Using a generic userid for processing

John Henley
Posts: 3362
I wanted to poll the community and see how clients who are subject to SOx are dealing with daily/monthly processing. In various organizations I have consulted with, the daily/monthly scheduled jobs are usually run using a general userid, rather than being tied to a specific user. The advantage is that, given normal turnover, the jobs do go away when the employee terminates. In addition, the jobs / reports are accessible to a generic userid in the print manager, etc. The disadvantage is that, potentially, multiple employees know the password for that userid, which may have broader security access than the average user.

In these days of SOX 404, etc., I've been told by some organizations that they are no longer using this method.

Any thoughts on this?
Thanks for using the LawsonGuru.com forums!
John
Deleted User
New Member
Posts: 0
New Member

As per SOX, use of generic IDs is a big "NO". I have been with E&Y auditors several times on this issue. The issue here is that if generic IDs are used, it is very hard to pinpoint any particular individual, and typically users are less careful in securing the password.

So although this is very inconvenient at times, use of generic IDs should be avoided at all costs.
Deleted User
New Member
Posts: 0
New Member
Also, as far as jobs and reports are concerned, those can be copied to the new user IDs.
k-rock
Veteran Member
Posts: 142
Veteran Member
I have been told to eliminate generic IDs by auditors as well. Even an IT ID is frowned upon. Some companies use this to keep the number of named users down, but I don't think it will fly much longer.
Deleted User
New Member
Posts: 0
New Member
That's very true. Each ID needs to be deleted or modified every time the employee leaves or changes job function. I guess this is the best way to hold people responsible; of course this is a lot of inconvenience to the business and additional work for the IT and security group.
Bill Ianni
Veteran Member
Posts: 112
Veteran Member
EDI and Process Flow processes are typically run under generic users. These IDs will often have expanded permissions and security access. I am under the impression that Lawson documentation suggests using such IDs when the product is installed. The output of their jobs, however, must be monitored by a real user.

Keys to SOX compliance are Monitoring and Evidence. These are two requirements stated within the law. As long as these requirements are being met, the type of user is not mandated. [The generic user must be subject to authentication and password security in the same fashion as a real user.] Thus, where a process has been automated with a generic user, AND a separation of duties is required, you can implement an approval (validation) process to comply with SOX standards.
k-rock
Veteran Member
Posts: 142
Veteran Member
How do you identify the actual person using the generic ID if you find that the ID is doing something that it should not? How do you enforce segregation of duties if the people in these roles all have the ability to log in to the generic ID?
John Henley
Posts: 3362
You can't, but no user other than the administrator should ever know the passwords for those IDs.
Thanks for using the LawsonGuru.com forums!
John
k-rock
Veteran Member
Posts: 142
Veteran Member

Do you think that is true in practice? Or, how do you prove that to an auditor?

riegerj
Veteran Member
Posts: 44
Veteran Member
We do use generic IDs for our daily/monthly recurring jobs and for interfaces that run into Lawson. We ran into a problem with auditing because IT's real user IDs were linked to changes in employee records due to the interfaces and recurring jobs, so we use these generic IDs to keep the employee records clean. I understand that this could be a security risk if the passwords get out, but this is what is best for us right now.
Deleted User
New Member
Posts: 0
New Member
Using the generic IDs to run the automated processes is not really the issue as long as it can be tracked back to being an automated process. The output of any automated job can be sent to distribution lists or ProcessFlow tasks, which would not require anyone knowing the generic login and password to monitor and receive the automated data. The distribution lists and ProcessFlow tasks would need to be maintained as people come and go so that the data is still being sent to a real person for monitoring.
JonA
Veteran Member
Posts: 1163
Veteran Member

You can also modify the automated jobs without having to log in as the generic user. I monitor all EDI, ProcessFlow and Fax jobs which run under a generic user. I have no access to the password for the generic ID. When I need to modify or fix a job in recdef or jobdef, I can access all jobs under that generic ID logged in as myself in LID.

Jon

MMISS, MidMichigan Health

Jon Athey - Sr. Supply Chain Analyst - Materials Management - MyMichigan Health
Rob Conrad
Veteran Member
Posts: 73
Veteran Member
Hi All -

Another thought here is to keep the generic ID for the system jobs and use Process Flow to actually trigger the jobs from a "Job Approval" inbasket, thereby capturing the WF-ID in the WFACTIVITY / WFMETRICS tables for the SOX Auditors.

Control User Security access through the BPM Menu and RM etc.

You could also add Job Error Handling & Notification in your flow by querying the QUEUEJOB table, as well as limit any user-induced process variation on job execution.

A client last week completely hosed their payroll when their Payroll manager ran the job with incorrect parameters, causing the ACH to be stopped at the bank, checks cancelled and later retransmitted. PFI submitting the job would have prevented this catastrophe caused by the functional user....
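The control Rob describes, a generic ID executing the job while the workflow approval record attributes each run to a named person, only holds up if every run of the generic ID can be matched to an approval. The reconciliation below is an added example, not code from the thread or from Lawson; the job-log and approval records are constructed samples, and the tuple layouts are assumptions rather than the WFACTIVITY / WFMETRICS / QUEUEJOB schemas.

```python
"""Reconcile runs of a generic (service) ID against workflow approvals.

A run is attributed to a person when an approval for the same job was
recorded shortly before it; runs with no such approval are findings an
auditor would want explained (an unattributed use of the generic ID).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Finding:
    job: str
    run_at: datetime
    reason: str


# Constructed sample data (assumed layout, not a Lawson table):
# job log rows: (executing user, job name, ISO timestamp)
JOB_LOG = [
    ("lawson_batch", "PR140", "2024-03-01T02:05:00"),
    ("lawson_batch", "GL190", "2024-03-01T02:30:00"),
    ("lawson_batch", "PR140", "2024-03-02T14:10:00"),
]
# approval rows from the "Job Approval" inbasket: (job, approver, ISO timestamp)
APPROVALS = [
    ("PR140", "jdoe", "2024-03-01T01:50:00"),
    ("GL190", "asmith", "2024-02-28T09:00:00"),  # stale: two days old
]


def attribute_runs(job_log, approvals, generic_id, max_age=timedelta(hours=2)):
    """Return (attributed, findings).

    attributed: (job, run time, approver) for each run backed by an approval
    no older than max_age; each approval is consumed once, so a single
    approval cannot silently cover repeated runs of the same job.
    findings:   runs of generic_id with no usable approval.
    """
    pending = [(j, who, datetime.fromisoformat(ts)) for j, who, ts in approvals]
    pending.sort(key=lambda a: a[2])  # oldest approval is matched first
    attributed, findings = [], []
    for user, job, ts in job_log:
        if user != generic_id:  # named users attribute themselves
            continue
        run_at = datetime.fromisoformat(ts)
        match = next((a for a in pending
                      if a[0] == job and timedelta(0) <= run_at - a[2] <= max_age), None)
        if match is None:
            findings.append(Finding(job, run_at, "no approval within window"))
        else:
            pending.remove(match)
            attributed.append((job, run_at, match[1]))
    return attributed, findings
```

The two-hour window and one-approval-per-run rule are policy choices; tighten or loosen them to match how long a scheduled job may legitimately sit in the queue after approval.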

Ashish Karkera
New Member
Posts: 2
New Member
Dear All,

The generic IDs scenario can be handled by PIM solutions (Privileged Identity Management).
There are tools that help in logging, monitoring and keeping track of each and every activity performed by each and every individual in your organization.
One such tool is ARCOS. Well, even though we use generic IDs, the user has to first log in through his unique ID, and ARCOS will take care of the rest.

:)

Regards,

Ashish Karkera,
ANB solutions,
India