Ownership should sit with identity, ERP security, and business process teams together, because no single group can see all the implications. Security teams need the entitlement data, ERP teams understand the configuration model, and process owners validate whether access still matches operational need. That shared ownership is what makes governance defensible.
Why This Matters for Security Teams
JD Edwards access risk becomes hard to own once roles, org structures, and business rules are changing faster than the control model can keep up. The issue is not just who has access today, but who is accountable when inherited access, temporary assignments, and workflow exceptions drift away from the real operating model. That is why identity, ERP security, and process ownership need to be treated as one governance problem, not three separate tickets.
In practice, the risk is amplified when teams rely on static role reviews that look complete on paper but miss how access is actually consumed in the ERP. NHI Management Group’s research on broader identity exposure shows why this matters: the Ultimate Guide to NHIs reports that only 5.7% of organisations have full visibility into their service accounts, a useful indicator of how often ownership gaps hide in plain sight. That same visibility problem appears in ERP governance when structure changes outpace review cycles.
Security teams need the entitlement evidence, ERP teams need the configuration context, and business owners need to confirm whether access still matches the actual process. The control objective is defensible ownership, not just a cleaner audit trail. In practice, many security teams discover JD Edwards access drift only after a process exception, merger, or reorganisation has already made the old approval chain obsolete.
How It Works in Practice
The practical answer is a shared ownership model with clear decision rights. Identity teams should own the risk methodology, the reporting layer, and the review cadence. ERP security teams should own the JD Edwards role model, technical entitlements, and segregation-of-duties logic. Process owners should own whether access is still operationally justified, especially where job functions are reorganised, duties are split, or plants, regions, or finance groups change their operating boundaries.
That structure works best when access reviews are tied to business events, not just calendar intervals. For example, a role may remain technically valid while the underlying process has changed, so ownership should trigger review on events such as org redesign, module reconfiguration, user transfer, or shared service consolidation. This is consistent with the risk-based direction of the NIST Cybersecurity Framework 2.0, which emphasises governance, identity, and ongoing risk management rather than one-time compliance checks.
- Define one named risk owner for the control, even if execution is shared.
- Map JD Edwards roles to business processes, not just job titles.
- Review inherited access after every structural change in finance, supply chain, or operations.
- Track exceptions separately so temporary access does not become standing access.
- Document who approves, who validates, and who remediates when access no longer fits the process.
This same ownership model aligns with the broader access-risk themes described in Top 10 NHI Issues, especially where entitlement sprawl and unclear accountability turn into latent control failures. These controls tend to break down when JD Edwards is customised heavily across multiple business units because role meaning changes faster than the governance process can be updated.
Common Variations and Edge Cases
Tighter ownership often increases administrative overhead, so organisations have to balance clearer accountability against the cost of more frequent review and coordination. That tradeoff is unavoidable in complex JD Edwards environments, especially where access rules are shaped by local operating practices rather than a single global template.
There is no universal standard for this yet, but current guidance suggests treating ownership differently for stable and volatile access structures. Stable baseline roles can be governed through periodic certification, while volatile or exception-driven access should use event-triggered review and stronger remediation SLAs. Where access changes frequently, ownership should follow the business process that creates the entitlement, not the team that merely administers the account.
Edge cases matter most during mergers, shared services transitions, and regional rollouts. In those environments, a single entitlement may support several processes, which makes “one owner” too simple unless the organisation defines a primary risk owner and secondary approvers. The practical test is whether someone can answer three questions at any time: who approved the access, which process justified it, and who must remove it when the process changes. In many enterprises, that answer only becomes visible after an audit finding or a failed segregation-of-duties review, not during the original design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Clear ownership is essential when identities and entitlements drift across changing access structures. |
| NIST CSF 2.0 | GV.RM-06 | Governance and risk ownership fit this question about accountability across security and business teams. |
| CSA MAESTRO | GOV-01 | Shared governance is required when access decisions span identity, platform, and business process owners. |
Assign a named owner for each non-human or system access pathway and review it whenever the process model changes.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 25, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
