Channel: SCN : Document List - Governance, Risk and Compliance (SAP GRC)

SAP GRC Super User Privilege Management (SPM) Design Document


Introduction

In emergencies or extraordinary situations, Superuser Privilege Management, a capability of SAP GRC Access Control, enables users to perform activities outside their roles under Superuser-like privileges in a controlled, auditable environment.

A temporary ID is assigned that grants the user privileged, yet regulated, access. This transfer of privileges from one person or role to another is called firefighting. Such a firefighting event might occur, for example, if an employee is injured and another employee has to perform the injured employee’s duties.

Superuser Privilege Management is an ABAP and Web-based capability that tracks, monitors, and logs the activities that are performed by a Superuser with a privileged user ID. Superuser Privilege Management also automates firefighting tasks such as defining firefighter IDs and assigning owners and controllers.

This capability is a back-end systems activity with limited interfacing to Compliant User Provisioning where related reports may be generated.

Superuser Privilege Management helps to eliminate or reduce standing superuser accounts in the landscape.

 

  • Superuser Privilege Management (SPM) can be used to monitor sensitive access.
  • It provides compliant controls for granting and monitoring emergency access.
  • It closes the #1 open audit issue.
  • It avoids business obstructions through faster emergency response.
  • It reduces audit time.
  • It reduces the time needed to perform critical tasks.



SPM Design

 

First, create the FFIDs in the SAP system; these FFIDs are service users created in SU01. Nobody can log in to the system directly with these FFIDs; this is prevented by the GRC tool itself.

Next, assign the required authorizations to the FFIDs, i.e. assign a role/profile to each FFID. Different FFIDs are designed so that a particular emergency access is mapped in advance to a particular FFID, which end users then request in real time. These FFIDs are assigned to users in the SPM application for a particular validity period, as and when required. An FFID is much like a firecall ID, but the difference is that the user is not given the FFID's password to log in; instead the FFID is assigned to the user in the SPM application. The user then logs in to the SAP system and navigates to the SPM application using transaction /n/virsa/vfat. From the SPM application a new session is opened for the end user with the required emergency access. Changes made by the end user in the system are captured by the SPM application, and the tool provides different reports for audit purposes.

 

Users in SPM

 

Superuser Privilege Management users include administrators, owners, controllers, and firefighters.

 

Administrators

Administrators run reports and maintain the data tables.

Owners are also table administrators, and can assign firefighter IDs to firefighters and controllers. Only administrators can access the toolbox and generate reports, with the exception of the log report. The log report is available from the Administration menu and the Superuser Privilege Management Administrator toolbar. Administrators also make sure that the Critical Transactions table is current. Administrators have complete access to this application capability. Administrators can also assign firefighter IDs to owners and to firefighters.

 

Owners

Owners can assign firefighter IDs to firefighters and define controllers. Owners can view the firefighter IDs assigned to them by the administrator. When an owner assigns a firefighter ID in the Controller table, the owner becomes a controller. Owners must ensure that at least one controller for each firefighter ID is on call to receive e-mail notifications and to review the log report. Owners cannot assign firefighter IDs to themselves.

 

Controllers

Controllers view the log report and receive e-mail notification of firefighter ID logins. Controllers can view the log report from the toolbox or can view the Log report as an e-mail text file attachment. Administrators enable e-mail notification through the Controllers table and the Configuration table.

 

Firefighters

Firefighters can access all firefighter IDs assigned to them and can perform any tasks for which they have authorization. Firefighters use the firefighter ID logins to run transactions during emergency situations. Controllers monitor firefighter ID usage by reviewing the log report and receiving e-mail notifications of firefighter ID logon events.

 

 

Approach (SPM with CUP workflow):

 

Process flow:

 

Step 1: The end user creates a CUP request, requesting FFID access.

 

Step 2: The CUP request is approved by the functional business owners, and the FFID is issued to the end user in the SPM application with validity dates.

 

Step 3: The end user logs in to the SPM application using transaction /n/virsa/vfat. From the SPM application a new session is opened for the end user with the required emergency access.
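The control logic behind the design above and this process flow, written out as an added illustrative model (not SAP's or GRC's own code): FFIDs are only usable through a time-boxed assignment made by the FFID's owner, an FFID with no controller on call cannot be assigned, owners cannot self-assign, every session is logged, and controllers are notified on logon and see only the log entries for FFIDs they control. All names (FFIDs, users, the SPM class and its methods) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, datetime

# Illustrative model of the SPM controls described above (not SAP's code).
@dataclass
class FirefighterID:            # service user created in SU01; no direct logon
    ffid: str
    owner: str
    controllers: set = field(default_factory=set)

@dataclass
class Assignment:               # firefighter may use the FFID only in this window
    firefighter: str
    ffid: str
    valid_from: date
    valid_to: date

@dataclass
class SessionLog:               # what the log report shows the controller
    firefighter: str
    ffid: str
    started: datetime
    transactions: list = field(default_factory=list)

class SPM:
    def __init__(self, ffids):
        self.ffids = {f.ffid: f for f in ffids}
        self.assignments, self.logs, self.notifications = [], [], []

    def assign(self, owner, firefighter, ffid, valid_from, valid_to):
        ff = self.ffids[ffid]
        if owner != ff.owner or owner == firefighter:  # owners cannot self-assign
            raise PermissionError(f"{owner} may not assign {ffid} to {firefighter}")
        if not ff.controllers:                         # someone must review the log
            raise ValueError(f"{ffid} has no controller on call")
        self.assignments.append(Assignment(firefighter, ffid, valid_from, valid_to))

    def open_session(self, firefighter, ffid, now):
        # Entry is via the SPM application; a direct logon with the FFID is blocked.
        ok = any(a.firefighter == firefighter and a.ffid == ffid
                 and a.valid_from <= now.date() <= a.valid_to for a in self.assignments)
        if not ok:
            raise PermissionError(f"{firefighter} has no valid assignment for {ffid}")
        log = SessionLog(firefighter, ffid, now)
        self.logs.append(log)
        for c in self.ffids[ffid].controllers:         # e-mail notification of logon
            self.notifications.append((c, f"{firefighter} logged on as {ffid} at {now:%Y-%m-%d %H:%M}"))
        return log

    def log_report(self, controller):                  # only FFIDs this controller reviews
        return [l for l in self.logs if controller in self.ffids[l.ffid].controllers]
```

Transactions run in the firefighter session are appended to the returned `SessionLog`, so the controller's report shows who used which FFID, when, and what they ran.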

