Is it really possible that external consultants do not have any access to SAP production systems? 

Clearly there are various case studies, occasional or ongoing consultants, for example for maintenance contracts.

Is it really necessary to release an access to the production systems even in this last case? Can we control what happens and why it is requested?

1.What kind of access and for how long?

A first discriminating factor could obviously be to avoid releasing external consultants with SAP_ALL but assigning specific authorizations limited to the type of work to be performed. 

Remember, it is not always immediate to carve out a role “as a consultant” because due to the nature of SAP, a strongly integrated system, it is difficult to establish the boundaries of work.

Also, the advantages and disadvantages are correct.

• Do I have to restrict authorizations? Probability of greater authorization errors to be managed. Do I have a team that is sufficiently ready and prepared to respond?
• Do I leave it too much open? Risk of damage, even involuntary, or the principle to the minimum privilege not applied.

Once the correct qualifications have been defined, which often in these cases may not be a defined transaction list but a very wide range of transactions, it is important to establish an access duration.

2.The importance of non-disclosure or confidentiality agreements

Very important is defining non-disclosure agreements or NDS ( Non-Disclosure Agreement) with its commercial partners, therefore also with consulting companies that have access to out IT systems.

In particular SAP. Without forgetting the application of data security policies for suppliers. For example, by requesting the encryption of company data (verifying through audit that this occurs).

3.Be careful, especially during projects.

The moment of release and post go-live support of the project is always a very critical moment.

If the issue of managing authorizations is not outlined in time, it will be difficult at the last moment to face this situation.

The result will be the assignment of SAP_ALL qualifications (which do not have an automatic expiration, unlike the roles where it is possible to establish a validity period a priori, after which they are automatically removed).

4.How to track these activities and these types of accesses?

Of fundamental importance is tracking what happens in the production environment during use.

The GRC Access Control solution in the Emergency Access Management module can be a solution. Remember that massive uploads must be made with a dedicated user and not an emergency user (this is to avoid overloading the logs too much).

There are several possibilities, the most common being that of activating the Security Audit Log (read here for further details)

5. The use of DEBUG

It can happen that consultants require the use of this particular feature. The DEBUG in production is one of the most critical activities as it allows to bypass any control (set by SAP or security).

Every action of this type should be classified, catalogued and the motivation for use identified. To put in place alternatives that avoid using this mode.

If you are asked to release DEBUG more than five times a year, it may be time to investigate the reasons for its use.

Blog post originally translated from: https://www.aglea.com/blog/consulenti-con-accesso-in-produzione-5-azioni-da-ricordare