User Access Rights



  • Hi all,
    How important are user access rights in the development environment? There will be an entitlement review within our application development group. While we do realize the importance of user access rights in the testing and production environments, we thought it would be less of an issue for development.

    Any comments would be highly appreciated.



  • Well, I can only speak for the situation here, but when Segregation of Duties was implemented for change control and user access we have the following constraints:
    1- Initiates change requests
    • should not overlap with 2 and 3
    2- Authorizes and approves change requests
    • should not overlap with 1, 3, and 5
    3- Access to the Development (or non-Production) environment to make appropriate changes
    • should not overlap with 1 - 2, 4 - 5
    4- Performs testing of requested change before moving to Production
    • should not overlap with 3, 5
    5- Ability to promote change requests to Production (Access to Production)
    • should not overlap with 2 - 4
    This is of course very difficult to achieve with a limited staff, but we are doing our best.
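The overlap rules in the post above can be checked mechanically during an entitlement review. The following is an added example, not part of the original post: it assumes the ranges "1 - 2, 4 - 5" and "2 - 4" are inclusive, uses a constructed user list, and goes one step beyond the post by searching for the smallest head count that can cover all five duties without a conflict.

```python
from itertools import combinations, product

# Duties and overlap rules transcribed from the post above (ranges read as inclusive).
DUTIES = {
    1: "Initiates change requests",
    2: "Authorizes and approves change requests",
    3: "Access to Development (non-Production) to make changes",
    4: "Tests the change before it moves to Production",
    5: "Promotes change requests to Production",
}
MUST_NOT_OVERLAP = {1: {2, 3}, 2: {1, 3, 5}, 3: {1, 2, 4, 5}, 4: {3, 5}, 5: {2, 3, 4}}

# Normalise to unordered pairs so the check is the same from either side.
CONFLICTS = {frozenset((a, b)) for a, others in MUST_NOT_OVERLAP.items() for b in others}


def violations(entitlements):
    """Return {user: [(duty_a, duty_b), ...]} for users holding conflicting duties."""
    found = {}
    for user, duties in entitlements.items():
        pairs = [p for p in combinations(sorted(duties), 2) if frozenset(p) in CONFLICTS]
        if pairs:
            found[user] = pairs
    return found


def minimum_staff():
    """Smallest head count that covers all five duties with no conflict, plus one
    such assignment, found by exhaustive search (feasible for five duties)."""
    ids = sorted(DUTIES)
    for n in range(1, len(ids) + 1):
        for owners in product(range(n), repeat=len(ids)):
            groups = [{d for d, o in zip(ids, owners) if o == person} for person in range(n)]
            if all(frozenset(p) not in CONFLICTS for g in groups for p in combinations(g, 2)):
                return n, [sorted(g) for g in groups]


# Constructed sample entitlement export (user -> duty numbers held).
SAMPLE = {"alice": {1, 4}, "bob": {3, 5}, "carol": {2}, "dave": {1, 2, 3}}

if __name__ == "__main__":
    for user, pairs in violations(SAMPLE).items():
        for a, b in pairs:
            print(f"{user}: '{DUTIES[a]}' conflicts with '{DUTIES[b]}'")
    print("minimum staff:", minimum_staff())
```

Under these rules only duties 1 and 4, 1 and 5, and 2 and 4 may be combined, so at least three people are needed to cover the whole change process.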




  • We focused all of our SOX testing of access rights in production and QA testing. Our basic rule is that the development environment does not require the same level of controls as the production or QA environment. Therefore, developers can do whatever they want there.
    We did not have any problems with our external auditors using this approach and it was documented in our policies/procedures.
    If external auditors are looking at access to the development environment then you have to ask ‘how is that an impact to the financials?’ or ‘how is it related to SOX?’ or ‘do they have too much time on their hands?’.



  • Thank you very much for your replies.
    Yes, I do agree with you, ugogirl, but as you mentioned in a previous post, what if some others bring up the concept of ‘least privilege’, where you only provide access to necessary apps/environments? No more and no less.
    Our manager doesn’t seem to be very comfortable with people having access to applications or environments they do not need at all - even if it’s only in the development environment. For example, she mentioned she still has access to an application she used 5 years ago. She hasn’t used the application since, but because she knows she still has access to that environment she could actually use that access right with bad intention if she really wanted to.
    That was her opinion…

