You get a call at 2AM, informing you that your SAP ERP system has gone down due to unexplained software conflicts. A developer is available to investigate the problem, if you’ll allow her emergency access to the production system. Should you grant the access or not? Yes. That’s an easy call. There is even a standard process for doing this called SAP Emergency Access Management (SAP EAM). However, giving a developer access to a production system potentially exposes you to risks in terms of both security and compliance. Solving the problem requires placing SAP EAM within the purview of your Governance, Risk and Compliance (GRC) programs. We call this SAP GRC EAM.
What is SAP GRC EAM?
To understand the potential risks of SAP EAM in the context of GRC, it is first necessary to get a basic sense of how EAM works. SAP EAM is a set of features, mostly involving SAP Access Controls, that enables end users to step outside their regular roles in order to perform tasks required to resolve an emergency situation. SAP EAM is designed to assign the emergency access in a controlled and auditable process. For instance, SAP EAM logs all of the activities the user does while assigned the temporary ID. A number of workflows and functions flow from the role assignment and tracking process.
SAP GRC EAM Tcode
There are two basic ways to assign emergency access, also known as an SAP “firefighter” session. One is by user ID, creating what is known as a Firefighter ID or FFID. The other is a Firefighter Role or FFRole. In our view, the FFID approach exposes you to greater risk. This is because FFIDs link with specific roles, each with its own assigned tcodes. If a user wants to misuse the role (i.e. commit fraud), then he can execute tcodes from his own user ID and then from the FFID. Only extremely thorough monitoring would catch this person. In contrast, creating an FFRole with the same tcodes creates a scenario where every action taken by the user will appear with their user ID. This makes it easier to detect misuse of the emergency credential.
SAP GRC Firefighter Workflow
It is necessary to establish a workflow for assigning Firefighter credentials. Someone has to serve as an EAM Owner in the IT organization. This person, who should be a trusted individual, receives EAM requests. In a typical workflow, the EAM Owner is the first of two approvers of the EAM request. If he or she rejects the EAM request then that is the end of the workflow. However, if the EAM owner approves the request it should flow to a security approver. This person can also approve or reject the request.
SAP GRC Firefighter Log Report
SAP EAM generates a log of emergency access activity, known as the SAP GRC Firefighter Controller log. It exists inside SAP Access Controls. The log contains information on EAM requests and approvals as well as Firefighter sessions. It consists of separate logs for transactions (STAD), changes, debug and replace activities, OS commands and a security audit log. The system creates an SAP GRC Firefighter log report. The problem (one of several) is that someone has to analyze the report to make any sense of what’s going on.
Problems with Using SAP’s Built-In EAM Functions
Use of native SAP EAM is problematic because:
- The Firefighter assignment workflow is manual. This is inefficient.
- People have to make decisions, perhaps without all the information they need.
- It’s time-consuming. People have to conduct log analysis to detect potential security issues.
- Security risks may escape detection if people aren’t diligently monitoring.
- The process may inadvertently create violations of Segregation of Duties (SoD) controls, which are required for compliance with regulations like Sarbanes Oxley (SOX).
In general, companies have complied with SOX SoD requirements by reducing access to production systems. This conflicts with emergency access requirements. Using the manual SAP EAM process means the user who had the Firefighter role needs to contact security and get his or her role removed after completing whatever task was required. This creates a burden on security personnel and a high likelihood of never even occurring—in effective making temporary access permanently open and prone to misuse.
The Value of Automating SAP GRC EAM
Automation offers a way to balance emergency access needs with security and compliance policies. Our ControlPanelGRC Emergency Access Manager is an example of this use case. It automatically provisions pre-approved emergency access, thus mitigating risk through a workflow that tracks and documents user activities.
The automated process also eliminates manual security workflows for issuing emergency access credentials. This frees security personnel from this time-consuming obligation. And, by giving selected users immediate authorizations, it is possible to grant access that stays within SoD controls.
The solution automatically logs and tracks every activity undertaken by the user during an SAP firecall session. It creates an easily accessible audit trail and detailed documentation after the emergency session. In this way, Emergency Access Manager puts your organization in a state of continuous audit readiness. It cuts down on audit preparation work.
If you want to learn more about Emergency Access Manager and how it can help you be prepared for emergency access without compromising on security or compliance, reach out to our experts today.