
Privileged access solutions on SAP: great functionality but use it wisely!

There are several solutions available in the marketplace for managing privileged access, with names such as ‘Firefighter’, ‘Emergency Access Management’, etcetera.
In MARC it is the Privileged Access Management (PAM) module.

These solutions are meant for IT users who work on production systems to resolve issues and apply critical updates. Those activities require temporary, elevated access rights. Such elevated access is usually also required for go-live support in the early days after a new release or application is launched in production. Sometimes it is even used for business (end) users to do special updates for master data or other incidental updates. Or worse: for temporary access (delegation) during a holiday period.

The use of these solutions by end users is often subject to discussion in many organizations. Not all auditors like a privileged access tool being used for purposes other than system administration tasks.

Using a privileged access tool for end user activities is, however, not a good idea. These activities should be handled through regular authorization roles as much as possible. That way, a lot of hassle in arranging approvals and reviews per individual request can be avoided. The often-heard argument in favor of running certain end user activities through privileged access is that ‘all activities are much better logged’ in privileged access tooling.
That argument isn’t really valid. After all, the standard table logging option in SAP logs the changes in data as well.
On top of that, more sophisticated SAP controlling software, like the Internal Control Monitoring module in MARC, is able to provide excellent (exception) reports.

Overall, we believe it is better to avoid the usage of privileged access solutions for end users. A good guideline could be: if occasionally required additional end user authorizations can be captured in one or more (separate) authorization roles, then these can be assigned to users through the normal role provisioning process.

If you would like to know more about how the MARC4GRC software suite can improve the management and monitoring of privileged access rights in your SAP system, don’t hesitate to contact me.

Jos de Waal