
Granular permission

Dear all

We are on the way to applying SoD. We read about granular permission, and we wonder if it will help us to make segregation of duties between system administrator and security administrator. We also want to know its advantages and disadvantages.

Thanks in advance


2 Answers

  • Best Answer
    Posted on Oct 03, 2018 at 10:39 PM

    The biggest challenge on this is no different to business challenge: the team structure and roles and responsibilities. Do you currently have a dedicated security team or are the security administrators also the system administrators?


    If you just mean SAP systems, then you can start to segregate admin functions by

    1. Building more granular roles and splitting out the security access (split to system admin display, system admin maintenance which could be smaller roles, user administrator, role administrator, security display). You might even split user admin out to be end user maintenance versus system users (SUPER user group).

    2. Identify which users are allowed which access

    3. Consider maintenance access to be via Firefighter so it can be logged



    The advantage of all of this is you are remediating and mitigating access risk. You may also be adhering to compliance requirements and policies, but you still have an organisational change, training, security build work (if the access is not split out, etc.). You also need to review the ruleset to ensure the system admin/technical access, etc. is sufficiently defined for your organisation - again just like a business end user.

    But something to keep in mind: System Admins - sometimes we focus on restricting their application layer access only to discover they have full admin rights to OS/DB.


    • Thanks Colleen for your reply and your explanation.

      We (security team) aim to apply segregation of duties (between system admins and security admins) on the SYBASE database.

      Also I have inquiries about applying SoD:

      1- Is it worth applying SoD using granular permission?

      2- Is there any other way to apply SoD?

      3- What is the best practice for applying SoD?


      Thanks in advance

  • Posted on Oct 08, 2018 at 07:54 AM

    Hi Mohamed


    Your Questions:

    1. Is it worth it? I can't answer that for you. This is a risk-based question and will depend on the size of your organisation and compliance requirements. Remediation through separation of duties is one option, but your business may decide a detect control to review user logs, etc. is more manageable.

    2. I'm not across technical aspects of SYBASE to comment.

    3. Again can't comment on SYBASE but in an SAP application environment, I do typically split security administration out from system.



    To reiterate: it comes down to the risk definition and what your company is willing to allow.
