Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

My Bonnie Lies Over The Ocean. Which SAP Authorizations Should He Have?

  • Font size: Larger Smaller
  • Hits: 6960
  • Print

Many small and medium sized companies struggle with this challenge. Let’s say they have a sales representative who’s located in another country. Which authorizations should he get? Should he have access to the SAP system at all? If so, should he be allowed to only see SAP reports (“view only”) or should he issue sales documents too? The answer is not easy, and might involve solving or remediating Segregation of Duties violations during the analysis process.


Who is this person?

Many organizations will relocate a business development guy or a senior sales person into another country to be their local representative. Others will recruit him directly in the remote country as a local agent. No matter how it’s done, the first decision that relates to authorizations is to determine which business functions he should perform and thus which permissions he should have. In most cases, the answer will be one of the following business functions:

1. Access to corporate email and the organization’s calendar

2. Access to SAP and other core business applications for self-service activities (such as asking for a vacation or to report his hours & tasks) and for viewing reports

3. Access to SAP for issuing sales-proposals (while the approval of the sales-proposal is done by other managers)

4. Access to SAP for issuing sales-proposals, approving them, issuing customers invoices and handling payments

According to the answer to the above questions, this person will get the suitable permissions to use the network and the SAP system.

While options 1, 2 and even 3 are quite straightforward from an SAP authorizations point of view, the most interesting and the only challenging option in regards to SAP authorizations is the fourth one. In this case, the representative is essentially a full-service office abroad, serving customers from A to Z. This is the most risky situation from a fraud point-of-view: If a single person can do “everything” in terms of taking care of customers, he is probably violating some SoD rules and the organization is obligated to track his activity. Furthermore, he is probably able to commit fraud much more easily than any other employee in the organization who doesn’t have this expanse of business functions.

Controlling the remote “one man show”

So in the situation of a remote “one man show,” you should do the following:
1. Identify the exact required business functions and define the right authorizations for this person
2. Check if there are any SoD rule violations and, if so, consult with your SOX managers or with your auditors on how to handle them.
• In most cases, if there are SoD violations, you will be required to mitigate the risks by defining reports for each risk.
• In this situation it is also recommended to track this person’s activity because sometime in the future, an auditor might come and ask, “How do you track this person’s activity?” You need to be prepared.
3. From time to time, inspect this person’s authorizations and verify that they are still valid.

So, if your Bonnie lies over the ocean, which permissions should he have?

From a security point of view, granting a large amount of authorizations for a remote sales person who is taking care of all the business functions in a territory can be very stressful. Although it is a very common situation, each person is an individual with a mind of his own, and no two cases are the same. Might be best to implement a compensating control to safeguard your company from any possibility of fraud.

If you have this situation in your organization, please share below how you handle it and which policies you implement.

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business process and implementing them via ProfileTailor Dynamics’ suite of products.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Office Space- A funny movie about hackers or a real life security threat?

Though most SAP programmers are reliable, serious professionals, there are a few who are intent on harming their organizations – and because of these few, we are rightfully afraid of the power of SAP Programmers. They almost always have a significant number of authorizations in the production system...
in Security & AuthorizationsPosted by Dror Aviv

SUIM: The Pitfalls of Analyzing SAP Authorizations During an Audit

    37 inShare (This is the short version of an article regarding the most popular T-Code used to analyze SAP Authorizations. Download the full SUIM article including examples and screenshots). When it comes to SAP audit time, audi...
in Security & AuthorizationsPosted by Dror Aviv

How to Understand SAP Authorizations in 10 Minutes or Less

If you’re like most CIOs, CISOs or internal auditors that work in a company that has implemented SAP, every day you have to contend with overloaded terms like “Profile,” “Authorization Role” and “Authorization Object” and quotes such as “This person can't access the company code because he doesn’t h...
in Security & AuthorizationsPosted by Yoav Michaeli

Who Authorized It?!

"Who authorized it?" is definitely the most asked question following a fraud event or leakage of information.  

in Security & AuthorizationsPosted by Dror Aviv

Get Rid of Power Users Once and For All

Organizations have Power Users in all systems (at least I have not yet come across an organization without them). Power Users hold a vast amount of authorizations, or even full authorizations in specific applications.



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India