Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

"Emergency role" for system administrators

Former Member
0 Kudos

Hello

Our SAP system administrators have more or less very comprehensive authorizations.

For emergency cases we are looking for a "near-by-SAP_ALL" role which the administrators are able to assign to themselves.

Does anyone have experience with which considerations must be taken into account?

There is a list of possible transaction codes for administrators like this one:

http://www.sap-img.com/basis/useful-sap-system-administration-transactions.htm

But this list is not complete, the guys sometimes need more...

Any ideas?

Thanks

BEO

3 REPLIES

Former Member
0 Kudos

Careful. Permitting admins to assign such a role to themselves may be a clear SoD violation, not to mention an uncontrolled practice. Emergency access is exactly what GRC Firefighter is used for.

If you don't have it, then create a manual process that involves logging of all activities performed while the role was assigned, temporary assignment only, and reviews and approval of logged activities. One way is to create a generic account that is always locked and is assigned to a user group that only certain people are allowed to maintain. Whenever the account is needed, it is "checked out" as if it were a firefighter. SM19 would be permanently set to log all activities for this account. To do this, you would have to close all loopholes in the process, such as tightly controlling who can change SM19 settings, who can unlock the account, and who knows its password, and you would need periodic reviews of the account, showing the last time it was locked and its password changed and the last time SM19 settings were changed, plus timely reviews of SM20 logs for the account.

Your auditors probably have suggestions for your emergency access procedure too.

Good luck!
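The review step of the manual process described in this reply, as an added example that is not part of the thread: a script that reconciles each logged action of the emergency account with the check-out register and flags activity no approved window covers. The account name, the record layout and the check-out entries are constructed; the records are a simplified stand-in, not the real SM20 export format.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed, simplified audit records (not the real SM20 layout):
# "YYYY-MM-DD HH:MM|account|terminal|transaction"
AUDIT_LOG = """\
2023-03-01 09:05|FF_EMERG|WS-BASIS01|SM59
2023-03-01 09:40|FF_EMERG|WS-BASIS01|SM21
2023-03-01 13:10|FF_EMERG|WS-BASIS02|SU01
2023-03-02 22:30|FF_EMERG|WS-UNKNOWN|PFCG
2023-03-02 10:00|J.DOE|WS-BASIS01|SE16
""".splitlines()


@dataclass(frozen=True)
class Checkout:
    """One approved, time-boxed check-out of the emergency account (constructed)."""
    user: str       # named admin who checked the account out
    approver: str   # person who approved the check-out
    start: datetime
    end: datetime


# Constructed check-out register: one approved window on 1 March.
CHECKOUTS = [
    Checkout("j.doe", "a.manager",
             datetime(2023, 3, 1, 9, 0), datetime(2023, 3, 1, 10, 0)),
]


def parse_record(line):
    """Split one constructed audit record into (timestamp, account, terminal, tcode)."""
    ts, account, terminal, tcode = line.split("|")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), account, terminal, tcode


def review_emergency_use(audit_lines, checkouts, account="FF_EMERG"):
    """Return (covered, violations).

    covered maps each check-out to the transactions run inside its window, so the
    approver can sign off on them; violations lists every action of the emergency
    account that falls outside all approved windows and needs investigation.
    """
    covered = {c: [] for c in checkouts}
    violations = []
    for line in audit_lines:
        ts, acct, terminal, tcode = parse_record(line)
        if acct != account:          # only the emergency account is in scope here
            continue
        window = next((c for c in checkouts if c.start <= ts <= c.end), None)
        if window is None:
            violations.append((ts, terminal, tcode))
        else:
            covered[window].append(tcode)
    return covered, violations
```

Running `review_emergency_use(AUDIT_LOG, CHECKOUTS)` on the constructed data attributes SM59 and SM21 to the approved window and flags the afternoon SU01 and the late-night PFCG as unapproved use.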

OttoGold
Active Contributor
0 Kudos

Hi.

I don't think there is a solution like "role I can assign to myself". Totally NOT under control.

There are emergency solutions that would solve your problem. Not just GRC. And these emergency procedure solutions often have very good security logging/reporting on what happened during the emergency access. And there is a LOT you must check after granting the powerful emergency access....

Cheers Otto

fredrik_borlie
Contributor
0 Kudos

Why do you give system admins very low authorizations?

By role they should have access to "basically" everything but the application itself. How on earth should they otherwise be able to administer the system?

The smartest way is to use client 000 for basis activities. This way the auditors will not complain if basis staff have high authorizations. You can almost assign SAP_ALL and still have happy auditors.

But the smartest authorization profile to use is S_A.SYSTEM.