Reply from Alex Ayers on Apr 28 at 3:17 AM

Hi,

Best practices are subjective (we all think what we do is good/best practice & we all can't be right!) but the key principles around user access validation/review/attestation are:

1. It is performed with a frequency related to the risk (this rarely happens but that it happens at all is better than nothing)
2. Access is signed off by people responsible for the data & process that the users are interacting with
3. The people signing it off understand what they are signing off/approving.

Assuming the users' managers are data & process owners (or have delegated authority) then your challenge is to present the information in terms that they understand. That will require a degree of translation (easy if you have jobs, not so easy if you have tasks that are bit logically grouped).

As an example you may have someone who has a role for maintaining master data. Instead of listing XK01/2/3 & various technical restrictions this could be described as "maintaining master data for customers and vendors excluding employee vendors. This role is valid for the following business areas <put in descriptions of your comp codes/org levels>". It is not an inconsiderable task but will result in better decision making.

Of course, if you are trying to tick a box for audit then most auditors will just be looking that the exercise is complete, documented and actions have been taken. The method by which it is performed, i.e. lists of transactions, will be less relevant.

Good luck
---------------Original Message---------------
From: RonnieK039
Sent: Monday, April 28, 2014 1:30 AM
Subject: Best practices for a SAP User Revalidation

Looking for some guidelines on how to perform a SAP User Re-validation. For auditing purposes I have to perform a full SAP user re-validation.

The simple idea I have is to provide to all managers a list of their users, the roles assigned and transactions contained within those roles, and from there they will have to review and provide any details to amend.

This I believe will be too much information and too technical for the majority of my Departmental managers to comprehend, especially when a user has 100's of transactions assigned.

Is this the best way to perform a user re-validation?

Thank you in advance