<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>Question Re: Critical Actions in Additional Q&amp;A</title>
    <link>https://community.sap.com/t5/additional-q-a/critical-actions/qaa-p/6857856#M66875</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;To cut down on the administrative burden of mitigating the users you could create a critical transaction role and assign the users you want to mitigate to this role and then assign the role to the mitigating control. This way you'll only be adding users to the SAP role to consider them mitigated. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dave wood&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Tue, 11 May 2010 16:15:56 GMT</pubDate>
    <dc:creator>Former Member</dc:creator>
    <dc:date>2010-05-11T16:15:56Z</dc:date>
    <item>
      <title>Critical Actions</title>
      <link>https://community.sap.com/t5/additional-q-a/critical-actions/qaq-p/6857854</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Everyone, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm trying to establish what is a good practice to follow on how to deal with critical actions. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Our thinking is that even though they are critical actions people will still need to have access to them. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here are some options with the cons we have been considering: &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1. Add the actions into Firefighter IDs &amp;amp; roles. We don't necessarily want to add actions into a firefighter role that someone is expected to do during their daily/weekly/routine activities. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2. Disable the Critical Actions rules. This will disable your ability to easily identify when an unwanted user has access to these actions. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;3. Create mitigation controls for these critical actions and assign them to the specific users. This is quite an administrative burden due to the number of critical actions. We would not want to mitigate at the Higher risk level but rather at the individual rule level. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We are leaning towards option 3 but would appreciate some other options and input on how to deal with these? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Kind Regards&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 10 May 2010 06:27:28 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/critical-actions/qaq-p/6857854</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2010-05-10T06:27:28Z</dc:date>
    </item>
    <item>
      <title>Re: Critical Actions</title>
      <link>https://community.sap.com/t5/additional-q-a/critical-actions/qaa-p/6857855#M66874</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;We are going through the same process and are using a combination of your suggestions.  First we are going through the critical actions and determining if our company (business reps and auditors) agrees with SAP standards.  Some of the transactions we don't consider as being critical so those will be disabled.  Next, we will put some critical actions in our firefighter IDs and not allow an end-user to have them in production.  Then, we will mitigate the users who use some of the transactions regularly. And lastly, we will run the critical action notify job weekly or maybe even monthly.  &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Peggy&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 11 May 2010 13:12:35 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/critical-actions/qaa-p/6857855#M66874</guid>
      <dc:creator>Rich_Turnquist1</dc:creator>
      <dc:date>2010-05-11T13:12:35Z</dc:date>
    </item>
    <item>
      <title>Re: Critical Actions</title>
      <link>https://community.sap.com/t5/additional-q-a/critical-actions/qaa-p/6857856#M66875</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;To cut down on the administrative burden of mitigating the users you could create a critical transaction role and assign the users you want to mitigate to this role and then assign the role to the mitigating control. This way you'll only be adding users to the SAP role to consider them mitigated. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Dave wood&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 11 May 2010 16:15:56 GMT</pubDate>
      <guid>https://community.sap.com/t5/additional-q-a/critical-actions/qaa-p/6857856#M66875</guid>
      <dc:creator>Former Member</dc:creator>
      <dc:date>2010-05-11T16:15:56Z</dc:date>
    </item>
  </channel>
</rss>

