Louisville MSD revamped its SAP access controls with Pathlock, removing inactive accounts and enhancing role-based permissions for easier audits.
Background
The Louisville and Jefferson County Metropolitan Sewer District (MSD) provides wastewater and stormwater services to more than 200,000 customers across Jefferson County, Kentucky. With a long-standing SAP R/3 implementation dating back to 1998, the organization relied on the system to manage back-office operations, including accounting, financial reporting, and payroll.
However, as user access requests increased over time—and as security expectations evolved—MSD’s IT team recognized that their SAP environment lacked the necessary visibility and control to effectively manage risks.
Security Gaps Exposed
With only a small IT team supporting roughly 200 users, access to SAP was historically granted on an as-needed basis, without consistent review of potential conflicts or over-provisioning. That lack of centralized oversight began to raise concerns, especially for Ed Hammerbeck, Applications Analyst at MSD.
“We had been granting employees access on a need basis but never looked at the access or our security from a 50,000-foot level,” said Hammerbeck. “Who was being granted access? How long did they need it? Were there conflicts of interest?”
For example, a payroll clerk with permissions to bill customers and accept payments could pose a serious risk. Meanwhile, dormant user accounts remained active long after employees left the organization, another red flag in terms of access hygiene.
In response, the IT team began writing scripts to generate custom reports that could identify issues. But the process was time-consuming, reactive, and failed to provide the broader visibility auditors were starting to demand.
A Role-Based Approach with Pathlock
MSD implemented Pathlock to gain the visibility and automation they needed. With Pathlock’s user access analytics and controls, Hammerbeck and his team were able to:
- Identify conflicts and risky access combinations across the SAP environment
- Automatically flag inactive users and deprovision them after 90 days
- Create job-based roles that grant or deny access based on business function rather than one-off requests
“With Pathlock, we’re able to continually identify security issues, analyze the entire system, and then implement a role-based approach to eliminate potential problems,” said Hammerbeck. “From an efficiency standpoint, we can now manage access proactively instead of reactively.”
Improving Audit Readiness and Reducing Manual Work
MSD’s audit posture improved dramatically with Pathlock. Reports that used to require manual scripting and ad hoc investigation could now be generated automatically, providing auditors with clearer evidence of controls and activity monitoring.
“In the past, when someone left the company, nobody on the IT staff would delete their user access rights,” said Hammerbeck. “Now we can generate an inactive user report and remove access automatically.”
The IT team also praised Pathlock’s customer support and responsiveness, noting that feedback provided by MSD helped influence future product features.