In the past couple of years Xpandion has been involved in creating and integrating self-service user portals. Customers either wanted to use Xpandion's self-service user portals, or they needed integration between ProfileTailor Dynamics' portal and their own user portal. Based on these experiences, we have put together a short list of tips that help to improve security and increase user satisfaction with self-service user portals.
In this blog we will illustrate our findings through three popular processes: user provisioning, requests for new authorizations, and self-service password reset. All of these processes involve heavy end-user interaction, and each of them can turn into an attack path if it is not controlled properly.
Adding Security to Self-Service Processes
When self-service requests work well, the organization becomes more efficient. Keep in mind, however, that streamlined automated processes tend to become security traps, because employees and managers pay less attention to repetitive activities. For example, if managers approve end-user requests on their mobile phones and all they have to do is press a big button that says "I approve", there is a good chance that they will also approve, by mistake, a fraudulent request created by an attacker. Therefore security must be considered, and additional security steps must be built into every self-service workflow.
Here are some examples of situations that should raise a red flag:
- Requests coming from a suspicious IP address (for example, from outside the corporate network, or from an address that has never been seen for that user)
- Requests submitted for an inactive user account: attackers look for accounts that nobody pays attention to, and adding authorizations to such an account is a good starting point for them (closing inactive accounts automatically is covered in a separate post)
- Requests submitted for a powerful user account (e.g. an administrator) or for a powerful authorization ("SAP_ALL" and its equivalents)
- Requests for sensitive objects, or for an authorization role that includes sensitive transaction codes (T-codes)
- Frequent password reset requests for the same user within a short time window
All of the above situations, and many more, should go through an additional approval step by the security team, and in some cases should require personal approval by the security manager. As we said above, streamlined processes facilitate efficiency, but they also introduce security risks if you do not put the right controls in place.
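The routing logic described above, as an added example that is not Xpandion's or ProfileTailor Dynamics' code: each request is checked against the red flags from the list (untrusted source address, inactive or powerful target account, powerful authorization, sensitive T-codes reached through the requested roles, and a burst of password resets), and the flags decide whether the request follows the normal manager approval, gets an extra security-team step, or needs the security manager personally. The trusted networks, account lists, role-to-T-code map, thresholds and sample requests are all constructed assumptions; a real implementation would read them from the target system.

```python
# Added example (not Xpandion's or ProfileTailor Dynamics' code): evaluate a
# self-service request against the red flags listed above and decide which
# approval path it takes. All reference data, thresholds and requests below
# are constructed for illustration.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed reference data (assumptions, not pulled from any real system).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
INACTIVE_ACCOUNTS = {"JDOE_OLD"}                    # e.g. no logon for 90+ days
POWERFUL_ACCOUNTS = {"DDIC", "SAP*", "ADMIN"}       # assumed administrative accounts
POWERFUL_AUTHS = {"SAP_ALL", "Z_FULL_ACCESS"}       # SAP_ALL and a constructed equivalent
SENSITIVE_TCODES = {"SU01", "PFCG", "SE16"}         # assumed list of sensitive T-codes
ROLE_TCODES = {                                     # constructed role -> T-code map
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
    "Z_AP_CLERK": {"FB60", "MIRO"},
}
RESET_LIMIT = 3                      # more than 3 resets inside the window is a flag
RESET_WINDOW = timedelta(hours=24)
MANAGER_FLAGS = {"powerful_account", "powerful_authorization"}  # security manager approves


def flag_request(req: dict, reset_history: dict) -> list:
    """Return the red flags raised by one request.

    req carries: type ('auth_request' | 'password_reset' | 'provisioning'),
    target_user, source_ip, submitted_at (datetime) and, for authorization
    requests, requested_roles. reset_history maps user -> datetimes of earlier
    password resets and is updated in place.
    """
    flags = []
    ip = ip_address(req["source_ip"])
    if not any(ip in net for net in TRUSTED_NETWORKS):
        flags.append("suspicious_ip")
    user = req["target_user"]
    if user in INACTIVE_ACCOUNTS:
        flags.append("inactive_account")
    if user in POWERFUL_ACCOUNTS:
        flags.append("powerful_account")
    roles = set(req.get("requested_roles", []))
    if roles & POWERFUL_AUTHS:
        flags.append("powerful_authorization")
    # Expand the requested roles to the transactions they contain and look for sensitive ones.
    tcodes = set().union(*(ROLE_TCODES.get(r, set()) for r in roles))
    if tcodes & SENSITIVE_TCODES:
        flags.append("sensitive_tcodes")
    if req["type"] == "password_reset":
        now = req["submitted_at"]
        recent = [t for t in reset_history.get(user, []) if now - t <= RESET_WINDOW]
        recent.append(now)
        reset_history[user] = recent
        if len(recent) > RESET_LIMIT:
            flags.append("frequent_password_resets")
    return flags


def route(flags: list) -> str:
    """Map flags to an approval path: the normal manager approval, an extra
    security-team step, or personal approval by the security manager."""
    if not flags:
        return "manager_approval"
    if MANAGER_FLAGS & set(flags):
        return "security_manager"
    return "security_team"


def sample_decisions() -> dict:
    """Run constructed requests through the check; returns name -> (flags, route)."""
    t0 = datetime(2024, 1, 1, 8, 0)   # fabricated timestamp
    history = {}
    requests = {
        "clerk_role_from_lan": dict(type="auth_request", target_user="LISA",
            source_ip="10.1.2.3", submitted_at=t0, requested_roles=["Z_AP_CLERK"]),
        "dormant_user_basis_role": dict(type="auth_request", target_user="JDOE_OLD",
            source_ip="203.0.113.7", submitted_at=t0, requested_roles=["Z_BASIS_ADMIN"]),
        "sap_all_for_ddic": dict(type="auth_request", target_user="DDIC",
            source_ip="10.0.0.5", submitted_at=t0, requested_roles=["SAP_ALL"]),
    }
    results = {}
    for name, req in requests.items():
        flags = flag_request(req, history)
        results[name] = (flags, route(flags))
    for i in range(4):   # four resets for the same user within three hours
        req = dict(type="password_reset", target_user="LISA",
                   source_ip="10.1.2.3", submitted_at=t0 + timedelta(hours=i))
        flags = flag_request(req, history)
        results[f"reset_{i + 1}"] = (flags, route(flags))
    return results


if __name__ == "__main__":
    for name, (flags, path) in sample_decisions().items():
        print(f"{name:28s} {path:18s} {flags}")
```

The only fourth password reset within the window is flagged, not the earlier three, and a request that carries both a powerful account and a powerful authorization is sent straight to the security manager rather than accumulating two separate security-team reviews.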
Another piece of advice that helps to increase user satisfaction in this area is to narrow down non-applicable options in selection fields. If users are not allowed to select a value in a drop-down box, that value should not be visible to them. People tend to get confused or annoyed if they choose an option and are then told "no, you do not have the authorizations for this option", which is a frustrating situation. Common places where you should limit the values are: offering only the allowed company codes in a request for additional authorizations, offering only specific periods of time when asking for temporary authorizations, and limiting the list of systems in a self-service password-reset request to the ones the user can actually access. Note that hiding an option in the user interface is a usability measure, not a control: the portal must still reject a value that is not allowed for that user when the request is submitted, because the hidden value can be supplied directly.
Adding SoD to Self-Service Processes
If your company has to comply with SOX or similar GRC requirements, adding Segregation of Duties (SoD) rulesets, or simply enforcing policies that improve security and business continuity, can help (implementing SoD rulesets is covered in a separate post). Our strongest advice is to automate and enforce your SoD rulesets in every relevant self-service process that you use. Everything that you take care of during the process saves you from uncomfortable situations with end users and from tedious changes after the fact. In other words, if you find that a user would violate SoD rules before you grant the authorizations, it is much easier to fix at that moment than to argue with them afterwards about removing authorizations.
Make sure to add an "SoD check" step to every workflow that grants authorizations to users, especially self-service authorization requests and user provisioning. If the requested authorizations could violate SoD rules, redirect the request to the compliance manager to resolve it. Try as much as you can to resolve potential problems before they are created.
Another way to increase user satisfaction in this area is to allow users to name another user account as a reference user. Most user requests are typically "I would like to have the same authorizations as John has", "I am replacing Harvey and I need his permissions for two months", or even "We recruited a new employee into a position similar to Lisa from accounting and we need a new user account for her". A dedicated "reference user" field also makes it possible to locate the right user account (and not just "Lisa from accounting"). This creates higher satisfaction for the end users as well as for your security team, who no longer need to struggle to find Harvey or Lisa. The role set copied from the reference user must still go through the same SoD check as an explicitly requested role, since the reference user's combination of roles may not be appropriate for the requester. In short, if you can remove uncertainty, the whole process becomes more efficient.
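The SoD check step and the reference-user request form described in this section, as an added example that is not ProfileTailor Dynamics code: the request is first resolved into a concrete role set (explicit roles, the roles of a named reference user, or both), then the roles the user would hold afterwards are checked against an SoD ruleset. Conflicts the request would introduce send it to the compliance manager with nothing granted; conflicts the user already has are reported for cleanup but do not block an unrelated request. The ruleset, role names and current assignments are constructed assumptions.

```python
# Added example (not ProfileTailor Dynamics code): resolve a self-service
# authorization request, including the "same as Harvey" reference-user form,
# and run it through an SoD check before anything is granted. The ruleset,
# role names and users are constructed for illustration.

# Constructed SoD ruleset: each rule names two roles one person may not hold together.
SOD_RULES = {
    "SOD-01": ("Z_VENDOR_MAINT", "Z_AP_PAYMENTS"),   # create a vendor and pay it
    "SOD-02": ("Z_PO_CREATE", "Z_GR_POST"),          # order goods and receive them
    "SOD-03": ("Z_ROLE_ADMIN", "Z_USER_ADMIN"),      # build roles and assign them
}

# Constructed current assignments (a real check reads these from the target system).
CURRENT_ROLES = {
    "LISA": {"Z_AP_PAYMENTS", "Z_DISPLAY_FI"},
    "HARVEY": {"Z_PO_CREATE", "Z_VENDOR_MAINT"},
    "JOHN": {"Z_DISPLAY_FI"},
    "PAT": {"Z_ROLE_ADMIN", "Z_USER_ADMIN"},         # already in conflict today
}


def resolve_requested_roles(request: dict) -> set:
    """Turn the request into a concrete role set. A request may list roles
    explicitly, name a reference user ("the same as Harvey"), or both."""
    roles = set(request.get("roles", []))
    ref = request.get("reference_user")
    if ref is not None:
        if ref not in CURRENT_ROLES:
            raise ValueError(f"unknown reference user {ref!r}")
        roles |= CURRENT_ROLES[ref]
    return roles


def sod_conflicts(roles: set) -> list:
    """Return (rule_id, role_a, role_b) for every rule this role set violates."""
    return [(rid, a, b) for rid, (a, b) in SOD_RULES.items() if a in roles and b in roles]


def check_request(request: dict) -> dict:
    """Decide the next workflow step for one authorization request.

    New conflicts (ones the request would introduce) route the request to the
    compliance manager and nothing is granted. Conflicts the user already has
    are reported separately so they can be cleaned up, but do not block an
    unrelated request.
    """
    target = request["target_user"]
    existing = CURRENT_ROLES.get(target, set())
    requested = resolve_requested_roles(request) - existing   # drop roles already held
    before = set(sod_conflicts(existing))
    after = sod_conflicts(existing | requested)
    new = [c for c in after if c not in before]
    return {
        "target_user": target,
        "requested": sorted(requested),
        "new_conflicts": new,
        "preexisting_conflicts": sorted(before),
        "next_step": "compliance_manager" if new else "manager_approval",
        "grant": [] if new else sorted(requested),
    }


if __name__ == "__main__":
    samples = [
        {"target_user": "LISA", "reference_user": "HARVEY"},      # "I am replacing Harvey"
        {"target_user": "NEWHIRE", "reference_user": "LISA"},     # new account like Lisa's
        {"target_user": "PAT", "roles": ["Z_DISPLAY_FI"]},        # harmless add, old conflict
        {"target_user": "JOHN", "roles": ["Z_GR_POST"], "reference_user": "HARVEY"},
    ]
    for s in samples:
        print(check_request(s))
```

Lisa taking over Harvey's roles would combine vendor maintenance with her existing payment role, so that request stops at the compliance manager even though Harvey's role set on its own is clean; this is exactly the case the reference-user shortcut would otherwise wave through.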
Additional Tips to Increase User Satisfaction in Self-Service Requests
Here are a few more tips that we have found increase user satisfaction. The first one is to include as many applications as possible (SAP, non-SAP, cloud and on-premise) in the same user portal. It already takes time to convince employees to use a portal instead of their usual routine of sending emails to the support team, so make it as simple as you can. If they know that in order to request a new authorization they need to use a request page, let them use the same request page for all applications, regardless of the level of automation you have for each one. One page, one screen for all requests of the same type means less potential for mistakes and happier users.
The second tip is to automate as much as you can. This means avoiding email-based handling of requests. Instead, use a workflow system (like the one in ProfileTailor Dynamics), escalate user requests to other managers if they wait too long in the approval queue, and avoid having more approval steps than are actually needed. Users love to know that their request is being handled quickly, and automation makes that happen.
Another important point is to keep users informed about the current state of their request. So instead of just saying "your request was submitted successfully", consider sending updates automatically during the workflow to show them the request is moving from step to step. Examples are: "your request was sent to the security team", "your request is number 10 in the queue" and so on. Consider, however, what data you include in these updates: it is not good practice to include specific names ("your request is waiting for Graham Smith") or unrealistic numbers ("your request is number 5,467 in the queue") in a status notification. Always notify users when their request is approved or rejected, as some users tend to forget about it.
Last but not least, allow employees to use their mobile devices to access the portal in order to submit and approve requests. This means that the self-service portal pages should be fully accessible from mobile devices. The pages should be mobile-friendly, and managers should be able to approve requests directly from emails (that they read on their mobile) even when they are outside the organization (send us a message to hear more about our solution for mobile support). Such an approval link must still authenticate the approver rather than act on behalf of whoever clicks it, or the "big button" problem described above gets worse. Notifications should be sent as short, mobile-friendly emails or text messages. You can witness true happiness when your users receive their initial password by text message to their mobile, instead of in an email or a telephone call from the support team. Treat that initial password as a one-time credential: it should expire quickly and must be changed at first logon.
Each of the above tips will help to ensure a higher level of security and more satisfied end users, which in turn increases the effectiveness of the organization. So start implementing them and see the benefits for yourself!
If you wish to discuss how this can help your organization or just to share your experience, do not hesitate to write us a message.