Even the best-run SAP environment will encounter emergencies that require a fast, agile response to put out fires that can start anywhere in the organization. Situations such as fixing data or code problems, security issues, backup support for smaller departments, or granting access to outside SAP support personnel or consultants require providing users with special Firefighter IDs that enable access they would not normally have as part of their job.
Emergency Access Management – Straightforward and Complex
The process of defining emergency situations and the approval needed to give access in tight “fire call” situations is the foundation of an organization’s Emergency Access Management (EAM) plan, which is under the SAP Governance, Risk and Compliance (GRC) umbrella. While EAM may seem straightforward, it is nonetheless complex, and it opens the door to potential Segregation of Duties (SoD) conflicts and potential audit problems, such as giving an employee purchasing access to temporarily approve and pay purchase orders, while the approver is on vacation, to keep transactions flowing.
A well-run SAP GRC EAM process must clearly define several types of access scenarios. Different areas within the organization will require different SAP access, which increases the complexity of assigning, maintaining and managing SAP GRC Firefighter IDs. Scenarios include exception-based access for highly auditable items, standard emergency support for individual job areas or functions, and critical emergency support for super-user IDs covering the entire SAP system.
Once the scenarios are defined, several attributes must be evaluated, such as which specific users within the organization require one of the above scenarios. Process flows must be developed to address scenarios where pre-approved IDs are established or where emergency access requires approval. Developing a plan for auditing is a critical step in the EAM process. Many organizations stop defining their processes once they have achieved their main goal of granting SAP users their enhanced authorizations and end up with audit deficiencies because they missed critical steps in defining their EAM approach.
It is imperative to periodically reaffirm the authorizations available in your EAM and review the users who can activate each emergency access scenario. People frequently move throughout the organization or leave. It is also important to review the owners who are approving and reviewing emergency access logs, as well as users with a high volume and frequency of emergency access use. These reviews must be done in a timely fashion, ideally as close to the access generation as possible. The more time that elapses between log generation and review, the more the review becomes a rubber stamp and a serious audit problem. This complexity also puts a heavy burden on an organization’s SAP Security and Basis resources.
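The review controls described above (timely log review, reviewer independence, a stated reason per fire call, and attention to high-volume users) can be checked mechanically over session log records. The following is an added example, not code from ControlPanelGRC or SAP; the record fields, the thresholds and the sample sessions are assumptions constructed for illustration.

```python
# Added example (not ControlPanelGRC's or SAP's code): audit checks over
# Firefighter session log records. Field names, thresholds and the sample
# sessions below are assumptions constructed for illustration.
from collections import Counter
from datetime import datetime, timedelta

MAX_REVIEW_LAG = timedelta(days=7)  # assumed policy: review within 7 days of log generation
HIGH_VOLUME = 2                     # assumed policy: more than 2 sessions per user gets scrutiny

# Constructed sample fire call sessions (reviewed_at None = log not yet reviewed)
SESSIONS = [
    {"ff_id": "FF_FIN01", "user": "jdoe", "reviewer": "mbrown", "started": "2024-03-01T09:00",
     "reviewed_at": "2024-03-02T10:00", "reason": "Unlock posting period for month-end close"},
    {"ff_id": "FF_FIN01", "user": "jdoe", "reviewer": "mbrown", "started": "2024-03-03T11:00",
     "reviewed_at": "2024-03-20T08:00", "reason": "Reverse duplicate vendor invoice"},
    {"ff_id": "FF_BASIS", "user": "asmith", "reviewer": "asmith", "started": "2024-03-05T14:00",
     "reviewed_at": "2024-03-05T15:00", "reason": "Transport import failure"},
    {"ff_id": "FF_FIN01", "user": "jdoe", "reviewer": None, "started": "2024-03-06T09:30",
     "reviewed_at": None, "reason": ""},
]

def _ts(value):
    """Parse an ISO-8601 timestamp string; None stays None."""
    return datetime.fromisoformat(value) if value else None

def review_findings(sessions, as_of, max_lag=MAX_REVIEW_LAG, high_volume=HIGH_VOLUME):
    """Return (ff_id, user, finding) tuples an EAM owner should act on as of `as_of`."""
    now = _ts(as_of)
    findings = []
    for s in sessions:
        started, reviewed = _ts(s["started"]), _ts(s["reviewed_at"])
        if not s["reason"].strip():
            findings.append((s["ff_id"], s["user"], "missing reason for fire call"))
        if reviewed is None:
            if now - started > max_lag:
                findings.append((s["ff_id"], s["user"], "log unreviewed past deadline"))
        elif reviewed - started > max_lag:
            findings.append((s["ff_id"], s["user"], "late review (rubber-stamp risk)"))
        if s["reviewer"] and s["reviewer"] == s["user"]:
            findings.append((s["ff_id"], s["user"], "self-review: user is own log reviewer"))
    # Users with a high volume of emergency access deserve a closer look
    for user, n in Counter(s["user"] for s in sessions).items():
        if n > high_volume:
            findings.append(("*", user, f"high-volume emergency access: {n} sessions"))
    return findings

if __name__ == "__main__":
    for f in review_findings(SESSIONS, "2024-03-20T00:00"):
        print(*f, sep=" | ")
```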
Automating EAM – Choosing the Right Solution
EAM, while complex, can be automated using a third-party solution. The right automation tool can alleviate the potential for human error and, ultimately, free up SAP Security and Basis resources to perform more high-value activities within the organization. A well-designed EAM automation tool should install quickly, be easy to use, provide a high degree of flexibility and be auditable.
Symmetry’s ControlPanelGRC® delivers an EAM solution that cost-effectively handles the complexity of emergency access scenarios and delivers significant benefit to an organization. EAM is part of ControlPanelGRC®’s award-winning Access Controls Suite. It enables the tracking of all users’ SAP fire call activities and ensures an “always audit ready” state by logging and tracking every activity each user performs during an SAP fire call session.
ControlPanelGRC®’s EAM solution can be deployed in under a day. Its capabilities provide peace of mind for auditors and the flexibility that lets fast-growing and dynamic organizations safely address SAP GRC EAM access scenarios.
ControlPanelGRC® gives users multiple options for pre-approved authorizations or authorizations requiring approval. It also mitigates risk with a workflow that tracks changes by individual user instead of by a generic log-on. Each fire call session is carefully tracked. Users are required to provide a detailed description of their reason for activating a fire call session, during which EAM automatically captures the actions they took. This detailed documentation is automatically sent to a manager for review.
Automation Delivers Important Benefits and Adds Value
ControlPanelGRC®’s EAM module helps resolve SoD conflicts by giving emergency access to pre-approved users and attributing each session’s logged actions to the individual user. It also eliminates manual security methods for issuing authorization in SAP, such as adding and then removing a role or profile. Pre-approved users can be automatically provisioned with temporary access. ControlPanelGRC® EAM also reduces the time and cost of audit preparation. An easily accessible audit trail helps organizations maintain a state of continuous audit readiness. Each SAP fire call session is tracked and reviewed with detailed documentation immediately after the event.
Most organizations using SAP as a business-critical application will have a requirement for some form of emergency access. Having an EAM process that satisfies business needs and is compliant and easily auditable adds both flexibility and value in today’s complex business environment.
ControlPanelGRC®’s EAM solution ensures that emergency access becomes a beneficial asset to the business. Your auditors and your SAP security and Basis teams can rest easy knowing that this vital function is working day in and day out to give your organization the security and flexibility it needs to address any SAP emergency access scenario.