As part of our evaluation of customer Yardi Voyager implementations for Segregation of Duties and Sensitive Access Risks, one area of concern is always around Suppliers.
Yardi Voyager has a very comprehensive Security model with over 4,000 Permissions that can be granted to your users' Groups. Many of these Permissions are also granted solely through a Menu. These Permissions relate to Reports that can be run on a Menu, and some of them update Data. As part of our review, we also have to make sure that we take into account whether the Group/Role with the Permission has more than just 'Read-Only' access. With Read-Only access a User technically can't process the transaction, so flagging that User gives us a false positive.
An additional area of analysis that we conduct is based upon a User needing (via their Group) multiple Permissions to complete a task. Without considering these Permissions as a chain we end up with false positives: the User appears to have the ability to perform an action, but actually can't. This leads us on to Supplier Electronic Fund Transfers. When evaluating this process, we found that in order to complete it a User needs Permissions including the Suppliers Permission itself, along with the EFT Setup and Pay processing.
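The sketch below is an added example, not our review tooling or anything shipped with Yardi Voyager. It compares a naive check with one that requires the whole Supplier EFT chain above Read-Only. All permission, group and user names, the "full" access level and the union-of-groups rule are constructed assumptions.

```python
# Added example. Permission, group and user names and the "full" level are
# constructed placeholders, not Yardi Voyager identifiers.
READ_ONLY = "read-only"

# Every permission in a chain must be held above Read-Only to finish the task.
CHAINS = {"supplier_eft_payment": {"SUPPLIER", "EFT_SETUP", "PAY_PROCESSING"}}

GROUP_PERMISSIONS = {
    "AP_Clerk": {"SUPPLIER": "full", "EFT_SETUP": READ_ONLY},
    "AP_Manager": {"EFT_SETUP": "full", "PAY_PROCESSING": "full"},
    "Auditor": {p: READ_ONLY for p in CHAINS["supplier_eft_payment"]},
    "AP_Lead": {p: "full" for p in CHAINS["supplier_eft_payment"]},
}

# Assumption: a user in several groups gets the union of their grants.
USER_GROUPS = {
    "alice": ["AP_Clerk"],
    "bob": ["AP_Manager"],
    "carol": ["Auditor"],
    "dave": ["AP_Clerk", "AP_Manager"],
    "erin": ["AP_Lead"],
}

def effective_permissions(user):
    """Permissions the user can actually transact with (Read-Only dropped)."""
    return {
        perm
        for group in USER_GROUPS.get(user, [])
        for perm, level in GROUP_PERMISSIONS.get(group, {}).items()
        if level != READ_ONLY
    }

def naive_flags(chain):
    """Flag anyone holding any permission in the chain at any access level."""
    return sorted(
        u for u, groups in USER_GROUPS.items()
        if any(chain.intersection(GROUP_PERMISSIONS[g]) for g in groups)
    )

def chain_flags(chain):
    """Flag only users holding the whole chain above Read-Only."""
    return sorted(u for u in USER_GROUPS if chain <= effective_permissions(u))

if __name__ == "__main__":
    chain = CHAINS["supplier_eft_payment"]
    print("naive:", naive_flags(chain))
    print("chain-aware:", chain_flags(chain))
```

On this constructed data the naive check flags all five users, while the chain-aware check flags only the two who can complete the payment process end to end.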
If you are reviewing the Permissions for Supplier Payments, be sure that you are encompassing all of the Permissions required, or take a look at our service, which will perform the work for you! We already review over 650 Permissions for Segregation of Duties and Sensitive Access, and have everything needed to review your Security.
If you would like to discuss your Yardi Application Security and Controls, reach out to us below: