Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
patrickboch
Advisor

3.3 Terminated or Transferred Users

Risk

Users retain their access privileges after transferring to a new business role, potentially creating a segregation of duties conflict, or users who have been terminated are still active in the system, creating a security risk.

 

Control Description

This control ensures that access rights are removed from users who have been terminated and revised for users who have been transferred to new roles. It also stipulates that the removal or revision takes place in a timely fashion and is both verified and documented.

 

Background

One of the most common shortcomings in user administration is the handling of terminated or transferred users. The control expects access for terminated or transferred users to be removed or modified in a timely manner.

 

How to obtain the populations:

(Please remember that the process might change with later releases.)

    • Listing of active users

A listing of active users can be obtained through the application Identity & Access Management > Maintain Business Users > Download Users.

Screenshot: listing of active users




    • Change documents for users

A listing of change documents for users can be obtained through the application Identity & Access Management > Maintain Business Users > Display Changes > Apply audit period and all filters > Download.

Screenshot: change documents for users

 

Note 1: If a user is deleted, the deletion date is kept for the year-end audit, but the retention period for deleted business users can be set individually by each customer, so the record may no longer be available when the audit takes place. This can be mitigated by authenticating via IAS (SAP Cloud Identity Services - Identity Authentication).

 

Note 2: A user's role assignments are removed automatically when the user is deleted. The user then appears in the list Maintain Deleted Business Users, and as long as the user name is held in that list it cannot be assigned to a new user, so a leaver's user name is not silently reused.



3.5 User Access Review

Risk:

An insufficient user access review can lead to the following risks:

    • Failure to implement proper access controls for cloud management interfaces

    • Inadequate logical access control options due to cloud service immaturity

    • Inability to restrict access or implement segregation of duties for cloud provider staff

    • Unauthorized access



Control Description:

To ensure the proper assignment of authorizations as well as correct handling of all users, active or inactive, user access needs to be reviewed periodically.

 

Background:

The previous two topics (Authorization Assignment and Terminated or Transferred Users) have shown the fundamental role privileges play in any audit; therefore, it is equally vital to regularly perform a review of the access users have to the system.

The following standard SAP report can be used as the basis for the user access review:

Navigate to the application Identity & Access Management > Maintain Business Users > Download Users.

Screenshot: user access review
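To turn the downloads described in sections 3.3 and 3.5 into an auditable check, the following script (added here as an example; it is not part of the original post and not SAP's code) reconciles a Download Users export and a Display Changes export with an HR list of leavers and transfers. It flags terminated users who are still active, deactivations that lack a change document or were documented after an assumed grace period, transferred users who kept roles not approved for their new position, and active users holding a segregation-of-duties conflict. The CSV column names, role names, the approved-roles matrix, the SoD rule, the grace period and every sample row are constructed assumptions; map them to the real export headers before use.

```python
"""Reconcile S/4HANA Cloud user exports with HR leaver/transfer data.

Added example, not from the original post or from SAP. Column names,
role names, the approved-roles matrix and the SoD rule are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample of a "Download Users" export (column names assumed).
USERS_CSV = """user_name,first_name,last_name,valid_to,locked,business_roles
JDOE,Jane,Doe,9999-12-31,no,BR_AP_ACCOUNTANT;BR_GL_ACCOUNTANT
RROE,Richard,Roe,9999-12-31,no,BR_PURCHASER;BR_AP_ACCOUNTANT
MLEE,Mary,Lee,2024-01-15,yes,BR_SALES_MANAGER
TKIM,Tom,Kim,9999-12-31,no,BR_EMPLOYEE
"""

# Constructed sample HR extract: leavers and transfers in the audit period.
HR_CSV = """user_name,event,event_date,new_position
RROE,transfer,2024-02-01,PURCHASING
MLEE,termination,2024-01-10,
TKIM,termination,2024-02-20,
"""

# Constructed sample of a "Display Changes" export, one row per change document.
CHANGES_CSV = """user_name,change_date,changed_by,change
MLEE,2024-01-12,ADMIN1,Locked user
MLEE,2024-01-12,ADMIN1,Validity end set to 2024-01-15
RROE,2024-02-03,ADMIN2,Business role BR_PURCHASER added
"""

# Assumed approved roles per target position, and one assumed SoD rule:
# creating purchase orders must not be combined with posting vendor invoices.
APPROVED_ROLES = {"PURCHASING": {"BR_PURCHASER", "BR_EMPLOYEE"}}
SOD_RULES = [({"BR_PURCHASER"}, {"BR_AP_ACCOUNTANT"})]
GRACE_DAYS = 5  # assumed: removal must be documented within 5 days of the HR event


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def roles_of(user):
    return {r for r in user["business_roles"].split(";") if r}


def is_active(user, as_of):
    """Active = not locked and validity end not yet reached."""
    return user["locked"].lower() != "yes" and date.fromisoformat(user["valid_to"]) >= as_of


def review(users_csv, hr_csv, changes_csv, as_of_iso):
    """Return (user_name, finding) pairs for the auditor's worksheet."""
    as_of = date.fromisoformat(as_of_iso)
    users = {u["user_name"]: u for u in load(users_csv)}
    changes = load(changes_csv)
    findings = []

    # Section 3.3: every HR leaver/transfer must be reflected in the system,
    # on time, and backed by a change document.
    for ev in load(hr_csv):
        user = users.get(ev["user_name"])
        if user is None:
            continue  # already deleted; check Maintain Deleted Business Users instead
        deadline = date.fromisoformat(ev["event_date"]) + timedelta(days=GRACE_DAYS)
        docs = [c for c in changes if c["user_name"] == ev["user_name"]]
        if ev["event"] == "termination":
            if is_active(user, as_of):
                findings.append((user["user_name"], "terminated but still active"))
            elif not docs:
                findings.append((user["user_name"], "deactivated without a change document"))
            elif all(date.fromisoformat(c["change_date"]) > deadline for c in docs):
                findings.append((user["user_name"], "deactivation documented after the deadline"))
        elif ev["event"] == "transfer":
            kept = roles_of(user) - APPROVED_ROLES.get(ev["new_position"], set())
            if kept:
                findings.append((user["user_name"],
                                 f"roles not approved for {ev['new_position']}: {sorted(kept)}"))

    # Section 3.5: periodic review of all active users against the SoD rules.
    for user in users.values():
        if not is_active(user, as_of):
            continue
        held = roles_of(user)
        for left, right in SOD_RULES:
            if held & left and held & right:
                findings.append((user["user_name"],
                                 f"SoD conflict: {sorted(held & left)} with {sorted(held & right)}"))
    return findings


def audit_findings(as_of_iso="2024-03-31"):
    """Run the review over the constructed samples."""
    return review(USERS_CSV, HR_CSV, CHANGES_CSV, as_of_iso)


if __name__ == "__main__":
    for user_name, finding in audit_findings():
        print(f"{user_name}: {finding}")
```

On the constructed samples the script reports three findings: TKIM was terminated but is still active, RROE kept BR_AP_ACCOUNTANT after moving to purchasing, and that same user now holds a purchaser/accounts-payable SoD conflict; MLEE produces nothing because the lock and validity change were documented within the grace period. A user who no longer appears in the Download Users export is skipped on purpose, because per Note 2 a deleted user is found in Maintain Deleted Business Users rather than in the active listing.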


 

Engage with us

To read all upcoming posts in this series, please follow the S4HANACloud audit tag we've created for this purpose.

Or contact us on LinkedIn.