Turn Emergency Access Management into an Auditable, Centralized Process for Your SAP Landscape

  • by Frank Rambo, PhD, Director, Customer Solution Adoption (CSA), EMEA
  • November 7, 2011
SAP BusinessObjects Access Control 10.0 centralizes what has traditionally been the disparate process of administering exception-based access. In the past, administrators maintained firefighter, owner, and supervisor assignments locally in each system, and business users initiated firefighter sessions in these systems. In version 10.0, however, firefighter sessions are maintained and initiated from the SAP BusinessObjects GRC platform. Additionally, a new workflow provides an auditable process for ensuring that supervisors review the new consolidated log reports following firefighter activity. Examine how log reports are augmented to provide more complete tracking of firefighter activity. Learn how to use new features available with version 10.0 that add significant value to your emergency access management process.
Key Concept
The product capability emergency access management included in SAP BusinessObjects Access Control 10.0 had several different names in previous releases. In version 5.3 it was called superuser privilege management, and before that, firefighter, a version that is still popular. Its main purpose is to separate critical access privileges from your business users and assign them to firefighter IDs. Business users are then granted access to one or several firefighter IDs so that they can initiate a session and work in their user contexts (e.g., access privileges).

Emergency access management is the process of granting the temporary critical access privileges in IT systems that are required to execute an exceptional task, and of reviewing the system activities performed by the privileged users during that time. This process is a frequent target during system audits as it typically reveals vulnerabilities in the following areas:

  • An all-or-nothing approach to the design of emergency access privileges, so that they far exceed the privileges required to tackle a given exceptional situation.
  • Business owners are hardly involved in the approval and review of emergency access.
  • The review of system activities executed with emergency access privileges is often not an auditable process.

Additionally, a tendency to grant business users excessive access privileges to tackle all kinds of rather exceptional situations, such as period-end closing activities or master data maintenance, often leads to segregation of duties (SoD) issues throughout their access privileges.

The centralized emergency access management capability of SAP BusinessObjects Access Control 10.0 addresses these vulnerabilities and has been significantly improved in the current release. Critical access privileges for different purposes are assigned locally in your SAP systems to a set of firefighter IDs, each one owned and supervised by individual owners and controllers in the responsible business departments. Business users can submit access requests through a workflow to obtain access to these firefighter IDs. The responsible owners approve the requests, which triggers automated provisioning. All maintenance of the assignments between firefighter IDs, owners, controllers, and firefighters (that is, business users with access to firefighter IDs) is done centrally in SAP BusinessObjects Access Control.
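
The following is an added example, not code from the article or from SAP. It reconciles firefighter sessions against the owner, controller, and firefighter assignments described above. All user names, firefighter IDs, field names, and the validity dates are constructed assumptions and do not reflect the product's data model.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not the SAP data model.
FIREFIGHTER_IDS = {
    "FF_FIN_CLOSE": {"owner": "OWNER_A", "controller": "CTRL_A"},
    "FF_MASTERDATA": {"owner": "OWNER_B", "controller": "CTRL_B"},
}
# (user, firefighter ID) -> (approver, valid_from, valid_to); validity is assumed.
ASSIGNMENTS = {
    ("JSMITH", "FF_FIN_CLOSE"): ("OWNER_A", date(2011, 10, 1), date(2011, 10, 31)),
    ("MLEE", "FF_MASTERDATA"): ("OWNER_A", date(2011, 10, 1), date(2011, 12, 31)),
}
# One row per firefighter session, with whoever signed off the log report.
SESSIONS = [
    {"id": 1, "user": "JSMITH", "ffid": "FF_FIN_CLOSE",
     "day": date(2011, 10, 28), "reviewed_by": "CTRL_A"},
    {"id": 2, "user": "JSMITH", "ffid": "FF_FIN_CLOSE",
     "day": date(2011, 11, 3), "reviewed_by": "CTRL_A"},
    {"id": 3, "user": "MLEE", "ffid": "FF_MASTERDATA",
     "day": date(2011, 11, 2), "reviewed_by": None},
    {"id": 4, "user": "JSMITH", "ffid": "FF_FIN_CLOSE",
     "day": date(2011, 10, 29), "reviewed_by": "JSMITH"},
]

def audit(ffids, assignments, sessions):
    """Return (session id, finding) pairs for sessions that break the process."""
    findings = []
    for s in sessions:
        ff = ffids.get(s["ffid"])
        if ff is None:
            findings.append((s["id"], "unknown firefighter ID"))
            continue
        grant = assignments.get((s["user"], s["ffid"]))
        if grant is None:
            findings.append((s["id"], "no approved assignment"))
        else:
            approver, start, end = grant
            if approver != ff["owner"]:  # only the ID's owner may approve
                findings.append((s["id"], "approved by non-owner"))
            if not start <= s["day"] <= end:  # access is temporary
                findings.append((s["id"], "outside validity period"))
        if s["reviewed_by"] is None:
            findings.append((s["id"], "log not reviewed"))
        elif s["reviewed_by"] != ff["controller"]:  # includes self-review
            findings.append((s["id"], "reviewed by non-controller"))
    return findings

if __name__ == "__main__":
    for finding in audit(FIREFIGHTER_IDS, ASSIGNMENTS, SESSIONS):
        print(finding)
```

Session 4 shows why the controller check matters: a firefighter who signs off their own log report leaves a review on record that is not an independent one.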

Frank Rambo, PhD

Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
