Elevate Your Emergency Access Management: A Guide to Soterion’s Elevated Rights Manager

Every organisation occasionally needs to grant certain users elevated access in SAP, either periodically or on an ad-hoc basis, to perform business-critical or sensitive activities. This process, commonly known as the Fire-Fighter process, plays a crucial role in SAP security and Governance, Risk, and Compliance (GRC).

In this article, we will first explore SAP security and GRC control activities from a broader perspective, before diving deeper into the Emergency Access Management process. We’ll discuss how the effectiveness of this control is shaped by the interaction between people, processes, technology, and design.

Finally, we will explain how Soterion’s Elevated Rights Manager offers a unique, workflow-driven solution for granting sensitive fire-fighting access, ensuring a seamless and effective Emergency Access Management process.


SAP Security & GRC – Implementing Effective Controls

Effective controls are critical for organisations to manage and reduce risks. While accepting some level of risk is inherent in business operations, SAP users often encounter Segregation of Duty (SoD) risks due to limited resources. Therefore, the true value of a GRC program lies in establishing and maintaining effective controls that address these risks.

To manage risks associated with SAP user access, organisations must first understand these risks. Once identified, it’s crucial to define the controls needed to mitigate them and establish control activities to ensure their effectiveness.

We recommend that organisations incorporate the following control activities into their GRC program to effectively manage SAP access risks:

  • Access Risk Assessment
  • Access Risk (What-If) Simulation
  • Rule Set Management and defining Mitigating Controls
  • Emergency Access Management
  • User Access Reviews
  • Continuous Control Monitoring

The diagram below demonstrates these essential control activities and how they mitigate SAP access risks within an organisation’s GRC program.


Now let’s take a look at the Emergency Access Management process.


Emergency Access Management and the Role of People, Process, Technology, and Design

The effectiveness of this control is influenced by the interplay between people, process, technology, and design. Identifying the right individuals to participate in compliance tasks, defining clear processes, selecting the appropriate technology, and implementing a robust design are critical.

Let’s examine the common challenges organisations face during the elevated rights access period and provide key considerations for addressing these issues.


People

Challenges with elevated access:

  • Lack of clarity on ownership of the process within the organisation.
  • Reviews are often technical, making it difficult for business owners to make informed decisions.
  • Differentiating between who uses the elevated access – IT Users or Business Users.

Considerations

  • Identify the appropriate software and resources to support users managing elevated rights access.
  • Designate a technical resource to assist the business in the review process. While the business owns the process, the expertise of a technical user is essential for providing guidance during reviews.
    – Determine the type of data that requires review, and why technical understanding is necessary (e.g., sensitive table-field relationships, interpretation of change values, and the risks associated with modifying these fields).

Process

Challenges

  • Lack of clearly defined processes, or non-compliance with defined processes. Log review processes, if they exist, are often not thorough enough.
    – Reviews are not conducted in a timely manner.
    – Reports are overly complex, making it difficult to make informed decisions.
    – Log approvers are often too technical, limiting broader oversight.
    – Incomplete reviews, especially regarding Sensitive Table/Field relationships.
  • Validity of access durations (e.g., extended access for days instead of hours) and use of access for multiple purposes that don’t align with the initial request.

Considerations

  • Document policies and procedures for elevated rights access, covering how access is requested/assigned, the timeframe for log reviews, sensitive Table/Field relationships, and the appropriate reviewers.
  • Establish policies and procedures which would include appropriate log approvers, defining the timeframe for reviewing and approving activities, specifying the activities that require elevated access (for both Business and IT Users), and outlining which users should be pre-approved versus those requiring additional approval.

Technology

Challenges

  • Lack of technology to facilitate elevated rights access.
  • Preparing audit activities for review is often done manually rather than through automation.
  • The process of requesting access versus the time taken to assign it is also manual, impacting efficiency.
  • The complexity of technology affects not only the processes for managing elevated rights access but also the users involved in those processes. This complexity influences the representation of activity log reports.

Considerations

  • Identify suitable software to facilitate the elevated rights process, emphasising ease of setup and configuration, user experience for both requesting elevated access and conducting reviews, and clearly defining sensitive changes that should be part of the review process.
  • Select a solution that maximises effectiveness, particularly in how elevated rights results are presented and reported.

Design

Challenges

  • Identifying the appropriate Users for Elevated Rights Access.
  • Defining the correct level of access in SAP for both regular day-to-day activities and for Elevated Access.
    – Defining the methodology for granting the Elevated Access (User or Role Methodology).
    – Balancing wide access permissions vs SAP Module based access.

Considerations

  • Document policies and procedures that define the Elevated Rights Methodology, specifying the activities that require elevated access, and determining the appropriate access levels for each SAP user and/or role with elevated rights.
  • Identify sensitive or emergency activities that should be conducted through elevated access, while keeping all routine, day-to-day tasks assigned to the user’s regular SAP User ID.

How does Soterion help organisations overcome the challenges they encounter during the elevated rights access period?


  • Detailed Logging and Business Process Flows
    – Soterion logs elevated rights activities with supporting Business Process flows.
    – Converts SAP technical language into business-friendly language for easier review.
    – Enables business users to interpret activity logs without reliance on technical resources.
  • Automation of Elevated Rights Process
    – Soterion automates the management of the elevated rights process, streamlining operations.
  • Sensitive Field Monitoring
    – Defines Sensitive Table/Field relationships for targeted oversight.
    – Generates workflow activity reports that highlight changes to sensitive fields.
    – Allows reviewers to focus on critical changes.
  • Compliance and Efficiencies
    – Facilitates compliance tasks associated with elevated access.
    – Enhances efficiency in both assigning and reviewing elevated access.
  • User Definitions for Elevated Rights
    – Supports the definition of both Business Users and IT users for elevated rights access.
    – Provides comprehensive activity reports to assist in role redesign of elevated rights access.
  • Business-Centric Control Effectiveness
    – Emphasises a business-centric representation of results.
    – Improves control effectiveness through detailed reporting and integrated Business Process Flows.
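As an added example (not Soterion's code), the Python below performs the kind of log review described under Process and under Sensitive Field Monitoring: it checks one firefighter session against a maximum-duration policy, against the scope stated in the request, and against defined sensitive Table/Field relationships, and phrases each finding in business language for a non-technical reviewer. The policy entries, the session and the change records are constructed sample data, not output from any real system.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed policy (not Soterion configuration): sensitive Table/Field pairs mapped
# to the business-friendly wording a non-technical reviewer should see.
SENSITIVE_FIELDS = {
    ("LFBK", "BANKN"): "vendor bank account number",
    ("LFA1", "KTOKK"): "vendor account group",
    ("KNB1", "ZTERM"): "customer payment terms",
}
MAX_SESSION = timedelta(hours=4)  # policy: elevated access is measured in hours, not days

# ff_id = firefighter ID checked out; scope = tables the request said would be changed
Session = namedtuple("Session", "ff_id user reason scope start end")
# one change-log entry attributed to a firefighter ID (constructed format)
Change = namedtuple("Change", "ff_id when table fld old new")

def review_session(session, changes):
    """Return reviewer findings for one session; an empty list means nothing to escalate."""
    findings = []
    duration = session.end - session.start
    if duration > MAX_SESSION:
        findings.append(f"Session lasted {duration}, above the {MAX_SESSION} policy limit")
    for c in changes:
        # only changes made with this firefighter ID inside its validity window count
        if c.ff_id != session.ff_id or not (session.start <= c.when <= session.end):
            continue
        if c.table not in session.scope:
            findings.append(f"Changed {c.table}, which was not part of the request ({session.reason})")
        label = SENSITIVE_FIELDS.get((c.table, c.fld))
        if label:
            findings.append(f"Changed {label} from {c.old!r} to {c.new!r} at {c.when:%H:%M}")
    return findings

# Constructed sample log: a six-hour session requested only for vendor bank changes
SAMPLE_SESSION = Session("FF_FIN01", "jsmith", "Fix vendor bank details", {"LFBK"},
                         datetime(2024, 5, 2, 9, 0), datetime(2024, 5, 2, 15, 0))
SAMPLE_CHANGES = [
    Change("FF_FIN01", datetime(2024, 5, 2, 9, 40), "LFBK", "BANKN", "12345678", "87654321"),
    Change("FF_FIN01", datetime(2024, 5, 2, 14, 10), "KNB1", "ZTERM", "Z030", "Z090"),
    Change("FF_FIN01", datetime(2024, 5, 2, 16, 30), "LFA1", "KTOKK", "KRED", "LIEF"),  # after the window
]

if __name__ == "__main__":
    for finding in review_session(SAMPLE_SESSION, SAMPLE_CHANGES):
        print("-", finding)
```

The sample session produces four findings: the over-long duration, the in-scope but sensitive bank account change, the out-of-scope KNB1 change, and the sensitive payment-terms change; the change after the validity window is ignored because it is not attributable to this session.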



Key Benefits of Soterion's Elevated Rights Manager

  • Lower Risk Exposure: Implementing a well-defined emergency access process ensures that elevated access is only granted when necessary. 
  • Control of Support and IT Personnel: Elevated access is temporary and granted only when required, rather than permanently.  
  • Enhanced Business Oversight: By granting access only with necessary business approvals and sending detailed activity logs to relevant business owners for review, organisations can ensure transparency and accountability in privileged access management. 
  • Detailed Logging of Activities: Comprehensive logging ensures that all actions taken are documented, facilitating audit trails and compliance with regulatory requirements. 

Feel free to email us on [email protected] if you have any questions or would like to know more. We will gladly assist with a demo to see how we can help.
