“But I need that access to do my job!”: How to Handle Pushback When Restricting Access Rights

If you work in IT security, compliance, or internal audit, you have undoubtedly heard this phrase. You analyze an ERP environment, discover a user with a toxic combination of permissions, and move to revoke that access to comply with Segregation of Duties (SoD) rules.

And then, the pushback begins.

“You’re slowing me down.”
“I’ve always had this access.”
“How am I supposed to close out the month if I can’t do X and Y?”

Revoking access rights is rarely a technical challenge; it is almost entirely a human challenge. Navigating the friction between operational efficiency and corporate compliance requires tact, strategy, and empathy. Here is how to handle the inevitable pushback when locking down your ERP environment.

1. Empathy First: Understand the “Why”

When an operations manager pushes back against access restrictions, they usually aren’t trying to leave the door open for fraud. They are trying to be efficient.

In many organizations—especially those that have grown rapidly or use legacy systems—employees have historically been granted broad access (“Super User” or “God Mode” rights) simply to bypass clunky workflows. Over time, that over-provisioning becomes the status quo.

Acknowledge their frustration. Start the conversation by validating their goal: “I know you are trying to process these invoices as efficiently as possible, and I want to help you do that securely.”

2. Educate on the “Risk,” Not Just the “Rule”

“Because the auditors said so” is a weak defense that pits your team against the business. Instead, explain the actual business risk.

Most users do not understand the mechanics of internal fraud. Explain what a toxic combination is. For example: “If the same person who can create a new vendor in the system can also authorize a payment to that vendor, the company is vulnerable to a ghost vendor scam. We aren’t questioning your integrity; we are removing the mechanical capability for that fraud to happen here.”

When you shift the conversation from arbitrary IT rules to protecting the company’s bottom line, business leaders are much more likely to support the change.

3. Shift from “Role Redesign” to “Process Redesign”

Sometimes, a user genuinely does need conflicting access to do their job because the underlying business process is broken.

If a department is understaffed, or if workflows are poorly designed, one person might be forced to handle both the creation of purchase orders and the receipt of goods. In this case, simply revoking access will indeed break operations.

Use this as an opportunity to fix the root cause. Work with department heads to reallocate tasks among the team. Segregation of Duties isn’t just an IT access problem; it’s an organizational design opportunity.

4. Implement Firefighter (Emergency) Access

Operations teams often cite emergencies as the reason they need excessive access. “What if the AP manager is on vacation and a critical vendor needs to be paid on a Friday afternoon?”

The solution to this is not permanent, unchecked access. The solution is Emergency Access Management, often called “Firefighter” access.

Provide a mechanism where users can temporarily check out elevated privileges to resolve an emergency. Once the emergency is over, the access is automatically revoked, and a detailed log of every action taken during that time is sent to a manager or auditor for review. The business gets its safety net, and compliance gets its audit trail.

5. Rely on Objective Data and Automation

Pushback becomes highly emotional when it feels like a subjective decision made by an IT admin. You can remove the emotion by relying on objective, automated tools.

When you use a dedicated SoD and compliance automation platform, the system flags the conflict based on a globally recognized matrix of best practices. It changes the dynamic from “IT says you can’t have this” to “Our automated compliance matrix flagged this combination as a critical financial risk.”

Data depersonalizes the restriction. By generating clear reports that show exactly where the conflicts lie and what risks they pose, you provide management with the undeniable facts they need to authorize access cleanup.
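As an added illustration of the matrix-driven check described here (and of the toxic combinations from sections 2 and 3), the following script is example code, not part of the article or any particular compliance product. It flattens hypothetical role assignments into effective entitlements, flags every pair the constructed SoD matrix forbids, reports which roles contribute each side of the conflict, and suggests whether the fix is a role redesign or a task reallocation. All rule names, roles and users are constructed.

```python
# Constructed SoD rule matrix: pairs of entitlements that must not coexist on one
# user, with the fraud each pair enables and a severity. The first two pairs are
# the article's own examples; all identifiers are hypothetical.
SOD_RULES = {
    frozenset({"VENDOR_CREATE", "PAYMENT_APPROVE"}): ("ghost vendor payment", "critical"),
    frozenset({"PO_CREATE", "GOODS_RECEIPT"}): ("fictitious goods receipt", "high"),
    frozenset({"JOURNAL_POST", "JOURNAL_APPROVE"}): ("self-approved journal entry", "high"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed role-to-entitlement and user-to-role data, shaped like an ERP export.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"PAYMENT_APPROVE", "INVOICE_ENTER"},
    "BUYER": {"PO_CREATE"},
    "WAREHOUSE": {"GOODS_RECEIPT"},
    "SUPER_USER": {"VENDOR_CREATE", "PAYMENT_APPROVE", "PO_CREATE",
                   "GOODS_RECEIPT", "JOURNAL_POST", "JOURNAL_APPROVE"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},   # accumulated both roles over the years
    "carol": {"BUYER", "WAREHOUSE"},     # understaffed site: one person does both
    "dave": {"SUPER_USER"},              # legacy "God Mode" account
}

def roles_granting(user, entitlement):
    """Roles of this user that carry the entitlement: where the conflict comes from."""
    return sorted(r for r in USER_ROLES.get(user, ()) if entitlement in ROLE_ENTITLEMENTS.get(r, ()))

def effective_entitlements(user):
    """Flatten a user's roles into the entitlements they actually hold."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in USER_ROLES.get(user, ())))

def find_conflicts(user):
    """One finding per violated SoD rule, most severe first, then by risk name."""
    ents = effective_entitlements(user)
    findings = []
    for pair, (risk, severity) in SOD_RULES.items():
        if pair <= ents:  # both halves of the toxic combination are present
            a, b = sorted(pair)
            findings.append({"user": user, "risk": risk, "severity": severity, "entitlements": (a, b),
                             "via": {a: roles_granting(user, a), b: roles_granting(user, b)}})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["risk"]))

def remediation(finding):
    """A single role granting both sides needs role redesign; two clean roles on one person need task reallocation."""
    a, b = finding["entitlements"]
    shared = sorted(set(finding["via"][a]) & set(finding["via"][b]))
    if shared:
        return f"redesign role(s) {shared}: they grant both {a} and {b}"
    return f"reassign {finding['via'][a]} or {finding['via'][b]} to a different person"
```

Running `find_conflicts` over every user in `USER_ROLES` yields the depersonalized report the section describes: the rule, the severity and the exact roles behind each flagged combination.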

Finding the Balance

Perfect security is a system nobody can use; perfect operations is a system anyone can exploit. The goal of GRC professionals is to find the secure middle ground.

By leading with empathy, explaining the real-world risks, providing emergency alternatives, and utilizing automated SoD tools, you can successfully restrict access rights while keeping operations running smoothly—and keeping the auditors happy.