Establishing User Access Security SOD
As a best practice, user access rights must be defined based on the business functions a user performs. These functions can be determined from the user's job role. It is important to check user access rights from a functional point of view: questions such as whether users have access to the functions they are responsible for should be examined. Once a proper strategy for granting user access rights is defined, it can be used to implement those rights.
When granting users access to the system, it is important to take into account potential segregation of duties (SOD) issues. Where SOD conflicts do exist, compensating controls in the process should be considered. As a best practice in user access security, role-based access control (RBAC) should be adopted. ERPs like SAP and Oracle have built-in features for RBAC, such as the profile generator in SAP. Lastly, once user access is granted, it is important to monitor that access on a periodic basis. Changes should be made to user access if SOD conflicts are noticed or users have excess rights for sensitive transactions.
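The periodic review described above can be run over an extract of role assignments. The following is an added example, not part of the original post: it flags users whose combined roles span both sides of an SOD rule, marks conflicts that have a documented compensating control, and reports sensitive transactions held by unapproved users. The role names, users, rule set, compensating-control list and approval list are constructed assumptions; the transaction codes are standard SAP codes used for illustration.

```python
# Constructed sample data; role names, users and the rule set are illustrative.
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02"},   # create/change vendor
    "Z_AP_PAYMENTS": {"F-53", "F110"},       # post payment / payment run
    "Z_MM_BUYER": {"ME21N", "ME22N"},        # create/change purchase order
    "Z_MM_GOODS_RECEIPT": {"MIGO"},          # goods movement
}
USER_ROLES = {
    "ALICE": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "BOB": ["Z_MM_BUYER"],
    "CAROL": ["Z_MM_BUYER", "Z_MM_GOODS_RECEIPT", "Z_AP_PAYMENTS"],
}
SOD_RULES = {  # rule id -> (function A tcodes, function B tcodes)
    "SOD-01": ({"FK01", "FK02"}, {"F-53", "F110"}),
    "SOD-02": ({"ME21N", "ME22N"}, {"MIGO"}),
}
COMPENSATING_CONTROLS = {("CAROL", "SOD-02")}  # documented (user, rule) pairs
SENSITIVE_APPROVED = {"F110": {"ALICE"}}       # sensitive tcode -> approved users


def effective_access(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Map each tcode the user can run to the roles that grant it."""
    access = {}
    for role in user_roles.get(user, []):
        for tcode in role_tcodes.get(role, set()):
            access.setdefault(tcode, set()).add(role)
    return access


def review_access(user_roles=USER_ROLES):
    """Return sorted (user, finding, status, roles) tuples for one review cycle."""
    findings = []
    for user in user_roles:
        access = effective_access(user, user_roles)
        for rule, (side_a, side_b) in SOD_RULES.items():
            hit_a, hit_b = side_a & access.keys(), side_b & access.keys()
            if hit_a and hit_b:  # user can perform both halves of the process
                roles = set().union(*(access[t] for t in hit_a | hit_b))
                status = "mitigated" if (user, rule) in COMPENSATING_CONTROLS else "open"
                findings.append((user, rule, status, tuple(sorted(roles))))
        for tcode, approved in SENSITIVE_APPROVED.items():
            if tcode in access and user not in approved:
                findings.append((user, "EXCESS:" + tcode, "open", tuple(sorted(access[tcode]))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access():
        print(finding)
```

Neither of ALICE's roles conflicts on its own; the finding comes from the combination, which is why the check works on each user's effective access and not on single roles.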