GRC Risk Mitigation: B009

Former Member
0 Kudos

I am working with some of the business units to mitigate GRC risk B009. However, the risk stems from the System Administrator role here at our organization. How have others managed to mitigate the risk that is probably commonly held by system administrators (since they need a wide array of access)? Comments and tips appreciated!

Accepted Solutions (0)

Answers (1)

Rich_Turnquist
Participant
0 Kudos

Our security team severely limits the actions of the System Admins in production. For example, table maintenance is not allowed in production. This is only needed by the System Admin once in a while, so we have Firefighter IDs they can use when they need to update tables. At first, they argued that they would be in as firefighters all the time, but in reality, it isn't so. So we get around most of the mitigations by having the security team make sure that access in production is "Display" only, and we use Firefighter IDs with a process around it when needed. Just as long as the System Admins aren't limited in "doing their job", they are okay with it.

Former Member
0 Kudos

I have also approached it in a similar way to Peggy.

Trying to convince basis and system administrators that they actually don't need that access in production very often is a difficult task but it is achievable.

I would look carefully at the rules which you have stipulated and try to understand the key ones for consideration. Try to remove any unnecessary triggers in the first instance. You may wish to use ST03 to try to find evidence of how frequently they access the key transactions.

Consider using SPM to give back the access which you are removing from them in a more controlled way, as that may increase the buy-in of the team members.

Don't give up!!
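The ST03 frequency check suggested above, combined with the first answer's split between display-only access and Firefighter IDs, as an added example that is not part of the original thread. It assumes a constructed ST03N-style export of (user, transaction, dialog steps); the classification of SM30/SU01 as change transactions and the threshold of 10 steps per period are assumptions to be replaced by your own B009 rule set.

```python
from collections import defaultdict

# Constructed sample in the shape of an ST03N user/transaction profile export:
# (user, transaction code, dialog steps in the review period). Not real data.
ST03_SAMPLE = [
    ("BASIS01", "SM30", 2),    # table maintenance (change)
    ("BASIS01", "SE16", 40),   # table display
    ("BASIS01", "SM21", 310),  # system log (display)
    ("BASIS01", "ST22", 120),  # dump analysis (display)
    ("BASIS02", "SM30", 0),    # granted but never used in the period
    ("BASIS02", "SE16", 85),
    ("BASIS02", "SU01", 9),    # user maintenance (change)
]

# Assumed classification: which transactions change production data and are
# therefore candidates for a Firefighter ID instead of the standard role.
CHANGE_TCODES = {"SM30", "SU01"}

# Assumed cut-off: a change transaction used fewer times than this per period
# is evidence that Firefighter access would not disrupt the admin's job.
FIREFIGHTER_THRESHOLD = 10


def classify_usage(rows, change_tcodes=CHANGE_TCODES,
                   threshold=FIREFIGHTER_THRESHOLD):
    """Aggregate dialog steps per user and transaction, then sort each user's
    change transactions into 'rare_change' (move behind a Firefighter ID and
    keep the standard role display-only) or 'frequent_change' (needs a
    discussion with the admin before the access is removed)."""
    usage = defaultdict(lambda: defaultdict(int))
    for user, tcode, steps in rows:
        usage[user][tcode] += steps

    result = {}
    for user, tcodes in usage.items():
        rare, frequent = [], []
        for tcode, steps in tcodes.items():
            if tcode not in change_tcodes:
                continue  # display-only transactions stay in the role
            (frequent if steps >= threshold else rare).append((tcode, steps))
        result[user] = {
            "rare_change": sorted(rare),
            "frequent_change": sorted(frequent),
        }
    return result


if __name__ == "__main__":
    for user, verdict in classify_usage(ST03_SAMPLE).items():
        print(user, verdict)
```

Run it against a real ST03N export after replacing the sample rows; the "rare_change" list is the evidence to bring to the basis team when proposing Firefighter IDs.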