Using a generic userid for processing

Name	Points
Greg Moeller	4184
David Williams	3349
JonA	3291
Kat V	2984
Woozy	1973
Jimmy Chiu	1883
Kwane McNeal	1437
Ragu Raghavan	1372
Roger French	1315
mark.cook	1244

John Henley

Posts: 3353

9/14/2007 4:06 PM

I wanted to poll the community and see how clients who are subject to SOx are dealing with daily/monthly processing. In various organizations I have consulted with, the daily/monthly scheduled jobs are usually run using a general userid, rather than being tied to a specific user. The advantage is that, given normal turnover, the jobs do go away when the employee terminates. In addition, the jobs / reports are accessible to a generic userid in the print manager, etc. This disadvantage is that, potentially, multiple employees know the password for that userid, which may have broader security access than the average user.

In these days of SOX 404, etc., I've been told by some organizations that they are no longer using this method.

Any thoughts on this?

sganediwal

Posts: 3

3/31/2008 2:54 AM

As per SOX, use of generic IDs is big "NO". I have been with E&Y auditors several times on this issue. The issue here is if

Generic IDs are used, it is very hard to pin point any perticular individual and typically users are less carefull in securing the password.

So although this is very inconvinient at times, use of generic IDs should be avoided at all costs.

sganediwal

Posts: 3

3/31/2008 2:55 AM

Also as far as Jobs and reports are concerned, those can be copied to the new user ids.

k-rock

Veteran Member

Posts: 142

3/31/2008 12:43 PM

I have been told to eliminate generic ids by auditors as well. Even an IT id is frowned upon. Some companies use this to keep the number of named users down, but I don't think it will fly much longer.

sganediwal

Posts: 3

4/1/2008 10:34 PM

That's very true. Each ID needs to be deleted or modified every time the employee leaves or changes the job function. I guess this is the best way to hold people responsible, of course this is lot of inconvenience to business and additional work for IT and security group.

Bill Ianni

Veteran Member

Posts: 111

4/29/2008 11:31 AM

EDI and Process Flow processes are typically run under generic users. These id's will often have expanded permissions and security access. I am uder the impression that Lawson documentation suggests using such id's when the product is installed. The output of their jobs however must be monitored by a real user.

Keys to SOX compliance are Monitoring and Evidence. These are two requirements stated within the law. As long as these requirements are being met, the type of user is not mandated. [The generic user must be subject to authenicatation and password security in the same fashion as a real user.] Thus, where a process has been automated with a generic user, AND a seperation of duties is required, you can implement an approval (validation) process to comply with SOX standards.

k-rock

Veteran Member

Posts: 142

4/29/2008 4:34 PM

how do you identify the actual person using the generic id if you find that the id is doing something that it should not? How do you enforce segregation of duties if the people in these roles all have the ability to login to the generic id?

John Henley

Posts: 3353

4/29/2008 7:18 PM

You can't, but no user other than the administrator should ever know the passwords for those IDs.

k-rock

Veteran Member

Posts: 142

4/29/2008 9:34 PM

Do you think that is true in practice? Or, how do you prove that to an auditor?

riegerj

Veteran Member

Posts: 44

7/1/2008 1:22 PM

We do use generic IDs for our daily/monthly recurring jobs and for interfaces that run into Lawson. We ran into a problem with auditing because IT's real user IDs were linked to changes in employee records due to the interfaces and recurring jobs so we use these generic IDs to keep the employee records clean. I understand that this could be a security risk if the passwords get out but this is what is best for us right now.

csang@mail.com

New Member

Posts: 2

7/1/2008 7:37 PM

Using the generic IDs to run the automated processes is not really the issue as long as it can be tracked back to being an automated process. The output of any automated job can be sent to distribution lists or ProcessFlow tasks which would not require anyone knowing the generic login and password to monitor and receive the automated data. The disrtribution lists and ProcessFlow tasks would need to be maintained as people come and go so that the data is still being sent to a real person for monitoring.

JonA

Veteran Member

Posts: 1163

7/2/2008 11:50 AM

You can also modify the automated jobs without having to log in as the generic user. I monitor all EDI, ProcessFlow and Fax jobs which run under a generic user. I have no access to the password for the generic id. When I need to modify or fix a job in recdef or jobdef I can access all jobs under that generic id logged in as myself in LID.

Jon

MMISS, MidMichigan Health

Rob Conrad

Veteran Member

Posts: 73

8/3/2011 6:48 PM

Hi All -

Another thought here is to keep the generic ID for the system jobs and use Process Flow to actually trigger the jobs from a "Job Approval" inbasket, thereby capturing the WF-ID in the WFACTIVITY / WFMETRICS tables for the SOX Auditors.

Control User Security access through the BPM Menu and RM etc.

You could also add Job Error Handling & Notification in your flow by querying QUEUEJOB table as well as limit any user induced process variation on job execution.

A client last week completely hosed their payroll when their Payroll manager ran the job with incorrect parameters, causing the ACH to be stopped at the bank, checks cancelled and later retransmitted. PFI submitting the job would have prevented this catastrophe caused by the functional user....

Ashish Karkera

New Member

Posts: 2

6/10/2012 4:06 PM

Dear All,

The genric Id's scenario can be handled by PIM solutions (Privilege identity management).
There are tools that helps in logging, monitoring and keeping track of each and every activity performed by each and every individual in your organization.
One such tool is ARCOS. Well even though we use Generic Id's, but the user has to first login through his Unique id. And ARCOS will take care of the rest.

:)

Regards,

Ashish Karkera,
ANB solutions,
India

Ashish Karkera

New Member

Posts: 2

6/10/2012 4:07 PM

Dear All,

The genric Id's scenario can be handled by PIM solutions (Privilege identity management).
There are tools that helps in logging, monitoring and keeping track of each and every activity performed by each and every individual in your organization.
One such tool is ARCOS. Well even though we use Generic Id's, but the user has to first login through his Unique id. And ARCOS will take care of the rest.

:)

Regards,

Ashish Karkera,
ANB solutions,
India