Auth Review
Conducting a Successful SAP® Authorization Review
TABLE OF CONTENTS
Introduction
Summary
What is an Authorization Review, and Why You Need It

Why should I be performing authorization reviews?

The process of reviewing authorizations enables enterprises to verify that the authorizations granted to employees are still valid. A manager must go through each authorization allocated to each of his/her employees and decide whether to keep or remove it. In some cases the authorization review process ends after a single manager's approval; in others, additional approval steps from senior management are required. At the end of the process, a list is produced of all the employees whose authorizations were not approved and will need to be removed.

The authorization review process is required by SOX and equivalent regulations, so companies need to review their authorizations at least once a year. Many organizations perform these reviews twice a year or even quarterly, depending on legal obligations and the requirements of the company's auditors.

“Authorization Review” is also often called “Access Review” or the “Authorization Inspection” process.

Only after achieving a complete view of all authorizations can organizations remove unused ones.

The Importance of the Authorization Review Process

The importance of the authorization review process is not related only to financial regulations like SOX. Beyond being a regulatory obligation, a periodic review of authorizations ensures that employees hold authorizations for justifiable reasons. Over time, a full overview of employee authorizations is built up as a comprehensive list detailing every authorization, the usage pattern of each authorization, and the name of the manager who approved it.

After achieving a complete view of authorizations, organizations can:

• Remove unused authorizations
• Identify usage of sensitive authorizations
• Investigate irregular behavior
• Comply with SOX regulations
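The complete view described above (every assignment with its usage pattern and the manager who approved it) and the first three outcomes drawn from it can be built from standard SAP extracts. The following is an added example, not Xpandion's code or tool: the role-to-transaction map, the user-role assignments and the usage log are constructed here; in practice they would come from AGR_TCODES, AGR_USERS and the STAD/ST03N workload statistics respectively. The user and role names are hypothetical, apart from ZLO_NOCHANGE, which the page itself uses later.

```python
"""Build the 'complete view' of SAP authorizations and derive the review
outcomes from it: unused roles, usage of sensitive roles, and activity that
none of the user's assigned roles explains. Added example, not Xpandion's
code. All data is constructed; in a real review the role-to-transaction
map comes from AGR_TCODES, the assignments from AGR_USERS and the usage
log from STAD / ST03N."""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)   # constructed reference date for the review

# Constructed: transactions granted by each role (AGR_TCODES-like).
ROLE_TCODES = {
    "Z_FI_AP_CLERK": {"FB60", "FBL1N", "F-53"},
    "Z_FI_VENDOR_MASTER": {"FK01", "FK02"},
    "Z_LO_REPORTS": {"ME2L", "ME2M"},
    "ZLO_NOCHANGE": {"ME23N", "MM03"},
}
SENSITIVE_ROLES = {"Z_FI_VENDOR_MASTER"}   # constructed: auditor's watch list

# Constructed: (user, role, manager who approved the assignment).
ASSIGNMENTS = [
    ("JSMITH", "Z_FI_AP_CLERK", "m.cohen"),
    ("JSMITH", "Z_FI_VENDOR_MASTER", "m.cohen"),
    ("JSMITH", "ZLO_NOCHANGE", "m.cohen"),      # inherited by copying a user
    ("ALEVI", "Z_LO_REPORTS", "d.katz"),
]
# Constructed: (user, transaction, date executed).
USAGE = [
    ("JSMITH", "FB60", date(2024, 5, 2)),
    ("JSMITH", "FK02", date(2024, 5, 9)),
    ("ALEVI", "ME2L", date(2023, 3, 1)),
    ("ALEVI", "MM03", date(2024, 4, 30)),       # no assigned role grants MM03
]


def build_view(assignments, usage, role_tcodes):
    """One record per assignment: who approved it and how it has been used.
    A transaction granted by two of a user's roles counts for both, because
    the usage log does not say which role authorised the call."""
    view = []
    for user, role, approver in assignments:
        hits = [d for u, t, d in usage if u == user and t in role_tcodes[role]]
        view.append({"user": user, "role": role, "approved_by": approver,
                     "uses": len(hits), "last_used": max(hits) if hits else None})
    return view


def review_findings(view, usage, assignments, role_tcodes, sensitive,
                    today, window_days=365):
    """Derive the review outcomes from the complete view."""
    cutoff = today - timedelta(days=window_days)
    findings = {"unused": [], "sensitive_used": [], "irregular": []}
    for rec in view:
        if rec["last_used"] is None or rec["last_used"] < cutoff:
            findings["unused"].append((rec["user"], rec["role"]))
        elif rec["role"] in sensitive:
            findings["sensitive_used"].append(
                (rec["user"], rec["role"], rec["last_used"]))
    # Activity that none of the user's assigned roles explains: investigate
    # (a directly assigned profile, or a role changed after the extract).
    granted = {}
    for user, role, _ in assignments:
        granted.setdefault(user, set()).update(role_tcodes[role])
    for user, tcode, d in usage:
        if tcode not in granted.get(user, set()):
            findings["irregular"].append((user, tcode, d))
    return findings


def run_review(today=TODAY):
    view = build_view(ASSIGNMENTS, USAGE, ROLE_TCODES)
    return review_findings(view, USAGE, ASSIGNMENTS, ROLE_TCODES,
                           SENSITIVE_ROLES, today)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(kind)
        for item in items:
            print("   ", *item)
```

On the constructed data the copied ZLO_NOCHANGE role and the stale Z_LO_REPORTS role come out as unused, the vendor-master role is reported as a used sensitive authorization, and ALEVI's MM03 call is flagged for investigation because no assigned role grants it. The "approved_by" field in each view record is the column the text calls the name of the approving manager; the usage window (365 days here) should match the review frequency the auditor requires.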
[Figure: the authorization review workflow, linking the Employee, the Organization's Auditor and Provisioning]
In general, the authorization review process is one of four significant authorization-related workflow processes:

1. Authorization Review - the process discussed in this document.

2. Authorization Request - the process in which an employee requests additional permanent authorizations to meet a specific long-term business need, or a temporary authorization for an organizational need such as replacing someone on vacation. The process begins with an employee requesting an authorization to a certain system and ends with the authorization either being granted or the request being rejected.

3. New Employee/Account Creation - the process of creating a new record in the HR system for a new employee, then creating usernames in the relevant systems and allocating the required authorizations according to organizational needs so that the employee can commence work. In most organizations, new accounts are created by copying an existing employee's account, which also replicates many unnecessary authorizations.

4. Closing Employee's User Account - the process of closing all user accounts when an employee leaves the organization. What “closing” means changes from system to system according to the company's standards for retaining data: some user accounts are erased, some are only locked, and others receive an expiration date earlier than the current date. The trigger for this process is an employee leaving, or prior notice from the HR department.

Emergency Access

The emergency access process interfaces with the four processes above and deals with an immediate need for an irregular entry into the production environment. SOX regulations require enterprises to allow this only as privileged, time-limited access to the production systems.

Emergency access answers a situation where an employee who is not supposed to access the production environment needs access for a limited amount of time and for a specific ad hoc reason (for example, to inspect a bug or train an end-user for a specific purpose). Rather than allowing IT users to freely log into the production
Choosing between a manual or an automated authorization review process depends on the amount of available resources and the complexity of the project. The more systems an organization has, the more complicated the authorization review process becomes, and the more resources are needed. In such a case an automated process adds great value to a company, saving time and unnecessary hassle.

Similarly, if an auditor imposes complex requirements on the review process (such as exact documentation for each step, the reason behind each authorization, second approval by senior management, etc.), an automated tool becomes a must. In addition to the great savings in time and resources, authorization-related information is more up to date and can be documented easily, which pleases auditors and management alike.

Furthermore, an automated tool allows the process to be repeated easily (based on previous reviews) without requiring additional resources and without depending on the organization's experts.

Many small organizations with just one system also prefer using an automated tool in order to be prepared at all times for changes or new requirements. Changes can include a new auditor, a new organizational structure, a request to view records from a previous process, etc. Small companies also see the value of an automated tool in improving the quality of the process and in obtaining accurate cross-organizational information, so they can perform the review in the most professional way.

From a departmental point of view, an automated tool enables the process owner and the auditor to know the exact status of the review by business unit or business process at any given moment. The process owners stay in control and can easily see different views: how many authorizations need to be reviewed, how many have already been reviewed by second-level management, and how many have not yet been reviewed. With an automated tool, departments are able to control the entire process, provide clear reports to management and reach accurate decisions.
In general, Cloud-based applications usually do not involve a continuous connection between the organization's internal systems and the Cloud; rather, they require loading data to the Cloud occasionally. For example, a CRM system in the Cloud, like Salesforce.com, means in most cases that employees work only in the Cloud and do not use data from internal systems inside the organization. Therefore, there is usually no need for a continuous connection between Cloud applications and the organizational network.

Surprisingly or not, given the many services available in the Cloud, more and more organizations are reviewing their employees' authorizations to internal systems using the Cloud. The data is obtained from the internal network (either automatically or manually) and then transferred to the Cloud. Emails are sent to managers via a server in the Cloud, and managers work on web pages that are located in the Cloud and not inside the organization.

The main advantage of performing an authorization review process using the Cloud is that no hardware is needed. When no servers are installed in the organization, there is no installation cost, no need for ongoing maintenance, no password policies to define and no technicians to call if something goes wrong. In addition, working in the Cloud lets organizations allocate resources exactly as needed: the Cloud entails payment only for the exact amount of time required to complete the process, and there are no hardware costs to carry after the review ends.

What about the data itself? The most common belief is that data is not totally secure in the Cloud. However, even if we ignore the security methods of the Cloud (like TLS/SSL access, security reviews, penetration tests, etc.), most Information-Security Managers will agree that exposing the data required for the authorization-review process, such as usernames and roles, cannot be compared to the larger risk of exposing business-related information. Not that exposing usernames and authorizations should be taken lightly: a complete list of which accounts hold which sensitive roles is useful reconnaissance for anyone targeting the organization's systems, so the extract should be transferred and stored with the same care as any other confidential data. But in most cases the risk is small compared to the potential benefit.
• Only reviewing sensitive authorizations, per employee (for an immediate and rapid review).

• Only reviewing specific activities, such as financial activities, per employee.

• Reviewing authorization groups (roles) allocated to employees. If there is a need for a quick review, some objects can be left out of the review (but this will result in a less thorough review).

• Support “Cancellation Tickets.” Cancellation requests need to be documented in relevant tickets, one ticket per cancellation request. These tickets can be handled later by the Helpdesk or the relevant authorizations manager. In many cases the auditor needs to see the full flow of the cancellation request, so supplying cancellation requests as tickets is a rather good solution.

• Provisioning. For certain systems in an organization, such as the main systems, provisioning is strongly recommended for changing authorizations automatically and documenting the actions in the appropriate ticket. This ensures that no one makes manual mistakes during the tedious process of removing authorizations, and also increases the level of security.

• Support the ability to retrieve authorization data and maintain a centralized database of employees in operational systems.

• Obtain the HR system's organizational structure and upload it to the main system.

• Email managers a link to their employees' authorization review.

• Simple and clear language. The language of the user interface needs to be understandable by business managers so they can make educated and accurate decisions. Role names like ZLO_NOCHANGE provide little or no information to non-technical people, so managers may inadvertently sign authorization reviews without really knowing whether the authorizations are required, which causes a rubber-stamp situation. Instead of unclear names, use role descriptions that have a meaning, like “Logistic authorizations: reports only, no change options.”

• Employee details. Employee details like names and positions must be displayed clearly, because managers usually refer to employees by personal information and not by user account.
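Several of the requirements above (the HR org structure as the source of the manager-to-employee mapping, readable role descriptions instead of names like ZLO_NOCHANGE, employee names and positions on the worksheet, one cancellation ticket per rejection, and provisioning documented against that ticket) fit together into a single workflow. The following is an added example of that workflow in Python, not Xpandion's product or code; the HR data, the role descriptions (other than the one the page itself gives for ZLO_NOCHANGE), the assignments and the managers' decisions are constructed, and the ticket and provisioning records are in-memory stand-ins for a helpdesk system and an SAP connector.

```python
"""Manager-facing part of the review: one worksheet per manager from the HR
org structure, roles shown by business description rather than technical
name, each rejection turned into one cancellation ticket plus a provisioning
action, and a status count for the process owner. Added example, not
Xpandion's code; all data is constructed, and the ticket and action records
stand in for the helpdesk system and the SAP connector."""
from dataclasses import dataclass

# Constructed HR org structure: user ID -> (full name, position, manager).
HR = {
    "JSMITH": ("Jane Smith", "AP Clerk", "m.cohen"),
    "ALEVI": ("Amir Levi", "Buyer", "d.katz"),
    "RNAVA": ("Rita Nava", "Warehouse Supervisor", "d.katz"),
}
# Constructed: technical role name -> what it means to a business manager.
ROLE_DESC = {
    "Z_FI_AP_CLERK": "Finance: post vendor invoices and payments",
    "ZLO_NOCHANGE": "Logistic authorizations: reports only, no change options",
    "Z_LO_REPORTS": "Logistics: purchasing reports only",
}
# Constructed user-role assignments extracted from the SAP system.
ASSIGNMENTS = [("JSMITH", "Z_FI_AP_CLERK"), ("JSMITH", "ZLO_NOCHANGE"),
               ("ALEVI", "Z_LO_REPORTS"), ("RNAVA", "ZLO_NOCHANGE")]


@dataclass
class ReviewItem:
    user: str
    employee: str               # name shown to the manager, not the user ID
    position: str
    role: str
    description: str
    decision: str = "pending"   # pending | keep | remove


@dataclass
class CancellationTicket:
    ticket_id: str
    user: str
    role: str
    requested_by: str           # the reviewing manager
    provisioning: str = "queued"   # queued | done


def build_campaign(assignments, hr, role_desc):
    """One worksheet per manager, employees by name and roles by description."""
    worksheets = {}
    for user, role in assignments:
        name, position, manager = hr[user]
        if role not in role_desc:
            # A bare technical name invites a rubber stamp: refuse to show it.
            raise ValueError(f"role {role} has no business description")
        worksheets.setdefault(manager, []).append(
            ReviewItem(user, name, position, role, role_desc[role]))
    return worksheets


def record_decisions(worksheet, manager, decisions, counter):
    """Apply a manager's keep/remove decisions; each removal opens one ticket."""
    tickets = []
    for item in worksheet:
        item.decision = decisions.get((item.user, item.role), "pending")
        if item.decision == "remove":
            counter[0] += 1
            tickets.append(CancellationTicket(
                f"CANC-{counter[0]:05d}", item.user, item.role, manager))
    return tickets


def provision(tickets, assignments):
    """Remove the rejected roles and close the tickets. Here the change is
    applied to the in-memory list; in a real system it is handed to the SAP
    connector, and the ticket keeps the audit trail the auditor asks for."""
    remaining = list(assignments)
    for t in tickets:
        remaining = [a for a in remaining if a != (t.user, t.role)]
        t.provisioning = "done"
    return remaining


def campaign_status(worksheets):
    """What the process owner sees at any moment: items per decision state."""
    status = {"pending": 0, "keep": 0, "remove": 0}
    for items in worksheets.values():
        for item in items:
            status[item.decision] += 1
    return status


def run_example():
    worksheets = build_campaign(ASSIGNMENTS, HR, ROLE_DESC)
    counter = [0]
    # Constructed decisions: m.cohen rejects the copied logistics role;
    # d.katz has so far reviewed only one of two items.
    tickets = record_decisions(worksheets["m.cohen"], "m.cohen", {
        ("JSMITH", "Z_FI_AP_CLERK"): "keep",
        ("JSMITH", "ZLO_NOCHANGE"): "remove"}, counter)
    tickets += record_decisions(worksheets["d.katz"], "d.katz", {
        ("ALEVI", "Z_LO_REPORTS"): "keep"}, counter)
    remaining = provision(tickets, ASSIGNMENTS)
    return tickets, remaining, campaign_status(worksheets)
```

Two design choices follow the text directly: build_campaign refuses to put a role on a worksheet without a business description, which is the only reliable way to stop the rubber-stamp problem, and the ticket is created before the role is removed and then closed by the provisioning step, so the auditor can follow the full flow from the manager's rejection to the change in the system. An item a manager has not touched stays "pending" rather than silently counting as approved.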
The following useful suggestions come straight from customers and consultants who implemented an automated authorization review process in their organizations:

Tip 1: Allow enough time in advance

The average time for a first implementation is between two weeks and three months, depending on the number of systems, the readiness of the databases and the organizational culture. It is therefore recommended to prepare ahead of time, especially if additional resources need to be brought in.

Tip 2: Get top management support

It is essential that senior managers like the CEO and CFO support this process. Involving senior management and sending them status reports helps ensure that the review ends on time and successfully.

Tip 3: Involve the auditor

At the end of the day, the auditor is the real customer in this process. It is recommended to involve them along the way to get professional guidance and to increase their level of satisfaction and confidence in the process. It is also a good idea for the auditor to appoint a representative to participate in regular status meetings, while the auditor him/herself should be present in the company's executive meetings.

Tip 4: Prepare proper infrastructure

To avoid issues that might slow down the implementation process, and to maintain an atmosphere of success, it is important to prepare the proper infrastructure. The infrastructure may include the required hardware, additional software (such as Microsoft Office in certain situations, graphical elements, etc.), preliminary installations (database, Windows), and allocation of authorizations to the different systems.

A delay in any of the above will postpone the implementation, and the auditor might disqualify the authorization review for that period. Preparing the proper infrastructure shortens implementation time, improves the level of satisfaction and enables the review to begin as scheduled.
About Xpandion