Hi
I have been tasked to define the access rights for sys admins for an HR/Payroll system. The thoughts are divided among the groups here: one, the segregation of duties should limit any type of user from performing tasks end to end, since this is a payroll system; two, since it is sys admin access, the user should have full access to manage and maintain the system effectively, such as troubleshooting and supporting.
My question is: what is the right approach? Personally I feel the sys admins should have full access, however I need hard convincing to do. Can Bill 198 shed some light on this? How do I pitch it to senior management?
Any help from IT security/compliance/Bill 198 experts or anyone who has had a similar situation would be GREATLY appreciated.
Software/Hardware used: HR/Payroll System
ASKED: August 10, 2010 2:05 PM
UPDATED: August 23, 2010 9:55 PM
I concur with Wiki’s comment. Most corporations face this type of situation. Separation of duties is very essential and needed. In our situation – since we have many databases/files encrypted – system admins have the right to copy and load/reload data, but only in encrypted format. They cannot “view” the data. Security auditors have bought into this scenario.