  • 1.  Roles and Responsibilities and SOD in EBS

    Posted 11-04-2021 03:38 PM
    I imagine this is not a new question so sorry if it has been covered before but I wasn't sure what to search for exactly.  As a DBA providing EBS support and looking after upgrades and technology aspects I am not that familiar with all the roles and responsibilities as our appsdba has looked after that more so.  Now after an audit review the topic of Segregation of Duties has come up and it wasn't specifically stated but perhaps I don't need say System Administrator to do my job which when I login would be more along the lines of checking concurrent processes and other functional aspects of services required to be running.

    So I guess my question is: is there a guide or best practice, or what are people doing, that covers how to reduce a person's level of access yet still allows them to do their job, and then only when required do they use a different account with additional responsibilities?  Like I know I could login with sysadmin but we don't want to do that either unless there was a way to track who logged in as that user I guess and for what purpose (audit record).

    I did find an old Collaborate presentation for 2014 that a Business Partner presented which refers to this so I may start there.

    ------------------------------
    Mark Schlechte
    DBA
    City of Regina
    Regina SK
    ------------------------------


  • 2.  RE: Roles and Responsibilities and SOD in EBS

    Posted 11-05-2021 11:54 AM
    Mark,

    We do this by creating a user account tied to an employee and assigning the System Administrator, System Administration, and Functional Administrator responsibilities to that account.  That way you know who actually accessed the system.  The only time we use the sysadmin account is when we want to start a cyclical concurrent process.

    An alternative is you can create a delegation from the sysadmin account to a user.  But you still have the issue of not knowing who is performing the action.


    ------------------------------
    Thomas Mullen
    Solutions Architect
    Sandia National Laboratories
    Albuquerque NM
    (505) 263-4507
    ------------------------------



  • 3.  RE: Roles and Responsibilities and SOD in EBS

    Posted 11-07-2021 10:45 PM
    We don't use the System Administrator responsibility; instead we created read-only responsibilities for DBAs and assigned them to individual DBA users to perform daily sysadmin work so that they can't make any changes to the system. A DBA can't make any changes to prod unless they have an approved change request. If a CR is approved and assigned to a DBA, in that case they assign the system admin responsibility to their user to perform System Admin related work. On a weekly basis we run the sign-on audit report and validate who logged into the system using the system admin responsibility. If a record is found in the sign-on audit report, we add a column and provide a CR number next to the user who logged in with the system admin responsibility.  So far this process is working great; even though this process is tedious, it is worth it, as the auditor loves it.

    Thanks,
    Mugees
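
The weekly reconciliation described in the post above, as an added example (not code from the thread or from Oracle): it matches each System Administrator sign-on against an approved change request assigned to the same user and lists the sign-ons with no covering CR. The CSV column names, the CR time window and all sample rows are assumptions constructed for illustration; map them to whatever your sign-on audit export and change system actually produce.

```python
import csv
import io
from datetime import datetime

# Constructed sample data. Column names are assumed, not Oracle's report layout.
SIGNON_AUDIT_CSV = """user_name,responsibility,login_time
JSMITH,System Administrator,2021-11-02 09:15
JSMITH,DBA Read Only,2021-11-03 08:00
AKHAN,System Administrator,2021-11-04 22:40
SYSADMIN,System Administrator,2021-11-05 01:10
"""
APPROVED_CRS_CSV = """cr_number,assigned_to,window_start,window_end
CR-EXAMPLE-1,JSMITH,2021-11-02 08:00,2021-11-02 12:00
CR-EXAMPLE-2,AKHAN,2021-11-03 20:00,2021-11-03 23:59
"""
FMT = "%Y-%m-%d %H:%M"
PRIVILEGED = {"system administrator"}  # responsibilities that require a CR


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(signon_csv, cr_csv, privileged=PRIVILEGED):
    """Return one record per privileged sign-on with its covering CR, or None."""
    crs = _rows(cr_csv)
    results = []
    for row in _rows(signon_csv):
        if row["responsibility"].strip().lower() not in privileged:
            continue  # read-only responsibilities need no CR
        user = row["user_name"].strip().upper()
        when = datetime.strptime(row["login_time"], FMT)
        # A CR covers the sign-on only if it is assigned to the same named
        # user and the login falls inside the approved window (assumption).
        match = next(
            (c["cr_number"] for c in crs
             if c["assigned_to"].strip().upper() == user
             and datetime.strptime(c["window_start"], FMT) <= when
             <= datetime.strptime(c["window_end"], FMT)),
            None)
        results.append({"user": user, "login_time": row["login_time"], "cr": match})
    return results


def exceptions(results):
    """Privileged sign-ons that no approved CR explains; these go to review."""
    return [r for r in results if r["cr"] is None]


if __name__ == "__main__":
    for r in reconcile(SIGNON_AUDIT_CSV, APPROVED_CRS_CSV):
        print(f'{r["user"]:<10}{r["login_time"]:<18}{r["cr"] or "NO APPROVED CR"}')
```

A sign-on by the shared SYSADMIN account can never match, because a CR is assigned to a named person; that is the attribution gap the thread is discussing.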





  • 4.  RE: Roles and Responsibilities and SOD in EBS

    Posted 11-05-2021 12:19 PM
    Mark,

    I cover this in my EBS security and controls book. If you email me at jhare@erpra.net I will send you a PDF of the book.

    Short answer... SYSADMIN login should never be used for application maintenance other than when the activity can only be done via SYSADMIN, and that is very, very rare.  99% of the time the activity can be done through a named user and using the System Administrator responsibility.

    Regards,
    Jeff Hare, CPA CIA CISA

    ------------------------------
    Jeff Hare CPA CIA CISA
    CEO
    ERP Risk Advisors
    Greeley CO
    (970) 324-1450
    ------------------------------



  • 5.  RE: Roles and Responsibilities and SOD in EBS

    Posted 11-08-2021 09:16 AM
    Just wanted to say thanks for the feedback everyone.

    ------------------------------
    Mark Schlechte
    DBA
    City of Regina
    Regina SK
    ------------------------------