Terminated or Transferred Users / User Access Review (Part 3.3/3.4)
Users retain access privileges even though they have transferred to a new business role, potentially creating a segregation of duties conflict, or users who have been terminated are still active in the system, creating a security risk.
This control focuses on ensuring the timely removal of access rights from users who have been terminated and those who have been transferred to new roles. The control also stipulates that removal or revision of access rights takes place in a timely fashion and is both verified and documented.
One of the most common shortcomings in the handling of users is dealing with terminated or transferred users in a system. The control objective is that access for terminated and/or transferred users is removed or modified in a timely manner.
(Please remember that the process might change with later releases)
- Listing of active users
A listing of active users can be obtained through application Identity & Access Management > Maintain Business Users > Download Users.
- Change documents for users
A listing of change documents for users can be obtained through application Identity & Access Management > Maintain Business Users > Display Changes > Apply audit period and all filters > Download.
Note 1: The deletion date will be stored for the year-end audit if a user is deleted but the retention period for deleted business users can be set individually by the client. This can be mitigated by authenticating via IAS.
Note 2: Users’ roles will be removed automatically with their deletion. Hereafter, the user enters the list “Maintain Deleted Business Users”. As long as the username is stored within this list it is not possible to assign it to a new user.
Insufficient User Review can lead to the following risks:
- Failure in implementation of proper access controls for cloud management interfaces
- Inadequate logical access control options due to cloud service immaturity
- Inability to restrict access or implement segregation of duties for cloud provider staff
- Unauthorized access
To ensure the proper assignment of authorizations as well as a correct handling of all users, active or inactive, user access needs to be reviewed periodically.
The previous two topics (Authorization Assignment and Terminated or Transferred Users) have shown the fundamental role privileges play in any audit – therefore, it is just as vital to regularly perform a review of the access users have to the system.
The following standard SAP report can be used as a basis for the user access review:
Navigate to application Identity & Access Management > Maintain Business Users > Download Users.
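As an added example (not part of the original post or of SAP's tooling), the following script performs the review described above offline: it joins a downloaded active-user list against an HR list of termination and transfer events and flags terminated users who are still active, transferred users who still hold roles from their previous position, and how many days each finding is overdue. The CSV column names, role names and sample rows are constructed assumptions, not the real export layout of Maintain Business Users.

```python
import csv
import io
from datetime import date

# Constructed sample of a "Download Users" export; column names are assumed.
ACTIVE_USERS_CSV = """user_id,status,business_roles
JSMITH,Active,BR_AP_ACCOUNTANT
ADOE,Active,BR_AP_ACCOUNTANT;BR_GL_ACCOUNTANT
BLEE,Active,BR_PURCHASER
"""

# Constructed HR event list (assumed format): what each user should hold now.
HR_EVENTS_CSV = """user_id,event,event_date,new_roles
JSMITH,terminated,2024-03-01,
ADOE,transferred,2024-02-15,BR_GL_ACCOUNTANT
BLEE,transferred,2024-01-10,BR_PURCHASER
"""


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(active_csv, hr_csv, as_of, max_days=7):
    """Return (user_id, finding, days_overdue) tuples.

    max_days is the grace period the control allows for removing or
    revising access after the HR event; anything beyond it is overdue.
    """
    active = {row["user_id"]: row for row in load(active_csv)}
    review_date = date.fromisoformat(as_of)
    findings = []
    for ev in load(hr_csv):
        user = active.get(ev["user_id"])
        if user is None or user["status"] != "Active":
            continue  # access already removed: nothing to report
        overdue = (review_date - date.fromisoformat(ev["event_date"])).days - max_days
        if ev["event"] == "terminated":
            findings.append((ev["user_id"], "terminated user still active", max(overdue, 0)))
        elif ev["event"] == "transferred":
            held = set(filter(None, user["business_roles"].split(";")))
            expected = set(filter(None, ev["new_roles"].split(";")))
            stale = held - expected  # roles carried over from the old position
            if stale:
                detail = "stale roles after transfer: " + ",".join(sorted(stale))
                findings.append((ev["user_id"], detail, max(overdue, 0)))
    return findings


if __name__ == "__main__":
    for user_id, finding, days in review_access(ACTIVE_USERS_CSV, HR_EVENTS_CSV, "2024-03-20"):
        print(f"{user_id}: {finding} ({days} days overdue)")
```

The stale-role case is the segregation of duties scenario from the opening paragraph: ADOE moved to general ledger but still holds the accounts payable role.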
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.
Or contact us on LinkedIn.