Abstract
This blog identifies the ways in which SAP BusinessObjects GRC Superuser Privilege Management (SPM) can grant regular users privileged access to perform emergency activities outside the parameters of their standard role, and gives examples of each. I will also briefly walk through a few scenarios where SPM benefits monitoring teams and lets a Superuser operate within a controlled and fully auditable environment. These benefits include a Superuser activity audit trail, better quality of reporting, and the opportunity to review a company's emergency situations and improve the efficiency of its financial and operating departments. Some frequently asked questions are answered at the end.
Introduction
SAP Superuser Privilege Management (SPM) is the emergency access management solution that ships with the SAP BusinessObjects GRC Access Controls suite. SPM is also known as SAP Firefighter. SPM is one of the strongest tools in the SAP GRC arsenal: it records an audit trail of every activity performed by a Superuser or contract user, and it provides need-based access. It must be verified that no unintended authorizations are given to any external or internal user; at the same time, in emergency situations the provisioning of Superuser access has to be standardised and expedited so that service levels are maintained without giving up oversight of the activity.
To my knowledge SPM is the only mature R/3 Superuser emergency protocol that brings classic reason- and activity-based access administration and reporting. It also integrates well with the Risk Analysis & Remediation module for critical transaction-level risks, which can also be maintained within the tool itself. The application not only makes emergency access provisioning easy but also saves an enormous amount of time, and it fits into the access management framework as a key ingredient of the recipe.
The Business Need
Diverse business processes demand special, exceptional access rights for selected users for a limited period of time. Tasks that fall outside a user's regular job need to be closely supervised. Even when the need is genuine, these activities are still potential risks and need to be mitigated. Various compliance regulations also require that an audit log of Superuser activities be kept, even if the access lasts only a short time.
Organizations face never-ending threats from volatile markets, pressure from investors, and business impacts such as financial loss, physical damage, falling demand and fraud. Governing bodies have therefore introduced many mandatory compliance regulations to ensure the safety and accuracy of business processes. Growing application functionality, changing technology, the introduction of internal IT systems, and increasing national and international regulation such as SOX (the Sarbanes-Oxley Act in the USA) necessarily produce new requirements for secure processes.
Some important questions to be asked are –
| Policy level | Action level |
|---|---|
| How does your organization presently deal with emergency access requests? | What is the roadmap when a serious bug in the production system needs to be patched urgently? |
| How do you handle such emergency requirements without infringing data protection laws and regulations? | What needs to be done when additional resources are required during month-end close? |
The key challenge for businesses is to find ways to give users privileged emergency access to enterprise systems without violating regulatory mandates. Superuser Privilege Management bridges this security gap by establishing a closely supervised emergency access protocol that operates within the scope of regulatory compliance. SPM is one of the best compliance-focused emergency access solutions on the market for managing superuser activities effectively and efficiently, and it addresses the most common open audit issues today.
The solution provides a well-controlled way of granting access for emergency or highly sensitive activities, whether they are performed on an ad hoc basis by a support user or a super business user, or are scheduled activities that must be restricted at all other times in the production environment. All activities undertaken by users granted access via Firefighter IDs or roles are fully tracked and logged, giving management and auditors a complete audit trail.
SPM enables end users to perform emergency activities outside the parameters of their standard role, but within a controlled and fully auditable environment. The application assigns a temporary Firefighter ID that grants the superuser broad yet regulated access, and it logs every activity the superuser performs under that temporary ID.
SPM provides flexibility, control and transparency to help your organization limit, document and audit the non-standard access required in emergency situations. It reduces the risk of account misuse and, crucially, lets your support personnel focus on the actual problem.
The following are the Key Points:
- Emergency access management
- Audit log trails
- Multiple Firefighter ID assignees
- Web and ABAP based reporting
- Complete control over Superuser activities
- Automated e-mail alert of access logs
- Enhanced management Oversight
SPM provides a solution for the systematic handling of emergency situations, whereas the other tools in the Access Controls suite deliver a comprehensive set of access management capabilities that identify and prevent access and authorization risks across enterprise systems, in order to prevent fraud and reduce the cost of continuous compliance and control.
SPM Approach
SPM automates all activities related to firefighting, including the creation and assignment of Firefighter IDs, Firefighter ID Owners and Controllers, and the logging of all transactions executed during firefighting. SPM temporarily switches a user to a Firefighter ID when the user is assigned to solve a problem, giving them provisionally broad but regulated access. There is complete visibility and transparency of everything done during that period. SPM thus handles emergency situations systematically while managing the risk of the special access needed to resolve them. The transaction logging during the session makes it possible to review afterwards exactly what was done during the emergency.
Firefighter IDs are issued to Firefighters so that they can log on to the relevant SAP system and perform emergency tasks. Each and every activity of a Firefighter is logged and can be traced later. There is no need to share Firefighter ID credentials among Firefighters: the privileged access is granted automatically, so each Firefighter logs on with their own account and starts the emergency session by executing transaction /n/virsa/vfat.
Following snapshot shows the SPM logon screen.
SPM Challenges and important tasks
From my personal experience and general observations, the SPM challenges and important tasks are:
- Identifying the business processes and creating dedicated Firefighter IDs for them
- Identifying Firefighter Owners, Controllers and Administrators for each function and business process
- Identifying and standardizing Reason Codes
- Maintaining critical transactions in the SPM table in the SPM cockpit when SPM is not integrated with the Risk Analysis & Remediation module for critical transactions
- Gathering from FF Owners and Controllers whether they want alerts by e-mail, by workflow or only in the logs
- Scheduling the background jobs
- Keeping naming conventions for Firefighter IDs and Reason Codes consistent; input from the customer's functional team is required
- SPM functional training for the customer's trainer
- An archival policy for the Firefighter logs
- An SPM usage policy that identifies which tasks SPM should support
- Last but not least, performance optimization
How SPM gathers Logging Information
Firefighter gathers logging information from the following sources:
• Statistical records / user activities (STAT): the SAP system logs user activities, categorized by transaction and user, in statistical records.
• Change documents (CDHDR): the SAP system captures data changes as change documents, i.e. entries in the CDHDR table.
• All transactions that are successfully started are reported, whether or not any updates were made.
• Programs executed: if transaction SA38 or SE38 is executed and a program is run, the program name is reported.
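To make the consolidation concrete, here is an added example (not SAP code) that builds a Firefighter session log from the sources listed above. The STAT-like and CDHDR-like records, the Firefighter ID `FF_FI_01`, the user `JSMITH`, the reason code and the critical-transaction list are all constructed stand-ins with simplified layouts; a real SPM installation reads these from the backend tables and from its own critical-transaction configuration.

```python
"""Consolidate a Firefighter session log from STAT-like and CDHDR-like records.

Added example, not SAP's own code. All record layouts and sample data are
constructed and simplified; real STAT and CDHDR records carry many more fields.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed critical-transaction list, standing in for the SPM critical
# transaction table (or the RAR critical transaction rules).
CRITICAL_TCODES = {"SU01", "PFCG", "SM30", "SE38", "SA38"}


@dataclass
class Session:
    ff_id: str          # Firefighter ID the session runs under
    firefighter: str    # the person's own user ID who checked out the FF ID
    reason_code: str    # reason code entered at /n/virsa/vfat
    start: datetime
    end: datetime


# Constructed STAT-like records: (user, tcode, report, timestamp)
STAT = [
    ("FF_FI_01", "FB01", "", datetime(2024, 3, 31, 18, 2)),
    ("FF_FI_01", "SE38", "ZFI_FIX_OPEN_ITEMS", datetime(2024, 3, 31, 18, 10)),
    ("FF_FI_01", "SU01", "", datetime(2024, 3, 31, 18, 20)),
    ("FF_FI_01", "FB03", "", datetime(2024, 3, 31, 19, 30)),   # after session end
    ("JSMITH", "SE38", "ZOTHER", datetime(2024, 3, 31, 18, 11)),  # own user, not FF ID
]

# Constructed CDHDR-like records: (objectclas, objectid, tcode, username, timestamp)
CDHDR = [
    ("BELEG", "1000000123", "FB01", "FF_FI_01", datetime(2024, 3, 31, 18, 3)),
    ("USER", "JSMITH", "SU01", "FF_FI_01", datetime(2024, 3, 31, 18, 21)),
    ("BELEG", "1000000124", "FB01", "FF_FI_01", datetime(2024, 3, 31, 20, 0)),  # outside
]


def in_session(session, user, ts):
    """A record belongs to the session if it ran as the FF ID inside the window."""
    return user == session.ff_id and session.start <= ts <= session.end


def session_log(session, stat=STAT, cdhdr=CDHDR, critical=CRITICAL_TCODES):
    """Return the transaction usage and change documents attributable to one session."""
    usage = []
    for user, tcode, report, ts in stat:
        if not in_session(session, user, ts):
            continue
        entry = {"tcode": tcode, "time": ts, "critical": tcode in critical}
        # Programs run via SA38/SE38 are reported by program name
        if tcode in ("SA38", "SE38") and report:
            entry["program"] = report
        usage.append(entry)
    changes = [
        {"object": f"{objclass}:{objid}", "tcode": tcode, "time": ts}
        for objclass, objid, tcode, user, ts in cdhdr
        if in_session(session, user, ts)
    ]
    return {
        "ff_id": session.ff_id,
        "firefighter": session.firefighter,
        "reason_code": session.reason_code,
        "usage": usage,
        "changes": changes,
    }


def critical_usage(log):
    """The 'critical transactions only' view of the Transaction Usage report."""
    return [e["tcode"] for e in log["usage"] if e["critical"]]


def build_demo_session():
    """Constructed one-hour session for the sample data above."""
    return Session("FF_FI_01", "JSMITH", "INC-1234",
                   datetime(2024, 3, 31, 18, 0), datetime(2024, 3, 31, 19, 0))


if __name__ == "__main__":
    log = session_log(build_demo_session())
    for e in log["usage"]:
        print(e["time"], e["tcode"], "CRITICAL" if e["critical"] else "", e.get("program", ""))
    for c in log["changes"]:
        print(c["time"], c["tcode"], c["object"])
```

Two points the code makes that the list above does not: records outside the session window or under the person's own user ID are not part of the Firefighter log (the FB03 and the JSMITH SE38 entries are dropped), and a change document created by a transaction run inside the session is tied to that session by username and time, which is exactly why a large unarchived CDHDR table slows the log retrieval down.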
SPM Reports
SPM gives managers effective and comprehensive oversight through roles and audit trails for role provisioning, user provisioning and emergency access, together with user access re-affirmation and access-risk reviews.
Management can easily monitor and keep track of user activities using the SPM web reports. Backend reports are also generated, which gives Monitors, Controllers, Auditors and security personnel additional flexibility. Three types of report are available in the SPM front end.
- User Reports
- Role Reports
- Change Log
SPM User Reports
• Log Summary Report
This report provides Firefighter usage lists by Firefighter ID, Firefighter ID Owner, or Firefighter.
• Reason / Activity Report
This reports the reasons and expected activity as entered by the Firefighter user when initiating a Firefighting session. Reports can be generated by Reason Code, Firefighter ID, Firefighter ID Owner, or Session Date.
• Transaction Usage Report
This reports transactions which were executed during the Firefighting session. The option to report only critical transaction usage is provided.
• Log Report
This reports the usage details of the Firefighter session.
• Invalid Firefighter IDs, Controllers or Owners Report
This reports IDs defined in Firefighter which are no longer valid because they are expired, deleted, or locked.
• SOD violations Report
This reports whether a Firefighter has violated a Segregation of Duty rule as defined in Compliance Calibrator.
• Configuration change log Report
This report lists changes made to configuration
SPM Role Reports
• Log Report
This reports the usage details of the Firefighter session.
• Configuration change log Report
This report lists changes made to the configuration.
• Connector configuration change log Report
This reports the changes made to the connectors.
Apart from the front end (portal), SPM also generates the corresponding reports in the backend (ABAP) system.
Functional Scenarios
Firefighting is used in emergency situations when a normal support user or a business user needs extended privileges to carry out tasks urgently. There is no single regulated requirement for when to use it, and different organizations use SPM in different scenarios.
Ideally SPM should be used whenever a support, developer or contract user needs extended access and management wants oversight of the activities in order to establish mitigating controls. The following are some functional scenarios in which SPM can be used to speed up emergency activities.
- Additional resources with additional roles
Month-end close is approaching and additional resources are needed to speed up certain activities, but those resources do not have sufficient authorizations. SPM can automate this assignment, and an individual activity log is generated for each user for later review.
- Developer access to the production system
Developer access to production is one of the most critical scenarios, but at times it becomes necessary to let a developer fix certain bugs urgently. This is an ideal emergency scenario for assigning a Firefighter ID so that every activity a developer or a group of developers performs is tracked. Developer access to production is never recommended, but when you cannot wait for a bug fix to travel the lengthy normal route (dev, QA, production), SPM works as a strong mitigating control.
- Contract user access
To keep track of contract users' activities for a certain period, assign Firefighter IDs to the contract users for access to the relevant system. All their activities are then recorded for extended review, and management oversight is achieved.
SPM FAQs
Q1- What does firefighting mean?
A1- Firefighting is the process of allowing business users to perform emergency activities outside their standard roles, with superuser privileges, in a controlled and auditable environment that meets both operational and control requirements.
Q2- Is there a limit on firefighter activity usage?
A2- Technically it depends on the available hardware (database size, storage, etc.), but the application itself sets no limit. Note, however, that a Firefighter ID or role should not be used to create huge amounts of data or to perform lengthy tasks. SPM records every activity the user performs in order to maintain the audit trail, so the database can grow unnecessarily. A database archiving policy with regular backups of the firefighter usage logs should also be in place. If SPM is used for routine activities, server performance suffers, so it is recommended for emergency activities only.
Q3- Does SPM replace the mitigating controls created with the Risk Analysis & Remediation module?
A3- No, SPM is not a replacement for RAR mitigating controls, but it is itself a type of mitigating control with a limited validity period, so it suits emergency situations with a limited timeline.
Q4- What is the procedure for assigning Firefighter IDs to developers? Do most developers have their own Firefighter ID, or do they share a common one?
A4- Single or multiple Firefighter IDs can be assigned. If you have assigned a single Firefighter ID to multiple users, only one of them can be logged on with it at a time. So if users need the access concurrently, assign separate Firefighter IDs; the activity log is then generated separately for each user. In normal conditions, developer access to production is still not recommended.
Q5- Do Firefighter IDs involve extra license cost? Is there a limit on the number of Firefighter IDs?
A5- No, there is no extra license cost; however, you should limit the number of Firefighter IDs per business process, because having too many or too few Firefighter IDs requires additional administration effort. For product licensing questions, contact SAP sales.
Q6- How do we send the Firefighter ID password to the firefighter users, and is it acceptable for the Firefighter ID password to be shared among users?
A6- The Firefighter ID credentials, including the password, do not need to be known to the user. A user who is assigned a Firefighter ID enters only his or her own user name and password to log on to the system; no other credentials are required. So Firefighter ID credentials are never shared among users.
Q7- Does SPM usage affect system performance?
A7- In a properly configured environment SPM should not affect system performance. However, if you use SPM to execute too many activities, the change log table may become very large and affect overall system performance. SPM retrieves change logs from table CDHDR, and in productive systems this table can become very large (several million records). To maintain acceptable performance it is strongly recommended to archive this table and to follow the instructions in SAP Notes 1039144 and 1049512.
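The rules in A4 and A6 (one firefighter per Firefighter ID at a time, the firefighter never holds the FF ID password, and a reason code is mandatory) plus the "Invalid Firefighter IDs, Controllers or Owners" check described under the reports are easy to get wrong in a home-grown process. Here is an added example (not SPM's own code) that encodes them; the `FirefighterID`, `Assignment` and `SPM` structures, the IDs `FF_FI_01` and `FF_MM_01`, the users and the dates are all assumed for illustration.

```python
"""Assignment, validity and single-session rules for Firefighter IDs.

Added example, not SAP's code: the data structures are assumed and simplified.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class FirefighterID:
    name: str
    owner: str
    controller: str
    valid_to: date
    locked: bool = False


@dataclass
class Assignment:
    ff_id: str
    firefighter: str      # the person's own user ID
    valid_from: date
    valid_to: date


@dataclass
class SPM:
    ids: dict               # name -> FirefighterID
    assignments: list       # Assignment records
    user_status: dict       # user -> "active" | "locked" | "deleted" (assumed)
    today: date
    active: dict = field(default_factory=dict)   # ff_id -> firefighter logged on
    log: list = field(default_factory=list)      # (ff_id, firefighter, reason, event)

    def invalid_ids(self):
        """Firefighter IDs that are expired or locked, or whose Owner or
        Controller user is no longer active (the 'Invalid ... Report')."""
        bad = []
        for name, ff in self.ids.items():
            if ff.locked or ff.valid_to < self.today:
                bad.append(name)
            elif self.user_status.get(ff.owner) != "active" \
                    or self.user_status.get(ff.controller) != "active":
                bad.append(name)
        return sorted(bad)

    def can_use(self, firefighter, ff_id):
        """Valid assignment today, FF ID itself valid, user active."""
        if ff_id in self.invalid_ids() or self.user_status.get(firefighter) != "active":
            return False
        return any(a.ff_id == ff_id and a.firefighter == firefighter
                   and a.valid_from <= self.today <= a.valid_to
                   for a in self.assignments)

    def logon(self, firefighter, ff_id, reason_code):
        """Start a session. No FF ID password is involved: the firefighter
        authenticated with their own account before reaching this point."""
        if not reason_code.strip():
            return "reason code required"
        if not self.can_use(firefighter, ff_id):
            return "no valid assignment"
        if ff_id in self.active:
            return f"in use by {self.active[ff_id]}"
        self.active[ff_id] = firefighter
        self.log.append((ff_id, firefighter, reason_code, "logon"))
        return "ok"

    def logoff(self, firefighter, ff_id):
        if self.active.get(ff_id) != firefighter:
            return False
        del self.active[ff_id]
        self.log.append((ff_id, firefighter, "", "logoff"))
        return True


def build_demo():
    """Constructed sample configuration for 2024-03-31."""
    today = date(2024, 3, 31)
    ids = {
        "FF_FI_01": FirefighterID("FF_FI_01", "FIOWNER", "FICTRL", date(2024, 12, 31)),
        "FF_MM_01": FirefighterID("FF_MM_01", "MMOWNER", "MMCTRL", date(2024, 1, 31)),
    }
    assignments = [
        Assignment("FF_FI_01", "JSMITH", date(2024, 3, 1), date(2024, 4, 30)),
        Assignment("FF_FI_01", "AKUMAR", date(2024, 3, 1), date(2024, 4, 30)),
        Assignment("FF_MM_01", "JSMITH", date(2024, 1, 1), date(2024, 12, 31)),
    ]
    status = {"JSMITH": "active", "AKUMAR": "active", "FIOWNER": "active",
              "FICTRL": "active", "MMOWNER": "active", "MMCTRL": "active"}
    return SPM(ids, assignments, status, today)


if __name__ == "__main__":
    spm = build_demo()
    print(spm.invalid_ids())
    print(spm.logon("JSMITH", "FF_FI_01", "INC-1234"))
    print(spm.logon("AKUMAR", "FF_FI_01", "INC-1235"))
```

The second logon in the demo is refused because the shared FF ID is already checked out, which is the situation A4 tells you to solve with a second Firefighter ID rather than by sharing credentials.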
Note: This is Amol Bharti’s personal technical blog and has not been sponsored or assessed by SAP in any manner. The information provided here may get outdated, So make sure you check with SAP sales for product insights and updates.
Hi Amol, First of all I would like to say wonderful blog! I had a quick question that I’d like to ask if you do not mind. I was curious to know how you center yourself and clear your thoughts prior to writing. I’ve had a tough time clearing my thoughts in getting my ideas out. I do take pleasure in writing but it just seems like the first 10 to 15 minutes tend to be wasted just trying to figure out how to begin. Any ideas or hints? Thanks!
Amazing site!! Will take some time to absorb your blog!!