Users of any ERP system must have access to the right data at the right time. This ERP user access must be policed, in other words, they can’t have access to everything, all the time. This is especially true when you consider that 37% of your employees, on average, use your ERP system. This includes anyone from a worker on the shop floor to your CEO, but each employee requires different levels of access to data. Here are some useful pieces of advice to improve your ERP user access strategy.
Outside of payroll and human relations, very few will ever need to see employee tax identification and payroll rates. If your business differentiator is Grandma’s secret recipe, that should be identified and your ERP user access strategy should be updated accordingly. Do not get carried away with making a long list of data in these limited access categories. The important step in this process is not lengthening the list of restricted data, the crucial step is identifying which employee roles require access to this data.
Set up internal groups by categories or roles and provide access to input screens and datasets based on those roles. A common misconception is that role-based user access is best practice because of security issues. As much as this is a factor in role-based access, the main advantage of this strategy is the process efficiency improvements associated with role-specific data access due to reduced “noise” within the ERP system.
External users such as supplier or customer portals will always be limited within an ERP user access strategy. In the role-based model, external users will have very niche roles in the ERP system - their access will reflect that. If someone needs to see your inventory position for parts in a certain class, let them see only that part class.
This might be the most important tip for your ERP user-access strategy. You expect an accounts payable clerk to look at certain data. What else have they poked into? If it is innocent exploring, OK. If it raises a suspicion, set some alerts to warn you when suspicious behavior occurs. Track what data people are copying to spreadsheets. It is probably part of their jobs, but when it is being transferred out of your ERP system, your ERP security controls become worthless. Keep a close eye on any data copied to a thumb drive or shared on the internet. Have data policies in writing and expect all employees and users to follow that policy.
Part of the ERP audit is checking if people are in the correct role groups. One common problem is when someone changes positions; they get the new roles added to their security access and keep their old role too. Another common issue is providing access to every role for high-level people. Your sales VP, for example, should not have access to write a purchase order just because they are a VP.
Audits should be a part of internal controls and are required by Sarbanes Oxley for many businesses.
Author: Tom Miller
Tom Miller is a columnist for ERP Focus, and has completed implementations of Epicor, SAP, QAD, and Micro MRP. He works as a logistics and supply chain manager and he always looks for processes to improve.