on 10-01-2014 12:28 PM
Hello All,
we are having a discussion about the use of unpersonalized (dialog) users for business in our organisation.
Business wants to use these for trainees and maintain a log of who used the user and when, including the use of valid-from and valid-to dates. The external auditor has agreed to that.
I don't like the idea at all, but I lack valid points to argue against it, as this was not an option in any of the companies I've worked for so far, and with the auditor agreeing to this, it is even harder. I just want to avoid getting into trouble at some point in the future. Could you please share some impacts that this could have?
greetings
Alexander Walkenhorst
Have you checked that this complies with the wording of your SAP contract? You may find the term "named user" in there...
Steve.
As Gretchen says below, I'm staggered that an external auditor approves of such an arrangement. I wouldn't, for all the reasons she mentions. The first sign of fraud and all involved will instantly regret it.
Security is like insurance - it is often a pain in the neck, and wallet, and when you don't need it (all your users are behaving themselves) you'll wish you didn't have to bother. But when something goes wrong you'll be glad you've got it...
Steve.
Hello,
from an auditor perspective I would not agree to any anonymous users for business in a productive environment. Only emergency or service accounts, and sometimes admins, should have such access.
If you can make a proposal: set up a management process and assign roles to trainees (with named users) only for the dedicated period they are working in a department. Mostly trainees have a predetermined schedule of their departments and therefore it should be possible to assign the roles according to their actual department schedule. This would help to decrease the management effort. If this is not possible (no plan existing) then always limit roles to the available date - no unlimited assignment.
Could you install a separate training system?
Jeff,
The requirement is that these trainees should take part in day-to-day business, but only for four weeks. Most of them won't touch SAP again. Business wants to avoid creating users for only four weeks and fears that they gather roles from multiple departments and become too powerful. I understand the concern.
They would tend to gather faster if you have a shared user ID, as there are more people moving around and the likelihood of forgetting to remove the role again is very real in the real world. Or one apprentice does PO approvals and accounts payable in the morning and another (with the same ID) does vendor master maintenance in the afternoons.
When they are prompted to change the password at end of validity they will also not know how many others to tell the new password to, so they will probably write it on a post-it on the inside of the laptop screen so that it can be passed on...
I am speculating now, but one reason why the auditors might be OK with it is conscience -> they are known to do exactly that as well and have a user ID called AUDITOR01 because every year they send you a different auditor.
Cheers,
Julius
What is the point of training these users if, after the four weeks are up, they will never touch SAP again? I do get the concern about the churn created by constantly creating and then invalidating accounts every four weeks. Seems like something IdM could help with, but I haven't used that tool so wouldn't know for sure.
My current organization does not give external auditors access to the systems, so we have to pull the data for them. At my previous customer organization, external auditors, like everyone else who wanted an SAP account, were required to have HR records, and the auditor role was assigned to the audit org unit.
Shared IDs for *auditors*? <smh> They better hope no auditor like me comes along one of these years.
Gretchen
Wise!
We are audited by the State annually, and in the fourteen years I have been with my current employer, managing our SAP system, only once has a State auditor asked for direct access to the system. Every other year they just ask for reports or extracts from it and are happy to let us provide them. Actually, most years the auditors don't even talk to IT; Finance deals with them and it is Finance that asks us for the extracts and reports. We have had a couple years, though, where the auditors wanted to look at things like the history of all transports to production in the course of a given year, and then they picked two (seemingly at random) and asked for the documented approval chain for them.
A few years ago our internal auditor asked for access, and so we do have an auditor role for that. However, as that person is an employee, they would have an account anyway for ESS purposes, so it was just a matter of adding the additional role.
The idea is that they (trainee, apprentice) are on a training for two to three years and are working with most departments (not IT of course) for a while to get a complete overview of processes in a company. Most employees did that (me too) at the beginning of their career.
They would use a department trainee user and switch to the next department user when they switch to the next department.
Normally I make auditors sit with me and extract the data to stop them pulling tables and data without the context. It's frustrating, as once they put a risk in a report that is invalid it takes a lot of effort and grief to explain why their assessment is wrong or there is a control in place already.
But then I worked on a few government systems and the internal auditors have legislation or frameworks that gave them the right to access all data. It's amusing when they demand a generic user to use in their team, which contradicts a heap of items they would mark as a violation for anyone else.
Like Gretchen, I would be concerned with an external auditor supporting a shared account with modify access. An xls spreadsheet to track probably would not stand up in court to prove who had access and, if fraud occurred, to identify which person of the group had access. Possibly a password change each time might reduce it, but I suspect the team leader would track the password.
Does the system have SSO in place as well?
Alexander,
That is rather surprising that an external auditor would agree to such a plan. All it will take is one time when there is fraud committed by one of these accounts, and the manual log shows a mysterious gap during the time when it occurred. That will be the end of anonymous shared dialog accounts and perhaps also the employment of the manager who signed off on that scheme. Configuring the system to ensure accountability for the business transactions is a key control for most organizations.
Regards,
Gretchen
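The weakness Gretchen describes (a manual usage log with a gap when something happens) is easy to surface by reconciling that log against the system's own logon records. The check below is an added example, not code from this thread or from SAP; the shared user ID, the names, the timestamps and the flat (user, time, terminal) extract format are all constructed.

```python
from datetime import datetime

# Constructed sample: logon events for one shared trainee ID, flattened from
# whatever logon/audit extract the system provides. Not real data.
LOGONS = [
    ("TRAINEE_FI", "2014-09-01 08:02", "WS-FI-01"),
    ("TRAINEE_FI", "2014-09-01 13:15", "WS-FI-07"),
    ("TRAINEE_FI", "2014-09-02 09:40", "WS-FI-01"),
    ("TRAINEE_FI", "2014-09-04 17:55", "WS-MM-03"),
]

# Constructed manual usage log: who signed for the ID, and from when to when.
USAGE_LOG = [
    ("TRAINEE_FI", "A. Mueller", "2014-09-01 08:00", "2014-09-01 12:00"),
    ("TRAINEE_FI", "B. Schmidt", "2014-09-01 13:00", "2014-09-01 17:00"),
    ("TRAINEE_FI", "A. Mueller", "2014-09-02 08:00", "2014-09-02 12:00"),
    ("TRAINEE_FI", "B. Schmidt", "2014-09-02 09:00", "2014-09-02 12:00"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def attribute_logons(logons, usage_log):
    """Map each logon to the person(s) who had signed for the ID at that time.

    Returns {(user, time, terminal): [names]}. An empty list means nobody is
    accountable for that session; two or more names means the manual log
    cannot tell who actually acted (overlapping sign-outs)."""
    result = {}
    for user, when, terminal in logons:
        t = _ts(when)
        names = [who for u, who, start, end in usage_log
                 if u == user and _ts(start) <= t <= _ts(end)]
        result[(user, when, terminal)] = names
    return result


def accountability_gaps(logons, usage_log):
    """Logons that the manual log attributes to nobody or to more than one person."""
    attributed = attribute_logons(logons, usage_log)
    return {k: v for k, v in attributed.items() if len(v) != 1}


if __name__ == "__main__":
    for (user, when, terminal), names in accountability_gaps(LOGONS, USAGE_LOG).items():
        status = "UNATTRIBUTED" if not names else "AMBIGUOUS " + "/".join(names)
        print(f"{user} {when} {terminal}: {status}")
```

Run against a real extract, every line this prints is a session the organisation could not explain to an investigator.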