Get Rid of Power Users Once and For All

Get Rid of Power Users Once and For All

Organizations have Power Users in all systems (at least I have not yet come across an organization without them). Power Users hold a vast amount of authorizations, or even full authorizations in specific applications.



In most cases, Power Users are system administrators or employees holding senior positions in an organization. It is also very common that senior programmers, system analysts or project managers aim – and succeed – at obtaining full authorizations. Such Power Users tend to believe that they are above making mistakes and will never misuse their authorizations. Their need for wide authorizations is at times purely for work, such as IT employees claiming to save the company from a production bug and cannot therefore afford to be stopped by lack of authorizations.

You must be thinking to yourself that these IT employees have a point… Of course, production bugs must be fixed immediately; however handing out SAP_ALL to any “important” employee is not the point. I promise however to get back to this matter.

Never forget the auditor:

Auditors perceive Power Users as a major risk! And they provide their reasons:

  • First, believe it or not, auditors are not convinced that Power Users make no mistakes.
  • Second, Power Users are highly inclined to violate SoD (Segregation of Duties) combinations.
  • Third, if a hacker takes over a username with wide authorities, well no need to spell it out…

Make peace with your auditor:

There a few ways to keep your auditors satisfied.

1. Cheat a bit… this is the most common solution organizations choose to use. Instead of granting users with full authorizations (i.e. SAP_ALL in SAP systems) the IT team creates a module-oriented wide authorization profile, for example FI_ALL for all authorizations in FI module, HR_ALL for all the authorizations in HR, and so on. Then SAP_ALL is removed and replaced with the relevant profile. A more sophisticated way to “cheat” is by replacing the word ALL with WIDE, ALMOST_ALL, etc.

This solution is wrong for three main reasons:

  • It is not nice to cheat.
  • Auditors do not appreciate being outsmarted (it is actually becoming harder to do so in any case). Auditors have learnt to identify Power Users by the number of authorizations inside the role; hence changing the name of role is not longer sufficient.
  • Removing ALL from the a role name leads to more Power Users, since it becomes less frightening to grant wide authorizations as they no longer include SAP_ALL. From our observation, if you add up the numbers of employees with FI_ALL, MM_ALL, HR_ALL, etc. you get a number that is twice or even three times higher than the number of employees who previously held SAP_ALL!

2. Be strict – setting a strict policy across the organization is the best way to make your auditors happy, yet within the organization you will be liked a bit less…. Policies that declare nobody has SAP_ALL tend to remain in place only until after the audit. Somehow, there are always those employees (especially system administrators and senior IT people) that succeed in achieving their desired status of Power Users. Of course Power Users take management’s policies seriously, however they are also very successful in convincing management that wide authorizations is essential for running the business smoothly (and they kind of have a point… I know, I didn’t forget my promise and I will refer to this right below).

3. Narrow authorization according to actual behavior – this is the winning solution. No, I don’t mean for you to do this manually, that would be such a waste of time… (you would have to start by investigating last year’s log of activities per each Power User, uploading the data to Excel, removing un-required and/or duplicate authorizations, and then you could begin building authorization roles… yawn…). I suggest doing this efficiently. What you really need is a tool that can narrow user authorizations according to the user’s de-facto behavior, automatically. This tool would build a dedicated authorization role accordingly and replace the SAP_ALL with the dedicated authorization role. This would result in happy auditors alongside pleased employees, who could continue their business as usual without even noticing or being affected by the fact that they no longer have.

It’s really very simple: Dedicated authorization roles to replace SAP_ALL.