In firefighting, users are given a higher level of access in SAP, either to fix something or perform a task that goes outside their normal duties. Normally, SAP user provisioning and role management restricts users to their job tasks. If you’re not supposed to be tinkering with something inside SAP, then the system won’t let you tinker.
The system also logs user activities. If a user, for example, manages to take data they shouldn’t use or alter transaction logs, the system will (at least in theory) keep track of their actions. However, without the right emergency access management strategies, firefighters can cause serious harm.
SAP Firefighters Can Cause a Lot of Damage
When something breaks, someone from your SAP Basis support team needs to be able to go in and fix it, which requires a high level of privileges — i.e. the ability to perform actions they wouldn’t normally be able to perform. For example, a firefighter might be assigned to shut down access to part of the system to protect sensitive data during a breach, or delete and reinstall a corrupted application.
There are two major problems. First of all, a generic firefighter ID is like a uniform — it can only be “worn” by one user at a time, but multiple people may have access to it. If someone uses that ID improperly, it can be very difficult to figure out who was wearing it at the time. This problem is made more serious by the firefighter’s level of access. A knowledgeable firefighter could steal or alter confidential information, or even funnel money out of the organization, then could then alter logs to cover their tracks.
Not only does this pose a risk of fraud, but it also complicates compliance. Even if your firefighter did nothing wrong, it can be very hard to prove that fact when the firefighter had the ability to alter logs. SAP GRC SOX compliance requires executives to certify the accuracy of financial records — something that firefighting makes it very hard to do — unless you have emergency access management.
ControlPanelGRC® Emergency Access Management Provides Safe, Compliant Firefighting
SAP emergency access management provides accountability and oversight for firefighters, ensuring that they won’t burn you on your audit. Rather than using generic logins, emergency access management tracks firefighters as users, ensuring that no one has the cloak of anonymity.
ControlPanelGRC emergency access software also provides dramatically improved capture. The software logs access and actions taken by users, and notifies appropriate parties of everything, creating a complete record of all the firefighter’s actions. FIrefighters are also required to document their reasons for using emergency access management, which are likewise routed to a manager.
Not only does this improve oversight, but it also eliminates future compliance headaches. Combined with other ControlPanelGRC SAP Access Control features, this provides complete visibility into your system — both during day-to-day activities and in emergencies.
Contact us to learn more about how ControlPanelGRC can keep your business safe and compliant.