Privacy of Data – SAP Implementation

50 pts.
Data privacy
IT Compliance
Privacy rights
SAP implementation
Our SAP Implementation Consultant is insisting on a point which is, in our opinion, against the privacy of the company's real time historical data. The management is not willing to permit him or any consultant to view our historical data (such as item master, price lists, costing details, etc.). The management is prepared to generate test data in as much qty as may be required by the consultant. But the consultant insists that he must have superuser access for all three environments, i.e. Dev, QA & Production, until the very day of Go-Live. Is he justified in asking for that?

Answer Wiki

"Is he justified in asking for that?"

If the privilege is granted, yes. Otherwise, no.

Regardless, the consultant should have no difficulty in providing acceptable justification. He should know enough about what he’s doing to be able to explain — assuming that it’s actually required. And it might be.

A SAP implementation is no trivial task. It’s not unheard of to take many months. Even if not technically required, a lot of tasks may be done much sooner with high authority. If a longer implementation schedule is acceptable, things can be done the long way.

For example, a given important task might actually be done by a staff member who has the required authority. The consultant could take the extra time to provide necessary training and then perform any subsequent verification of proper task completion.


Discuss This Question: 3  Replies

  • AmjadM
    Thanks Tom, I liked your approach. One of my friends on a separate forum has responded as follows: Is the implementer justified in asking for super user password for production env.? Answer is 'no, as long as you can provide suitable data to mimic the normal operations and are prepared to sign off on acceptance testing with falsified data, he is way out of line asking for anything else. If you insist he's responsible for perfect operation in the real life environment, then there could be some area of concern for him to access to check things, but not until it goes live. Even then you could get by by having someone else with the relevant access codes working hand in glove as required. Tom, any comments on this please.
    50 points
  • DoneThat
    AmjadM: You lost me when you said "provide suitable data". You got me right back when you qualified with "prepared to sign off on acceptance testing with falsified data". These days, smart executives do not sign off on anything less than "100% guaranteed". Because they recognize loopholes and are not about to put their neck in one. I know I would not be able to provide that guarantee unless I tested on a copy of live data. The deliverable's reliability would have to be qualified - and that's a Catch 22. Both camps have reasonable positions. There will have to be some sensible negotiation.
    830 points
  • AmjadM
    I haven't tested or certified new software for over a decade but the last time I did it we had a bunch of false data for use by the development team. Once we were happy with that, we took a copy of the program and ran it on our own, using the last backup copy of the real data - none of the development team were allowed to see the data we used. The final test was to set it up on a server in parallel with a production server and run it in real time with the same data being fed to both - again, the development team weren't allowed to view the data or the output. In both these last two tests all data was purged from the test systems immediately we were finished with the tests. We did find a couple of things that needed correction in the final test and changes were made and a retest done. At no time did the development people ever lay eyes on real data. By suitable data, I meant it had data of the correct types and sizes in the layouts and style in which the production side uses data - for example a database that's supposed to have name, address, etc. has fake names and addresses, but they are laid out like real ones, as the Data Dictionary said for that database - and do the same for the rest of the test data. To sign off on the acceptance, the company execs will probably want to see it run with live data, but that doesn't mean the developer has any need or right to watch that test or see the data used. If the execs come back and accept, the developer walks away happy; if they say it doesn't work, yet it works with the fake test data, then it's up to the company to identify why the two data sets are different and provide that information to have the problem fixed. Often, an issue at this point is not a data difference, but the data input is NOT exactly as it was specified in the project proposal at the start because someone missed out on a minor data input method.
    50 points
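
The parallel-run test described in the last reply, where the development team sees neither the data nor the output, can still produce a defect report the developers can act on. The following is an added example, not code from the thread or from any SAP tool: it compares the two systems' outputs by keyed digest and reports only record ids and field names. The field names, the `doc_id` surrogate key (assumed non-sensitive) and the sample rows are constructed for illustration.

```python
import hashlib
import hmac

def field_digests(record, key):
    """HMAC each field value so equality can be checked without exposing it."""
    return {
        name: hmac.new(key, f"{name}={value!r}".encode(), hashlib.sha256).hexdigest()
        for name, value in record.items()
    }

def blind_compare(prod_out, cand_out, id_field, key):
    """Compare outputs of two systems; report only record ids and field names."""
    prod = {r[id_field]: field_digests(r, key) for r in prod_out}
    cand = {r[id_field]: field_digests(r, key) for r in cand_out}
    report = {
        "missing_in_candidate": sorted(prod.keys() - cand.keys()),
        "unexpected_in_candidate": sorted(cand.keys() - prod.keys()),
        "field_mismatches": {},
    }
    for rid in sorted(prod.keys() & cand.keys()):
        names = prod[rid].keys() | cand[rid].keys()
        diff = sorted(n for n in names
                      if not hmac.compare_digest(prod[rid].get(n, ""),
                                                 cand[rid].get(n, "")))
        if diff:
            report["field_mismatches"][rid] = diff
    return report

# Constructed sample outputs (not real data): production vs. system under test.
PROD = [
    {"doc_id": 1001, "item": "PUMP-A", "unit_price": "149.90", "total": "1499.00"},
    {"doc_id": 1002, "item": "VALVE-B", "unit_price": "12.50", "total": "125.00"},
    {"doc_id": 1003, "item": "SEAL-C", "unit_price": "3.10", "total": "31.00"},
]
CAND = [
    {"doc_id": 1001, "item": "PUMP-A", "unit_price": "149.90", "total": "1499.00"},
    {"doc_id": 1002, "item": "VALVE-B", "unit_price": "12.50", "total": "125.01"},
]
KEY = b"constructed-demo-key"  # assumption: in practice a random secret kept by the data owner

def demo():
    """Return the report that would be handed to the development team."""
    return blind_compare(PROD, CAND, "doc_id", KEY)

if __name__ == "__main__":
    print(demo())
```

The key stays with the data owner: unkeyed hashes of low-entropy values such as prices can be recovered by enumeration, so only the report, never the digests, leaves the test environment.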
