The Complete Guide for

Conducting a Successful
SAP® Authorization Review
TABLE OF CONTENTS

Introduction

Chapter 1 - Terms & Definitions

Chapter 2 – Related Processes

Chapter 3 – Individual Authorization Review

Chapter 4 – Manual vs Automated

Chapter 5 – Local vs Cloud

Chapter 6 – Automated Tool : Key Features

Chapter 7 – Six Important Tips From The Field

Summary

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 2

INTRODUCTION

What is an Authorization Review, and Why You “Authorization Review” is also often called “Access
Need It Review” or the “Authorization Inspection” process.
Only after achieving a complete view of all
Why should I be performing authorization reviews?
authorizations can organizations remove unused
The process of reviewing authorizations enables
ones.
enterprises to verify that authorizations granted to
employees are still valid. The process entails that a The Importance of the Authorization Review
manager must go through each authorization Process
allocated to each of his/her employees, and decide
The importance of the authorization review process
whether to remove or keep it. In some cases, the
is not only related to financial regulations like SOX.
authorization review process ends after a single
In addition to being a regulatory obligation, a
manager’s approval. In other cases, additional
periodic review of authorizations ensures that
approval steps from senior management are
employees are holding authorizations for justifiable
required. At the end of the process, a list is
reasons. Over time, a full overview of employee
produced of all the employees whose
authorizations is achieved via a comprehensive list
authorizations were not approved and will need to
detailing all of the authorizations, the usage pattern
be removed.
per each authorization, and the name of the
The authorization review process is required by SOX manager that approved the authorizations.
and equivalent regulations, so companies need to
After achieving a complete view of authorizations,
review their authorizations at least once a year.
organizations can:
Many organizations perform these reviews twice a
year or even quarterly, depending on legal • Remove unused authorizations
obligations and the requirements of the company’s • Identify usage of sensitive authorizations
auditors.
• Investigate irregular behavior
• Comply with SOX regulations

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 3

CHAPTER 1: TERMS & DEFINITIONS
User/User Account

The employee’s account in a specific system. For

example, JOHN_S in the ERP system, or account
john.smith@xpandion.com in the Active Directory
system.

Employee

The term in information systems for the logical

entity that represents the human employee. An
employee can have a number of user accounts in a
number of different systems. For example, the
employee John Smith has a user account JOHN_S in
the SAP ERP system and the user account JOHN_SM
in the CRM system.

Organization’s Auditor

External or internal auditors. In general, the

requirement for conducting an authorization review
process and its related follow-up actions come from
the organization’s auditor. Therefore, this document
refers to both types of auditors interchangeably.

Provisioning

Performing an actual change in authorizations via

an automated method for adding or removing
authorizations.

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 4

CHAPTER 2: RELATED PROCESSES
In general, the authorization review process is one
of four significant authorization-related workflow
processes:
1. Authorization Review - the process discussed in
this document.
2. Authorization Request - the process in which an
employee requests additional permanent
authorizations to answer a specific long term
business need, or a temporary authorization due
to organizational needs such as replacing
someone on vacation. The process begins with
an employee requesting an authorization to a
certain system and ends with either granting the
authorization or rejecting the request.
3. New Employee/Account Creation - the process of
creating a new record in the HR system for a new
employee, then creating usernames in the
relevant systems and allocating the required
authorizations according to organizational needs
for the purpose of commencing work. In most
organizations, creating new accounts for an
employee is performed by copying an existing
employee’s account, which can result in also
replicating many unnecessary authorizations.
©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission.
4. Closing Employee’s User Account - the process of
closing all user accounts in the event an
employee leaves the organization. The term
“closing” changes from system to system
according to a company’s standards for saving
data. Some user accounts are erased, some are
only locked, and others receive an expiration
date earlier than the current date. The trigger for
this process is an event of an employee leaving
or prior notice from the HR department.
Emergency Access
The emergency access process interfaces with the
four previous processes and deals with an
immediate need to perform irregular entry into the
production environment. SOX regulations require
enterprises to do this only by enabling privileged
and timely access into the production systems.
Emergency access comes in answer to a situation
where an employee who is not supposed to access
the production environment needs access for a
limited amount of time and for a specific ad hoc
reason (for example, to inspect a bug or train an
end-user for a specific purpose). Rather than
allowing IT users to freely log into the production
5
(creating unnecessary user accounts and the
possibility for security breaches), it is
recommended to implement an emergency
access process.

Emergency Access Process Flow

1. Employee opens a request for immediate,

privileged access and provides a reason for
this request.

2. Supervisor grants defined, privileged access

or additional authorizations to the user
account.

3. Employee logs into the production system

and performs the required task.

4. The account is automatically locked when

the defined time for the privileged access is
over.

5. A detailed report on all activities performed

in the production environment is sent to the
supervisor for approval/inspection.

