Who Authorized It?!


"Who authorized it?" is by far the most frequently asked question following a fraud event or a leak of information.



Although access to information is governed and controlled through authorizations, this is not a flawless method, and mistakes can (and do) happen: employees may change positions within the organization yet keep their previous authorizations, and authorizations granted for a specific, time-limited task may be forgotten and never removed.

We all agree that mistakes happen – and when they do, things may get complicated, leading to an investigation. It is therefore vital to be able to trace the relevant approvers easily, with a reason and justification recorded for each and every case. A fraud investigation is not something to take lightly. My suggestion – be prepared!

Managing authorizations effectively involves the following two processes:

  • Authorization request
  • Authorization review



Authorization Request

This is where the confusion starts… In most organizations, the process of requesting and granting authorizations is performed via email, without any further documentation describing or justifying the request. A user sends an email to the helpdesk team, the helpdesk obtains approval from an authorization manager, and once approval is given the user is granted the requested authorization. This process is easy to bypass, and IT teams often do. The best way to prevent this is to implement an automated tool that manages the authorization request process from beginning to end.

To gain complete control over the authorization request process, the following capabilities are needed: (1) multi-system support, enabling users to request authorizations for any system in the enterprise; (2) a fully web-based interface for ease of use and simplicity; (3) well-documented steps that serve the organization and its auditors alike; (4) a streamlined process, such as recommending the best-suited authorizations based on the user's behavior profile; (5) integration with the (costly) GRC/SoD (Segregation of Duties) systems; (6) an alerting system that immediately notifies when an authorization has been granted outside the standard process.


Authorization Review

From my experience, the most effective way to avoid wrong or improper authorization usage is to conduct an Authorization Review process (which is obligatory for companies subject to SOX regulations). In this process all authorizations are re-certified by direct managers and then approved by senior managers. This ensures that every authorization is revisited and that no one holds unnecessary authorizations.

The manual process of reviewing authorizations is time consuming and a heavy burden on managers. To comply with regulations while keeping internal operations under control, an automated end-to-end tool is strongly recommended. To truly simplify the authorization review process, the tool must provide: (1) different review selections with various filtering options, such as reviewing only risky authorizations, by role, by position, and more; (2) a fully transparent system with clear documentation and complete history records; (3) a web-based platform that eliminates the need for spreadsheets, sending emails, or chasing after employees; (4) advanced behavioral profiling analysis that produces accurate decisions based on actual authorization usage.
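The two checks this post calls for, alerting on authorizations granted outside the request process and reviewing held authorizations against their approval record, expiry and actual usage, can be expressed as a reconciliation over an approval ledger. The following is an added example, not ProfileTailor code or any Xpandion tool; the record layout, user and authorization names, dates and the 90-day unused threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Approval:
    """One documented grant from the request process (hypothetical record layout)."""
    user: str
    auth: str
    approver: str
    granted_on: date
    expires_on: Optional[date] = None  # set for grants made for a time-limited task


# Constructed sample data: the approval ledger, the authorizations actually held
# in a system on the review date, and when each was last used (absent = never).
LEDGER = [
    Approval("alice", "FI_POST", "bob.manager", date(2017, 1, 10)),
    Approval("alice", "HR_VIEW", "bob.manager", date(2017, 3, 1), date(2017, 3, 31)),
    Approval("carol", "FI_POST", "dan.manager", date(2016, 11, 5)),
]
GRANTED = {("alice", "FI_POST"), ("alice", "HR_VIEW"), ("carol", "FI_POST"), ("erin", "FI_POST")}
LAST_USED = {("alice", "FI_POST"): date(2017, 6, 20), ("alice", "HR_VIEW"): date(2017, 3, 15)}
REVIEW_DATE = date(2017, 6, 24)


def who_authorized(user: str, auth: str) -> Optional[Approval]:
    """Latest approval on record for one (user, authorization), or None if there is none."""
    hits = [a for a in LEDGER if a.user == user and a.auth == auth]
    return max(hits, key=lambda a: a.granted_on) if hits else None


def review(today: date, unused_days: int = 90) -> list:
    """Reconcile held authorizations against the ledger and usage; return reviewer findings."""
    findings = []
    for user, auth in sorted(GRANTED):
        approval = who_authorized(user, auth)
        if approval is None:
            # Held in the system but never approved: the grant bypassed the process.
            findings.append((user, auth, "BYPASSED_PROCESS"))
            continue
        if approval.expires_on and today > approval.expires_on:
            findings.append((user, auth, "EXPIRED_TEMPORARY_GRANT"))
        last = LAST_USED.get((user, auth))
        if last is None or (today - last).days > unused_days:
            findings.append((user, auth, "UNUSED_CANDIDATE_FOR_REVOCATION"))
    return findings


if __name__ == "__main__":
    for finding in review(REVIEW_DATE):
        print(finding)
```

Running it on the sample data flags erin's FI_POST (no approval record), alice's expired and unused HR_VIEW, and carol's never-used FI_POST, while `who_authorized` names the approver and date for any approved pair.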


Answering the Question

Integrated into the ProfileTailor™ Dynamics suite, Authorization Request and Authorization Review together answer the question "who authorized it?". Managers simply select the users and authorizations they wish to inspect and view the list of previously granted approvals, together with dates and names. Auditors, for their part, can view and examine the entire process at any time, allowing managers to get on with their work undisturbed.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


