SAP Security & GRC made easy

SPM - Firefighter

Superuser Privilege Management - Firefighter

Access Control 5.3 Implementation Considerations for SPM, Version 1.1

1. Management Overview

Superuser Privilege Management (SPM) in SAP GRC Access Control enables users to perform tasks beyond their regular job responsibilities during emergency situations. It helps managers control and monitor access exceptions by extending permissions and providing an auditing mechanism to log and track activities.

SPM is an ABAP-based application with web-based reporting features. It automates key firefighting tasks, such as:

  • Defining firefighter IDs/roles and assigning users.

  • Designating owners and controllers.

  • Logging and auditing all firefighting transactions.

SPM is exclusively available for ABAP-based SAP applications.

2. Key Features and Benefits

SPM offers the following benefits:

  • Monitors Firefighter Access: Tracks activities performed during privileged access sessions.

  • Automates Firefighting Tasks: Defines firefighter IDs/roles, assigns owners/controllers, and logs transactions.

  • Enhances Security and Compliance: Provides detailed audit reports for oversight.

3. Key Stakeholders

SPM is relevant to the following users:

  • Firefighters: Require temporary elevated privileges to perform emergency tasks.

  • Firefighter ID Owners: Manage firefighter access permissions and duration.

  • Firefighter Controllers: Monitor and review firefighter sessions.

  • SPM Administrators: Configure and maintain SPM settings.

  • Auditors: Review reports and audit trails.

4. Implementation Preparation

To implement SPM effectively:

  1. Assess the Need for Privileged Access Monitoring:

    • Do you have an existing process for emergency access?

    • Who typically requires privileged access?

  2. Define the Scope of SPM:

    • SPM tracks emergency access only.

    • Routine sensitive tasks should be monitored through Risk Analysis and Remediation (RAR).

  3. Choose Between ID-Based and Role-Based Firefighting:

    • ID-based firefighting allows users to check out a special Firefighter ID.

    • Role-based firefighting grants temporary roles without a separate login.

  4. Determine Controller Notifications:

    • Notifications can be sent via email, SAP mail, or logs.

    • Email notifications require maintaining email addresses in user records (SU01).

5. Implementation Scenarios and Use Cases

Before configuring SPM, complete the necessary backend ABAP setup as per the Access Control 5.3 Configuration Guide, including:

  • Creating an RFC destination for SPM.

  • Defining background jobs for log reports.

  • Configuring Firefighter IDs or Roles.

The guide is available on the SAP Service Marketplace.

5.1 ID-Based Firefighter Use Cases

5.1.1 Concept

In ID-based firefighting:

  • Each Firefighter ID has a unique User Master Record.

  • Users check out the ID to perform emergency tasks.

  • Only one user can check out an ID at a time.

  • All changes are logged under the Firefighter ID.

5.1.2 User Interface

SPM is pre-configured for ID-based firefighting by default.

5.1.3 Process

  1. Create Firefighter ID:

    • Use SU01 to create a user of type "S" (service user) for the Firefighter ID.

    • Restrict direct logins using SAP Note 992200.

  2. Assign Firefighter ID & Password:

    • Store the credentials securely in SPM.

    • Passwords are encrypted for security.

  3. Assign Firefighter Owner:

    • Owners can assign roles but cannot assign IDs to themselves.

  4. Assign Firefighter Controller:

    • Controllers review log reports and receive notifications.

  5. Assign Firefighter User:

    • Users access the Firefighter ID within assigned validity dates.

Refer to the Access Control 5.3 Application Help for more details.

5.1.4 Reporting

SPM provides detailed reports on Firefighter ID activity, available via:

  • Email/SAP mail notifications to controllers

  • SPM Toolbox and Web Interface

Reports include:

  • Log Summary Report – Overview of Firefighter activity.

  • Transaction Usage Report – List of transactions executed.

  • SoD Violations Report – Identifies any Segregation of Duties violations.
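To make the ID-based process (5.1.3) and its reporting (5.1.4) concrete, here is an added Python model, constructed for this post and not SAP or SPM code, of the controls those sections describe: only the owner assigns a Firefighter ID and never to themselves, one user checks the ID out at a time and only within the assigned validity dates, every transaction is logged under the Firefighter ID with the real user recorded, and the Transaction Usage and SoD Violations reports are derived from that log. All names, the FK01/F110 conflict rule and the in-memory log are illustrative assumptions; controller notification is omitted.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

SOD_RULES = [frozenset({"FK01", "F110"})]  # constructed SoD rule: vendor create vs. payment run

@dataclass
class FirefighterID:
    ffid: str                                   # service-type ("S") user created in SU01
    owner: str
    users: dict = field(default_factory=dict)   # user -> (valid_from, valid_to)
    checked_out_by: str = ""                    # empty while the ID is checked in
    log: list = field(default_factory=list)     # (real user, tcode), kept under the FFID

def assign_user(ff, assigner, user, valid_from: date, valid_to: date):
    """Only the owner assigns the ID, and never to themselves."""
    if assigner != ff.owner:
        raise PermissionError(f"{assigner} is not the owner of {ff.ffid}")
    if user == ff.owner:
        raise PermissionError("owner cannot assign a Firefighter ID to themselves")
    ff.users[user] = (valid_from, valid_to)

def check_out(ff, user, today: date):
    """One user holds the ID at a time, and only inside the assigned validity dates."""
    if ff.checked_out_by:
        raise RuntimeError(f"{ff.ffid} is already checked out by {ff.checked_out_by}")
    window = ff.users.get(user)
    if window is None or not (window[0] <= today <= window[1]):
        raise PermissionError(f"{user} has no valid assignment for {ff.ffid} on {today}")
    ff.checked_out_by = user

def run_transaction(ff, user, tcode):
    """Activity is logged under the Firefighter ID, with the real user recorded."""
    if ff.checked_out_by != user:
        raise PermissionError(f"{user} does not currently hold {ff.ffid}")
    ff.log.append((user, tcode))

def check_in(ff):
    ff.checked_out_by = ""

def transaction_usage_report(ff) -> dict:
    """Transaction Usage Report: how often each transaction ran under the FFID."""
    return dict(Counter(tcode for _, tcode in ff.log))

def sod_violations(ff) -> list:
    """SoD Violations Report: conflicting pairs executed by the same real user."""
    by_user = {}
    for user, tcode in ff.log:
        by_user.setdefault(user, set()).add(tcode)
    return [(u, tuple(sorted(r))) for u, codes in by_user.items() for r in SOD_RULES if r <= codes]
```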

5.2 Role-Based Firefighter Use Case

5.2.1 Concept

In role-based firefighting:

  • End-users receive temporary Firefighter Roles without needing a separate ID.

  • Their actions are logged under their normal SAP user ID.

5.2.2 User Interface

When role-based firefighting is enabled, SPM displays the configuration options that apply to that mode instead of the ID-based defaults.

5.2.3 Process

  1. Create Firefighter Role:

    • Use PFCG to define a secure Firefighter role.

    • Avoid assigning overly broad permissions (e.g., SAP_ALL).

  2. Assign Firefighter Owner:

    • Owners assign roles but cannot assign roles to themselves.

  3. Assign Firefighter Controller:

    • Controllers review logs and receive notifications.

  4. Assign Firefighter User:

    • Users gain temporary access as defined by role validity settings.

5.2.4 Reporting

SPM provides reporting for role-based firefighting, including:

  • Log Report – Details of Firefighter Role usage.

  • Configuration Change Log Report – Changes made to Firefighter settings.
