This sounds like it was a lively discussion... I'm sorry I was away at Alliance (not really that sorry) and I missed the thread...

For our situation we have mandated that the Plant Controller is responsible for requesting all authority additions and changes and deletions for the people at their plant... We even perform regular internal authority audits using our auditing tool we select some sensitive area of the package and ask each controller to review the people who currently have access to a certain menu... This is part of a continuing improvement process...

I certainly have discretion when I see a request for something that seems unusual... For instance if anyone requests access to a U menu like - /INU or /MDU or /PMU - I immediately deny that request... Unless the specific option requested is an inquiry like 24/MDU Transaction Input Inquiry - there is usually no need for a user to have access to a U menu...

During our implementation we went through the exercise of creating an Excel spreadsheet to determine reasonableness for authority requests... We identified options where it made sense for people at the plant level and corporate level to have access to specific menus... This is a good touchstone to have at your disposal... The crush of the avalanche of requests for authority was nearly overwhelming during our implementation but now the trickle of requests is easily manageable...

Ultimately someone has to be accountable for who has authority to what... It is a tedious and sometimes frustrating process to try to limit a person to only what they need to do their job but if you leave it wide open and grant them everything you are bound to get burned... If you're a publicly traded company then you're obligated to pass an IT audit where the issue of security will loom large... Good topic...
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.