
Unpersonalized users

Former Member
0 Kudos

Hello All,

We are having a discussion about the use of unpersonalized (dialog) users for business in our organisation.

Business wants to use these for trainees and maintain a log of who used the user when, including usage of valid-to and valid-from dates. The external auditor has agreed to that.

I don't like the idea at all, but I'm lacking valid points to argue against it, as this was not an option in any of the companies I've worked for so far, and with the auditor agreeing to this, it is even harder. I just want to avoid getting into trouble at some point in the future. Could you please share some impacts that this could have?

greetings

Alexander Walkenhorst

Accepted Solutions (1)

steverumsby
Active Contributor
0 Kudos

Have you checked that this complies with the wording of your SAP contract? You may find the term "named user" in there...

Steve.

Former Member
0 Kudos

Good point,

Mentally I was on a different track. Any more aspects I'm missing here?

steverumsby
Active Contributor
0 Kudos

As Gretchen says below, I'm staggered that an external auditor approves of such an arrangement. I wouldn't, for all the reasons she mentions. The first sign of fraud and all involved will instantly regret it.

Security is like insurance - it is often a pain in the neck, and wallet, and when you don't need it (all your users are behaving themselves) you'll wish you didn't have to bother. But when something goes wrong you'll be glad you've got it...

Steve.

Answers (3)

pmuschick
Participant
0 Kudos

Hello,

From an auditor's perspective I would not agree to any anonymous users for business in a productive environment. Only emergency or service accounts, and sometimes admins, should have such access.

If you can, make a proposal: set up a management process and assign roles to trainees (with named users) only for the dedicated period they are working in a department. Mostly trainees have a predetermined schedule of their departments, and therefore it should be possible to assign the roles according to their actual department schedule. This would help to decrease the management effort. If this is not possible (no plan existing), then always limit roles to the available date; no unlimited assignment.

former_member188433
Participant
0 Kudos

Could you install a separate training system?

Former Member
0 Kudos

Jeff,

The requirement is that these trainees should take part in day-to-day business, but only for four weeks. Most of them won't touch SAP again. Business wants to avoid creating users for only four weeks and fears that they gather roles from multiple departments and become too powerful. I understand the concern.

steverumsby
Active Contributor
0 Kudos

How would "gathering roles from multiple departments" be any different if you used shared users?

Steve.

Former Member
0 Kudos

They would tend to gather faster if you have a shared user ID, as there are more people moving around and the likelihood of forgetting to remove the role again is very real in the real world. Or one apprentice does PO approvals and accounts payable in the morning and another (with the same ID) does vendor master maintenance in the afternoons.

When they are prompted to change the password at end of validity they will also not know how many others to tell the new password to, so they will probably write it on a post-it on the inside of the laptop screen so that it can be passed on...

I am speculating now, but one reason why the auditors might be OK with it is conscience -> they are known to do exactly that as well and have a user ID called AUDITOR01 because every year they send you a different auditor.

Cheers,

Julius
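The two approaches discussed above, pmuschick's dated role assignments on named users and Julius's picture of roles piling up on one shared ID, can be put side by side in a small model. The following is an added example, not code from the thread or from SAP: the role names (Z_PO_APPROVE, Z_AP_POST, Z_VENDOR_MAINTAIN), the department-to-role mapping, the segregation-of-duties pairs and the rotation plan are all constructed for illustration. It generates time-bounded assignments from a rotation schedule, then walks the calendar to find days on which one user ID holds a conflicting pair, which is exactly what happens on the shared ID once one department forgets to remove its role.

```python
"""
Added example (not part of the original thread): compare time-bounded role
assignments on named trainee users with role accumulation on a shared
department ID, and check segregation-of-duties (SoD) conflicts over time.
Role names, department mapping, SoD pairs and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_from: date
    valid_to: date  # inclusive, as an SAP role validity end date would be

# Constructed: roles a department hands to a trainee for the rotation.
DEPARTMENT_ROLES = {
    "purchasing": {"Z_PO_APPROVE"},
    "accounts_payable": {"Z_AP_POST"},
    "vendor_master": {"Z_VENDOR_MAINTAIN"},
}

# Constructed SoD matrix: pairs of roles one person must never hold at once.
SOD_CONFLICTS = {
    frozenset({"Z_PO_APPROVE", "Z_VENDOR_MAINTAIN"}),
    frozenset({"Z_AP_POST", "Z_VENDOR_MAINTAIN"}),
}

FAR_FUTURE = date(9999, 12, 31)  # "unlimited" validity

def assignments_for_schedule(user, schedule):
    """Named-user approach: each rotation (dept, start, end) becomes a role
    assignment bounded by valid_from/valid_to. Nothing is unlimited."""
    out = []
    for dept, start, end in schedule:
        for role in sorted(DEPARTMENT_ROLES[dept]):
            out.append(Assignment(user, role, start, end))
    return out

def shared_id_assignments(shared_user, rotations, cleanup_done):
    """Shared-ID approach: every trainee passing through adds the department's
    roles to the one ID. A role is only removed when someone remembers;
    `cleanup_done` holds the (dept, end_date) pairs that were actually cleaned."""
    out = []
    for dept, start, end in rotations:
        removed = (dept, end) in cleanup_done
        for role in sorted(DEPARTMENT_ROLES[dept]):
            out.append(Assignment(shared_user, role, start,
                                  end if removed else FAR_FUTURE))
    return out

def active_roles(assignments, user, on):
    """Roles valid for `user` on calendar day `on`."""
    return {a.role for a in assignments
            if a.user == user and a.valid_from <= on <= a.valid_to}

def sod_violations(assignments, user, start, end):
    """Walk the timeline day by day; report (day, conflicting pair) for every
    day on which the user holds a full SoD conflict pair."""
    hits = []
    day = start
    while day <= end:
        roles = active_roles(assignments, user, day)
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                hits.append((day, tuple(sorted(pair))))
        day += timedelta(days=1)
    return hits

def demo():
    """Constructed rotation plan: four weeks per department, no overlap.
    Returns (violations for named user, violations for shared ID)."""
    plan = [
        ("purchasing", date(2024, 1, 1), date(2024, 1, 28)),
        ("accounts_payable", date(2024, 1, 29), date(2024, 2, 25)),
        ("vendor_master", date(2024, 2, 26), date(2024, 3, 24)),
    ]
    window = (date(2024, 1, 1), date(2024, 3, 24))
    named = assignments_for_schedule("TRAINEE_A", plan)
    named_hits = sod_violations(named, "TRAINEE_A", *window)
    # On the shared ID only accounts payable remembered to remove its role,
    # so Z_PO_APPROVE lingers and overlaps Z_VENDOR_MAINTAIN from 26 Feb on.
    shared = shared_id_assignments(
        "TRAINEE01", plan,
        cleanup_done={("accounts_payable", date(2024, 2, 25))})
    shared_hits = sod_violations(shared, "TRAINEE01", *window)
    return len(named_hits), len(shared_hits)

if __name__ == "__main__":
    print(demo())  # (0, 28): 28 days of PO approval + vendor maintenance on one ID
```

The named user never trips a conflict because each assignment ends on the day the rotation ends. The shared ID reports one violation per day from 26 February to 24 March, because the forgotten purchasing role is still valid when vendor master maintenance is added; the same walk over the real assignment table (in SAP, the validity dates on the user's role assignments) is the check an auditor would expect to see automated rather than kept in a spreadsheet.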

steverumsby
Active Contributor
0 Kudos

We don't give auditors access to our systems...

Matt_Fraser
Active Contributor
0 Kudos

What is the point of training these users if, after the four weeks are up, they will never touch SAP again? I do get the concern about the churn created by constantly creating and then invalidating accounts every four weeks. Seems like something IdM could help with, but I haven't used that tool so wouldn't know for sure.

Former Member
0 Kudos

My current organization does not give external auditors access to the systems, so we have to pull the data for them. At my previous customer organization, external auditors, like everyone else who wanted an SAP account, were required to have HR records, and the auditor role was assigned to the audit org unit.

Shared IDs for *auditors*? <smh> They better hope no auditor like me comes along one of these years.

Gretchen

Matt_Fraser
Active Contributor
0 Kudos

Wise!

We are audited by the State annually, and in the fourteen years I have been with my current employer, managing our SAP system, only once has a State auditor asked for direct access to the system. Every other year they just ask for reports or extracts from it and are happy to let us provide them. Actually, most years the auditors don't even talk to IT; Finance deals with them and it is Finance that asks us for the extracts and reports. We have had a couple years, though, where the auditors wanted to look at things like the history of all transports to production in the course of a given year, and then they picked two (seemingly at random) and asked for the documented approval chain for them.

A few years ago our internal auditor asked for access, and so we do have an auditor role for that. However, as that person is an employee, they would have an account anyway for ESS purposes, so it was just a matter of adding the additional role.

Former Member
0 Kudos

The idea is that they (trainee, apprentice) are on a training programme for two to three years and are working with most departments (not IT, of course) for a while to get a complete overview of the processes in a company. Most employees did that (me too) at the beginning of their career.

They would use a department trainee user and switch to the next department user when they switch to the next department.

Colleen
Advisor
0 Kudos

Normally I make auditors sit with me and extract the data to stop them pulling tables and data without the context. It's frustrating, as once they put an invalid risk in a report it takes a lot of effort and grief to explain why their assessment is wrong or that there is a control in place already.

But then I worked on a few government systems, and the internal auditors had legislation or frameworks that gave them the right to access all data. It's amusing when they demand a generic user to use in their team, which contradicts a heap of items they would mark as a violation for anyone else.

Like Gretchen, I would be concerned with an external auditor supporting a shared account with modify access. An xls spreadsheet to track usage probably would not stand up in court to prove who had access and, if fraud occurred, to identify which person of the group had access. Possibly a password change each time might reduce it, but I suspect the team leader would track the password.

does the system have SSO in place as well?

Matt_Fraser
Active Contributor
0 Kudos

It seems to me that it would be easier, then, to still assign them their own named user accounts, which follow them for the duration of their stay at the company. Just switch the role assignments as appropriate as they change departments for their apprenticeship.

Colleen
Advisor
0 Kudos

I had an old team leader say to me if I ever become an auditor and have to look in her area she would be taking leave. And she already had pretty tight controls and rules.

Former Member
0 Kudos

Alexander,

It is rather surprising that an external auditor would agree to such a plan. All it will take is one time when there is fraud committed by one of these accounts, and the manual log shows a mysterious gap during the time when it occurred. That will be the end of anonymous shared dialog accounts and perhaps also the employment of the manager who signed off on that scheme. Configuring the system to ensure accountability for the business transactions is a key control for most organizations.

Regards,

Gretchen

Former Member
0 Kudos

Gretchen,

that is my experience too. I wouldn't even consider that. But such is life.