Who owns LS9 Security Maintenance

Brian: What we do here at Genesis Health System is IT handles it. We have an automated process for setting up users (new or re hire) with Employee Self Service... but any other roles has first got to come from the hiring manager. They fill out an access request form, it gets forwarded to IT. From there, if the user needs core access, or etc, me and/or a co-worker deal with it.
For simple group/role/name changes, I've created a SecuritySubAdmin role which I've granted to a couple of business analysts --- but they are still in the IT department.

All security changes happen in IT here at Moffitt. We do not let security out to the end users. It does two things for us, 1.) we can monitor the changes and react when issues arise. Without that, changes would happen in the business area and you are trying to troubleshott an issue without know the change made to security. 2.) it protects the business area during audit. The separation of duties is key to being successful here. If you allow the business area to make changes to security and that opens up the system to the possability of fruad, etc. then auditors will want to close that loop. I would run this discussion by your internal or external auditors before turning over the system to the business area to protect all party's from both perspectives.

In our IT orginaization we have a group who handles security provisioning (setting up users) and a group that handles Lawson application support and administration (my team). My team maintained the Roles and Classes, the provisoning team assigns them to people. Audit reports are run periodically to verify that this separation is maintained.

Brian: Yes, our security is handled by Super users within other depts and generally by suite, going on 3+ years & we have clean Audits. We have ~ 5,000 employees. The Super user is entirely responsible for their suites design, updates, upgrade testing, new users & troubleshooting existing user issues. I report to the Accounting dept & manage GL, CB, AC & AM. I also cross manage AP. Additionally we have Materials, HR & Payroll. Each suite has a related Lawson IT support person to assist with security or any Lawson issue. This was a big change for our organization given we've been on Lawson 11 years & prior to LSF9, our IT dept handled all Lawson security. Similar to Greg's process, the manager sends an online form to our IT dept but then if Lawson Financial, the request is sent to me. IT sets up the user, I do everything else including creating new roles, security classes, conditional rules & assigning to users. Only if I'm unable to fill the request do I invoke help from our Lawson IT support team however I’m either then updating the system upon their advice or they update & I test it (no changes are made without my knowledge). Procedurally, if I setup a new role or class, I request IT to "secure" it to my view only (each Super user can only see their related roles, classes). Thus I cannot in example give myself HR access.