granting the requested authorizations will violate a Segregation of Duties (SoD) rule? Note that this happens to be one of the most inspected issues in an audit. It is best to automate it using a dedicated workflow system like ProfileTailor Dynamics Authorization Request.

• The process of granting authorizations to new employees and eliminating authorizations from departing employees. Like the above, these processes are “beloved” by IT auditors to investigate and comment on, and they had better be automated.

• Any “common knowledge” about authorizations in the specific organization. For example: a list of sensitive activities that need special approval, a list of special company codes and bank accounts like management monies and personal expenses, a list of power users that really need power user authorizations (and the ones who don’t), a list of common activities for each role, and so on.

• Last but not least, a good piece of advice is to conduct a semi-yearly access review process, above and beyond the regulatory obligation. This will ensure that all employees’ authorizations are checked and are still valid, and will enable the “next guy” in authorizations to start from a good standing point. In order to conduct a winning one, read our free ebook: How to Conduct a Successful Authorization Review.

Conscious Uncoupling

No less important, like our friends Gwyneth and Chris, it is recommended to leave with good feelings. Even if things are documented and working fine, you’ll need the authorization guy for the yearly audit, so it’s for the best if you can keep a good relationship with him before and after he leaves. Never assume that all of the employee’s knowledge can be documented, and it’s always wise to maintain good relationships anyway.

What’s your experience? Have you ever faced a hole in procedure caused by a departing employee? Leave your comments here.



Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.

