Auth object to limit an admin from being able to grant roles

Question: Is there an auth object out there that would limit an admin from being able to grant access to themselves? I would like to avoid using a group to control this.

Answer:
Activity 22 is assign access. If you do not use the user group and S_USER_GRP, then you have to stop the admin from assigning ANYTHING. If you want to limit only their ID and allow everyone else, you have to put the admin in a group and exclude that access from the role.

Answer:
Jarboe - SEC_KB was asking 'How NOT TO USE Groups'... you answered the question with what was trying to be avoided.

Answer:
Well, read the answer again... It answers their SPECIFIC question and the one they may have intended.

The question could be clearer: "...being able to grant access to themselves." does not indicate they want the user to assign it to others and not themselves, which one could assume. So, as the question was asked and ANSWERED, you can; just do not assign activity 22. But if the question was asking to assign to OTHERS and NOT themselves, it was ALSO answered; you may not have gotten it... let me make it clear. YOU CANNOT WITHOUT ASSIGNING USER GROUPS.

Answer:
Actually, it is now possible to implement your Security Administrator team segregation without the use of the S_USER_GRP object.

To improve the security model of restricting the security administration team to segregated duties, a new object has been introduced:
S_USER_SAS

You may have to implement a support pack and a correction, as well as execute the program RSUSR_S_USER_SAS_01, in order to assign the object to your roles with the relevant user administration objects.
In other words, if you implement it, the security admins have to have it in their role or they will not be able to administer any users.

I am actually implementing it now, so I will post if I run into any "gotchas".
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net

Answer:
S_USER_SAS uses User group of the user to control...

This type of control is one that gives everyone the "warm and fuzzies" and the auditors love it; however, without the proper, costly infrastructure it is a farce. The intent is not to allow the admin to get additional access, so in a false sense of control you try to limit their ability to change their ID... SO, they do not need to use their ID! They generally have the ability to create IDs and to add access to other IDs, so they can "get" the access by creating a temp ID, adding the access and doing what they want. To fully control it you have to have one person who ONLY creates IDs, one person ONLY to create and change access, and ONE person to ONLY assign access to others. Most companies do not have the luxury of three people or cannot tolerate the poor service a three-person configuration causes.

Most opt for a detective control where the supervisor periodically monitors the changes, adds and deletes of their admins to ensure all is authorized.
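The temp-ID bypass and the two mitigations described in the answer above (splitting create and assign across different people, and a supervisor reviewing the change documents), as an added example written for this page; it is not code from the thread or from SAP. It is a simplified Python model of an S_USER_GRP-style check: an admin's authorizations carry activities (ACTVT: 01 create, 02 change, 22 assign, the standard SAP values) and permitted user groups (CLASS), and an action is allowed when one authorization covers both. The admins ADM1/ADM2, users TEMP01/JSMITH, groups SECADM/DEFAULT/FINANCE and role names are constructed for the example; S_USER_SAS, role maintenance and profile generation are not modelled.

```python
"""Simplified model of SAP-style user-administration authorization checks.

Added illustration for this thread, not SAP code. Names of admins, users,
groups and roles are constructed; only ACTVT codes 01/02/22 and the field
names of S_USER_GRP (ACTVT, CLASS) follow SAP.
"""
from dataclasses import dataclass, field

CREATE, CHANGE, ASSIGN = "01", "02", "22"   # standard ACTVT values
ANY = "*"                                   # full authorization on CLASS


@dataclass(frozen=True)
class Auth:
    actvt: frozenset    # activities this authorization permits
    classes: frozenset  # user groups (CLASS) it permits; ANY covers every group


@dataclass
class System:
    users: dict = field(default_factory=dict)  # user name -> user group
    roles: dict = field(default_factory=dict)  # user name -> set of role names
    auths: dict = field(default_factory=dict)  # admin name -> list of Auth
    log: list = field(default_factory=list)    # change documents: (admin, actvt, target)

    def check(self, admin, actvt, group):
        """AUTHORITY-CHECK semantics: a single authorization must cover both fields."""
        return any(actvt in a.actvt and (ANY in a.classes or group in a.classes)
                   for a in self.auths.get(admin, []))

    def create_user(self, admin, name, group):
        if not self.check(admin, CREATE, group):
            raise PermissionError(f"{admin} may not create users in group {group}")
        self.users[name] = group
        self.roles[name] = set()
        self.log.append((admin, CREATE, name))

    def assign_role(self, admin, target, role):
        if not self.check(admin, ASSIGN, self.users[target]):
            raise PermissionError(f"{admin} may not assign roles to {target}")
        self.roles[target].add(role)
        self.log.append((admin, ASSIGN, target))


def build_system(split_duties):
    """Security admins sit in group SECADM and their S_USER_GRP lists every
    group except SECADM, so they cannot touch their own IDs. With split_duties
    the create and assign activities go to different people."""
    s = System()
    s.users.update({"ADM1": "SECADM", "ADM2": "SECADM", "JSMITH": "FINANCE"})
    s.roles.update({u: set() for u in s.users})
    other_groups = frozenset({"DEFAULT", "FINANCE"})
    if split_duties:
        s.auths["ADM1"] = [Auth(frozenset({CREATE}), other_groups)]
        s.auths["ADM2"] = [Auth(frozenset({CHANGE, ASSIGN}), other_groups)]
    else:
        s.auths["ADM1"] = [Auth(frozenset({CREATE, CHANGE, ASSIGN}), other_groups)]
    return s


def self_grant_blocked():
    """The preventive control as intended: ADM1 cannot grant a role to ADM1."""
    s = build_system(split_duties=False)
    try:
        s.assign_role("ADM1", "ADM1", "SAP_ALL")
    except PermissionError:
        return True
    return False


def temp_id_bypass(split_duties):
    """Create a temp ID in a permitted group, grant it the role, then use that ID.
    Returns True when ADM1 ends up controlling an ID that holds SAP_ALL."""
    s = build_system(split_duties)
    try:
        s.create_user("ADM1", "TEMP01", "DEFAULT")
        s.assign_role("ADM1", "TEMP01", "SAP_ALL")
    except PermissionError:
        return False
    return "SAP_ALL" in s.roles["TEMP01"]


def created_then_granted(log):
    """Detective control: IDs that the same admin both created and then granted
    roles to, the pattern a reviewing supervisor should look for."""
    created = {(admin, target) for admin, actvt, target in log if actvt == CREATE}
    return sorted({target for admin, actvt, target in log
                   if actvt == ASSIGN and (admin, target) in created})


def review_unsplit_system():
    """Run the bypass plus one legitimate assignment, then review the log."""
    s = build_system(split_duties=False)
    s.create_user("ADM1", "TEMP01", "DEFAULT")
    s.assign_role("ADM1", "TEMP01", "SAP_ALL")
    s.assign_role("ADM1", "JSMITH", "Z_FI_DISPLAY")  # normal work, not flagged
    return created_then_granted(s.log)


if __name__ == "__main__":
    print("self-grant blocked:", self_grant_blocked())
    print("temp-ID bypass, one admin:", temp_id_bypass(split_duties=False))
    print("temp-ID bypass, split duties:", temp_id_bypass(split_duties=True))
    print("flagged by review:", review_unsplit_system())
```

The model shows why excluding the admins' own group from CLASS is only a cosmetic control when the same person holds both 01 and 22: the self-grant fails but the detour through a fresh ID succeeds. Splitting the activities across two admins closes that detour in the model; where that staffing is not available, the review function is the detective fallback the answer describes, and it relies on the change documents being kept and actually read.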

Answer:
Thanks to everyone who got in on this one. I am going to explore the use of the new object. I know it is not foolproof, but if auditing needs to occur then only new user ID creations would require it and not all the changes.

Again..Thanks to everyone who gave input!

Answer:
S_USER_SAS uses User group of the user to control...

This type of control is one that gives everyone the "warm and fuzzies" and the auditors love it; however, without the proper, costly infrastructure it is a farce. The intent is not to allow the admin to get additional access, so in a false sense of control you try to limit their ability to change their ID... SO, they do not need to use their ID! They generally have the ability to create IDs and to add access to other IDs, so they can "get" the access by creating a temp ID, adding the access and doing what they want. To fully control it you have to have one person who ONLY creates IDs, one person ONLY to create and change access, and ONE person to ONLY assign access to others. Most companies do not have the luxury of three people or cannot tolerate the poor service a three-person configuration causes.

Most opt for a detective control where the supervisor periodically monitors the changes, adds and deletes of their admins to ensure all is authorized.

I couldn't agree more.
_________________
bwSecurity
Copyright © 2007 - 2008 www.jt77.com