Sometimes it is necessary to intervene in the production system to correct an extremely urgent problem, that is, to perform an action that is not normally allowed.
What should we do in these situations? Do we really need specific tools, or can we carry out what is required in a safe and secure way without them?
Normally, the access granted to external consultants or to the IT department should not allow data in the production system to be modified.
In certain circumstances and for certain activities, however, this has to happen. Defining one or more emergency users (SAP Super Users or SAP Emergency Users), together with a procedure for their use, can be the answer.
In addition, it is essential to track the activities carried out during the emergency session.
SAP offers several logs; some of these are:
Activating all of these features, some of which are not active by default, is a way to reconstruct ex post what a user did.
SAP does not have a single dashboard that gives an overview of all the changes made by a user regardless of the object that was modified.
We will see later how SAP tried to fill this gap.
The release of an emergency user should follow a well-documented procedure.
This procedure should at least contain:
As mentioned above, SAP provides a paid tool specifically designed for managing emergency users. This tool, called Emergency Access Management (EAM), is part of the GRC (Governance, Risk and Compliance) Access Control suite.
This tool, integrated in the ABAP stack, allows a ready-to-use emergency user to be assigned to a user, either through an approval workflow or through the intervention of an administrator.
To use it, the user only needs to run a transaction that lets them activate an emergency session on their own, stating the reason for its use in advance.
Attention! The emergency user in SAP must be properly profiled: the SAP security rules are valid for emergency users too.
After the user (called the Firefighter) has used the emergency user or super user (called the Firefighter ID), the tool automatically consolidates the logs (if they are activated) and sends them to the super user's manager (the Owner) for acknowledgment.
In this case the request process is well defined (including through an approval workflow), and the usage and the activities carried out during the firefighting session are recorded.
Attention: any custom transaction that writes no log entries is not traced by SAP GRC Emergency Access Management either.
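What the consolidation step above amounts to in practice, and what its two blind spots look like, is easier to see in code. The following is an added example written for this post; it is not code from the original article and not the logic of SAP GRC EAM. It correlates three constructed log sources (transaction starts from the audit log, change documents, table logging) for one approved firefighter session, produces the trail the Owner would acknowledge, flags transactions that left no change-document or table-log entry behind them (a custom Z/Y transaction with no logging is exactly the case that cannot be reconstructed), and flags any use of the Firefighter ID outside an approved session. The record layouts, user names, transaction codes and helper names (`Session`, `Event`, `consolidate`, `untraced_transactions`, `out_of_session_use`, `build_report`) are assumptions made for illustration; real SAP logs would have to be exported and parsed into such records first.

```python
"""Consolidate SAP-style log sources for one emergency (firefighter) session.

Added example, not code from the original post and not SAP GRC EAM's logic.
Record layouts, names and transaction codes are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    firefighter: str   # person who activated the emergency session
    ff_id: str         # the emergency user actually logged on to the system
    start: datetime
    end: datetime
    reason: str        # justification stated when the session was opened


@dataclass(frozen=True)
class Event:
    source: str        # "audit" (transaction start), "changedoc" or "tablelog"
    time: datetime
    user: str
    detail: str
    tcode: str = ""    # transaction code, present on audit-log records only


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data (not a real export): one approved one-hour session.
SESSION = Session("jsmith", "FF_FI_01", _ts("2024-03-05 09:00"),
                  _ts("2024-03-05 10:00"), "Reopen posting period for month-end close")
AUDIT_LOG = [  # transaction starts, as a security audit log would record them
    Event("audit", _ts("2024-03-05 09:05"), "FF_FI_01", "Transaction start", "SE16"),
    Event("audit", _ts("2024-03-05 09:10"), "bjones", "Transaction start", "SE16"),
    Event("audit", _ts("2024-03-05 09:20"), "FF_FI_01", "Transaction start", "ZFI_FIX"),
    Event("audit", _ts("2024-03-05 09:40"), "FF_FI_01", "Transaction start", "FB02"),
    Event("audit", _ts("2024-03-05 11:30"), "FF_FI_01", "Transaction start", "SE16"),
]
CHANGE_DOCS = [Event("changedoc", _ts("2024-03-05 09:45"), "FF_FI_01",
                     "BKPF 0100000123: BKTXT 'Q1 accrual' -> 'Q1 accrual (corrected)'")]
TABLE_LOG = [Event("tablelog", _ts("2024-03-05 09:07"), "FF_FI_01",
                   "T001B: period 02/2024 reopened")]


def in_session(event: Event, session: Session) -> bool:
    return event.user == session.ff_id and session.start <= event.time <= session.end


def consolidate(session: Session, *sources: list[Event]) -> list[Event]:
    """Merge every log source into one time-ordered trail for the session."""
    return sorted((e for src in sources for e in src if in_session(e, session)),
                  key=lambda e: e.time)


def untraced_transactions(trail: list[Event]) -> list[str]:
    """Transactions that left no change-document or table-log entry before the
    next transaction started: what they did cannot be reconstructed from logs."""
    starts = [e for e in trail if e.source == "audit"]
    untraced = []
    for i, start in enumerate(starts):
        next_start = starts[i + 1].time if i + 1 < len(starts) else datetime.max
        if not any(e.source != "audit" and start.time <= e.time < next_start for e in trail):
            untraced.append(start.tcode)
    return untraced


def out_of_session_use(sessions: list[Session], ff_id: str, *sources: list[Event]) -> list[Event]:
    """Activity of the firefighter ID outside any approved session: a red flag."""
    return sorted((e for src in sources for e in src
                   if e.user == ff_id and not any(in_session(e, s) for s in sessions)),
                  key=lambda e: e.time)


def build_report(session: Session, *sources: list[Event]) -> dict:
    """The trail the Owner acknowledges, plus the two warnings a reviewer needs."""
    trail = consolidate(session, *sources)
    untraced = untraced_transactions(trail)
    return {
        "firefighter": session.firefighter,
        "ff_id": session.ff_id,
        "reason": session.reason,
        "events": [(e.time.strftime("%H:%M"), e.source, e.tcode or e.detail) for e in trail],
        "untraced": untraced,
        # customer-namespace transactions conventionally start with Z or Y
        "custom_untraced": [t for t in untraced if t[:1].upper() in ("Z", "Y")],
        "out_of_session": [(e.time.strftime("%Y-%m-%d %H:%M"), e.tcode)
                           for e in out_of_session_use([session], session.ff_id, *sources)],
    }


if __name__ == "__main__":
    for key, value in build_report(SESSION, AUDIT_LOG, CHANGE_DOCS, TABLE_LOG).items():
        print(f"{key}: {value}")
```

In the constructed data the custom transaction ZFI_FIX is started at 09:20 and nothing is written to change documents or table logging before FB02 starts at 09:40, so the report lists it under both `untraced` and `custom_untraced`: the Owner knows it was run, but not what it did. The SE16 start at 11:30, after the approved window, surfaces under `out_of_session`, which is the check a procedure should run regardless of whether a GRC tool is in place.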
Do you need to profile your IT department, or do you need SAP Security advice?
Blog post originally translated from: https://www.aglea.com/blog/per-gestire-una-super-user-in-sap-serve-sap-grc