on 05-10-2010 7:27 AM
Hi Everyone,
I'm trying to establish what is a good practice to follow on how to deal with critical actions.
Our thinking is that even though they are critical actions people will still need to have access to them.
Here are some options with the cons we have been considering:
1. Add the actions into Firefighter IDs & roles. We don't necessarily want to add actions into a firefighter role that someone is expected to do during their daily/weekly/routine activities.
2. Disable the Critical Actions rules. This will disable your ability to easily identify when an unwanted user has access to these actions.
3. Create mitigation controls for these critical actions and assign them to the specific users. This is quite an administrative burden due to the number of critical actions. We would not want to mitigate at the higher risk level but rather at the individual rule level.
We are leaning towards option 3 but would appreciate some other options and input on how to deal with these?
Kind Regards
To cut down on the administrative burden of mitigating the users, you could create a critical transaction role, assign the users you want to mitigate to this role, and then assign the role to the mitigating control. This way you'll only be adding users to the SAP role to consider them mitigated.
Dave wood
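The role-based mitigation suggested above, modelled as an added example (this is not SAP GRC code or its API; role names, transaction codes, rule IDs and user IDs are all constructed). Users are assigned a technical role that carries the mitigating control; the check then reports who still has access to a critical transaction without being in that role, and also lists users sitting in the mitigating role with no critical access, which is the clean-up a reviewer would want to see:

```python
"""Illustrative model of role-based mitigation for critical action rules.

Added example, not SAP GRC code. Instead of attaching a mitigating control to
each user, one technical role (here Z_CRIT_TX_MITIGATED) carries the control
and users are mitigated by being assigned to it. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: user -> SAP roles held.
USER_ROLES: Dict[str, Set[str]] = {
    "ALICE": {"Z_FI_CLERK", "Z_CRIT_TX_MITIGATED"},
    "BOB":   {"Z_FI_CLERK"},
    "CAROL": {"Z_BASIS_ADMIN", "Z_CRIT_TX_MITIGATED"},
    "DAVE":  {"Z_CRIT_TX_MITIGATED"},  # mitigated, but holds no critical access
}

# Constructed sample: role -> transaction codes it grants.
ROLE_TCODES: Dict[str, Set[str]] = {
    "Z_FI_CLERK": {"FB01", "F110"},
    "Z_BASIS_ADMIN": {"SU01", "SM30"},
    "Z_CRIT_TX_MITIGATED": set(),  # technical role: carries the control, grants nothing
}

# Constructed sample critical action rules: rule id -> transaction code.
CRITICAL_RULES: Dict[str, str] = {
    "CA001": "F110",  # payment run
    "CA002": "SU01",  # user maintenance
    "CA003": "SM30",  # table maintenance
}

# Mitigating controls attached to a role: control id -> (role, rule ids covered).
ROLE_MITIGATIONS: Dict[str, Tuple[str, Set[str]]] = {
    "MC_CRIT_TX": ("Z_CRIT_TX_MITIGATED", {"CA001", "CA002", "CA003"}),
}


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    tcode: str
    mitigated_by: Optional[str]  # control id, or None if unmitigated


def user_tcodes(user: str, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES) -> Set[str]:
    """Union of transaction codes granted by all roles the user holds."""
    return set().union(*(role_tcodes.get(r, set()) for r in user_roles.get(user, set())))


def mitigation_for(user: str, rule_id: str, user_roles=USER_ROLES,
                   role_mitigations=ROLE_MITIGATIONS) -> Optional[str]:
    """Return the control id that mitigates rule_id for this user via a role, if any."""
    for control_id, (role, covered_rules) in role_mitigations.items():
        if role in user_roles.get(user, set()) and rule_id in covered_rules:
            return control_id
    return None


def evaluate(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES,
             rules=CRITICAL_RULES, role_mitigations=ROLE_MITIGATIONS) -> List[Finding]:
    """One finding per (user, critical rule) where the user can execute the transaction."""
    findings = []
    for user in sorted(user_roles):
        tcodes = user_tcodes(user, user_roles, role_tcodes)
        for rule_id, tcode in sorted(rules.items()):
            if tcode in tcodes:
                findings.append(Finding(user, rule_id, tcode,
                                        mitigation_for(user, rule_id, user_roles, role_mitigations)))
    return findings


def unmitigated(findings: List[Finding]) -> List[Finding]:
    """Findings that still need a decision: remove access, firefighter, or mitigate."""
    return [f for f in findings if f.mitigated_by is None]


def dormant_mitigations(findings: List[Finding], user_roles=USER_ROLES,
                        role_mitigations=ROLE_MITIGATIONS) -> List[str]:
    """Users in a mitigating role who trigger no critical rule: candidates for removal."""
    mitigating_roles = {role for role, _ in role_mitigations.values()}
    flagged = {f.user for f in findings}
    return sorted(u for u, roles in user_roles.items()
                  if roles & mitigating_roles and u not in flagged)


if __name__ == "__main__":
    results = evaluate()
    for f in results:
        print(f"{f.user:6} {f.rule_id} {f.tcode:5} mitigated_by={f.mitigated_by}")
    print("unmitigated:", [(f.user, f.rule_id) for f in unmitigated(results)])
    print("dormant mitigating-role members:", dormant_mitigations(results))
```

Running it shows BOB as the only unmitigated hit (F110 via Z_FI_CLERK, not in the mitigating role) and DAVE as a dormant member of the mitigating role; the same structure works for per-user controls by swapping the role lookup in `mitigation_for` for a user-to-control table.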
We are going through the same process and are using a combination of your suggestions. First, we are going through the critical actions and determining if our company (business reps and auditors) agrees with SAP standards. Some of the transactions we don't consider as being critical, so those will be disabled. Next, we will put some critical actions in our firefighter IDs and not allow an end user to have them in production. Then, we will mitigate the users who use some of the transactions regularly. And lastly, we will run the critical action notify job weekly or maybe even monthly.
Peggy