Application Development Discussions
GRC:AC:SPM: How to ensure SAP_ALL is not deleting FF log files?

Former Member

Hi Guys,

Due to some critical business requirements occurring occasionally, I wanted to set up a FF ID having SAP_ALL. This would be besides the other FF IDs, which I have already created for each of the modules, i.e. basically this SAP_ALL FFID would be to handle emergency and cross-module tasks.

Now, I have a limitation here: this FFID having the SAP_ALL profile may do anything and then even clear all the logs of everything it did (as it would have unlimited access, even to delete the logs of FFID usage). Any workaround solution for this?

Regards.

Hersh.

http://www.linkedin.com/in/hersh13

1 ACCEPTED SOLUTION

Former Member

The only solution is to create a role with the access that you want users to have in emergency situations; otherwise users with SAP_ALL can also cancel the job which sends data and do many things which he wants to, so even if you have AIS (Audit Information System) configured he can change that too. But most likely you'll be able to catch that person with the change history of what he changed, and he is still there in the company, unless that was his last day in the company.

Cheers !!

Zaheer


Hi Zaheer,

Thanks for your view as well, but what I need is to have unlimited access given to the FFID. I already have other IDs for each module, as you have mentioned. However, I can't find a way of using SAP_ALL for the FFID which solves my problem fully.

Regards,

Hersh.

http://www.linkedin.com/in/hersh13


Well, you may want to rethink the SAP_ALL strategy and maybe create a separate role for "the re-occurring" situation which has all the required roles and doesn't have access to the FF transaction codes (GRC authorization objects).

With SAP_ALL assigned to a user, thinking of a strategy to restrict them will take you nowhere. There have been discussions like this in the security forum; you may want to peek into those too.

Cheers!!

Zaheer


Zaheer is exactly correct. The main point of SAP_ALL is to be (almost) unrestricted and that is why it is recommended to not assign it.

Although Firefighter allows you to gain elevated access in a controlled manner, if you just assign Firefighter IDs SAP_ALL, then you will effectively be allowing that access in the systems, invalidating any controls which you had there previously.

There are loads of ways of trimming SAP_ALL but I would generate a role based on the SAP_ALL template and de-activate the key authorisations (GRCFF_0001).

Simon
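The two design rules the replies converge on (no Firefighter ID holds SAP_ALL directly, and the emergency role derived from the SAP_ALL template must not carry the Firefighter log/administration authorization object GRCFF_0001) can be checked against an export of user, profile and role assignments. The following script is an added example and is not code from anyone in this thread or from SAP; the input rows are constructed for illustration, the three-tuple export format and the `FF_` naming prefix for Firefighter IDs are assumptions, and the only SAP identifiers used are SAP_ALL, GRCFF_0001 and S_TCODE, which appear on the page or are standard objects.

```python
"""Audit check for an emergency (Firefighter) ID design.

Rules (from the thread's replies):
  1. No Firefighter ID may hold the SAP_ALL profile.
  2. A role assigned to a Firefighter ID must not grant the Firefighter
     log/administration object GRCFF_0001.
  3. When deriving the emergency role from the SAP_ALL template, strip
     that object out (Simon's "de-activate the key authorisations").

Input format is constructed for this example (NOT SAP's own export format):
  user_profiles: (user, profile) pairs
  user_roles:    (user, role) pairs
  role_auths:    (role, authorization_object) pairs
"""
from collections import defaultdict

FF_PREFIX = "FF_"                    # assumed naming convention for FF IDs
FORBIDDEN_PROFILE = "SAP_ALL"
FF_ADMIN_OBJECTS = {"GRCFF_0001"}    # object named in the thread

# Constructed sample export: one module FF ID, one SAP_ALL "emergency" FF ID,
# and a normal admin with SAP_ALL (outside the FF naming convention).
SAMPLE_USER_PROFILES = [
    ("FF_MM01", "Z_FF_MM_PROFILE"),
    ("FF_EMERG", "SAP_ALL"),
    ("ADMIN01", "SAP_ALL"),
]
SAMPLE_USER_ROLES = [
    ("FF_MM01", "Z_FF_MM"),
    ("FF_EMERG", "Z_FF_EMERG"),
]
SAMPLE_ROLE_AUTHS = [
    ("Z_FF_MM", "S_TCODE"),
    ("Z_FF_EMERG", "S_TCODE"),
    ("Z_FF_EMERG", "GRCFF_0001"),    # emergency role can touch FF logs: bad
]


def find_ff_ids_with_sap_all(user_profiles, ff_prefix=FF_PREFIX):
    """Rule 1: Firefighter IDs that hold SAP_ALL directly."""
    return sorted({u for u, p in user_profiles
                   if u.startswith(ff_prefix) and p == FORBIDDEN_PROFILE})


def roles_granting_ff_admin(role_auths, forbidden=FF_ADMIN_OBJECTS):
    """Rule 2 helper: role -> sorted list of FF admin objects it grants."""
    hits = defaultdict(set)
    for role, obj in role_auths:
        if obj in forbidden:
            hits[role].add(obj)
    return {r: sorted(objs) for r, objs in hits.items()}


def strip_ff_admin(template_auths, forbidden=FF_ADMIN_OBJECTS):
    """Rule 3: derive the emergency role's object list from a template,
    dropping the objects that would let it tamper with its own FF logs."""
    return [obj for obj in template_auths if obj not in forbidden]


def audit(user_profiles, user_roles, role_auths, ff_prefix=FF_PREFIX):
    """Return a list of human-readable findings (empty list = clean)."""
    findings = []
    for u in find_ff_ids_with_sap_all(user_profiles, ff_prefix):
        findings.append(f"{u}: holds {FORBIDDEN_PROFILE}; "
                        "can alter or delete its own FF log entries")
    bad_roles = roles_granting_ff_admin(role_auths)
    for u, r in user_roles:
        if u.startswith(ff_prefix) and r in bad_roles:
            findings.append(f"{u}: role {r} grants {','.join(bad_roles[r])}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_USER_PROFILES, SAMPLE_USER_ROLES, SAMPLE_ROLE_AUTHS):
        print("FINDING:", line)
    print("hardened emergency role objects:",
          strip_ff_admin(["S_TCODE", "GRCFF_0001", "S_TABU_DIS"]))
```

Run against a real export, the first finding is exactly the situation the original question describes: an ID that can both act and erase the record of acting. Note that ADMIN01 is deliberately not flagged; the check targets the Firefighter naming convention, so a broader SAP_ALL inventory needs its own rule.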

koehntopp
Product and Topic Expert

Any design that starts with "limiting" SAP_ALL will have almost endless ways of circumvention available. You will not succeed in restricting this.

The answer is simple: if you do not want to allow that, don't give SAP_ALL, or rely on additional measures (there are tools that basically do a screen cam of a person working with SAP_ALL).

Or use a DVD-R for the FF log file system.

Frank.

Former Member

Thanks all for your views on the topic.