
System Administration Made Easy

Chapter 11: Security Administration
Operational Security

Your external auditors should help you define these risky combinations. Testing for segregation of duties is a standard audit procedure.

Accounts Receivable and Cash Collection

The purpose is to separate the person who collects and handles the cash from the person who keeps the records of what a customer owes. If one person holds both functions, the cash received from a customer could be pocketed and the amount written off the customer's account. The same separation explains why, in a restaurant, the waiter is not also the cashier, or why a mechanic must get spare parts from a storekeeper.

The review of segregation of duties should be completed together with the user owners (the key users of each functional area).

Out of necessity, smaller companies must assign multiple functions to a single person. Be aware of the security risks in this situation. If you must combine functions, combine them in a way that minimizes risk.

SAP* and DDIC are system user IDs that have restricted uses for specific purposes. Certain functions can only be performed by SAP* or DDIC. If an R/3 user requires similar functionality, they should be given a copy of the SAP* profile. These users should be grouped as "super users," with the appropriate security approvals.

The security profile for SAP* is SAP_ALL. This profile is extremely powerful because it grants the user complete access to the system. For more information, see chapter 12, Recommended Policies and Procedures: System Administration.

A user with user administration rights cannot change the password of a user ID to gain access to it and then change it back to the original password. Passwords are not visible to administrators, so they cannot restore the original password if they do not know it. At the next logon, the owner of the user ID will know that the password has been altered, because they will be unable to log on with their current password.

11–26 Release 4.6A/B
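The segregation-of-duties test the auditors perform, and the review of who holds the SAP_ALL profile, can both be run mechanically over an export of user-to-role assignments. The following is an added example, not code from the System Administration Made Easy guide or from SAP: it assumes a list of (user, profile) assignment records such as a user-master export would give you, a conflict matrix of business functions that must not be combined (built around the chapter's accounts-receivable/cash-collection and mechanic/storekeeper cases), and an approved super-user list. SAP*, DDIC and SAP_ALL are the names the chapter uses; every role name, user ID and function name is constructed sample data.

```python
"""Segregation-of-duties and SAP_ALL audit over SAP user assignments.

Added example (not from the System Administration Made Easy guide).
All role names, user IDs and business-function names are constructed;
SAP*, DDIC and SAP_ALL are the names the chapter itself uses.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Risky combinations of business functions (the "conflict matrix" the
# external auditors help define). Constructed from the chapter's examples.
CONFLICTING_FUNCTIONS = {
    frozenset({"AR_MAINTAIN", "CASH_COLLECT"}),     # keeps the A/R records and handles the cash
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RUN"}),  # creates a vendor and pays it
    frozenset({"PARTS_ISSUE", "PARTS_REQUEST"}),    # storekeeper and mechanic in one person
}

# Which business function each role/profile grants (constructed mapping;
# in practice this comes from the role design documentation).
ROLE_TO_FUNCTION: Dict[str, str] = {
    "Z_AR_CLERK": "AR_MAINTAIN",
    "Z_CASHIER": "CASH_COLLECT",
    "Z_VENDOR_MASTER": "VENDOR_MAINTAIN",
    "Z_PAYMENT_RUN": "PAYMENT_RUN",
    "Z_STORES": "PARTS_ISSUE",
    "Z_WORKSHOP": "PARTS_REQUEST",
}

# The approved "super users" who may hold SAP_ALL (constructed list).
APPROVED_SUPER_USERS: Set[str] = {"SAP*", "DDIC", "BASIS01"}


@dataclass(frozen=True)
class Assignment:
    user: str
    profile: str  # role or profile name as it appears in the user master


def functions_of(user: str, assignments: List[Assignment]) -> Set[str]:
    """Business functions a user holds via the roles mapped above."""
    return {
        ROLE_TO_FUNCTION[a.profile]
        for a in assignments
        if a.user == user and a.profile in ROLE_TO_FUNCTION
    }


def sod_conflicts(assignments: List[Assignment]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each user holding a risky combination to the conflicting pairs."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user in sorted({a.user for a in assignments}):
        held = functions_of(user, assignments)
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_FUNCTIONS if pair <= held]
        if hits:
            findings[user] = sorted(hits)
    return findings


def unapproved_sap_all(assignments: List[Assignment]) -> List[str]:
    """Users holding SAP_ALL who are not on the approved super-user list."""
    return sorted({
        a.user for a in assignments
        if a.profile == "SAP_ALL" and a.user not in APPROVED_SUPER_USERS
    })


# Constructed sample export: one record per user/role assignment.
SAMPLE_ASSIGNMENTS = [
    Assignment("JSMITH", "Z_AR_CLERK"),
    Assignment("JSMITH", "Z_CASHIER"),        # A/R plus cash: the chapter's example risk
    Assignment("MBROWN", "Z_VENDOR_MASTER"),  # vendor master alone: no conflict
    Assignment("AJONES", "Z_STORES"),
    Assignment("AJONES", "Z_WORKSHOP"),       # storekeeper plus mechanic
    Assignment("BASIS01", "SAP_ALL"),         # approved super user
    Assignment("TEMP01", "SAP_ALL"),          # SAP_ALL without approval
    Assignment("DDIC", "SAP_ALL"),
]


if __name__ == "__main__":
    for user, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for left, right in pairs:
            print(f"SoD conflict: {user} holds {left} and {right}")
    for user in unapproved_sap_all(SAMPLE_ASSIGNMENTS):
        print(f"Unapproved SAP_ALL: {user}")
```

For a small company that has to combine functions, the same conflict matrix is the place to record which combinations were knowingly accepted and what compensating control (for example a monthly review of write-offs by someone outside accounts receivable) covers them, so the audit output distinguishes accepted risk from an oversight.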
