|
These forums are for you, the Lawson user, to provide and solicit advice from your fellow Lawson users. The forums are currently unmoderated. Please refrain from profanity, name calling, disparaging remarks, etc. If there are additional forums you'd like to see, please email the webmaster.
A couple of "helpful hints":
-
Want to be notified when someone replies to your message? Make sure you put a checkmark in the box next to "Email me when someone replies to this thread" when you enter your message.
-
You can also "subscribe" to any desired forum, so that you receive a notification when someone posts a message to that forum. Just visit the desired forums, and click the checkbox labeled "Email me when someone posts to this forum.". Just like topica--but without the ads and out-of-office mail-storms!
| Author | Messages | |
John Henley
Posts:1053
 | | 9/14/2007 12:06 PM | | I wanted to poll the community and see how clients who are subject to SOx are dealing with daily/monthly processing. In various organizations I have consulted with, the daily/monthly scheduled jobs are usually run using a general userid, rather than being tied to a specific user. The advantage is that, given normal turnover, the jobs do go away when the employee terminates. In addition, the jobs / reports are accessible to a generic userid in the print manager, etc. This disadvantage is that, potentially, multiple employees know the password for that userid, which may have broader security access than the average user.
In these days of SOX 404, etc., I've been told by some organizations that they are no longer using this method.
Any thoughts on this? | |
Thanks for using the LawsonGuru.com forums!
John | |
| Shriniwas Ganediwal
Posts:4
| | 3/30/2008 10:54 PM | | As per SOX, use of generic IDs is big "NO". I have been with E&Y auditors several times on this issue. The issue here is if Generic IDs are used, it is very hard to pin point any perticular individual and typically users are less carefull in securing the password. So although this is very inconvinient at times, use of generic IDs should be avoided at all costs. | | | |
| Shriniwas Ganediwal
Posts:4
| | 3/30/2008 10:55 PM | | | Also as far as Jobs and reports are concerned, those can be copied to the new user ids. | | | |
| k-rock
Posts:85
| | 3/31/2008 8:43 AM | | | I have been told to eliminate generic ids by auditors as well. Even an IT id is frowned upon. Some companies use this to keep the number of named users down, but I don't think it will fly much longer. | | | |
| Shriniwas Ganediwal
Posts:4
| | 4/01/2008 6:34 PM | | | That's very true. Each ID needs to be deleted or modified every time the employee leaves or changes the job function. I guess this is the best way to hold people responsible, of course this is lot of inconvenience to business and additional work for IT and security group. | | | |
| bill ianni
Posts:41
| | 4/29/2008 7:31 AM | | EDI and Process Flow processes are typically run under generic users. These id's will often have expanded permissions and security access. I am uder the impression that Lawson documentation suggests using such id's when the product is installed. The output of their jobs however must be monitored by a real user.
Keys to SOX compliance are Monitoring and Evidence. These are two requirements stated within the law. As long as these requirements are being met, the type of user is not mandated. [The generic user must be subject to authenicatation and password security in the same fashion as a real user.] Thus, where a process has been automated with a generic user, AND a seperation of duties is required, you can implement an approval (validation) process to comply with SOX standards. | | | |
| k-rock
Posts:85
| | 4/29/2008 12:34 PM | | | how do you identify the actual person using the generic id if you find that the id is doing something that it should not? How do you enforce segregation of duties if the people in these roles all have the ability to login to the generic id? | | | |
| John Henley
Posts:1053
| | 4/29/2008 3:18 PM | | | You can't, but no user other than the administrator should ever know the passwords for those IDs. | |
Thanks for using the LawsonGuru.com forums!
John | |
| k-rock
Posts:85
| | 4/29/2008 5:34 PM | | Do you think that is true in practice? Or, how do you prove that to an auditor? | | | |
| riegerj
Posts:1
| | 7/01/2008 9:22 AM | | | We do use generic IDs for our daily/monthly recurring jobs and for interfaces that run into Lawson. We ran into a problem with auditing because IT's real user IDs were linked to changes in employee records due to the interfaces and recurring jobs so we use these generic IDs to keep the employee records clean. I understand that this could be a security risk if the passwords get out but this is what is best for us right now. | | | |
| Carol Sanguinetti
Posts:2
| | 7/01/2008 3:37 PM | | | Using the generic IDs to run the automated processes is not really the issue as long as it can be tracked back to being an automated process. The output of any automated job can be sent to distribution lists or ProcessFlow tasks which would not require anyone knowing the generic login and password to monitor and receive the automated data. The disrtribution lists and ProcessFlow tasks would need to be maintained as people come and go so that the data is still being sent to a real person for monitoring. | | | |
| Jon
Posts:4
| | 7/02/2008 7:50 AM | | You can also modify the automated jobs without having to log in as the generic user. I monitor all EDI, ProcessFlow and Fax jobs which run under a generic user. I have no access to the password for the generic id. When I need to modify or fix a job in recdef or jobdef I can access all jobs under that generic id logged in as myself in LID. Jon MMISS, MidMichigan Health | | | |
|
| | To join the discussion you need to register first. (Registration is free!) If you are already a registered user please login to join the discussion. |
|
| |
ActiveForums 3.7 |
|