10 Common Mistakes You May Be Making When You Set User Rights and Securities
Published On: May 2009
Whether you are implementing a new enterprise resource planning (ERP) solution in your company or you already have one—but did not pay very much attention to user rights and securities—there are some factors that you need to take into consideration.
ERP is a sophisticated system where simple mistakes can cause big problems. It is also an important investment for your company—and you’ll want to make sure users take full advantage of its features.
The way user rights and securities are set can make an ERP system efficient—or turn it into a tool for inefficiency. I'll discuss the 10 most common mistakes administrators make during this process.
1. Disable or change any of the settings for the administrator account used by your vendor’s support team. The support team should be able to reset the account or create a new one, but by the time this happens, it might be too late to fix an urgent problem. Also, some vendors might even charge you for the work they have to do in order to recreate the account that you removed or changed.
2. Use “admin” or “administrator” as a username or password. Using easy-to-guess words such as “system,” “1234,” or even the word “password” is not a good idea either. Do not use passwords that follow a pattern that is obvious to everyone in the company (for instance, first name followed by phone extension, or birthdays, phone numbers, etc.).
3. Create just a few usernames and let people share them (e.g., all sales representatives use the username “sales”). This will make it very hard for you to track who did what in the system. Even if there are just a couple of users in your company, they should all have different usernames and passwords. If they decide to share these, it is their responsibility and they should be aware of that.
4. Give regular users access to the securities section. This will allow them to change user settings not only for themselves but for others as well. By mistake or deliberately, users might give access rights to sections they’re not supposed to use, or remove access to modules they cannot work without. Only administrators should be able to set and change access rights.
5. Make only one person responsible for user rights and securities. At least two people in your company should have access and know how to change user rights. They should have a good knowledge of the company and the way different departments interact, but also some basic IT knowledge.
6. Ask your ERP vendor to do the setup for you. Do not assume that your vendor’s support team knows who does what in your company and that they will be able to do the job for you. They should show you how to do it and help you when you’re having problems, but they should not change anything unless they are given detailed instructions on what needs to be done.
7. Let users decide what kind of access they need. Especially when you have just started using a new system, users do not know very well how it works, so the best person to decide who is doing what would be the system administrator. Ideally, the administrator should work with the head of each department in the company, who better understands the needs of each user.
8. Create user groups for each user—unless you have no choice. This depends on the way your software manages user rights and securities. If you only have the option to set permissions by user group, then sometimes you will have to create a group for a user with special needs. If the system lets you set rights per user, then there is no need to create a group for just one user—except when you only have one user in a department (for instance, accounting).
9. Assign access rights to the users or user groups without knowing exactly how they work. For instance, does the right to modify an invoice allow the user to remove a line from the invoice? Not always. Some systems allow you to set user rights at the invoice level and at the line level, but others don’t. In both cases, it is very important to understand what the user will be able to do and how this will affect other users.
10. Let the users call your vendor’s support team about securities and user rights problems. Regular users should not call support when they have problems with rights and securities. This is an internal problem, and they should first see you or whoever is responsible for securities in your company. Only if it’s a technical problem should you contact your vendor’s support team.
Even though all these recommendations might seem obvious to you, you would be amazed to find out how many people simply ignore them. Ideally, you should set up user rights and securities before people start using the system.
Unfortunately, this part of the implementation process is often skipped—mostly because the deployment took longer than expected, and either the vendor or the management of the company pushes users to go live before they are ready.
Prevention Is Better than a Cure
No matter how eager you are to start using your new system—and even if you have just a couple of users that you completely trust—you should not take user rights and securities lightly. Think about all the work you’ll have to do to fix a mistake that affects thousands of invoices, and you'll understand why setting the user rights and securities now will spare you a lot of trouble later.