There should be proper documentatio

There should be proper documentation on the process of how a Super user id (DDIC, SAP* or Custom Super
user ids created with excessive access and critical transaction) is given to the user. The following guidelines
can help:
1. Whoever requires this kind of access should specify the exact reason why this is needed. He should
also specify the dates for which he needs it.
2. This kind of access should be approved through the approval process in place.
3. Open the Super user id for those many days and send the email with the user id and another email
with the initial password.
4. Make sure Security Audit log is enabled for these user ids.
5. Once the user is done, lock the super user id again and take approval for the functionality that user
has completed using this user id. Security Audit log can help you with this.
6. Make sure you are preserving the documents related to activation of the Super user id and the
subsequent documents of Audit log and its approval.
Note: Auditors might take a sample of the number of times your Super user ids were activated and ask for the various
documents on them.
Tip: Do not use SAP* as your Super user id. Remove SAP_ALL and SAP_NEW Authorization profiles from it and lock
it. Create your own Super user id and activate it on the need and approval and then lock it again after the job is
completed.
Auditors also might like to see how passwords are maintained for System user ids and how they are kept
Secured. Make sure there is process around the System user ids as well.