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 6

CHAPTER 3: INDIVIDUAL AUTHORIZATION REVIEW

In many companies an authorization review is

performed immediately after an employee changes
positions. This is because when an employee switches
positions, the organization must verify that all
authorizations from the previous position are still
relevant for the new position. If not, changes must be
made immediately to the current authorizations in
order to adjust them to the responsibilities of the new
position. Other organizations adopt more strict
approach, removing all authorizations first and only
then allocating the required authorizations, as if they
are dealing with a new employee.

While the latter method makes sense, it may disturb the

employee and/or company’s proper and functional
performance, as many employees receive
authorizations outside their formal position, such as
access to personal network folders and the ability to
execute special queries. An individual authorization
review that is performed automatically after an
employee switches positions is strongly recommended.
Such a process prevents unpleasant surprises that tend Organizations with more than one system
to occur during a periodic authorization review. and 500+ employees should definitely
utilize an automated tool for reviewing
Removing all authorizations can interfere with ongoing authorizations.
business process, even if an employee does not protest.

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 7

CHAPTER 4: AUTHORIZATION REVIEW PROCESS – MANUAL vs AUTOMATED
Choosing between a manual or automated
authorization review process is dependent on the
amount of available resources and the complexity
of the project. The more systems an organization
has, the more complicated the authorization review
process can be, and the more resources are
needed. Therefore, in such a case, an automated
process adds great value to a company, saving time
and unnecessary hassle.
Similarly, if an auditor demands complex
requirements for the review process (such as exact
documentation for each step, the reason behind
each authorization, second approval by senior level
management, etc.) an automated tool becomes a
must. In addition to the great savings in time and
resources, authorization- related information is
more up to date and can be documented easily,
which pleases auditors and management alike.
Furthermore, an automated tool allows for the
process to be repeated easily (based on previous
reviews) without requiring additional resources and
without depending on the organization’s experts.
©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission.
Many small organizations with just one system also
prefer using an automated tool in order to be
prepared at all times for any changes or new
requirements. Changes can include a new auditor, a
new organizational structure, a request to view
records from a previous process, etc. Small
companies also see the value in an automated tool
for improving the quality of the process and for
obtaining accurate cross-organizational information
so they can perform the review in the most
professional way.
From a departmental point of view, an automated
tool enables the process-owner and the auditor to
know the exact status of the review by business
units or business processes at any given moment.
The process owners can be in control and easily see
different views: how many authorizations need to
be reviewed, how many authorizations have already
been reviewed by second level management, and
how many authorizations have not yet been
reviewed. With an automated tool, departments are
able to control the entire process, provide clear
reports to management and reach accurate
decisions.
8
CHAPTER 5: AUTHORIZATION REVIEW TOOL – INSTALLED LOCALLY vs CLOUD
In general, Cloud-based applications usually do not
involve continuous connection between the
organization’s internal systems and the Cloud;
rather they require loading occasional data to the
Cloud. For example, a CRM system in the Cloud, like
Salesforce.com, means, in most cases, that
employees work only in the Cloud and do not use
data from internal systems inside the organization.
Therefore, there is usually no need for continuous
connection between Cloud applications and the
organizational network.
Surprisingly or not, due to the many services
available in the Cloud, more and more
organizations are reviewing their employee’s
authorizations of the internal systems using the
Cloud. The data is obtained from the internal
network (either automatically or manually) and then
transferred to the Cloud. Emails are sent to
managers via a server in the Cloud, and managers
work on web pages that are located in the Cloud
and not inside the organization.
The main advantage of performing an authorization
review process using the Cloud is the fact that no
©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission.
hardware is needed. When servers are not installed
in an organization, there is no installation cost, no
need for ongoing maintenance, nor determining
password policies, nor for technicians if something
goes wrong. In addition, working in the Cloud
facilitates organizations to allocate resources
exactly as needed. The Cloud entails payment only
for the exact amount of time required to complete
the process and saves upholding hardware costs
after the review ends.
What about the data itself? The most common
belief is that data is not totally secure in the Cloud.
However, even if we ignore the robust security
methods of the Cloud, (like SSL access, security
reviews, penetration tests, etc.), most Information-
Security Managers will agree that exposing data
required for the authorization-review process such
as usernames and roles, cannot be compared to the
larger risk of exposing business- related
information. Not that exposing usernames and
authorizations should be taken lightly, but in most
cases the risk is small compared to the potential
benefit.
9
 In the end, in regards to authorization review, the
choice between on premises installation or Cloud is
mainly based on the organization’s policy and its
approach to innovation. The more traditional
organizations, such as banks and insurance
companies, are expected to choose classic
installation. The more innovative companies,
especially companies that already use the Cloud for
other services, may consider conducting an
authorization review process using the Cloud.

Xpandion supports both on-premise and cloud

authorization review.

