Overcome a Top Auditing Issue with Superuser Privilege Management

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • May 26, 2009
Procedures for granting emergency access to SAP systems often raise concerns during a system audit. SAP BusinessObjects Access Control can provide an effective solution. The Superuser Privilege Management (SPM) capability manages access to emergency users in a secure and auditable manner. See how it works in the SAP back end and the different reporting measures you can take.
Key Concept

Superuser Privilege Management (SPM) is a product capability of SAP BusinessObjects Access Control 5.3. It consists of an ABAP component shipped with Real-Time Agents (RTAs) that are installed as add-ons in each one of your SAP back-end systems. It also is shipped with a Java front-end reporting component that is installed with the SAP BusinessObjects Access Control application on an SAP NetWeaver 7.0 Application Server Java. For risk detection and provisioning of super user access, SPM runs highly integrated with the Risk Analysis and Remediation (RAR) and Compliant User Provisioning (CUP) capabilities. SPM was formerly called Firefighter.

Emergency access to SAP systems for troubleshooting or problem-fixing purposes often requires critical access permissions that can’t be granted to end users on a permanent basis because they would represent a high risk to overall system security. For this reason, in many cases companies create additional users with extensive access privileges and keep them locked until emergency access is needed to resolve an exceptional situation. Then, an emergency user is unlocked and its password is made available to a specialist who undertakes the required actions in the system.

The process of requesting, approving, granting, and documenting access to an emergency user (and its password) happens completely outside the affected SAP system through different means (e.g., ticketing systems, email, and phone calls). Auditing companies often complain about this practice and demand better control, complete audit logs, and more accountability in this area. Consequently, management procedures for granting emergency access are a typical pain point during an SAP audit.

As one of the four main product capabilities of SAP BusinessObjects Access Control 5.3, Superuser Privilege Management (SPM) provides an audit-proof solution for the management of emergency access to your SAP back-end systems and helps with risk remediation in the context of Sarbanes-Oxley compliance. A particular advantage of SPM is that emergency users are made available up-front to a selected number of end users who could potentially require emergency access. This eliminates time-consuming approval and password transmission procedures during emergency situations. Security and auditability, however, are maintained because the responsible system owners are notified immediately upon activation of an emergency user. All transaction details are recorded in depth, establishing auditing accountability.

SPM runs in a highly integrated fashion with Risk Analysis and Remediation (RAR) and Compliant User Provisioning (CUP), which are both also capabilities of SAP BusinessObjects Access Control (Figure 1). For example, based on best practice or customized segregation of duties (SoD) rules, integration with RAR enables SPM to generate SoD reports listing conflicting transactions executed by emergency users. CUP provides approval workflows and provisioning features for granting up-front emergency user access to end users in a controlled manner, providing complete audit trails.

Frank Rambo, PhD

Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.