At a glance

A lack of or overly generous assignment of rights in ERP hinders growth due to security and compliance risks. A well thought-out role model with tightly controllable access, on the other hand, protects data, optimizes processes and strengthens control. In addition, a continuous authorization check creates the necessary governance to enable scaling without security gaps.

If you operate an ERP solution, you are responsible for the security of the data and processes. Your company should therefore address the issue of assigning rights in the ERP system sooner rather than later. This is because role-based access rights are at least as important for protecting sensitive data as firewalls or encryption procedures.

Two questions will be of particular concern to you:

  • What roles are there in the company?
  • What rights does each role require?

The answers to these questions and important tips for a practical authorization concept can be found in this article.

Why is the assignment of rights in ERP so important?

An ERP solution brings together all of your company’s relevant data. If all departments have access to the system, this ensures a smooth flow of information. This means that all employees have access to the same database, preventing data silos and significantly speeding up many processes. So far, so good.

But imagine if the entire workforce – from management to interns – had access to all the data in the ERP system at all times. The consequences would be unimaginable:

Your company would not only face serious security problems from unauthorized access to data; it would also be in breach of the General Data Protection Regulation (GDPR).

For these reasons, it is extremely important to define access rights in the ERP software correctly and precisely. The prerequisite for assigning rights is a coherent role concept, which is ideally developed before the system is implemented.

The role-based assignment of rights has many advantages:

  • Protection of sensitive information against unauthorized access, data theft and data manipulation
  • Better compliance through adherence to legal requirements, such as the GDPR
  • Optimized workflows and higher productivity, as employees only see relevant functions and data, which improves software usability
  • Lower error rate and fewer support requests, as incorrect data entry or unintentional changes are avoided
  • More transparency and traceability through clear responsibilities
  • Cost savings through more efficient processes, fewer security incidents and lower license costs

Role-based access rights are at least as important for the protection of sensitive data as firewalls or encryption procedures.

The 3 standard roles in the ERP system

You should already develop an idea of how to best handle the distribution of roles in the system during project preparation. This is because you will be taking a close look at your processes during this phase anyway. Find out which person is suitable for which role – and how far you would like to subdivide the distribution of roles.

Nowadays, most companies are organized hierarchically. Typically, there is management, middle management levels (e.g. department heads) and employees in the respective specialist departments. As the assignment of rights is often based on this hierarchy, the structure mentioned must also be mapped in the ERP system.

Most ERP systems already offer predefined standard roles. For example:

  • Standard user
    For standard users, the so-called minimum principle – also known as the “least privilege principle” – has proven its worth. Users may only access the data and functions that are relevant to their individual area of responsibility. To this end, the system administrators set up a data filter so that blocked areas are grayed out and cannot be clicked on.
  • Key user
    Key users often belong to the middle management level and have more extensive access rights than standard users. Thanks to extended authorizations and responsibilities, they can view and edit all data records in their department. In this way, a dual control principle can also be ensured when entering critical data, for example, if only the manager is allowed to confirm such a data entry.
  • Power User
    Power users are the administrators of the ERP system. They have more duties and have full access rights to all data records and functions of the system – even across departments.

The 4 standard rights for ERP users

You can assign individual rights to the individual roles that you define in the system. Most ERP systems are capable of assigning these rights very granularly – often down to field level.

The four standard rights are:

  • Create
  • See (Read)
  • Change (Update)
  • Delete (Delete)

They are also called CRUD rights according to their initial letters. At the lowest level (Read), users are very restricted. Most functions and data records in the system remain closed to them. At the higher levels, new rights and system functions are added – depending on the role of the employees in the company.

An example from purchasing illustrates the role-based access rights:

  • Standard users can view and edit orders, but cannot create new suppliers.
  • Key users can also create suppliers and change purchasing conditions.
  • As system administrators, power users have access to the entire rights management and system configuration.
Role           | Create        | See (Read) | Change (Update) | Delete (Delete)
Standard User  | ✅ (limited)
Key User       | ✅ (partial)
Power User     |
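The purchasing example above, as an added illustration that is not code from the original article: a deny-by-default role model in which key users inherit the standard-user rights and power users bypass the department scope. The role and object names and the inheritance rule are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed example: role -> {object type -> allowed CRUD actions}.
# "*" stands for every object type. Nothing is allowed unless listed here.
CRUD = frozenset({"create", "read", "update", "delete"})

ROLE_PERMISSIONS = {
    "standard_user": {
        "order": {"read", "update"},        # view and edit orders ...
        "supplier": {"read"},               # ... but not create new suppliers
    },
    "key_user": {
        "supplier": {"create", "read", "update"},
        "purchasing_conditions": {"read", "update"},
    },
    "power_user": {"*": set(CRUD)},         # full access across departments
}
# Assumed inheritance: a key user keeps everything a standard user may do.
ROLE_INHERITS = {"key_user": "standard_user"}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str


def effective_permissions(role):
    """Merge a role's own grants with those of the roles it inherits from."""
    merged = {}
    while role:
        for obj, actions in ROLE_PERMISSIONS.get(role, {}).items():
            merged.setdefault(obj, set()).update(actions)
        role = ROLE_INHERITS.get(role)
    return merged


def is_allowed(user, action, obj, department):
    """Deny by default: allow only if a grant explicitly covers the action and
    the record belongs to the user's own department (power users excepted)."""
    if action not in CRUD:
        raise ValueError(f"unknown action {action!r}")
    if user.role != "power_user" and user.department != department:
        return False
    perms = effective_permissions(user.role)
    return action in perms.get(obj, set()) or action in perms.get("*", set())
```

The last check is what "grayed out" menu entries must rest on: the server-side decision, not the user interface.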

Differentiated assignment of rights within departments

However, the three standard roles only meet the requirements of day-to-day business in very few organizations. It is advisable to further refine the assignment of rights within departments. Trainees, for example, should be given fewer rights than experienced colleagues who have been with the company for several years. The same applies to interns, temporary staff and agency workers. A modern ERP system can therefore be used to further divide up roles as required.

Dynamic teams and external project staff must also be taken into account here. In larger companies in particular, it is common for staff to change frequently and for employees to only be deployed temporarily. Access rights must be assigned to new people quickly and withdrawn immediately after they leave.

10 tips for a practical authorization concept

Assigning rights in an ERP system presents numerous challenges that require careful planning and regular adjustments. The following tips will pave the way to a coherent authorization concept:

1. Consider the department-specific requirements

Each department has its own access needs. While accounting needs sensitive financial data, sales teams tend to access customer information. In order to meet individual requirements, uniform but flexible role and rights management is essential.

Department       | Data types (example)      | Access rights
Accounting       | Invoices, balance sheets  | Full access to financial data
Distribution     | Customer data, offers     | Access to CRM data
Purchasing       | Supplier data, orders     | Restricted access to DMS
Human resources  | Employee data             | Access to HR module, no CRM data

2. Check authorizations regularly

New employees, new projects or changing project requirements make it necessary to regularly check and adjust authorizations. In order to map entries and exits correctly, continuous synchronization between the HR system and the ERP system is recommended.

3. Set up temporary rights for projects or external personnel

Employees working on temporary projects and external specialists usually only need short-term access to certain areas. In this case, it is important to revoke rights immediately after the end of the project to prevent misuse.

4. Rely on automated rights assignment

Assigning rights manually carries the risk that authorizations are inadvertently granted too generously or too strictly. Automated workflows and predefined roles help to minimize this risk.

5. Consider possible emergencies and escalations

In critical situations, a user may need immediate access to certain data. You should therefore define processes for the rapid allocation of emergency rights at an early stage.

6. Integrate other systems

The rights in the ERP system should be coordinated with other systems such as a CRM or DMS in order to avoid duplication and gaps. Standardized role models facilitate administration and improve IT security.

7. Think about vacation times and cases of illness

If a colleague is temporarily out of the office, there is a risk that processes will be delayed due to a lack of authorization. Therefore, remember to set up deputy functions. For example, if the sales manager is absent, the department can continue to complete orders.

8. Reduce the security risk of remote access

The management of access rights in hybrid working environments is a sensitive issue. Therefore, make sure that data access is only possible using VPN access or zero trust security models.

9. Document the assignment of rights as clearly as possible

Internal and external audits will put the authorization concept to the test. If you record the assignment of rights in writing, you can prove at any time which person has been granted which rights and for what reasons.

10. Do not give one person too much control

If people have too many tasks and authorizations, the risk of fraud increases. It is therefore essential that you ensure a sensible segregation of duties when assigning rights and monitor this on an ongoing basis.
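Tips 2, 3, 9 and 10 describe one recurring control: an authorization review that compares the grants in the ERP system with the HR roster, expires time-limited rights and flags segregation-of-duties conflicts. The following is an added example, not code from the original article; the grants, the HR roster and the conflicting permission pairs are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str                    # e.g. "supplier:create"
    valid_until: Optional[date] = None  # None = permanent, else temporary (tip 3)
    reason: str = ""                   # documented justification (tip 9)


# Constructed: permission pairs one person must never hold together (tip 10).
SOD_CONFLICTS = {
    frozenset({"supplier:create", "invoice:approve"}),
    frozenset({"order:create", "order:approve"}),
}

# Constructed: active employees as reported by the HR system (tip 2).
HR_ACTIVE = {"alice", "bob", "dana"}

# Constructed: the grants currently configured in the ERP system.
GRANTS = [
    Grant("alice", "supplier:create", reason="key user purchasing"),
    Grant("alice", "invoice:approve", reason="covering for absent colleague"),
    Grant("bob", "order:update", date(2024, 6, 30), "project X"),
    Grant("carol", "order:read", reason="standard user"),   # carol has left
    Grant("dana", "order:create", reason="standard user"),
]


def review(grants, hr_active, today):
    """Return (finding type, user, detail) tuples for grants that should be
    revoked (orphaned or expired) and for users holding conflicting rights."""
    findings = []
    held = {}                      # user -> permissions that are still valid
    for g in grants:
        if g.user not in hr_active:
            findings.append(("orphaned", g.user, g.permission))
        elif g.valid_until is not None and g.valid_until < today:
            findings.append(("expired", g.user, g.permission))
        else:
            held.setdefault(g.user, set()).add(g.permission)
    for user, perms in held.items():
        for pair in SOD_CONFLICTS:
            if pair <= perms:
                findings.append(("sod_conflict", user, "+".join(sorted(pair))))
    return sorted(findings)
```

Running `review(GRANTS, HR_ACTIVE, date(2024, 9, 1))` reports Bob's expired project right, Carol's orphaned grant and Alice's supplier-creation/invoice-approval conflict; the deputy arrangement from tip 7 is exactly the kind of grant that should carry a `valid_until` so it shows up here once the colleague is back.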

Conclusion: As much as necessary, as little as possible

In a company, all departments have access to the ERP system in order to create the necessary transparency. However, project managers must ensure that only the relevant employees have access to sensitive data. For this reason, thorough planning of the system based on the existing company divisions and the necessary authorizations is required.

An ERP solution offers the option of defining role-based access rights in the software in detail. Corresponding rights settings define which users are allowed to view, edit or release certain data.

How exactly you organize your individual role-based access rights system is, of course, entirely up to you. Unfortunately, there is no one-size-fits-all solution. A detailed analysis of your processes will provide information about all workflows and dependencies in your organization.

Whitepaper on ERP implementation

You can find out which other aspects you need to consider as part of your ERP project in this Whitepaper.