Request A demo
Case Studies

How Pathlock Helped Metropolitan Sewer District Address Security Issues 

Download a pdf file
Louisville/Jefferson County Metropolitan Sewer District (LJCMSD) Louisville/Jefferson County
Industry Utilities
Pathlock Solution


For the past 60 years, Louisville/Jefferson County Metropolitan Sewer District (LJCMSD) has built, maintained, and operated quality wastewater and stormwater facilities for the people who live in Jefferson County, Kentucky. LJCMSD has over 200,000 customers throughout the greater Jefferson County metropolitan area.


LJCMSD implemented SAP R/3 in 1998 to support the organization’s back-office accounting and financial reporting business processes. With about 200 users in the company, there were many employees who needed access to the system for various reasons. In contrast to many large enterprises, there were a limited number of IT staff available to manage user access issues to SAP. In most cases, employees were simply granted access to SAP when they put in a request. 

Though it’s a public utility and not governed by Sarbanes-Oxley regulations, LJCMSD applications analyst Ed Hammerbeck realized that there were many vulnerabilities in their SAP user access permissions. For example, a payroll clerk should not have access to billing a customer and then accepting payment. In other words, “they should not be in a position to handle cash from cradle to grave,” says Hammerbeck. 

“We had been granting employees access to the network on a need basis but never looked at the access or our security from a 50,000-foot level. Who was being granted access? How long did they need access? Were there any conflicts of interest, like the payroll clerk example, going on?” 

In order to try and address these issues, Hammerbeck and the IT team had to spend time writing scripts to produce the types of reports necessary to monitor system access. In addition, auditors wanted assurances that security issues were being addressed before problems could arise. Hammerbeck and the rest of the IT team realized that they needed technology to augment their SAP user administration process that would help identify security risks, develop role-based authorization and address inactive users. 

“In the past, when someone left the company, nobody on the IT staff would delete their user access rights. Now we can generate an inactive user report that highlights if a user has been inactive for 90 days and then automatically eliminate their access.”

– Ed Hammerback, LJCMSD Applications Analyst

Solution & Results

Early in 2007, LJCMSD implemented Pathlock’s solution and the software has already produced tremendous benefits. Hammerbeck was able to easily run reports which showed him which employees had access and which access might cause potential security breaches. “With Pathlock, we’re able to continually identify security issues, analyze the entire system and then implement a role-based approach to eliminate potential security issues. From an efficiency standpoint, we’re able to design roles that automatically grant or deny system access based on a person’s job function, not on an ad-hoc basis.” 

“The people at Pathlock have been very supportive and easy to work with. I’ve asked them technical questions and they’ve responded quickly. In addition they’ve incorporated some of our thoughts into how to engineer their product. I can’t point to many software companies that offer that type of customer service.”

Ed Hammerback, LJCMSD Applications Analyst