Risk
Users retain access privileges after transferring to a new business role, potentially creating a segregation of duties conflict, or users who have been terminated are still active in the system, creating a security risk.
Control Description
This control focuses on ensuring the timely removal of access rights from users who have been terminated and the timely revision of access rights for users who have been transferred to new roles. The control also stipulates that each removal or revision is verified and documented.
Background
One of the most common shortcomings in user administration is the handling of terminated or transferred users in a system. The control expectation is that access for terminated and/or transferred users is removed or modified in a timely manner.
How to obtain the populations:
(Please remember that the process might change with later releases)
A listing of active users can be obtained through application Identity & Access Management > Maintain Business Users > Download Users.
Listing of active users
A listing of change documents for users can be obtained through application Identity & Access Management > Maintain Business Users > Display Changes > Apply audit period and all filters > Download.
Change documents for users
Note 1: If a user is deleted, the deletion date remains available for the year-end audit only for as long as the deleted business user is retained, and the retention period for deleted business users can be set individually by the client, so the evidence may already have been purged by the time of the audit. This can be mitigated if users authenticate via IAS (Identity Authentication Service).
Note 2: A user's roles are removed automatically when the user is deleted. The user then appears in the list "Maintain Deleted Business Users"; as long as the user name is held in this list, it cannot be assigned to a new user.
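The audit test that the two downloads feed is a reconciliation of the HR leaver/mover list against the active user listing and the change documents. The following is an added example (not part of the original post or of SAP's tooling) that performs that reconciliation on constructed sample data: the column names of the three inputs, the role names, and the five-day grace period are assumptions and must be mapped to the real export layout and the organisation's own policy.

```python
"""Added example: reconcile an HR leaver/mover list against the S/4HANA Cloud
user exports (Download Users, Display Changes) to find terminated users that
are still active and transferred users whose old roles were not removed in time."""
import csv
import io
from datetime import date

# Constructed sample of the "Download Users" export. Column names are assumed
# and simplified; map them to the real export header of your release.
ACTIVE_USERS_CSV = """user_id,business_roles,locked
ADAMS,SAP_BR_AP_ACCOUNTANT,No
BROWN,SAP_BR_PURCHASER,No
CLARK,SAP_BR_GL_ACCOUNTANT,No
DAVIS,SAP_BR_PURCHASER,Yes
"""

# Constructed sample of the "Display Changes" export (assumed layout):
# one row per changed field, with the old and the new value.
CHANGE_DOCS_CSV = """user_id,change_date,field,old_value,new_value
BROWN,2023-03-20,business_role,SAP_BR_AP_ACCOUNTANT,
DAVIS,2023-05-02,locked,No,Yes
EVANS,2023-02-10,deleted,,X
"""

# Constructed HR population of leavers and movers (assumed layout). For a
# mover, old_roles lists the roles that belonged to the previous function.
HR_EVENTS_CSV = """user_id,event,effective_date,old_roles
ADAMS,terminated,2023-04-01,
DAVIS,terminated,2023-04-15,
EVANS,terminated,2023-02-08,
BROWN,transferred,2023-03-01,SAP_BR_AP_ACCOUNTANT
CLARK,transferred,2023-03-01,SAP_BR_GL_ACCOUNTANT
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _roles(cell):
    return {r for r in cell.split(";") if r}


def reconcile(active_csv, changes_csv, hr_csv, grace_days=5):
    """Return a sorted list of (user_id, finding) tuples.

    A removal counts as timely when the change document is dated no more than
    grace_days after the HR effective date (grace_days is an assumed policy)."""
    active = {r["user_id"]: r for r in _rows(active_csv)}
    changes = _rows(changes_csv)
    findings = []

    def first_change(user, field, old=None):
        """Date of the earliest change document for user/field (optionally
        matching old_value), or None if no such document exists."""
        hits = [c for c in changes if c["user_id"] == user and c["field"] == field
                and (old is None or c["old_value"] == old)]
        return min((date.fromisoformat(c["change_date"]) for c in hits), default=None)

    for ev in _rows(hr_csv):
        user = ev["user_id"]
        effective = date.fromisoformat(ev["effective_date"])
        if ev["event"] == "terminated":
            # Acceptable evidence of removal: a deletion or a lock change document.
            removed_on = first_change(user, "deleted") or first_change(user, "locked")
            still_active = user in active and active[user]["locked"] != "Yes"
            if still_active:
                findings.append((user, "terminated but still active and unlocked"))
            elif removed_on is None:
                findings.append((user, "terminated, no change document evidencing removal"))
            elif (removed_on - effective).days > grace_days:
                late = (removed_on - effective).days
                findings.append((user, f"terminated, removed {late} days after leaving"))
        elif ev["event"] == "transferred":
            for role in _roles(ev["old_roles"]):
                removed_on = first_change(user, "business_role", old=role)
                if user in active and role in _roles(active[user]["business_roles"]):
                    findings.append((user, f"transferred but old role {role} still assigned"))
                elif removed_on is not None and (removed_on - effective).days > grace_days:
                    late = (removed_on - effective).days
                    findings.append((user, f"transferred, {role} removed {late} days after move"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in reconcile(ACTIVE_USERS_CSV, CHANGE_DOCS_CSV, HR_EVENTS_CSV):
        print(f"{user}: {finding}")
```

Note the two sources of evidence: the active listing answers "is the access gone today?", while the change documents answer "when was it removed, and by whom?". A user missing from the active listing with no matching change document is worth a separate question to the client, since that is exactly the situation Note 1 describes where the deletion record may have aged out of retention.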
Risk:
Insufficient user review can lead to the following risks:
Control Description:
To ensure that authorizations are assigned correctly and that all users, active or inactive, are handled properly, user access needs to be reviewed periodically.
Background:
The previous two topics (Authorization Assignment and Terminated or Transferred Users) have shown the fundamental role privileges play in any audit; it is therefore just as vital to regularly review the access users have to the system.
The following standard SAP report can be used as a basis for the user access review:
Navigate to application Identity & Access Management > Maintain Business Users > Download Users.
User access review
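The user listing is only the raw population; the review itself consists of the questions the reviewer asks of each row. As an added example (not part of the original post or of SAP's tooling), the following turns a constructed "Download Users" export into a review worklist with two of the usual checks: dormant or locked accounts, and business-role combinations that conflict under a segregation-of-duties matrix. The column names, the role names, the 90-day dormancy threshold and the conflict pairs are all assumptions to be replaced with the organisation's own data and ruleset.

```python
"""Added example: build a periodic access review worklist from the
"Download Users" export: dormant/locked accounts and segregation-of-duties
conflicts under an assumed conflict matrix."""
import csv
import io
from datetime import date

# Constructed sample export; column names are assumed and simplified.
USERS_CSV = """user_id,business_roles,last_logon,locked
ADAMS,SAP_BR_AP_ACCOUNTANT,2023-06-28,No
BROWN,SAP_BR_PURCHASER;SAP_BR_AP_ACCOUNTANT,2023-06-30,No
CLARK,SAP_BR_GL_ACCOUNTANT,2023-01-15,No
DAVIS,SAP_BR_PURCHASER,,Yes
ELLIS,SAP_BR_CONFIG_EXPERT;SAP_BR_ADMINISTRATOR,2023-06-29,No
"""

# Assumed conflict matrix (illustrative role names): pairs of business roles
# that should not sit with one person. Replace with the organisation's SoD ruleset.
SOD_CONFLICTS = {
    frozenset({"SAP_BR_PURCHASER", "SAP_BR_AP_ACCOUNTANT"}): "order goods and pay the invoice",
    frozenset({"SAP_BR_CONFIG_EXPERT", "SAP_BR_ADMINISTRATOR"}): "configure the system and administer users",
}


def review(users_csv, as_of, dormant_days=90, conflicts=SOD_CONFLICTS):
    """Return {user_id: [flag, ...]} for every user that needs reviewer attention.

    as_of is the review date as an ISO string (e.g. "2023-07-01")."""
    as_of = date.fromisoformat(as_of)
    flags = {}
    for row in csv.DictReader(io.StringIO(users_csv)):
        user = row["user_id"]
        roles = {r for r in row["business_roles"].split(";") if r}
        issues = []
        if row["locked"] == "Yes":
            # Locked is not deleted: confirm whether the user should be removed.
            issues.append("locked account still present: confirm deletion/retention")
        elif not row["last_logon"]:
            issues.append("never logged on: confirm the account is still needed")
        elif (as_of - date.fromisoformat(row["last_logon"])).days > dormant_days:
            issues.append(f"dormant for more than {dormant_days} days")
        for pair, description in conflicts.items():
            # A conflict applies when the user holds every role of the pair.
            if pair <= roles:
                issues.append(f"SoD conflict ({description}): {' + '.join(sorted(pair))}")
        if issues:
            flags[user] = issues
    return flags


if __name__ == "__main__":
    for user, issues in review(USERS_CSV, "2023-07-01").items():
        for issue in issues:
            print(f"{user}: {issue}")
```

The output is the worklist the business owners sign off on; users with no flags still need an explicit "access still appropriate" confirmation, and the signed-off list together with the export it was built from is the documentation the control requires.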
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we've created for this purpose.
Or contact us on LinkedIn.