All of today’s major ERP solutions come with pre-defined roles and privileges out of the box, ready to put into use in your organization. These roles are provided to help your administrator save time and effort which, on the surface, seems practical. However, for role-based security, saving time often comes at a high price.
3 Reasons Why You Should Define Custom Roles in Your ERP
That high price comes from factors such as the increased internal control and compliance costs needed to mitigate the lack of inherent security in pre-defined roles. While it takes more time, planning, and effort to define and set up custom roles, implementing custom role-based security is well worth the investment. Beyond the fact that pre-defined roles typically contain copious segregation of duties violations, here are 3 reasons to choose the “custom” route:
1. Nobody understands your business better than you.
The key to role-based security is aligning roles and privileges with the structure and processes of your business. They must fit together precisely; otherwise, you risk “holes” that can cause problems down the road. No matter how many roles and privileges they offer, ERP software providers do not know the specifics of how you run your business. They can make a logical, even informed guess at how a role operates and what access it requires, but it is still only a guess. Even the most “common” roles within an organization differ in some way from business to business.
But what if your ERP implementation is being handled by consultants who have in-depth knowledge of the product? This does not mean they are qualified to secure the product. Audit and ERP security is a very specialized skill set that requires a deep understanding that most traditional software consultants simply do not possess. The only way to have total control over security is to build and assign roles with associated privileges tailored specifically to how your business operates.
2. Your custom roles will be supported by the manufacturer.
You might be hesitant to customize roles within your ERP because you’ve been told (or assume) they won’t be covered under your support plan with the manufacturer. This is not true. Even though you are creating custom roles and privileges, you are essentially just deconstructing and restructuring the pre-defined roles provided in the software, just as you would configure the chart of accounts, for example. The flexibility offered by most ERPs extends to roles, and you should take advantage of it there just as you do in other areas that you tailor to how your business operates.
3. Custom roles do not interfere with upgrades.
What about when it comes time to upgrade? Won’t your custom roles cause problems? If your custom roles keep you from being able to take advantage of regularly scheduled upgrades offered by the manufacturer, that would be a problem…but that is not the case. You are given the option to opt in on new functionality as it is offered, which gives you control over what is introduced into your environment. With tools like Fastpath Assure, you can take advantage of reporting that helps you assess and identify if and how to integrate new functionality into your solution. This reporting will help to ensure that roles and privileges are appropriately accounted for during your testing and training of new functionality, prior to production deployment.
In the end, it comes down to a choice: saving time and effort while adding risk, or investing time and effort up front for better control and peace of mind. If you’re not sure, talk to us. At Fastpath, we’re experts in helping companies manage their security, audit, and compliance needs, including reviewing access, segregation of duties, user provisioning, and emergency access. We can help you make the right choice for your company!
If you're an Oracle Cloud customer, watch the on-demand customer session by Hearst, "Lessons Learned In Overcoming Challenges In Oracle ERP Cloud Security Design And Monitoring," held during our GRC Days, which shares how to create conflict-free custom roles.
Check out GRCDays.com for even more educational on-demand sessions!