
Critical Actions

Former Member
0 Kudos

Hi Everyone,

I'm trying to establish what is a good practice to follow on how to deal with critical actions.

Our thinking is that even though they are critical actions people will still need to have access to them.

Here are some options with the cons we have been considering:

1. Add the actions into Firefighter IDs & roles. We don't necessarily want to add actions into a firefighter role that someone is expected to do during their daily/weekly/routine activities.

2. Disable the Critical Actions rules. This will disable your ability to easily identify when an unwanted user has access to these actions.

3. Create mitigation controls for these critical actions and assign them to the specific users. This is quite an administrative burden due to the number of critical actions. We would not want to mitigate at the Higher risk level but rather at the individual rule level.

We are leaning towards option 3 but would appreciate some other options and input on how to deal with these?

Kind Regards

Accepted Solutions (1)


Former Member
0 Kudos

To cut down on the administrative burden of mitigating the users, you could create a critical transaction role, assign the users you want to mitigate to this role, and then assign the role to the mitigating control. This way you'll only be adding users to the SAP role to consider them mitigated.

Dave Wood

Answers (1)


Rich_Turnquist
Participant
0 Kudos

We are going through the same process and are using a combination of your suggestions. First we are going through the critical actions and determining if our company (business reps and auditors) agrees with SAP standards. Some of the transactions we don't consider as being critical, so those will be disabled. Next, we will put some critical actions in our firefighter IDs and not allow an end-user to have them in production. Then, we will mitigate the users who use some of the transactions regularly. And lastly, we will run the critical action notify job weekly or maybe even monthly.

Peggy