ERP Security: RBAC, Segregation of Duties, and Audit Logs

In real projects...

RBAC fails when access is treated as configuration, not as a controlled workflow. When approvals, evidence, and periodic access reviews are missing, audits discover the gap after the system is already in production.

A common issue we see...

Teams create roles, but they don’t enforce segregation-of-duties constraints in a repeatable way. When a user role changes, approvals and audit evidence are not captured consistently.

For example...

1. Define incompatible duties (request/approve/post/report) for the processes you audit.
2. Set a request workflow that records business purpose, effective dates, and approvals.
3. Validate role assignments against policy constraints before provisioning.
4. Provision permissions with change logs and archive evidence for review.
5. Run a quarterly access review and remove permissions that no longer have justification.

Note: These scenarios are representative and educational. Validate access governance with qualified security/compliance advisors for regulated environments.

Methodology: This is an educational guide using representative scenarios from public documentation and common implementation/audit patterns. It is not based on any one client’s confidential details.

ERP security failures are usually access management failures—too many users with too much access, configured without a documented rationale. This walkthrough builds a governance model that holds up under audit.

1. Map each business process to the transactions, data objects, and approval rights it requires—this becomes the foundation for role definitions.
2. Design roles around business processes rather than individuals: a 'Purchase Order Approver' role is transferable; 'John's access' is not.
3. Analyse segregation of duties conflicts using the ERP's built-in SoD ruleset and resolve conflicts before roles are assigned to users.
4. Implement role assignments with formal approval from the business process owner and the user's line manager.
5. Run a quarterly access review with business process owners to confirm that all active user assignments remain appropriate.
6. Configure audit logging for sensitive transactions—vendor creation, payment approval, journal posting—so all access is traceable.

Artifacts to expect:

• Role design document with transaction rights, data scope, and business process mapping.
• SoD conflict analysis report with resolution decisions.
• User access assignment log with approvals.
• Quarterly access review completion record.
• Audit log configuration and sampling plan.

What usually goes wrong (failure modes)

• Roles were copied from a previous system without review and contain excessive access
  Role definitions imported from a legacy system accumulated permissions over time and were never reviewed for appropriateness.
  Mitigation: Conduct a role design workshop before any access is configured in the new ERP. Design roles from business processes, not from legacy system exports.
• Segregation of duties conflicts are discovered during audit rather than at design time
  The SoD analysis was not run before roles were assigned, and the audit finds that key financial controls are undermined by conflicting access.
  Mitigation: Run the ERP's SoD analysis tool before roles go live. Treat unresolved critical conflicts as a blocker to go-live, not a post-launch remediation item.
• Sensitive access is granted as a temporary measure and never revoked
  Emergency or temporary access grants are not tracked and expire without being removed, leaving users with access they no longer need.
  Mitigation: Log all temporary access grants with an expiry date and assign an owner responsible for revocation. Include temporary access in the quarterly access review.

Controls and evidence checklist

• Design roles from documented business processes before configuring the ERP.
• Run SoD analysis before assigning roles to users.
• Require dual approval—line manager and business process owner—for all access grants.
• Conduct quarterly access reviews with business process owners.
• Configure audit logging for all sensitive transaction types.
• Track all temporary access grants with expiry dates and owner responsibility for revocation.

Implementation checklist

1. Complete a business process to transaction mapping before any ERP security configuration.
2. Design and document all roles, then run the SoD analysis before assigning access to users.
3. Build the access request and approval workflow in the ERP.
4. Train HR, IT, and business process owners on the access governance process.
5. Run the first quarterly access review within ninety days of go-live.
6. Configure scheduled SoD reports to run automatically before each quarterly access review.

Frequently asked questions

Where do teams usually lose time in ERP RBAC implementation?

Most time is lost when role definitions were copied from a previous system or created ad hoc during implementation, leaving conflicts and excessive access that are only discovered during an audit. A structured role design workshop—before configuration begins—that maps each role to specific business processes and data ownership significantly reduces remediation effort later. Two weeks of role design at the start prevents months of access remediation after go-live.

What segregation of duties checks should we prioritise?

Prioritise SoD checks across the most sensitive transaction types: vendor creation, payment approval, journal posting, and period-end close. Most ERP platforms have built-in SoD analysis tools—run these reports before go-live and after every significant role change, not only at audit time. A user who can both create a vendor and approve a payment to that vendor is a critical control failure that auditors will flag immediately.

When should we update role definitions after go-live?

Adjust role definitions when the same user consistently requests temporary elevated access for routine tasks—this is a signal that the underlying role is too narrow for the work they actually perform. Also review roles when business processes change significantly, when the organisation structure changes, or when an audit finding identifies a gap. Temporary access grants should be rare exceptions, not a regular workaround for role design gaps.

Sources

• COSO Internal Control - Integrated Framework (2013 refresh)
• ISACA: Implementing Segregation of Duties (SoD) — practical experience
• NIST SP 800-53 Rev. 5 (Security and Privacy Controls)

Conclusion and next steps

ERP security is an ongoing governance process, not a one-time configuration. Role design, SoD analysis, and quarterly access reviews are the three activities that keep access appropriate over time.

Start with the five to ten most sensitive transaction types in your ERP and confirm that no single user can initiate and approve the same transaction without a second reviewer. Getting this right for the highest-risk transactions is more valuable than a comprehensive but poorly maintained access structure.