Xpandion Blog


The Concept of Isolation


To run a Segregation of Duties (SoD) project successfully, you must identify and eliminate business risk across your organization, and the instrument for doing that is a comprehensive rule-set.



What is a rule-set?

A rule-set is a list of rules, each naming a combination of business activities that no single person should be able to perform. Keeping these activities in separate hands removes the opportunity for fraud. For example, the same person should not be permitted both to create a new vendor and to pay that vendor.

Why? Because an employee who can do both could create a fictitious vendor and then pay it, with the money transferred to a bank account that actually belongs to the employee.

What happens after implementing a rule-set?

Once a rule-set is in place, each rule must be evaluated against the users' actual authorizations to identify who could potentially perform a forbidden combination of activities. Each such potential violation is then eliminated by removing the authorizations involved.

What if a combination of activities is essential for business performance?

If a business decision in your organization requires the employee who opens vendor accounts to also be the one who pays vendors (a combination the rule forbids), you cannot remove the authorizations and must apply compensating controls instead. In practice these are detective controls: the user's activity in the two areas is logged and reviewed periodically by someone independent of that user, so that a fictitious vendor paid by its creator would be noticed after the fact even though it could not be prevented.

[Figure: example of forbidden combinations (rules), written in plain language and ready to be uploaded to ProfileTailor Dynamics from an Excel file.]

What goes on in SAP?

In SAP systems, a business-risk rule is expressed in terms of activities (T-Codes), authorization objects and their field values. For example, to implement the rule "a single user may not be authorized to perform both Payment Proposal and Payment Run", you include T-Code F110 (Payment Run) and T-Code FBZ0 (Payment Proposal) in a rule and then check who holds the authorizations needed to violate it. In SAP, however, stopping at the T-Code level is not enough, because what a T-Code lets a user do depends on the values of the authorization objects it checks. In this case, both F110 and FBZ0 depend heavily on the authorization object F_REGU_BUK.

The field FBTCH of this object takes values such as: 02 Edit parameters, 03 Display parameters, 11 Execute proposal, 12 Edit proposal, 13 Display proposal, 14 Delete proposal, 15 Create payment medium proposal, 21 Execute payment run, 23 Display payment run, 24 Delete payment run payment data, 25 Create payment media of payment run, 26 Delete payment orders of payment run, 31 Print payment medium manually, and so on. A user who has FBZ0 with FBTCH = 13 can only display a proposal and poses no risk together with F110, while a T-Code-only check would flag that user anyway. So the rule should in fact read: T-Code F110 with object F_REGU_BUK, field FBTCH, value 21, combined with T-Code FBZ0, object F_REGU_BUK, field FBTCH, value 11. Note also that SAP authorization values are frequently granted as intervals (for example 11 to 29) or as the wildcard *, and a check must treat those as covering the specific values above.

Hello! Are you still there? Did the above make any sense, or did it scare you away? If it did, no need to feel uncomfortable: what goes on inside the SAP authorization system is either too complex for most business users or simply of no interest to them.

Most business users do not understand activities, authorization objects and field values, and they have no interest in learning them, since they have their own expertise-related tasks to handle. This is why, in most organizations, GRC consultants (who do understand SAP authorizations) define the rules on the users' behalf and bundle them into a rule-set that the business users cannot change on their own.

Putting the notion into motion

We believe that business users should define business rules and technical people should handle technical details. To make that possible, we introduce the concept of isolation.

As integrated into ProfileTailor Dynamics, the concept of isolation means that each activity (e.g. a T-Code) is split into one or more logical modes, and each mode is technically defined by a combination of authorization objects, fields and values. Business users define the business rules using only activities and modes, while technical people define the modes of each T-Code and deal with the authorization objects and values behind them.
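To make the two layers concrete, here is an added example in Python; it is not ProfileTailor Dynamics code and says nothing about how the product is built. The technical layer maps each (activity, mode) pair to authorization object / field / value requirements, using the F_REGU_BUK FBTCH values quoted above; the business layer states the payment-proposal versus payment-run rule purely in terms of activities and modes. The S_TCODE/TCD entries (the transaction-start authorization), the sample users and the handling of intervals and the * wildcard are our assumptions, and the users are constructed, not taken from any real system. The naive T-Code-only check is included alongside so the difference is visible.

```python
# Added example, not ProfileTailor Dynamics code: a minimal SoD rule check
# that keeps the business layer (activities + modes) apart from the
# technical layer (SAP authorization object / field / value).
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Requirement:
    """One authorization-object field value a mode needs (technical layer)."""
    obj: str
    fld: str
    value: str


# Technical layer, maintained by authorization specialists.
# FBTCH values are the ones listed in the post; the S_TCODE/TCD entries
# (authorization to start the transaction) are our assumption.
MODES: Dict[Tuple[str, str], List[Requirement]] = {
    ("F110", "Execute payment run"): [
        Requirement("S_TCODE", "TCD", "F110"),
        Requirement("F_REGU_BUK", "FBTCH", "21"),
    ],
    ("FBZ0", "Execute proposal"): [
        Requirement("S_TCODE", "TCD", "FBZ0"),
        Requirement("F_REGU_BUK", "FBTCH", "11"),
    ],
    ("FBZ0", "Display proposal"): [
        Requirement("S_TCODE", "TCD", "FBZ0"),
        Requirement("F_REGU_BUK", "FBTCH", "13"),
    ],
}

# Business layer, maintained by business users: activity + mode only.
RULES: Dict[str, List[Tuple[str, str]]] = {
    "Payment proposal and payment run by the same person": [
        ("FBZ0", "Execute proposal"),
        ("F110", "Execute payment run"),
    ],
}

# A user's authorization data as (object, field) -> list of (from, to) values,
# mirroring how SAP stores single values, intervals and the '*' wildcard.
UserAuths = Dict[Tuple[str, str], List[Tuple[str, str]]]


def value_granted(granted: List[Tuple[str, str]], needed: str) -> bool:
    """True if any granted single value, interval or '*' covers `needed`."""
    for low, high in granted:
        if low == "*":
            return True
        if high and low <= needed <= high:   # interval, e.g. ('11', '29')
            return True
        if not high and low == needed:       # single value
            return True
    return False


def has_mode(auths: UserAuths, activity: str, mode: str) -> bool:
    """Resolve a business-level (activity, mode) pair against one user's data."""
    reqs = MODES[(activity, mode)]
    return all(value_granted(auths.get((r.obj, r.fld), []), r.value) for r in reqs)


def violations(users: Dict[str, UserAuths]) -> Dict[str, List[str]]:
    """Rule names violated per user; users with no violation are omitted."""
    out: Dict[str, List[str]] = {}
    for user, auths in users.items():
        hits = [name for name, combo in RULES.items()
                if all(has_mode(auths, act, mode) for act, mode in combo)]
        if hits:
            out[user] = hits
    return out


def tcode_only_hits(users: Dict[str, UserAuths],
                    tcodes: Tuple[str, ...] = ("F110", "FBZ0")) -> List[str]:
    """The naive check the post warns about: does the user merely hold both T-codes?"""
    return [u for u, a in users.items()
            if all(value_granted(a.get(("S_TCODE", "TCD"), []), t) for t in tcodes)]


# Constructed sample users (not from a real system).
USERS: Dict[str, UserAuths] = {
    "ALICE": {("S_TCODE", "TCD"): [("F110", ""), ("FBZ0", "")],
              ("F_REGU_BUK", "FBTCH"): [("11", ""), ("21", "")]},   # real risk
    "BOB":   {("S_TCODE", "TCD"): [("F110", ""), ("FBZ0", "")],
              ("F_REGU_BUK", "FBTCH"): [("13", ""), ("21", "")]},   # display only
    "CAROL": {("S_TCODE", "TCD"): [("*", "")],
              ("F_REGU_BUK", "FBTCH"): [("11", "29")]},             # interval covers 11 and 21
    "DAVE":  {("S_TCODE", "TCD"): [("F110", ""), ("FBZ0", "")],
              ("F_REGU_BUK", "FBTCH"): [("02", ""), ("03", "")]},   # parameters only
}

if __name__ == "__main__":
    print("T-code level only:", tcode_only_hits(USERS))
    print("Activity + mode:", violations(USERS))
```

Run as written, the T-Code-only check flags all four users, while the activity-plus-mode check flags only ALICE and CAROL: BOB can merely display the proposal and DAVE can only maintain parameters. Changing the business rule means editing RULES; changing what a mode means in SAP means editing MODES, and neither side needs to touch the other.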

To shorten the technical work, we have already analyzed most of the standard SAP activities and pre-loaded approximately 60,000 modes. In many cases, therefore, users need not define any new modes at all and can concentrate on refining their business rules (a starting set of which is also pre-loaded in ProfileTailor Dynamics).

As we see it at Xpandion, the concept of isolation is what makes business users comfortable with Segregation of Duties: they understand the rules and have full ownership of them, and they can change the rules when business risks change without help from external resources. Instead of wrestling with technical details, they can concentrate on the vital task of mitigating business risk and achieving Segregation of Duties throughout their organization.


Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.





