One critical area that organizations often overlook in their application controls is users who can both configure the application (and its transactions) and perform those transactions. Think of users who can configure payments to suppliers and then pay suppliers, or users who can receive orders and also set credit terms or pricing for customers.
For many organizations, a reduced headcount means that users have to 'wear many hats', but that doesn't mean these risks should simply be accepted. Regardless of the size of the team working with Yardi and the number of users who perform transactions in it, the risk of fraud or error that arises from this conflicting access should be managed effectively.
Control owners need to be put in place around key configurations for the transactions, not just the configuration of the application itself. Quite often managers or subject matter experts are responsible for the configuration of a transaction and also have the ability to run it. This presents a further challenge because of the knowledge these individuals have of the application and of the way transactions are processed.
The problem in deciding to have greater controls is what should be monitored and what controls should be put in place. Yardi applications have an access model in which Permissions are assigned to Security Groups both directly and via Menus. These Menus are often complex strings that make extracting and analysing the functionality they grant difficult. The Menu permissions still need to be analysed, though: in our analysis of Yardi environments for risk we find areas such as Managing the Chart of Accounts where the process can be completed not only through the Account permission but also through a number of Menu permissions which, combined, create a greater risk of sensitive access being granted that should otherwise be secured.
Yardi Voyager has a very comprehensive Security model with over 4,000 Permissions that can be granted to your users' Groups. Many of these Permissions are granted solely through a Menu. These Permissions relate to Reports that can be run from a Menu, and some of them update Data. As part of our review, we also have to take into account whether the Group/Role with the Permission has more than just 'Read-Only' access: with Read-Only access a User technically can't process the transaction, and flagging it would be a false positive.
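The analysis described above (effective access = direct Group permissions plus permissions carried by Menu strings, matched against Segregation of Duties rules, with Read-Only grants excluded so they do not raise false positives) is shown below as an added example. It is not Yardi's code or Seecuring's tooling: the permission names, the `path:permission:level` menu string format, the groups and the users are all constructed for illustration, and real Yardi menu strings and permission identifiers differ.

```python
from __future__ import annotations

# Constructed sample data (assumption: not real Yardi permission names or menu syntax).
# Direct permissions per Security Group: permission -> access level.
GROUP_PERMISSIONS = {
    "AP_CLERK": {"vendor.maintain": "update", "payment.process": "update"},
    "AR_ANALYST": {"customer.credit_terms": "update", "receivable.post": "update"},
    "GL_ACCOUNTANT": {"journal.post": "update"},
    "AUDITOR": {"vendor.maintain": "read", "payment.process": "read"},
}

# Menu strings per group. Constructed format: "Menu/Submenu/Item:permission:level"
# entries separated by ";". The menu is the only place GL_ACCOUNTANT gets
# chart-of-accounts maintenance, which a direct-permission-only review would miss.
GROUP_MENUS = {
    "AR_ANALYST": ["Residents/Charges:charge.post:update;"
                   "Residents/Setup/Pricing:pricing.maintain:update"],
    "GL_ACCOUNTANT": ["Accounting/Setup/Accounts:gl.account.maintain:update"],
    "AUDITOR": ["Accounting/Setup/Accounts:gl.account.maintain:read"],
}

# SoD rules: a user with update access to every permission in the set conflicts.
SOD_RULES = [
    ("Configure vendor & pay vendor", {"vendor.maintain", "payment.process"}),
    ("Set credit terms & post receivables", {"customer.credit_terms", "receivable.post"}),
    ("Maintain chart of accounts & post journals", {"gl.account.maintain", "journal.post"}),
]

USER_GROUPS = {
    "alice": ["AP_CLERK"],
    "bob": ["AR_ANALYST", "AUDITOR"],
    "carol": ["AUDITOR"],
    "dave": ["GL_ACCOUNTANT"],
}

LEVELS = {"read": 0, "update": 1}


def parse_menu_string(menu: str) -> dict[str, str]:
    """Split a constructed menu string into permission -> level (menu path discarded)."""
    perms: dict[str, str] = {}
    for entry in menu.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        _path, perm, level = entry.rsplit(":", 2)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r} in {entry!r}")
        perms[perm] = level
    return perms


def effective_permissions(user: str) -> dict[str, str]:
    """Union of direct and menu-derived permissions across all of a user's groups,
    keeping the highest access level seen for each permission."""
    effective: dict[str, str] = {}
    for group in USER_GROUPS[user]:
        sources = [GROUP_PERMISSIONS.get(group, {})]
        sources += [parse_menu_string(m) for m in GROUP_MENUS.get(group, [])]
        for perms in sources:
            for perm, level in perms.items():
                current = effective.get(perm)
                if current is None or LEVELS[level] > LEVELS[current]:
                    effective[perm] = level
    return effective


def sod_conflicts(user: str) -> list[str]:
    """Names of SoD rules the user violates. Only 'update' access counts, so a
    Read-Only group such as AUDITOR does not produce a false positive."""
    updatable = {p for p, lvl in effective_permissions(user).items() if lvl == "update"}
    return [name for name, required in SOD_RULES if required <= updatable]


if __name__ == "__main__":
    for u in USER_GROUPS:
        print(u, sod_conflicts(u))
```

Running it flags alice (configures and pays vendors), bob (sets credit terms and posts receivables) and dave (whose chart-of-accounts access comes only through a Menu), while carol, whose AUDITOR group has Read-Only access to the vendor and payment functions, is correctly not reported.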
Solutions such as Workflow approval help tremendously to segregate these configurations from the transactions, but a complete understanding of the application is required to know what should be secured.
Seecuring provides evaluation of your security and controls within your Enterprise Applications, including updates and patches. In addition, our services help resolve security issues through better security design and by ensuring the right controls are in place.
Our solutions include management of:
Segregation of Duties.
Sensitive Access.
User Access Reviews.
Patch Impact Analysis & Configuration Changes.
For a comprehensive review of your Yardi suite of applications for security risks and control issues, get in touch with us below. We have a comprehensive suite of software and services to assist you in ensuring your applications meet your security and compliance requirements.