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 10

CHAPTER 6: AUTOMATED AUTHORIZATION REVIEW TOOL – KEY FEATURES

An effective automated authorization review tool Advanced Reviews:

includes, at the very least, the following features
• Reviewing business objects as authorizations to
and abilities:
warehouse, to company codes, etc.
1. Review options
• Reviewing activities that haven’t been used.
The tool must be able to support the following
• Reviewing authorizations according to position.
review options:
• Reviewing authorizations resulting from an
• Review of all basic activities allocated to an
organizational change.
employee, such as opening supplier accounts,
updating records, etc. 2. Requirements from a process point of view

• Only reviewing sensitive authorizations, per
employee (for immediate and rapid review).
• Only reviewing specific activities such as financial
activities, per employee.
• Reviewing authorization groups (roles) allocated
to employees. If there is a need for a quick
review, some objects can be removed (but this
will result in a less thorough review).
• Support the ability to retrieve authorizations
data and maintain a centralized database for
employees in operational systems.
• Obtain the HR system’s organizational structure
and upload it to the main system.
• Email managers with a link to their employees’
authorization review.

• Only reviewing some employees, a specific user

group, department, etc.

• Reviewing only changes in authorization

allocation since the last successful review.

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 11

• Allow managers to highlight the authorizations
they want to cancel and keep, according to the
following options:
• Approve/reject authorizations per user.
• Approve all authorizations in department
with just one click.
• Reject some authorizations and approve
the rest.
• Approve some authorizations and reject
the rest.
• Continuousness of Review. Permit managers to
review some authorizations, shut down their
computers, and return later to complete the
review of only the authorizations that are still
open.
• Requests to Cancel. Allow those authorizations
marked as canceled to be sent to a special
database where they can be handled by the
person responsible for the relevant system.
©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission.
• Data owners must have the ability to review
authorizations. This means that the key financial
user reviews all financial authorizations, the
asset expert reviews all authorizations related to
asset accounting, etc. Note: Even if this option is
not relevant to your current review
requirements, it is important to ensure that the
tool supports it in order to allow future
modifications based on current reviews and
changes in the auditor’s direction.
• Quickly obtain authorizations data from the
various systems. In many organizations this is
done manually and repeatedly for each and
every system! By the time the data is fetched
from last system, time has elapsed and the
information from the first system is no longer
100% accurate. Therefore the tool must be able
to repeat the process quickly, and to recover in
case of a technical malfunction.
12
• Upload user and authorization data from Excel.
This feature is needed for systems that do not
support direct connectivity or if connecting to
them is complicated. It is very frustrating to
discover in the middle of the process that there
is a legacy system for which the auditor
demands a full review, yet there is no easy
option to upload the data from it to the main
system.
• Current status of the review: It is critical to be
able to understand the status of the review at a
glance: how many authorizations needed review,
how many authorizations have been reviewed
and how many authorizations still need to be
reviewed? The status should be divided into
different views for departments, managers, user
groups, etc. Sage advice: The report should be
understood not only by system technicians but
also by business managers.
©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission.
Thorough documentation of the whole process for
later access. The entire process, each approval,
rejection, change in definitions, and every ticket for
cancelling authorizations must be easily accessible
after the review, even after a long period of time.
Many times, during an audit or investigation, the
question “Who asked to remove this authorization,
and why?” arises, and the answer must be easy to
find.
3. Requirements from a business performance
point of view
• Review employees, not users. Managers tend to
have a limited amount of time for audit-related
tasks and therefore need to be able to review an
employee’s authorizations in all systems with
one view. This is vital for satisfying managers
and for getting a quick response from them. In
other words – it should be possible to review
each employee only once for all of his/her
authorizations.
13
• Resend a reminder or the full request again to
managers that did not perform or complete it.
Many managers tend to take the review
seriously only after receiving a reminder (or a
couple of them…).
• Support “Cancellation Tickets.” Cancellation
requests need to be documented in relevant
tickets – one ticket per each cancellation request.
These tickets can be handled later by the
Helpdesk or relevant authorizations manager. In
many cases, the auditor needs to see the full
flow of the cancellation request – so, supplying
cancellation requests by tickets is a rather good
solution.
• Provisioning. For certain systems in an
organization, such as the main systems,
provisioning is strongly recommended for
changing authorizations automatically and
documenting the actions in the appropriate
ticket. This ensures that no one will make
manual mistakes during the tedious process of
removing authorizations, and also increases the
level of security.
©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission.
• Multi-language user interface support. It is
proven that responsiveness to the authorization
review process is significantly higher when the
user interface is in the manager’s native
language.
• Simple and clear language. The language of the
user interface needs to be understandable by
business managers so they can make educated
and accurate decisions. Role names like
ZLO_NOCHANGE provide little or no information
to non technical people, so managers may
inadvertently sign authorization reviews without
really knowing if the authorizations are required,
which causes a rubber stamp situation. Instead
of unclear names, use role descriptions that
have a meaning, like “Logistic authorizations:
reports only, no change options.”
• Employee details. Employee details like names
and positions must be displayed clearly because
managers usually refer to employees by
personal information and not to user accounts.
14
• Automatically indicates sensitive authorizations
in the full authorization list. This is critical,
because when managers can visually identify
sensitive authorizations, they can focus on them
quickly and make smarter decisions. For
example, “opening an account entry” can be
defined as a risky action that should be
highlighted clearly in the manager’s review page.
• Display last usage for each authorization. If the
system being reviewed includes usage records,
the review needs to provide information
regarding the last time the authorization was
actually used. Managers find it easier to remove
an authorization from an employee when they
see that the last time it was used was over a year
ago, as opposed to one that is being used
frequently.
An effective automated tool enables sending a reminder
email to managers that did not perform the review
according to the defined timeframe.
©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission.
4. Additional Requirements
The tool should also follow important capabilities:
• Delegation option. One manager can transfer
the review to another manager, as in the case
when an employee does not work directly under
this manager. In addition, delegation should be
permitted for certain authorizations if there is a
more than one appropriate manager to approve
them.
• Saving the data to a file. The output can be
saved to external files, such as saving audit
reports to Excel and user forms to Word or PDF.
Managers and many other users require saving
capabilities – usually for backup purposes – and
the tool should enable this action. The output
must be able to be saved in a nice, graphical
style to guarantee user satisfaction.
15
CHAPTER 7: SIX IMPORTANT TIPS FROM CUSTOMERS
The following useful suggestions come straight
from customers and consultants that implemented
an automated authorization review process in their
organizations:
Tip 1: Prepare enough time in advance
The average time for the first implementation is
between two weeks to three months, depending on
the number of systems, the readiness of the
databases and the organizational culture.
Therefore, it is recommended to be prepared ahead
of time, especially if additional resources need to be
included.
Tip 2: Get top management support
It is essential that higher managers like the CEO and
CFO support this process. Involving senior
management and sending them status reports
promises that the review will end on time and
successfully.
Tip 3: Involve the auditor
At the end of the day, the auditor is the real
customer in this process. It is recommended to
©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission.
involve them along the way to get professional
guidance and to increase their level of satisfaction
and confidence in the process. It is also a good idea
for the auditor to appoint a representative to
participate in regular status meetings, while the
auditor him/herself should be present in the
company’s executive meetings.
Tip 4: Prepare proper infrastructure
To avoid issues that might slow down the
implementation process, and to maintain an
atmosphere of success, it is important to prepare
proper infrastructure. The infrastructure may
include the required hardware, additional software
programs (such as Microsoft Office in a certain
situations, graphical elements, etc.), preliminary
installations (database, Windows), and allocation of
authorizations to the different systems.
A delay in any of the above will postpone the
implementation and the auditor might disqualify
the authorization review for that period. Preparing
the proper infrastructure shortens implementation
time, improves the level of satisfaction and enables
the review to begin as scheduled.
16
Tip 5: Hold regular status meetings

