on 06-07-2010 2:57 PM
Dear All,
I have a small question regarding Access Control (RAR and CUP).
We have customised our ruleset and are developing new rules all the time. Many business areas ask us to include transactions where they would like to monitor who has access to them; however, these are not "super-"critical transactions, so a violation should not necessarily lead to a mitigation or remediation.
The mitigating control for those reported violations would just be something like "is part of my team"... however, as far as I know, just saying "is part of my team" is not the end of the story.
First of all, the mitigating controls have to be documented, then they have a limited validity so they have to be renewed as well. Also, the number of violations (or mitigated violations) is misleading, since it is not really a violation. So each violation causes quite some effort to manage it...
Therefore the question: since it is possible to classify the risks for the rules as "low", is it also possible to configure the system in a way that for these risks no remediation or mitigation is necessary? So that in RAR they are not picked up by reports, and in CUP provisioning is possible for those "low" violations.
The perfect solution would be something like this: those violations are generally ignored by the system; however, if desired, you can check manually who is violating in order to see who has access to the transactions.
Hopefully I made the scenario clear, but I guess that other companies have a similar scenario as well...
Thanks
Muhammad
You could also classify those risks as low, and only run background reports for risk levels medium and higher.
Frank.
Hi,
I have not come across this scenario, but I think you can use the Firefighter concept: by assigning access to these transactions to an FF ID, you can easily track who is using these t-codes and which actions have been performed with them, instead of doing mitigation in RAR.
Thanks
Sunny
Hi,
If these tcodes are not part of the daily job and are not used much, then you should get away with Firefighter.
If these tcodes are used almost daily, then the only way out would be to create a separate ruleset for them. I have done it at my previous client. We had 2 rulesets, where the main ruleset was our default ruleset. We added all the other tcodes to the secondary ruleset so the violations would not be reported in RAR or CUP. We can still run an ad hoc risk analysis against the secondary ruleset when we need to find out who has access to those tcodes.
I hope it makes sense.
Regards,
Alpesh
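The two approaches suggested in this thread (Frank's: keep the low risks in the main ruleset but only report from "medium" upwards; Alpesh's: move the monitor-only transactions into a secondary ruleset and run ad hoc analysis against it) can be sketched as a small simulation. The following is an added example written for this page, not code from the thread or from SAP GRC; it does not use the real RAR/CUP API, and the ruleset names, risk IDs, Z-transaction codes and user assignments are all constructed placeholders.

```python
"""Toy model of SAP GRC-style risk analysis: risk-level filtering vs. a secondary ruleset.

Added example, not SAP code. A 'rule' is a set of transactions that together
constitute a risk; a user 'violates' it when they hold every transaction in the set.
"""
from dataclasses import dataclass

# Risk levels ordered for threshold comparison (constructed, mirrors low/medium/high/critical).
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Rule:
    risk_id: str
    level: str
    tcodes: frozenset  # transactions that together form the risk


@dataclass(frozen=True)
class Ruleset:
    name: str
    rules: tuple


def violations(ruleset, user_tcodes, min_level="low"):
    """Return (user, risk_id, level) tuples for every rule in `ruleset` whose
    level is at least `min_level` and whose transactions the user all holds.
    This is the 'background report with a risk-level threshold' idea."""
    threshold = LEVELS[min_level]
    found = []
    for user, tcodes in user_tcodes.items():
        for rule in ruleset.rules:
            if LEVELS[rule.level] < threshold:
                continue  # low-level risk filtered out of the report
            if rule.tcodes <= tcodes:
                found.append((user, rule.risk_id, rule.level))
    return found


def who_has_access(user_tcodes, tcode):
    """Ad hoc 'who can run this transaction' query, independent of any ruleset."""
    return sorted(user for user, tcodes in user_tcodes.items() if tcode in tcodes)


# --- constructed sample data -------------------------------------------------
# Main (default) ruleset: one genuine SoD risk plus one low-level monitoring risk.
PRIMARY = Ruleset("PRIMARY", (
    Rule("P001", "high", frozenset({"ZPAY01", "ZVEN01"})),  # pay vendor + maintain vendor
    Rule("P002", "low", frozenset({"ZRPT01", "ZRPT02"})),   # two reporting tcodes
))

# Secondary ruleset (Alpesh's approach): single-transaction 'risks' used only
# to answer "who has access?", never reported by the regular RAR/CUP runs.
SECONDARY = Ruleset("MONITOR", (
    Rule("M001", "low", frozenset({"ZRPT01"})),
    Rule("M002", "low", frozenset({"ZCFG01"})),
))

USERS = {
    "alice": frozenset({"ZPAY01", "ZVEN01", "ZRPT01"}),
    "bob": frozenset({"ZRPT01", "ZRPT02"}),
    "carol": frozenset({"ZCFG01"}),
}


def background_report():
    """Frank's approach: same ruleset, but the scheduled report ignores 'low' risks."""
    return violations(PRIMARY, USERS, min_level="medium")


def adhoc_monitoring_report():
    """Alpesh's approach: run the secondary ruleset on demand, all levels included."""
    return violations(SECONDARY, USERS, min_level="low")


if __name__ == "__main__":
    print("Scheduled report (medium and above):", background_report())
    print("Full primary analysis (all levels):", violations(PRIMARY, USERS))
    print("Ad hoc monitoring ruleset:", adhoc_monitoring_report())
    print("Who can run ZRPT01:", who_has_access(USERS, "ZRPT01"))
```

Running it shows the trade-off both posters describe: with the threshold set to "medium", bob's low-level P002 hit disappears from the scheduled report while alice's high-level P001 remains, and the secondary ruleset still lets you list everyone holding the monitored transactions on demand. What a real GRC system adds on top of this toy is the mitigation workflow, validity periods and approval steps that the original question wanted to avoid for the low risks.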