SaaS Third Party Support/Suppliers Access

Last Modified: 2018-06-12
I have asked a similar question recently but I need a little clarification.

When you have an ERP system that is hosted and supported by the ERP supplier, what is best practice for controlling their access?

I fully appreciate that they need access and this is all part of a SaaS implementation, I just don’t think the supplier should be saying, we have highly privileged access to your system whenever we want because that’s what you signed up for. Surely access can be controlled in some way to give our company assurance that data is protected from unauthorised access by the supplier whilst not preventing them being able to effectively support the system.

There are two ways that access can be gained, 1) Directly to the database 2) through the application.
1) As a company we don’t have access to the database, so I can understand they will need access to this in order to provide support. But is access given to 100+ techies in the supplier’s business or just a handful of people who are managing our support contract?
My understanding is that direct access to the database isn’t that easy in terms of just having a browse through our data and committing fraudulent transactions.

2) I understand they will need some access and no doubt highly provided access to the application, but realistically does this need to be enabled all the time? If we have an issue, but the system is still live and working and we just need some assistance, surely we would have more control if their accounts are disabled by default, then in this scenario we can enable them until their work is complete. However I’m not sure how this works if the system is down and we can’t access it from our location. If their accounts in the application are disabled, can they still support the system in this type of event?

Like I said, I understand they need access but I think this needs to be balanced with securing our data from free-for-all access from the supplier and still being able to effectively support the system.

From the previous question I know there are specific products that can be used like DB Vault for Oracle, but I think this is more about accounts and whether these remain enabled or can be disabled. Or any other way just to give some control over the access by the supplier.