True Story
A customer from a large enterprise came to us and said, “Our company has an ‘open policy.’ We trust our employees, so we grant all of them SAP_ALL. We know that SAP_ALL includes all authorizations in the system but everything’s working fine and our authorizations are very easy to maintain, as you’d expect. But we need to spot the people who are taking advantage of this freedom and going beyond their permitted activities; those who are misusing their authorizations and, based on their job descriptions, going where they’re not allowed. For instance, we have a sneaking suspicion that some people in the warehouse are exploring payroll records.”
At first, I was sure that this was a joke. They were granting a single role, equivalent to SAP_ALL, to everybody? At a company that size? In this day and age? It couldn’t be real.
But it was real. In fact, I noticed that more than a few customers do it.
Are they insane?
Why would an SAP customer choose to employ a single authorization role for the entire organization? I’ll tell you why:
1. It’s easy to maintain. A single role requires almost no maintenance. In fact, SAP_ALL requires absolutely no maintenance.
2. It helps to streamline business. There’s no waiting. New employees don’t need to wait to receive their authorizations, current employees don’t need to wait for additional authorizations when they need them, and there aren’t any long approval processes to wait for. Business can continue as usual even if people change position or need to perform additional functionality.
3. It saves a huge amount of money. The company above would have had to pay for a lengthy initial authorization implementation project, and for at least 10 professional employees to maintain their authorizations if they hadn’t chosen the “single role” method. I hear from many companies that they prefer the risks of fraud and misuse over explaining to the CFO why they need to budget for additional jobs.
4. It’s based on the romantic concept of “We trust everyone here.” This is a wonderful idea upon which to build a great company. All the best corporate success stories start with small groups that trust each other. So, why not use this in practice?
5. There’s no managerial responsibility. When everyone has a single authorization role, if one person misuses his permissions and goes into a part of an application that he shouldn’t (or worse, commits an act of fraud), it’s that person’s fault alone. Nobody else can or will be blamed for granting the wrong authorizations to that employee, and no one, especially not the manager, will have to explain why this employee was able to commit the fraud.
So why not go for it? Just because we’re captive to the idea that this is wrong doesn’t prove that it really is wrong. As a matter of fact, there are many good examples that show this can work well in practice.
OK, but of course there are consequences. If we make the decision to grant everyone the same super-wide authorization role, what do we need to do in order to not lose control?
Hard Punishment!
Apparently, the secret lies in the response to misuse of this freedom. If it’s clear that anyone who misuses his permissions will be fired, he won’t dare do it. Taking an example from the real world, statistically, in places where the punishment for crimes is disproportionately severe, the rate of crime is extremely low.
Catching the crime when it happens.
In order to have an effective response in such a single-role situation, you need a good auditing system. “Big Brother” is a must here. It’s imperative to take the following steps:
1. Audit who’s doing what and create business profiles. This is your data source. You must know exactly who is peeking at an invoice, who is messing with employee salaries and who is changing vendor details. Furthermore, you must know what each person normally does and create business profiles for them so that you can identify deviations from their normal behavior when they occur.
2. Use a behavior-based alerting system. When an employee behaves suspiciously, someone needs to check it out immediately. If you want to catch people “red handed,” the response needs to be quick. This is the reason for implementing an alerting system that notifies you about irregular or sensitive activity.
3. Perform a usage review. Instead of the periodic “Access Review” processes, perform periodic “Usage Review” processes, where each manager approves his employees’ activities and marks irregular or suspicious activities for further inspection.
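To make the three steps concrete, here is an added example (not code from the original post, and not any vendor's product) that runs the detection logic over a handful of constructed SAP-style activity records. It builds a per-user business profile from a baseline period (step 1), raises alerts for activity that is either sensitive and outside the user's department remit or never seen in that user's profile (step 2), and produces the per-user summary a manager would sign off in a usage review (step 3). The department-to-business-area mapping, the user names, the log format and the choice of which transaction codes count as sensitive are all assumptions made for the example; the transaction codes themselves are standard SAP ones used illustratively.

```python
"""Behaviour-based detection over SAP-style activity records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample records, not real audit data. One line per activity:
# timestamp,user,department,transaction_code
BASELINE_LOG = """
2024-03-01T08:01:00,JSMITH,WAREHOUSE,MIGO
2024-03-01T08:05:00,JSMITH,WAREHOUSE,VL02N
2024-03-01T09:10:00,JSMITH,WAREHOUSE,MIGO
2024-03-01T08:02:00,ALEE,HR,PA20
2024-03-01T08:30:00,ALEE,HR,PA30
2024-03-01T08:15:00,MKHAN,FINANCE,FK02
2024-03-01T10:00:00,MKHAN,FINANCE,FB60
""".strip().splitlines()

# Constructed activity for the day under review.
NEW_LOG = """
2024-03-02T08:00:00,JSMITH,WAREHOUSE,MIGO
2024-03-02T11:42:00,JSMITH,WAREHOUSE,PA20
2024-03-02T09:00:00,ALEE,HR,PA30
2024-03-02T09:30:00,MKHAN,FINANCE,XK02
""".strip().splitlines()

# Business area of each sensitive transaction. The transaction codes are
# standard SAP ones; which of them count as "sensitive" is an assumption here.
SENSITIVE_AREA = {
    "PA20": "payroll", "PA30": "payroll",
    "FK02": "vendor master", "XK02": "vendor master",
    "FB60": "invoices",
}

# Business areas each department legitimately works in (assumed job descriptions).
DEPARTMENT_REMIT = {
    "HR": {"payroll"},
    "FINANCE": {"vendor master", "invoices"},
    "WAREHOUSE": set(),
}


@dataclass(frozen=True)
class Activity:
    timestamp: str
    user: str
    department: str
    tcode: str


def parse_log(lines):
    """Parse comma-separated activity lines into Activity records."""
    records = []
    for line in lines:
        ts, user, dept, tcode = line.strip().split(",")
        records.append(Activity(ts, user, dept, tcode))
    return records


def build_profiles(records):
    """Step 1: a business profile per user, i.e. how often each transaction is used."""
    profiles = defaultdict(Counter)
    for r in records:
        profiles[r.user][r.tcode] += 1
    return profiles


def detect_deviations(profiles, records):
    """Step 2: return (user, tcode, reason) alerts for activity that is sensitive
    and outside the department's remit, or that the user has never done before."""
    alerts = []
    for r in records:
        area = SENSITIVE_AREA.get(r.tcode)
        remit = DEPARTMENT_REMIT.get(r.department, set())
        if area is not None and area not in remit:
            alerts.append((r.user, r.tcode,
                           f"sensitive {area} transaction outside {r.department} remit"))
        elif r.tcode not in profiles.get(r.user, {}):
            alerts.append((r.user, r.tcode, "transaction never seen in user's profile"))
    return alerts


def usage_review(profiles, records):
    """Step 3: per-user summary for the manager: activity counts for the period
    plus the transactions that are new relative to the baseline profile."""
    by_user = defaultdict(Counter)
    for r in records:
        by_user[r.user][r.tcode] += 1
    return {
        user: {
            "activity": dict(counts),
            "new_transactions": sorted(set(counts) - set(profiles.get(user, {}))),
        }
        for user, counts in by_user.items()
    }


if __name__ == "__main__":
    profiles = build_profiles(parse_log(BASELINE_LOG))
    for user, tcode, reason in detect_deviations(profiles, parse_log(NEW_LOG)):
        print(f"ALERT {user} {tcode}: {reason}")
    for user, summary in usage_review(profiles, parse_log(NEW_LOG)).items():
        print(f"REVIEW {user}: {summary}")
```

With the sample data, the warehouse user running PA20 is flagged as a sensitive payroll transaction outside the warehouse remit, the finance user's first use of XK02 is flagged only as new behaviour for that user (vendor master work is within the finance remit), and the HR user's PA30 raises nothing. In a real deployment the two inputs would come from the system's own activity log rather than inline strings, and the "new transaction" rule would normally be combined with frequency thresholds so that a long-standing user's occasional rare transaction does not page someone every time.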
Well, crazy as it might seem, the all-employee single role method can really work, and quite successfully. The companies that did it well, which I personally witnessed, ranged from SMEs to large corporations. The people there are not crazy at all; they just think “out of the box” and prefer to take advantage of the benefits while putting the right mechanisms in place for mitigating the risks.