
RE: RE:[sap-security] Questions about Temporary Roles/Assignments in SAP


Posted by Mark Toney (SAP Security Analyst)
on Mar 8 at 11:43 AM
Mark, is there any reason to have the role still appear in the user's profile after the expiration period? I have heard of organizations that accumulate many (sometimes thousands) of these "expired roles". As I understand it, users cannot make use of these roles, so there's no real danger (right?). But I've also heard that it can make the organization seem disorganized/messy, especially to auditors.
Regarding Firefighter IDs, Mark, I was under the impression FireFighter is typically used to perform emergency actions, and provides the user with significant authorizations (e.g., SAP_ALL).


No, once a role has expired there's no reason to leave it there. In fact, a zealous auditor might make the attempt to say it's a risk. We perform a monthly cleanup where we search for user accounts that have been inactive for 90 calendar days (we lock these) and also 120 days (we delete these) and also for expired role assignments (we delete these as well).

As for Firefighter, it's very useful for providing as-needed access for things like user backup... i.e., if Sally is out of the office and Bob needs to perform her job BUT giving Bob Sally's access in addition to his own would create a big-time Segregation of Duties issue, create a Firefighter ID that has Sally's access and give it to Bob for as long as it's needed. Not at all an emergency scenario.

If you want to cover yourself in the event of an emergency, create an uber-user equivalent to SAP*. DO NOT LOCK IT. Use the password generator to create its initial password, put this on a piece of paper, seal it in an envelope, then place it in a safe. Develop a process by which senior members of management would have to give documentable permission to release the password in an emergency. And log EVERYTHING.

Hang tough.


Mark A. Toney
SAP Security Analyst
Sodexo NorthAmerica
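The monthly cleanup Mark describes above (lock accounts idle 90 days, delete at 120, drop expired role assignments), as an added Python example that is not code from the post or from SAP: it classifies a constructed export of user last-logon dates and role-assignment end dates into those three actions. The thresholds are the post's; the sample accounts, the inclusive assignment end date and the rule that never-logged-on accounts are aged from their creation date are assumptions.

```python
from dataclasses import dataclass
from datetime import date

LOCK_AFTER_DAYS = 90     # inactive this long -> lock (threshold from the post)
DELETE_AFTER_DAYS = 120  # inactive this long -> delete (threshold from the post)

@dataclass(frozen=True)
class User:
    name: str
    created: date
    last_logon: "date | None"  # None = never logged on

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_to: date  # inclusive end date (assumed, like AGR_USERS TO_DAT)

def cleanup_actions(users, assignments, today):
    lock, delete = [], []
    for u in users:
        # Assumption: an account that never logged on is aged from its creation date.
        idle_days = (today - (u.last_logon or u.created)).days
        if idle_days >= DELETE_AFTER_DAYS:
            delete.append(u.name)
        elif idle_days >= LOCK_AFTER_DAYS:
            lock.append(u.name)
    doomed = set(delete)
    # Expired = end date strictly before today; assignments of deleted accounts go with the account.
    expired = sorted((a.user, a.role) for a in assignments
                     if a.valid_to < today and a.user not in doomed)
    return {"lock": sorted(lock), "delete": sorted(delete), "remove_assignment": expired}

# Constructed sample data (not real accounts), evaluated as of the post's date.
TODAY = date(2010, 3, 8)
USERS = [
    User("ALICE", date(2008, 1, 10), date(2010, 3, 1)),    # 7 days idle -> keep
    User("BOB",   date(2008, 1, 10), date(2009, 12, 1)),   # 97 days idle -> lock
    User("CAROL", date(2008, 1, 10), date(2009, 10, 15)),  # 144 days idle -> delete
    User("DAVE",  date(2009, 11, 1), None),                # never logged on, 127 days -> delete
]
ASSIGNMENTS = [
    Assignment("ALICE", "Z_FI_AP_CLERK", date(2009, 12, 31)),  # expired -> remove
    Assignment("ALICE", "Z_FI_DISPLAY",  date(9999, 12, 31)),  # open-ended -> keep
    Assignment("BOB",   "Z_MM_BUYER",    date(2010, 3, 7)),    # expired yesterday -> remove
    Assignment("BOB",   "Z_MM_DISPLAY",  date(2010, 3, 8)),    # valid through today -> keep
    Assignment("CAROL", "Z_SD_SALES",    date(2009, 6, 30)),   # expired, but account is deleted
]
ACTIONS = cleanup_actions(USERS, ASSIGNMENTS, TODAY)
```

Feed it the real export (last logon from the user master, valid-to from the role assignment table) and review the three lists before acting on them, since a service or emergency account that never logs on interactively would otherwise be deleted.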



Copyright © 2010 Toolbox.com and message author.