During the implementation process, from the

beginning and until the end of the review, it’s a
good idea to hold meetings about the progress. In
the meetings, determine the timetable and
remaining tasks. This way, enough time is left
dedicated to the authorization review and for
implementing any changes in authorizations
accordingly.

Tip 6: Train the reviewers

Hold a central training meeting in the organization

for all managers that are supposed to use the
authorization review tool. The meeting should be
run by the person in charge of the tool (ideally, an
internal employee), with the goal of increasing the
managers’ confidence in the process. Professional
training equals high satisfaction and fast
authorization reviews.

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 17

SUMMARY Time To Take Control of SAP
Authorizations
By following the requirements, advice and guidelines in this
eBook, enterprises will be able to verify that authorizations
Not only are SAP Authorizations complex, but
granted to employees are valid and comply with
also the authorization team has to be in
regulations, and they will also be able to increase control of
control at all times. Events like granting
employee authorizations. Reviewing authorizations at least
sensitive permissions or identifying suspicious
once a year will ensure that employees are holding
use of risky SAP authorizations cannot be
authorizations for justifiable reasons and allow the
ignored and must be taken care of
organization to make the proper decisions regarding its
immediately.
authorization compliance.

LEARN HOW XPANDION’S

PROFILETAILOR DYNAMICS CAN
HELP YOU

About Xpandion

Xpandion is a global leader provider of ERP

usage inspection solutions delivering
unprecedented real-time visibility into
management systems, significantly improving
security, optimizing licensing usage and
enabling GRC/SoD compliance.

©Xpandion. All rights reserved. No republication, reproduction, or reuse without permission. 18