Yardi Voyager requires a deep understanding of its Menus to complete access reviews. Here's why:

"Menus create a unique challenge in Yardi Voyager. By granting access to the items on them a lot of access is opened up."

In any access review, including access to Sensitive Data, or Segregation of Duties, understanding Users, their Roles and their Permissions remains a key and challenging component of the process.

Yardi's Voyager application provides end-to-end management of the Real Estate process, for commercial and residential applications. With over 4,000 Permissions to utilize, the flexibility of the application equals many of its larger counterparts in the Enterprise software space.

With this level of flexibility, though, come higher standards for securing your Users and Data. Over 4,000 Permissions create a significant evaluation challenge, starting with:

- What does each Permission do?

- Which Roles (and associated Users) have these Permissions?

- What authorities do these Permissions have?

The last point is very consequential. If a User has access to the Bank Accounts for Suppliers, but is 'read only' and cannot create or edit these accounts, is this still a risk? Build that out for Segregation of Duties and the question becomes bigger: if a User has access to Bank Accounts and Payments, could that User create a fictitious Supplier and pay them?

The answer is that the risk is reduced, if not mitigated. The problem is that if your organization is not reviewing these authorities as part of the review, you could end up with false positives or negatives.

Menus in the mix.

The additional component in Yardi Voyager is the Menus, and a parallel set of Menu actions that Users can execute. The problem with these Menu items is that, when granted, the User has full access to their functionality, and they are difficult to understand. For example, what does this Menu permission do:

iftsfixedasset.txt

We can see it has something to do with Fixed Assets, and we also know that documentation on what this option does is limited. Through our process we established that this text file helps with the Asset Depreciation process.

Let's look at this one:

rs_PHA_HC_Cancel_Intake_WF.txt

This text file controls access to the Cancel Intake Workflow Past Due screen, and thankfully we have a short description to help understand what this file does. This permission should be noted as it has an impact on Workflow.

We look at Workflow configuration as a risk, because Users who can configure or change Workflows should not be running transactions that use them. The risk is that they could alter the flow of the transaction to benefit themselves, run it, and then switch the workflow back again, covering up any fraud or error.

Make it make sense!

For any access review the combination of these menu items and the Permissions assigned to the groups is essential in understanding what your Users have access to. A process to evaluate existing Permissions (and new ones that are released in patches, updates or even customizations) is key to retaining Governance over your Yardi applications. Here at Seecuring, we have gone through this process, and built rulesets that cover Sensitive Access, Segregation of Duties and a process to help you report and remediate any issues you have in your security design.
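The authority-aware check described above, as an added example (not Seecuring's ruleset or Yardi's own code). Every permission, menu, role and user name below is constructed for illustration; menu grants are treated as full access, as the article describes, and a conflict is raised only when a User can write on both sides of a rule.

```python
from enum import IntEnum

class Authority(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2

# Constructed catalogue: permission or menu item -> business function it opens up.
CATALOGUE = {
    "perm_supplier_bank_accounts": "supplier_bank",
    "perm_payments": "payments",
    "menu_workflow_setup.txt": "workflow_config",
    "perm_intake_transactions": "workflow_transactions",
}
# Function pairs one User should not be able to write on both sides of.
SOD_RULES = [("supplier_bank", "payments"),
             ("workflow_config", "workflow_transactions")]
# Constructed grants: (role, item, authority). Menu grants are recorded as None
# and treated as full access, since a granted Menu item opens all of its functionality.
ROLE_GRANTS = [
    ("AP_Clerk", "perm_supplier_bank_accounts", Authority.READ_ONLY),
    ("AP_Clerk", "perm_payments", Authority.READ_WRITE),
    ("AP_Manager", "perm_supplier_bank_accounts", Authority.READ_WRITE),
    ("AP_Manager", "perm_payments", Authority.READ_WRITE),
    ("Intake_Admin", "menu_workflow_setup.txt", None),
    ("Intake_Admin", "perm_intake_transactions", Authority.READ_WRITE),
]
USER_ROLES = {"alice": ["AP_Clerk"], "bob": ["AP_Manager"],
              "carol": ["Intake_Admin"], "dave": ["AP_Clerk", "Intake_Admin"]}

def effective_access(user):
    """Highest authority per business function across all of the user's roles."""
    roles = set(USER_ROLES.get(user, []))
    access = {}
    for role, item, authority in ROLE_GRANTS:
        if role not in roles:
            continue
        level = Authority.READ_WRITE if authority is None else authority
        function = CATALOGUE[item]
        access[function] = max(access.get(function, Authority.NONE), level)
    return access

def sod_conflicts(user, ignore_authority=False):
    """Rules the user violates; ignore_authority=True mimics a name-only review."""
    access = effective_access(user)
    needed = Authority.READ_ONLY if ignore_authority else Authority.READ_WRITE
    return [pair for pair in SOD_RULES
            if all(access.get(f, Authority.NONE) >= needed for f in pair)]
```

Comparing `sod_conflicts(user)` with `sod_conflicts(user, ignore_authority=True)` shows which findings exist only because authorities were not tested: the read-only clerk `alice` is flagged by the name-only review but not by the authority-aware one.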


Better security in your Yardi applications

Seecuring provides a full evaluation of Yardi Voyager, along with Rent Cafe, Client Central and more. The process provides evaluation of the Permissions in Yardi to help determine their risk and, in turn, who has access to them. The solution is able to avoid false positives by also testing the authorities Users have (Read Only, Read/Write, etc.). Here are some of the solutions we provide for Yardi to assist with your Security, Audit and Compliance programs:

- Segregation of Duties.

- Sensitive Access.

- User Access Reviews.

- Patch Impact Analysis & Configuration Changes.
