Even the best-run SAP environment will encounter emergencies that require a fast, agile response to put out fires that can start anywhere in the organisation. Situations such as fixing data or code problems, security issues, back-up support for smaller departments, or granting access to outside SAP support personnel or consultants require providing users with special Firefighter IDs that enable access they would not normally have as part of their job.
Emergency Access Management – Straightforward and complex
The process of defining emergency situations and the approval needed to give access in tight “fire call” situations is the foundation of an organisation’s Emergency Access Management (EAM) plan, which sits under the SAP Governance, Risk and Compliance (GRC) umbrella. While EAM may seem straightforward, it is nonetheless complex, and it opens the door to potential Segregation of Duties (SoD) conflicts and audit problems, such as temporarily giving an employee who already has purchasing access the ability to approve and pay purchase orders while the approver is on leave, in order to keep transactions flowing.
A well-run SAP GRC EAM process must clearly define several types of access scenarios. Different areas within the organisation will require different SAP access, which increases the complexity of assigning, maintaining and managing SAP GRC Firefighter IDs. Scenarios include exception-based access for highly auditable items, standard emergency support for individual job areas or functions, and critical emergency support for super-user IDs with access to the entire SAP system.
Once the scenarios are defined, several attributes must be evaluated, such as which specific users within the organisation require one of the above scenarios. Process flows must be developed to address scenarios where pre-approved IDs are established or where emergency access requires approval. Developing a plan for auditing is a critical step in the EAM process. Many organisations stop defining their processes once they have achieved their main goal of granting SAP users their enhanced authorisations, and end up with audit deficiencies because they missed critical steps in defining their EAM approach.
It is imperative to periodically reaffirm the authorisations available in your EAM and review the users who can activate each emergency access scenario, because people frequently move throughout the organisation or leave. It is also important to review the owners who approve and review emergency access logs, as well as users with a high volume and frequency of emergency access use. These reviews must be done in a timely fashion, ideally as close to the access generation as possible. The more time that elapses between log generation and review, the more the review becomes a rubber stamp and a serious audit problem. This complexity also puts a heavy burden on an organisation’s SAP Security and Basis resources.
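As an added example (not part of this article or of any Symmetry product), the review checks described above run over a few constructed fire call session records in Python: the field names, Firefighter ID names, the 48-hour review SLA and the 30-day volume window are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class FireCallSession:
    session_id: str
    firefighter_id: str              # hypothetical Firefighter ID name
    user: str                        # named employee who checked the ID out
    owner: str                       # controller who must review the session log
    reason: str                      # justification entered at check-out
    started: datetime
    log_reviewed: Optional[datetime] # None = review still outstanding

# Constructed sample sessions, not real SAP data; all timestamps are UTC.
SESSIONS = [
    FireCallSession("S1", "FF_FIN_01", "alice", "owner.fin", "Fix posting error",
                    datetime(2024, 3, 2, 9), datetime(2024, 3, 2, 15)),
    FireCallSession("S2", "FF_FIN_01", "alice", "owner.fin", "Month-end close",
                    datetime(2024, 3, 10, 9), None),
    FireCallSession("S3", "FF_FIN_01", "alice", "owner.fin", "Vendor master fix",
                    datetime(2024, 3, 20, 9), datetime(2024, 3, 21, 8)),
    FireCallSession("S4", "FF_BASIS_01", "bob", "owner.basis", "Transport import",
                    datetime(2024, 3, 25, 10), datetime(2024, 3, 29, 10)),
    FireCallSession("S5", "FF_HR_01", "carol", "owner.hr", "   ",
                    datetime(2024, 2, 15, 11), datetime(2024, 2, 15, 16)),
]
NOW = datetime(2024, 3, 31, 12)   # assumed "current time" for the checks

def review_lag_hours(s: FireCallSession, now: datetime = NOW) -> float:
    """Hours between session start and log review (or 'now' if still unreviewed)."""
    return ((s.log_reviewed or now) - s.started).total_seconds() / 3600

def overdue_reviews(sessions: List[FireCallSession], sla_hours: float = 48,
                    now: datetime = NOW) -> List[str]:
    """Sessions whose log was not reviewed within the SLA: the rubber-stamp risk."""
    return [s.session_id for s in sessions if review_lag_hours(s, now) > sla_hours]

def high_volume_users(sessions, window_days=30, threshold=3, now=NOW) -> List[str]:
    """Users who activated a fire call at least 'threshold' times in the window."""
    since = now - timedelta(days=window_days)
    counts = Counter(s.user for s in sessions if s.started >= since)
    return sorted(u for u, n in counts.items() if n >= threshold)

def missing_reason(sessions) -> List[str]:
    """Sessions checked out without a usable justification text."""
    return [s.session_id for s in sessions if not s.reason.strip()]
```

Running the three checks over the sample flags S2 (never reviewed) and S4 (reviewed four days later) as overdue, alice as a high-volume user, and S5 as lacking a reason.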
Automating EAM – Choosing the right solution
EAM, while complex, can be automated using a third-party solution. The right automation tool can reduce the potential for human error and, ultimately, free up SAP Security and Basis resources to perform higher-value activities within the organisation. A well-designed EAM automation tool should install quickly, be easy to use, provide a high degree of flexibility and be auditable.
Symmetry’s ControlPanelGRC® delivers an EAM solution that cost-effectively handles the complexity of emergency access scenarios and brings significant benefit to an organisation. EAM is part of ControlPanelGRC®’s award-winning Access Controls Suite. It enables the tracking of all users’ SAP fire call activities and ensures an “always audit-ready” state by logging and tracking every activity each user performs during an SAP fire call session.
ControlPanelGRC®’s EAM solution can be deployed in under a day. Its capabilities provide peace of mind for auditors and the needed flexibility that lets fast-growing and dynamic organisations safely address SAP GRC EAM access scenarios.
ControlPanelGRC® gives users multiple options for pre-approved authorisations or authorisations requiring approval. It also mitigates risk with a workflow that tracks changes by named user instead of by a generic log-on. Each fire call session is carefully tracked. Users are required to provide a detailed description of their reason for activating a fire call session, during which EAM automatically captures the actions they took. This detailed documentation is automatically sent to a manager for review.
Automation delivers important benefits and adds value
ControlPanelGRC®’s EAM module helps resolve SoD conflicts by giving emergency access to pre-approved users and attributing each session’s logged actions to an individual user. It also eliminates manual security methods for issuing authorisation in SAP, such as adding and then removing a role or profile. Pre-approved users can be automatically provisioned with temporary access. ControlPanelGRC® EAM also reduces the time and cost of audit preparation: an easily accessible audit trail helps organisations maintain a state of continuous audit-readiness, and each SAP fire call session is tracked and reviewed with detailed documentation immediately after the event.
The Symmetry difference
Most organisations using SAP as a business-critical application will have a requirement for some form of emergency access. Having an EAM process that satisfies business needs and is compliant and easily auditable adds both flexibility and value in today’s complex business environment.
Symmetry’s ControlPanelGRC® EAM solution ensures that emergency access becomes a beneficial asset to the business. Your auditors and your SAP security and Basis teams can rest easy knowing that this vital function is working day in and day out to give your organisation the security and flexibility it needs to address any SAP emergency access scenario.
Talk to Symmetry to learn more about ControlPanelGRC® EAM. We have the experience and expertise to make EAM and all your GRC needs much easier.