Re: [sap-security] Working of SUIM

Posted by Admin at

Posted by henrikmadsen2 (GRC Consultant )
on Sep 7 at 11:20 PM
Question:
If I run a query on 8th of September in SUIM looking for users which have
e.g. access to S_TCODE SU01. This TCODE is only covered by role 1 with the
end date 31.12.2009.
Answer: Yes, it will still show up, as the role is still assigned - the
profile however, is no longer assigned. That is assuming that you are
running the user compare job on a periodic basis.

Further, which of the following is best practice or preferred when a user
changes function:
1. Delete the role that the user does not need anymore or
2. Put an end date for the role that is not needed anymore.

I would go with 1, as leaving the roles there makes the reporting a lot more
messy as you mention. From a risk point of view, there isn't really any.
SUIM shows you the right answer, but are you asking the right question? ;-)


/henrik

On 8 September 2010 12:59, asifali via sap-security <
sap-security@groups.ittoolbox.com> wrote:

> Posted by asifali(BBA RE CIA CISA)
> on Sep 7 at 11:01 PM
>
> SAP Gurus,
>
> I have a question regarding the working of SUIM. Let's say you have the
> following hypothetical situation.
>
> User: KLM1234
> User Validity: 31.12.9999
> Roles (1): Z_Tasks_for_administrator => Role validity till 31.12.2009
> Roles (2): Z_Reporting_For_Finance => Role validity till 31.12.9999
>
> Question:
> If I run a query on 8th of September in SUIM looking for users which have
> e.g. access to S_TCODE SU01. This TCODE is only covered by role 1 with the
> end date 31.12.2009.
>
> Will SUIM report the user even if the role has an end date which has passed
> (31.12.2009)?
>
> Further, which of the following is best practice or preferred when a user
> changes function:
> 1. Delete the role that the user does not need anymore or
> 2. Put an end date for the role that is not needed anymore.
>
> I myself have preferences for option 1, considering that somebody working
> for a company for 20 years and changing jobs every 3/4 years, option 2 would
> be from maintenance and risk perspective less desirable. Further considering
> SUIM it may result in not accurate results.
>
> Waiting for your reply!
>
> Kind Regards,
> Asif

Copyright © 2010 Toolbox.com and message author.
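
The scenario from the thread, as an added example that is not part of the original posts: a Python script that takes an export of user-role assignments and splits the ones granting a transaction into effective, expired and future-dated on a given day, so expired assignments can be queued for removal. The CSV layout (columns named after the AGR_USERS fields), the start dates, user ABC0001 and transaction ZFIN01 are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export of user-role assignments (assumed CSV layout,
# dates in YYYYMMDD). KLM1234 mirrors the thread; ABC0001 is made up.
ASSIGNMENTS_CSV = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
KLM1234,Z_Tasks_for_administrator,20050101,20091231
KLM1234,Z_Reporting_For_Finance,20050101,99991231
ABC0001,Z_Tasks_for_administrator,20080101,99991231
ABC0001,Z_Reporting_For_Finance,20110101,99991231
"""

# Constructed role -> S_TCODE values; ZFIN01 is a hypothetical transaction.
ROLE_TCODES = {
    "Z_Tasks_for_administrator": {"SU01"},
    "Z_Reporting_For_Finance": {"ZFIN01"},
}


def parse_dat(value):
    """Parse a YYYYMMDD date string (99991231 means 'no end date')."""
    return datetime.strptime(value, "%Y%m%d").date()


def classify_assignments(csv_text, role_tcodes, tcode, on_date):
    """Group assignments that grant `tcode` by validity status on `on_date`."""
    result = {"effective": [], "expired": [], "future": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if tcode not in role_tcodes.get(row["AGR_NAME"], set()):
            continue  # role does not carry the transaction at all
        start, end = parse_dat(row["FROM_DAT"]), parse_dat(row["TO_DAT"])
        hit = (row["UNAME"], row["AGR_NAME"], end.isoformat())
        if on_date > end:
            result["expired"].append(hit)    # still assigned, validity passed
        elif on_date < start:
            result["future"].append(hit)     # assigned, not yet valid
        else:
            result["effective"].append(hit)  # valid on the query date
    return result


if __name__ == "__main__":
    report = classify_assignments(ASSIGNMENTS_CSV, ROLE_TCODES, "SU01",
                                  date(2010, 9, 8))
    for status, hits in report.items():
        for user, role, valid_to in hits:
            print(f"{status:9} {user} {role} (valid to {valid_to})")
```
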
