
Audit Question - Access to SU01

chris_hall2
Participant
0 Kudos

I have a question in regards to access to SU01. We currently have a team to set up users and assign roles. We are SOx regulated and have been questioned about individuals having this access.

Does it make sense to have one user setting up the ID without any authorizations assigned and then another person add the roles? We have Compliance Calibrator installed and no issues from that, but I am aware it is sometimes a business process decision from our auditors.

To me this does not make sense at all. Not sure if this would be the same for all our other applications either at this point, including BW, IPC, XI, network access, etc.

Accepted Solutions (1)

Former Member
0 Kudos

Hi Chris,

Normally the security (if not basis) team will take care of the authorization part, i.e. creating users and assigning roles to users.

Only they (Security) should have access to SU01. There is no point in splitting the authorization activity into two categories, where one person creates the user ID without roles and another person assigns roles to that user.

We can have a common security team for ECC, BW, XI, etc.

Thanks & Regards,

KKRao.

Answers (2)

Former Member
0 Kudos

Please see the objects S_USR_GRP and S_USR_AGR, which are used to control the user assignment and role administration tasks.

Former Member
0 Kudos

Hi,

Yes, the same thing has been recommended by the auditor to our company. There should be an SoD within the team which ensures that a user ID cannot be misused by anyone, even the security team, which enhances the security of the system.

Thanks & Regards,

Satyabrat

chris_hall2
Participant
0 Kudos

Thanks for the quick responses. We have a central team that is 7x24 to administer all IDs across all applications.

I'm not sure there is a valid reason for splitting this administration out. Once an ID is set up, the second party can manipulate the ID in any manner anyway.

Former Member
0 Kudos

Chris,

This causes a lot of confusion and consternation across the industry. Having been on both sides of the fence from an audit perspective, I tend to take a pragmatic approach.

The key issue is about being able to amend roles and assign them to users. Wherever possible, this should be avoided. It is up to you how you manage that, but if you have a situation whereby a single person can create a role / profile and assign it to a user they control, then you have a potential audit issue.

You can split it in any way you like, but you are basically trying to stop that SoD.

Some choose to have a dedicated team who are able to create users but not create or assign authorisations, a separate team who can assign authorisations but not create users or roles, and a third team who can only create roles but not create users or assign to them.

While that is ideal, it is not always practical, so it is often somewhere in the middle.

As long as your central team cannot amend the roles and authorisations that they are assigning (or assign super user access like SAP_ALL) without appropriate controls in place, then you can generally have a fairly reasonable discussion with your auditors.

Simon
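As an added illustration (not code from this thread, from SAP or from any of the posters), here is a small Python SoD check over constructed authorization data that models the three-way split Simon describes and the user-group / role objects mentioned in the earlier answer. The full object names S_USER_GRP and S_USER_AGR and the activity codes used are assumptions to verify against your own system's SU24/PFCG definitions.

```python
# Constructed SoD model for SAP user/role administration (example only).
# An authorization is modelled as (object, ACTVT); activity codes assumed:
# 01 = create, 02 = change, 22 = assign/include. Check them against SU24/PFCG
# in your own system before relying on this logic.

# A capability is granted if ANY one of its alternative requirement sets is held.
CAPABILITIES = {
    "create_user":   [{("S_USER_GRP", "01")}],
    "assign_role":   [{("S_USER_GRP", "22"), ("S_USER_AGR", "22")}],
    "maintain_role": [{("S_USER_AGR", "01")}, {("S_USER_AGR", "02")}],
}

# Capability pairs that should not sit with one team, as argued in the thread:
# amending a role and assigning it is the one auditors really care about;
# creating users and assigning roles is the "ideal" split that is often impractical.
SOD_RULES = {
    frozenset({"maintain_role", "assign_role"}): "high",
    frozenset({"create_user", "assign_role"}): "low",
}

def capabilities(auths):
    """Return the set of capabilities a given authorization set grants."""
    return {cap for cap, alternatives in CAPABILITIES.items()
            if any(req <= auths for req in alternatives)}

def sod_conflicts(auths):
    """Map each violated SoD rule (as a sorted capability pair) to its severity."""
    caps = capabilities(auths)
    return {tuple(sorted(pair)): sev for pair, sev in SOD_RULES.items() if pair <= caps}

# Constructed teams: the three-way split from the thread, a central team that
# creates users and assigns roles but cannot maintain roles in PFCG, and a
# single admin who can both change a role and hand it to a user.
TEAMS = {
    "user_admin":  {("S_USER_GRP", "01"), ("S_USER_GRP", "02")},
    "role_assign": {("S_USER_GRP", "22"), ("S_USER_AGR", "22")},
    "role_build":  {("S_USER_AGR", "01"), ("S_USER_AGR", "02")},
    "central":     {("S_USER_GRP", "01"), ("S_USER_GRP", "02"),
                    ("S_USER_GRP", "22"), ("S_USER_AGR", "22")},
    "superadmin":  {("S_USER_GRP", "01"), ("S_USER_GRP", "22"),
                    ("S_USER_AGR", "22"), ("S_USER_AGR", "02")},
}

def report(teams=TEAMS):
    """Evaluate every team and return only those with at least one conflict."""
    return {name: c for name, a in teams.items() if (c := sod_conflicts(a))}

if __name__ == "__main__":
    for team, conflicts in report().items():
        for pair, severity in conflicts.items():
            print(f"{team}: {' + '.join(pair)} -> {severity}")
```

The "central" team only trips the low-severity rule, which is the position Chris is arguing for; the single admin who can change a role and assign it trips the one Simon calls the real audit issue.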

chris_hall2
Participant
0 Kudos

Thanks Simon.

I agree with what you have said. It may just take a little push back on our end with the auditors. We have alerts set up for when SAP_ALL is added to a user and monitor this very closely. The team that can set up an ID and add the roles has no authorization to maintain any of the roles via PFCG. I think we can put a legit argument that we can retain our central team and have no issues.

Thanks,

Chris