Is creating users by copying wrong?

Posted by Klea Duro on May 12, 2023 12:00:00 AM

How many times have we heard in the company when creating a new user, "give me a colleague as a reference," that is, in the process of defining a new user, we reason more by copy than by corporate trade.

Copia utenti

 

But is this approach correct? Or does it present some possible problems?

 

What are some ways to create the users?

There are several options here as well.

 

  • Creating from scratch a user in its own system or in the n systems where it must be defined. Beware, it is one thing to create the user's master data another to know what entitlements to assign (in the case of SAP roles usually)

  • Using a corporate identity management system

  • Getting a reference of a colleague and going by copy, precisely

  • Others less structured scenarios

 

Each of these has pros and cons. But today let's talk about user copying. It is always considered a "bad practice" because in the long run it leads to layering of entitlements and a loss of control of the system. But is this really the case?

 

But then is going by copy wrong?

In identity management tools or in the SAP GRC Access Control system, there are specific starting features for creating a request based precisely on the user copy from.

 

Is it wrong? No. I find it absolutely useful and correct. If I have a new colleague from my own unit why couldn't I have to say, let's copy it from XY...

 

When in my opinion can this practice lead to a critical path start, and thus take a model "off the rails"? When, for example, you apply it and:

 

  • you do not have a process for periodic user re-validation (e.g., User Access Review)
  • you do not have a process for approving roles assigned to users

 

This last aspect is particularly important because while starting with user copy in these cases, where the role approval process is active, the user copy function is only a simplification in the construction of the request.

 

Once the user copy request is started, if the starting user has assigned five roles, they must be approved by the respective approver(s) in the new request.

 

This ensures or should limit the proliferation of role-by-copy assignments. And it is precisely this aspect that makes the difference. If I copy by default without asking myself any questions I may end up in a "dangerous" path, if I copy with control systems active, it may be entirely legitimate and even convenient!

 

 

Topics: User Access Managementuseridauthorization concept

Subscribe Here!

Blog Aglea, cosa puoi trovare?

Ogni mercoledì pubblichiamo articoli, interviste e documenti relativi alla security SAP.

Cosa puoi trovare:

  • Suggerimenti su come mettere in sicurezza i sistemi SAP
  • Come fare a … (How To)
  • Checklist
  • Gli errori comuni che spesso vengono fatti in ambito Security SAP
  • Interviste con esperti del settore
  • Chi è AGLEA quale è la nostra vision security SAP

Recent Posts

Post By Topic

See all