Is it really possible that external consultants do not have any access to SAP production systems?
Clearly there are various scenarios: occasional engagements, or ongoing ones such as maintenance contracts.
Is it really necessary to grant access to the production systems even in this last case? Can we control what happens, and why the access is requested?
A first distinguishing factor is obviously to avoid giving external consultants SAP_ALL, and to assign instead specific authorizations limited to the type of work to be performed.
Remember that it is not always straightforward to carve out a role "for consultants": because SAP is a strongly integrated system, it is difficult to establish the boundaries of the work.
The advantages and disadvantages of each approach also need to be weighed.
Once the correct authorizations have been defined (which in these cases is often not a fixed transaction list but a very wide range of transactions), it is important to establish an access duration.
It is very important to define non-disclosure agreements (NDAs) with commercial partners, and therefore also with the consulting companies that have access to our IT systems, SAP in particular. Do not forget to apply data security policies to suppliers as well: for example, by requiring that company data be encrypted, and verifying through audit that this actually happens.
The moment of release and the post go-live support of a project is always a very critical phase.
If the question of managing authorizations is not addressed in time, it will be difficult to deal with it at the last moment.
The result will be the assignment of SAP_ALL, which has no automatic expiration, unlike roles, for which a validity period can be established in advance, after which the assignment automatically ceases to apply.
It is of fundamental importance to track what happens in the production environment while the access is in use.
The Emergency Access Management module of the GRC Access Control solution can be one answer. Remember that mass uploads must be made with a dedicated user and not with an emergency ("firefighter") user, so as not to flood the logs.
There are several possibilities, the most common being to activate the Security Audit Log (read here for further details).
It can happen that consultants ask for DEBUG in production. This is one of the most critical activities, since debugging with change authorization (authorization object S_DEVELOP, object type DEBUG, activity 02) allows any control, whether set by SAP or by security, to be bypassed; display-only debugging (activity 03) is a much smaller risk and is often all that is really needed.
Every action of this type should be classified and catalogued, and the reason for its use identified, so that alternatives that avoid this mode can be put in place.
If you are asked to release DEBUG more than five times a year, it may be time to investigate the reasons behind its use.
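The three controls above (no SAP_ALL for externals, a validity end date on every consultant role, and a cap on DEBUG releases per year) can be checked mechanically against an export of the authorization data. The script below is an added example written for this article, not code from Aglea or from SAP. It assumes the profile and role assignments have been exported as rows shaped like tables UST04 (user, profile) and AGR_USERS (role, user, FROM_DAT, TO_DAT, dates as YYYYMMDD, 99991231 meaning unlimited); the list of external user IDs, the 90-day maximum validity, and the DEBUG release records are assumptions, and all sample data is constructed.

```python
"""Audit external consultant access on a SAP system from exported authorization data.

Added example; row layouts mirror UST04 / AGR_USERS exports but all data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

NO_EXPIRY = "99991231"         # SAP convention for an unlimited TO_DAT
MAX_VALIDITY_DAYS = 90         # assumption: longest consultant validity accepted without review
DEBUG_GRANTS_PER_YEAR = 5      # threshold from the article


@dataclass
class ProfileAssignment:       # row shaped like UST04: user name, profile
    bname: str
    profile: str


@dataclass
class RoleAssignment:          # row shaped like AGR_USERS: role, user, FROM_DAT, TO_DAT
    agr_name: str
    uname: str
    from_dat: str
    to_dat: str


def _to_date(yyyymmdd: str) -> date:
    return date(int(yyyymmdd[:4]), int(yyyymmdd[4:6]), int(yyyymmdd[6:8]))


def audit_consultants(profiles, roles, debug_grants, externals, today):
    """Return sorted (user, finding) tuples for the external accounts only.

    debug_grants: iterable of (user, YYYYMMDD) records, one per DEBUG release
    (assumed to come from the ticketing system or the Security Audit Log review).
    """
    externals = set(externals)
    findings = []

    # 1. SAP_ALL on an external account: no validity period, so never acceptable.
    for p in profiles:
        if p.bname in externals and p.profile == "SAP_ALL":
            findings.append((p.bname, "profile SAP_ALL assigned (no automatic expiry)"))

    # 2. Roles must carry an end date, and not one too far in the future.
    for r in roles:
        if r.uname not in externals:
            continue
        if r.to_dat == NO_EXPIRY:
            findings.append((r.uname, f"role {r.agr_name} has no end date"))
        elif _to_date(r.to_dat) - today > timedelta(days=MAX_VALIDITY_DAYS):
            findings.append((r.uname, f"role {r.agr_name} valid beyond {MAX_VALIDITY_DAYS} days"))

    # 3. Count DEBUG releases per user and calendar year against the threshold.
    per_year = Counter((u, d[:4]) for u, d in debug_grants if u in externals)
    for (u, year), n in sorted(per_year.items()):
        if n > DEBUG_GRANTS_PER_YEAR:
            findings.append((u, f"{n} DEBUG grants in {year} (threshold {DEBUG_GRANTS_PER_YEAR})"))

    return sorted(findings)


# Constructed sample data: CONS01 and CONS02 are consultants, EMP01 is an employee.
EXTERNALS = {"CONS01", "CONS02"}
PROFILES = [
    ProfileAssignment("CONS01", "SAP_ALL"),
    ProfileAssignment("EMP01", "SAP_ALL"),       # internal account, out of scope here
    ProfileAssignment("CONS02", "Z_SUPPORT"),
]
ROLES = [
    RoleAssignment("Z_FI_SUPPORT", "CONS02", "20240101", "20240331"),  # bounded, fine
    RoleAssignment("Z_MM_SUPPORT", "CONS02", "20240101", NO_EXPIRY),   # missing end date
    RoleAssignment("Z_FI_SUPPORT", "EMP01", "20240101", NO_EXPIRY),    # internal, not checked
]
DEBUG_GRANTS = [("CONS01", f"2024{m:02d}15") for m in range(1, 7)] + [("CONS02", "20240301")]
TODAY = date(2024, 1, 15)

if __name__ == "__main__":
    for user, finding in audit_consultants(PROFILES, ROLES, DEBUG_GRANTS, EXTERNALS, TODAY):
        print(f"{user}: {finding}")
```

Run against a real export, the script replaces a manual SUIM review with a repeatable check; anything it reports for a consultant account is either a control that was skipped under go-live pressure or a DEBUG pattern that, per the rule above, deserves an investigation of its own.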
Blog post originally translated from: https://www.aglea.com/blog/consulenti-con-accesso-in-produzione-5-azioni-da-ricordare