Ensuring you have correctly set up your Emergency Access Management process, also known as the FireFighting process, is a key part of SAP security and risk management.
What is Emergency Access Management (also referred to as FireFighter)?
The Emergency Access Management (EAM) process refers to the configuration of SAP access that enables users to respond effectively to emergency or business-critical activities within the SAP system. A critical component is the separation of sensitive access from a user's everyday permissions. This is achieved by establishing emergency access through a distinct user or role, commonly referred to as the FireFighting user or role. This designated user or role not only has elevated access within the SAP system but also incorporates extensive logging, ensuring that its actions are thoroughly audited.
Why is an EAM Process Necessary?
The EAM process is the granting of temporary access to crucial accounts and authorisations for specific users. This temporary access empowers users to undertake tasks beyond their regular permissions, specifically aligning with the responsibilities associated with the SAP FireFighter role. Consequently, individuals are equipped to address issues effectively while ensuring that all their actions are meticulously logged for comprehensive auditing purposes.
What is FireFighter ID in SAP?
A FireFighter ID provides a user with temporary access to vital accounts and authorisations. This temporary access enables users to perform tasks that extend beyond their typical permissions, aligning with the responsibilities inherent in the SAP FireFighter role.
Challenges with Implementing an EAM Process
Here are three common challenges organisations face when implementing an EAM process:
1. Correctly Defining Regular User and FireFighting Accounts
Many companies face challenges when establishing an effective EAM (Emergency Access Management) process, particularly in defining the appropriate FireFighter access within SAP in comparison to regular user IDs. The difficulty lies in striking a balance between restricting a user to their necessary daily functions while preventing the unnecessary use of a FireFighter ID, reserved for emergency situations. Struggling to find this equilibrium often leads users to resort to utilising the FireFighter ID for their routine tasks. Consequently, this places a considerable workload on employees responsible for auditing FireFighter logs, given the overwhelming volume of logged actions. Despite this high volume, it remains crucial for these employees to diligently validate the legitimacy of every action executed under the FireFighter ID.
2. Delays with Auditing of Logs
Companies often face challenges when it comes to timely completion of necessary audits following the conclusion of an EAM (Emergency Access Management) process. When there’s a lack of documented reasons for emergency access requests, security administrators might forget the context behind a user’s request for FireFighting access in specific situations as time elapses. Furthermore, the failure to conduct audits promptly on logs can lead to unresolved issues like fraud or potential security vulnerabilities, leaving the company exposed until the logs are thoroughly audited and any outstanding concerns are addressed.
3. Understanding Standard EAM Process Logs
Numerous business users within companies encounter challenges when attempting to navigate FireFighter logs within SAP GRC. These logs, tailored for highly technical users, often present intricate details that can be perplexing for typical business users. Consequently, this lack of clarity may prompt business users to approve audits without comprehending the specific actions performed during the EAM process.
Different FireFighter Methodologies
There are multiple methodologies that can be used for the FireFighter process. These methodologies are:
- User methodology: Users possess a distinct ID for their routine SAP tasks and a separate FireFighter ID specifically designated for EAM process activities.
- Role methodology: Roles are structured such that users maintain a dedicated ID for everyday SAP operations, while the FireFighter role is allocated to their regular ID when engaging in EAM process activities.
The Pros and Cons of the User and Role Methodology
Each of these methodologies has its own advantages and disadvantages.
User Methodology Pros and Cons
The user methodology offers a more streamlined and focused approach by keeping the user's regular account distinct from the FireFighter ID during operation. However, this separation can reduce visibility of activities that were previously accessible under the user's own account, because users must switch to the FireFighter ID to perform them.
Role Methodology Pros and Cons
The role methodology assigns the FireFighter role to the user's own account, which improves overall task visibility because no ID switching is required. Nonetheless, this approach logs all of the user's actions, whether or not they relate to firefighting, leading to a more complex auditing process and less control over what is audited.
Defining Access for the EAM Process
In addition to these two methodologies, there are two options around access that companies need to consider. These are:
- Pre-approved access: Pre-approved access grants users prior authorisation to use the FireFighter ID or role. This enables swift responses to any issue using FireFighter access. However, this method offers a lower level of security, as it allows users with pre-approved access to obtain FireFighting privileges automatically whenever they require them.
- Additional approval access: The additional approval access process requires users first to request access to a FireFighter ID or role and then to obtain approval before engaging in any FireFighting actions. While this approach offers heightened security compared to the prior method, it may lead to significant delays, as users must await approval from the relevant approver before taking any action.
Implement an Automated Approach
Irrespective of the methodology or access method you choose, it’s crucial to implement an automated system to manage these processes efficiently when necessary. Relying on manual procedures would involve individuals going through the configuration of accounts and access, which could significantly slow down operations, particularly if EAM tasks need completion beyond regular business hours.
In contrast, an automated solution streamlines the process by generating logs automatically, sending workflows to users without manual intervention, and managing user or role methodologies as required by the system. Furthermore, an automated approach aids in converting audit logs into a user-friendly format, facilitating more effective auditing and quicker problem resolution for business users.
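As an added illustration, not code from this article or from Soterion's product, the following Python sketch models a FireFighter checkout under both access options (pre-approved versus additional approval), logs every action taken under the ID, and runs the audit checks an automated review would apply for the problems raised above: undocumented reasons, self-approval, and log reviews that are overdue. The user names, FireFighter IDs, reasons and the seven-day review window are assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

class AccessMode(Enum):
    PRE_APPROVED = "pre-approved"      # user may check out the FireFighter ID at will
    ADDITIONAL_APPROVAL = "approval"   # an approver must sign off before any action

@dataclass
class FireFighterSession:
    requester: str
    ff_id: str              # FireFighter ID (user methodology) or role (role methodology)
    reason: str
    mode: AccessMode
    requested_at: datetime
    approved_by: Optional[str] = None
    closed_at: Optional[datetime] = None
    reviewed_at: Optional[datetime] = None
    actions: list = field(default_factory=list)   # (timestamp, transaction code) pairs

    def may_act(self) -> bool:
        # Pre-approved sessions start at once; the other mode waits for sign-off.
        return self.mode is AccessMode.PRE_APPROVED or self.approved_by is not None

    def log_action(self, at: datetime, tcode: str) -> None:
        if not self.may_act():
            raise PermissionError(f"{self.ff_id}: {tcode} attempted before approval")
        self.actions.append((at, tcode))  # every FireFighter action is logged for audit

def audit_findings(sessions, now, review_sla=timedelta(days=7)):
    """Return (ff_id, finding) pairs an auditor should look at first."""
    findings = []
    for s in sessions:
        if not s.reason.strip():
            findings.append((s.ff_id, "no documented reason for emergency access"))
        if s.approved_by is not None and s.approved_by == s.requester:
            findings.append((s.ff_id, "requester approved their own access"))
        if s.closed_at and s.reviewed_at is None and now - s.closed_at > review_sla:
            findings.append((s.ff_id, "log review overdue"))
    return findings

# Constructed sample checkouts; user names, FireFighter IDs and reasons are made up.
T0 = datetime(2024, 1, 8, 9, 0)
AUDIT_DATE = T0 + timedelta(days=30)   # the auditor only gets to the logs a month later
SESSIONS = [
    FireFighterSession("alice", "FF_FIN01", "Month-end posting run stuck", AccessMode.PRE_APPROVED,
                       T0, closed_at=T0 + timedelta(hours=2), reviewed_at=T0 + timedelta(days=1)),
    FireFighterSession("bob", "FF_BAS01", "", AccessMode.ADDITIONAL_APPROVAL, T0,
                       approved_by="bob", closed_at=T0 + timedelta(hours=1)),
]
```

Running `audit_findings(SESSIONS, AUDIT_DATE)` leaves the documented, reviewed checkout alone and raises three findings against the second one, which is the kind of prioritised list the article's business users need instead of a raw transaction log.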
Find Out How Soterion Can Assist with EAM and FireFighting in SAP
Struggling with Emergency Access Management in your organisation? Soterion and our SAP security consultants can provide business-centric GRC solutions for companies running SAP that allow you to improve efficiencies, comply with regulations, provide accountability of access risk, and secure your SAP solution.
Contact us to find out more about how Soterion's Elevated Rights Manager tool can help you grant FireFighter access effortlessly while adhering to audit requirements.