Do you need SAP GRC to manage a Super User in SAP?

Posted by Marta Ortona on Sep 2, 2022 8:15:00 AM

 

Sometimes it is necessary to intervene in the production system to correct an extremely urgent problem, that is, to perform an action that is not normally allowed there.

 

(Image: SAP GRC Firefighter EAM)

 

What should we do in these situations? Do we really need a specific tool, or can we carry out what is required safely and securely without one?

Why is it useful to define an emergency user (super user) in SAP?

Normally, the access granted to external consultants or to IT staff should not allow them to modify data in the production system.

 

However, in certain circumstances and for certain activities this becomes necessary. Defining one or more emergency users (SAP super users or emergency users), together with a procedure for their use, is the usual answer.

 

In addition, it is essential to track the activities carried out during the emergency session.

 

How to trace the activities carried out?

SAP offers several logs; some of these are:

  • Change documents (tables CDHDR and CDPOS), written only for business objects that support change documents
  • Table change logging (table DBTABLOG), which requires the profile parameter rec/client and the "Log data changes" flag in the table's technical settings
  • System Log (transaction SM21)
  • Security Audit Log (transactions SM19 and SM20N, or RSAU_CONFIG and RSAU_READ_LOG on newer releases)

 

Activating all these features (some of which are not active by default) is one way to reconstruct, after the fact, what a user did.

 

Standard SAP does not provide a single dashboard that shows all changes made by a user regardless of the object modified; each log has to be queried separately and the results correlated by user and time.

We will see later how SAP tried to fill this gap.

 

What process should be followed?

The release of an emergency user should follow a well-documented procedure.

This procedure should at least define:

  • Which and how many emergency users exist
  • Who can request an emergency user
  • The expiry time of the emergency user (in standard SAP the validity period of a user, set in SU01, has day granularity; no restriction on an hourly basis can be made without additional tooling)
  • Any approvals required after the request
  • Where the logs are stored and how they are verified
  • How the super user credentials are disclosed (it must be stressed that they should always be communicated through a secure channel; plain email is obviously not one)

 

SAP Governance Risk and Compliance Emergency Access Management

As anticipated, SAP provides a separately licensed tool specifically designed for managing emergency users. This tool, called Emergency Access Management (EAM), is part of the SAP GRC (Governance, Risk and Compliance) Access Control suite.

 

The tool, integrated into the ABAP stack, allows a ready-to-use emergency user to be assigned to a person (through an approval workflow or directly by an administrator).

 

To use it, the person only needs to run a transaction that lets them start an emergency session autonomously, stating in advance the reason for the use.

Attention! The emergency user in SAP must still be properly profiled: the usual SAP security logic of roles and authorizations applies to emergency users too.

 

After the person (the firefighter) has used the emergency user (the Firefighter ID), the tool automatically consolidates the logs (those that have been activated) and sends them to the person responsible for the Firefighter ID (the Owner or the Controller) for review and acknowledgment.

 

(Image: SAP ERP GRC Firefighter)

 

In this case the request process is well defined (including through an approval workflow), and the usage and activities carried out during the firefighting session are recorded and reported.

 

Attention: SAP GRC Emergency Access Management builds its reports from the same log sources listed above. A custom transaction that writes no change documents and touches no logged tables is therefore not traced by EAM either; if the Security Audit Log is configured to record transaction starts, it will at least show that the transaction was run, but not what it changed.
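The consolidation that EAM performs, and the caveat above, can be reproduced by hand from the four log sources listed earlier in this post. The following Python script is an added example (not code from the original post and not part of SAP GRC EAM). It assumes the change documents (CDHDR), table log (DBTABLOG), system log (SM21) and Security Audit Log (SM20N/RSAU_READ_LOG) have been exported as rows with the field names shown; the rows themselves, the Firefighter ID FF_SD_01 and the session window are constructed for illustration. It merges everything into one timeline for the Firefighter ID over the session window, then lists the transactions that the Security Audit Log shows as started but that left no change-document or table-log entry, which is exactly what a custom transaction without log entries looks like.

```python
"""Build one timeline for a firefighter session from separate SAP logs.

Added example, not from the original post or from SAP GRC EAM. Assumes the
four log sources have been exported as rows with the field names below;
all rows, the user FF_SD_01 and the session window are constructed data.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample session: the firefighter logged on with FF_SD_01 at
# 10:14 on 2022-09-02 and the session was closed at 10:30.
FIREFIGHTER_ID = "FF_SD_01"
SESSION_START = datetime(2022, 9, 2, 10, 14, 0)
SESSION_END = datetime(2022, 9, 2, 10, 30, 0)

# Change document headers (CDHDR): one row per changed business object.
# The JSMITH row belongs to another user and must not appear in the report.
CDHDR_ROWS = [
    {"USERNAME": "FF_SD_01", "UDATE": "20220902", "UTIME": "101512",
     "TCODE": "XD02", "OBJECTCLAS": "DEBI", "OBJECTID": "0000100001"},
    {"USERNAME": "JSMITH", "UDATE": "20220902", "UTIME": "101600",
     "TCODE": "XD02", "OBJECTCLAS": "DEBI", "OBJECTID": "0000100002"},
]
# Table change log (DBTABLOG): raw table updates, only present for tables
# with logging switched on (rec/client plus the "Log data changes" flag).
DBTABLOG_ROWS = [
    {"USERNAME": "FF_SD_01", "LOGDATE": "20220902", "LOGTIME": "101530",
     "TCODE": "SM30", "TABNAME": "T001", "OPTYPE": "U"},
]
# System log (SM21): technical events, not business changes.
SM21_ROWS = [
    {"USER": "FF_SD_01", "DATE": "20220902", "TIME": "102130",
     "MSG": "Transaction ZCUST_FIX canceled (runtime error)"},
]
# Security Audit Log (SM20N / RSAU_READ_LOG): AU1 = logon, AU3 = transaction
# start. The SU01 row is outside the session window and must be dropped.
SAL_ROWS = [
    {"USER": "FF_SD_01", "DATE": "20220902", "TIME": "101400",
     "EVENT": "AU1", "TEXT": "Logon successful (type=A)"},
    {"USER": "FF_SD_01", "DATE": "20220902", "TIME": "101500",
     "EVENT": "AU3", "TEXT": "Transaction XD02 started"},
    {"USER": "FF_SD_01", "DATE": "20220902", "TIME": "101525",
     "EVENT": "AU3", "TEXT": "Transaction SM30 started"},
    {"USER": "FF_SD_01", "DATE": "20220902", "TIME": "102000",
     "EVENT": "AU3", "TEXT": "Transaction ZCUST_FIX started"},
    {"USER": "FF_SD_01", "DATE": "20220903", "TIME": "090000",
     "EVENT": "AU3", "TEXT": "Transaction SU01 started"},
]

TCODE_STARTED = re.compile(r"Transaction (\S+) started")


@dataclass(order=True, frozen=True)
class Event:
    ts: datetime
    source: str
    user: str
    detail: str
    tcode: str = ""   # transaction the entry is attributed to, if known


def parse_ts(date: str, time: str) -> datetime:
    """SAP keeps the date (YYYYMMDD) and time (HHMMSS) in separate fields."""
    return datetime.strptime(date + time, "%Y%m%d%H%M%S")


def collect_events(user: str, start: datetime, end: datetime) -> list:
    """Merge the four sources into one timeline, keeping only the given
    user's entries that fall inside the session window."""
    events = []
    for r in CDHDR_ROWS:
        events.append(Event(parse_ts(r["UDATE"], r["UTIME"]), "CDHDR", r["USERNAME"],
                            f"changed {r['OBJECTCLAS']} {r['OBJECTID']}", r["TCODE"]))
    for r in DBTABLOG_ROWS:
        events.append(Event(parse_ts(r["LOGDATE"], r["LOGTIME"]), "DBTABLOG", r["USERNAME"],
                            f"table {r['TABNAME']} op {r['OPTYPE']}", r["TCODE"]))
    for r in SM21_ROWS:
        events.append(Event(parse_ts(r["DATE"], r["TIME"]), "SM21", r["USER"], r["MSG"]))
    for r in SAL_ROWS:
        m = TCODE_STARTED.search(r["TEXT"])
        events.append(Event(parse_ts(r["DATE"], r["TIME"]), "SAL", r["USER"],
                            f"{r['EVENT']}: {r['TEXT']}", m.group(1) if m else ""))
    return sorted(e for e in events if e.user == user and start <= e.ts <= end)


def untraced_transactions(events: list) -> list:
    """Transactions started in the session (AU3 events) that produced no change
    document and no table-log entry: the audit log proves they ran, nothing
    records what they did."""
    started = {e.tcode for e in events if e.source == "SAL" and e.tcode}
    traced = {e.tcode for e in events if e.source in ("CDHDR", "DBTABLOG")}
    return sorted(started - traced)


def session_timeline() -> list:
    return collect_events(FIREFIGHTER_ID, SESSION_START, SESSION_END)


if __name__ == "__main__":
    timeline = session_timeline()
    for e in timeline:
        print(f"{e.ts:%Y-%m-%d %H:%M:%S} {e.source:<9} {e.detail}")
    print("started but untraced:", untraced_transactions(timeline))
```

Running it prints seven entries for FF_SD_01 in time order and reports ZCUST_FIX as started but untraced, the situation the caveat above describes: the review sees that the custom transaction was run, but no change document or table log says what it did. Note also that session boundaries here come from the constructed logon time and a chosen end time; standard SAP gives the session a validity date at best, so without EAM the reviewer has to define the window from the logon and logoff events themselves.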

 

Do you need to profile your IT department, or do you need SAP security advice?

 

Blog post originally translated from: https://www.aglea.com/blog/per-gestire-una-super-user-in-sap-serve-sap-grc

 

Topics: SAP security, SAP security consulting, SAP super user, emergency users, SAP super users
