02-28-2007 4:29 PM
Hi,
I'm new to SAP security, but I've worked with SAP for a number of years. A user is requesting SUIM access because she needs to review her roles bi-annually for SOX audits. I have never seen this transaction given out to the user community and just want to give an answer other than "It just isn't done!". Can you please explain to me why or why not this transaction or part of this transaction should or shouldn't be extended into the user community? Thank you!
Regards,
Gregory A Pioch
SAP/EDI Analyst, Information Services
Inverness Medical Innovations/Unipath
2 Research Way
Princeton, NJ 08540
Work: (609) 627 - 8034
Cell: (201) 956 - 0038
Fax: (609) 672 - 8013
E-Mail: greg.pioch@invmed.com
02-28-2007 4:41 PM
Greg,
SUIM is a display-only transaction. It is suitable IMHO to be given to end users for access reviews.
Also, you can review the different transactions on each of the nodes and restrict them as you feel appropriate, such as not giving out change documents, role comparisons and by logon date password change.
Cheers,
Ben
03-01-2007 8:24 AM
Well, SUIM allows the user to determine not only his/her own authorizations / roles and to evaluate the corresponding change documents - but the user can also request information on other users.
Maybe transaction SU56 would be sufficient for SOX requirements.
SU56 only lists the authorization assignments of one's own user.
Unfortunately it refers to the technical assignments (profiles) rather than the more abstract role assignments.
Cheers, Wolfgang
02-28-2007 4:41 PM
I'm new to security as well, but I find SUIM very valuable to auditing authorizations. We've granted it to our security admin role as well as our security auditor role (which includes SM18, SM19, and SM20 as well).
I don't think it's necessary for very many users, but I do think it's appropriate for those who do security audits for compliance and SOX.
Regards,
Erik Jensen