Emergency Access Management for SAP (EAM)

 
EAM4SAP_First_Aid.jpg

That's what it's all about

Any direct access to the SAP production systems with superuser permissions represents a high risk. Fraud and unintended activities may result in financial loss or incorrect financial reporting with potential serious consequences. That is why they are under particular observation from auditors and tax authorities.

 
SAP_Emergency_Access_Protocols.jpg

Best practices

A good emergency user concept assures that,

  • a documented emergency access concept exists

  • the Superuser credentials are secured against unauthorized access

  • every Superuser deployments are logged

  • any use of emergency user credentials is subject to an approval and notification process 

  • The review of every Emergency User operations is mandatory and documented

Emergency_Access_Management.jpg

A specialized software is crucial

The traceability of each and every Emergency User operation with SAP standard functionalities is almost impossible (audit trail). This comprises the assignment of Superuser credentials itself, the protocoling of any actions (Security Audit Log) during the emergency access and ends with the review of all log files. When you have multiple instances and distributed clients, the centralized monitoring and reporting is also challenging. And, at the end you need to provide internal end external auditors with evidences.

 
SAP_Emergency_Access_Request.jpg

A revolutionary concept – ISPICIO_E

We came up with an unusual approach: Our Emergency Access Management software (EAM) is based on a web server application and connects to SAP via RFC. To start an emergency access, entitled users browse to ISPICIO_E (Intranet) and log-in with their individual credentials. Here they enter a reason and a ticket reference ID. After doing so, they obtain an one-time Superuser ID. In the background, ISPICIO_E creates a dedicated Emergency User and links it to the Security Audit Log (SAL). Then, ISPICIO_E checks continuously if the Superuser is still active. If not, ISPICIO_E deletes this particular Superuser again and downloads the SAL log file to the internal database. In the aftermath, a mandatory review of the Security Audit Log file is assigned to a reviewer for approval, which is documented, too.

SAP_Emergency_Access_Dashboard.jpg

Key Benefits

Our approach meets all the requirements for a compliant management of SAP Emergency Users and has many advantages:

  • Installation and setup is straightforward: Rapid implementation, no specialists, no training is needed

  • an unlimited number of SAP systems can be connected, regardless of their location and without additional license costs

  • each and every emergency user incident, its protocols and reviews are stored centrally for monitoring, reporting and auditing

  • Best of all: ISPICIO_E is reasonably priced