Lenny,

If you have one or two, and no more than two admins, typically I have seen clients do some variation of the following:

1) Document an audit exception, because the point of having two admins is one is a backup to the other. If you segregate one from PROD completely, you lose some of the benefit to fall back.

2) Set up a system to audit access to both the 'root'/'administrator' and 'lawson' accounts, by using 'su' (for UNIX), or some type of OTP (for Windows). Direct 'root'/'administrator' and 'lawson' access is forbidden, and the logs are sent to some other server the admins don't have access to.

Kwane
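An added example, not part of the original post: a sketch of the review that could run on the separate log server for the UNIX case in item 2, flagging direct logins to 'root'/'lawson' and tying each 'su' to the named admin who ran it. The log line shapes (OpenSSH and pam_unix style), the account names `kadmin`/`ladmin`, the host, and the addresses are constructed assumptions; real formats differ between UNIX variants.

```python
import re

# Privileged accounts named in the post (UNIX side).
PRIVILEGED = {"root", "lawson"}

# Assumed line shapes: OpenSSH "Accepted ..." and pam_unix su session lines.
SSH_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SU_OPEN = re.compile(
    r"su(?:\[\d+\])?: pam_unix\(su(?:-l)?:session\): session opened for user "
    r"(?P<target>[^\s(]+)(?:\(uid=\d+\))? by (?P<actor>[^\s(]*)\(uid=(?P<uid>\d+)\)"
)

def review(lines):
    """Return (violations, attributed) for forwarded auth log lines."""
    violations, attributed = [], []
    for line in lines:
        m = SSH_LOGIN.search(line)
        if m:
            if m["user"] in PRIVILEGED:  # direct access is forbidden
                violations.append(("direct-login", m["user"], m["src"]))
            continue
        m = SU_OPEN.search(line)
        if m and m["target"] in PRIVILEGED:
            # pam_unix may log an empty name; fall back to the numeric uid.
            actor = m["actor"] or f"uid={m['uid']}"
            if actor in PRIVILEGED:
                # Assumption of this example: su from a shared account is
                # flagged because the line itself names no individual admin.
                violations.append(("shared-account-su", m["target"], actor))
            else:
                attributed.append((actor, m["target"]))
    return violations, attributed

# Constructed sample lines, as they might arrive on the log server.
SAMPLE = [
    "Mar  3 09:14:02 prod1 sshd[4121]: Accepted password for kadmin from 10.0.0.21 port 50022 ssh2",
    "Mar  3 09:14:30 prod1 su: pam_unix(su:session): session opened for user lawson by kadmin(uid=1001)",
    "Mar  3 11:02:11 prod1 sshd[4388]: Accepted publickey for root from 10.0.0.22 port 50110 ssh2",
    "Mar  3 11:05:47 prod1 su[4410]: pam_unix(su-l:session): session opened for user root(uid=0) by lawson(uid=1200)",
    "Mar  3 11:09:00 prod1 sshd[4450]: Accepted password for ladmin from 10.0.0.23 port 50200 ssh2",
]

if __name__ == "__main__":
    bad, ok = review(SAMPLE)
    for v in bad:
        print("VIOLATION", *v)
    for actor, target in ok:
        print("OK", actor, "->", target)
```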