Expired users show up in cross system Risk Analysis

Former Member
0 Kudos

Dear all,

We have set GRC Risk Analysis to ignore expired users.

But when doing a user level RA against a cross system (A. SAP ERP and B. SAP SRM) where a user is expired in system A and valid in system B, the user is listed in the result view.

If doing the same RA against single system A, the user won't be listed due to the setting "ignore expired users".

Only if user is expired in both system A and B the result of a user level RA against the cross system for this user will be empty.

But if a user is expired in system A, how should he/she execute the critical business activity reported per user level RA? For this, the user must be valid and active in both systems to execute the activities of the reported cross system SOD.

Per SAP Support this behaviour is standard.

Does anyone have the same experience with cross system RA and might have any idea about a workaround?

Regards,

Markus

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hi Markus,

I agree with your observations on a technical level, as being disabled on one system in theory would/should not realise the risk.

However, if the role assignments on the disabled/expired account are still valid and a scenario takes place where the account is enabled again (by chance and/or without thinking), then obviously the risk being potentially realised is odds-on. It should be remembered that the Risk Analysis reports potential risk scenarios as a preemptive tool, rather than a proactive or post-event tool, i.e. according to the risk analysis, that risk is still possible as the access combination still exists in the landscape.

In many organisations, the best practice for an expired account is to have the role assignments removed from the User ID. If this approach is considered, then the obvious cross system risks would not be reported in such situations.

I hope the answer helps in understanding your situation.
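
The following is an added example, not part of either post and not SAP GRC code: a simplified Python model of the filtering behaviour described in the question, next to a check for the cleanup the answer recommends. The user IDs, function names, dates and the single cross-system risk are constructed assumptions.

```python
from datetime import date

TODAY = date(2024, 1, 1)    # fixed so the constructed data is reproducible
OPEN = date(9999, 12, 31)   # account with no practical end date
PAST = date(2023, 6, 30)    # account whose validity has ended

# Hypothetical cross-system SoD risk: one conflicting function per system.
RISK = {"ERP": "MAINTAIN_VENDOR", "SRM": "APPROVE_CART"}

# Constructed user master data: system -> user -> (valid_to, functions)
USERS = {
    "ERP": {
        "USER1": (PAST, {"MAINTAIN_VENDOR"}),   # expired in ERP only
        "USER2": (PAST, {"MAINTAIN_VENDOR"}),   # expired in both systems
        "USER3": (OPEN, {"MAINTAIN_VENDOR"}),   # valid in both systems
    },
    "SRM": {
        "USER1": (OPEN, {"APPROVE_CART"}),
        "USER2": (PAST, {"APPROVE_CART"}),
        "USER3": (OPEN, {"APPROVE_CART"}),
    },
}

def expired(system, user):
    return USERS[system][user][0] < TODAY

def holders():
    """Users whose assignments satisfy every side of the cross-system risk."""
    common = set.intersection(*(set(USERS[s]) for s in RISK))
    return sorted(u for u in common
                  if all(RISK[s] in USERS[s][u][1] for s in RISK))

def reported(drop_if):
    """drop_if=all: skip a user only when expired in every system (the
    behaviour described in the thread); drop_if=any: skip a user who is
    expired in at least one system (what the question expected)."""
    return [u for u in holders() if not drop_if(expired(s, u) for s in RISK)]

def cleanup_candidates():
    """Expired accounts that still carry a risk-relevant function."""
    return sorted((s, u) for s in RISK for u, (_, funcs) in USERS[s].items()
                  if expired(s, u) and RISK[s] in funcs)

if __name__ == "__main__":
    print("expired-in-all rule:", reported(all))
    print("expired-in-any rule:", reported(any))
    print("expired but still assigned:", cleanup_candidates())
```

The output of `cleanup_candidates()` is the list an administrator would work through to remove role assignments from expired accounts, after which those users no longer appear under either rule.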