PAM: Privilege Access Management
Controlled access to data in the production environment is achieved with MARC’s Privilege Access Management (PAM) module.
With the PAM module, SAP_ALL (or a stripped-down version of SAP_ALL) can be issued in a controlled manner for special (management) activities.
Whereas technical and functional administrators used to be able to do anything in SAP with their SAP_ALL account without anyone’s supervision, now they can be controlled from start to finish via the PAM module.
The process is as follows:
- Through a workflow, an SAP administrator receives a special PAM user id, after permission from an owner or a person responsible for the ECC system.
- The issuance has time limits. For example, issuance can be for only 10 minutes, or for a week. In addition, issuance can be scheduled for use in the future (pre-authorization).
- The transactions performed by the administrator during PAM user id usage are recorded with details of the changes (based on SAP log data). Risky actions can be highlighted separately.
- Reporting based on SAP logging remains available for later audits, for example by the external auditor.
- After the access has expired, the person responsible for the ECC system receives the report for review.
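As an added illustration of the process above (not MARC's code and not SAP's log format), this Python example models a time-limited grant and builds the owner's post-expiry review from constructed audit records. All names, the record layout and the set of risky transaction codes are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: which transaction codes count as "risky" is a local policy choice.
RISKY_TCODES = {"SE16N", "SM30", "SU01", "SE38"}

@dataclass
class Grant:
    pam_user: str        # hypothetical PAM user id issued through the workflow
    admin: str           # administrator who receives it
    approved_by: str     # owner / person responsible for the ECC system
    start: datetime      # may lie in the future (pre-authorization)
    duration: timedelta  # e.g. 10 minutes or a week

    @property
    def end(self):
        return self.start + self.duration

    def active(self, now):
        """True only inside the approved window [start, end)."""
        return self.start <= now < self.end

def review_report(grant, records):
    """Build the post-expiry review from (timestamp, user, tcode, detail) records."""
    report = {"in_window": [], "risky": [], "outside_window": []}
    for ts, user, tcode, detail in sorted(records):
        if user != grant.pam_user:
            continue  # activity of other accounts is not part of this review
        entry = (ts.isoformat(), tcode, detail)
        if not grant.active(ts):
            report["outside_window"].append(entry)  # use before start or after expiry
            continue
        report["in_window"].append(entry)
        if tcode in RISKY_TCODES:
            report["risky"].append(entry)  # highlighted separately for the reviewer
    return report

# Constructed sample data, not real SAP log output.
START = datetime(2024, 3, 1, 9, 0)
GRANT = Grant("PAM_001", "jdoe", "ecc_owner", START, timedelta(minutes=10))
RECORDS = [
    (START + timedelta(minutes=2), "PAM_001", "SM30", "table entry changed"),
    (START + timedelta(minutes=4), "PAM_001", "SM37", "job log displayed"),
    (START + timedelta(minutes=5), "OTHER", "SU01", "unrelated user"),
    (START + timedelta(minutes=12), "PAM_001", "SU01", "user changed after expiry"),
]

if __name__ == "__main__":
    for section, rows in review_report(GRANT, RECORDS).items():
        print(section, rows)
```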
Advantages of the PAM module:
- No second person is needed to watch what the administrator is doing (four-eyes principle / ‘Red Envelope’ procedure).
- You get a clear and consistent report. Periodic comparison becomes possible and simple.
- Custom reporting. For example, you can highlight important items, so crucial items can be seen at a glance.