GRC 10.0 : EAM Implementation Strategy & Role Design Best Practices

Former Member

Hi all,

It's been a while but hey I'm still here....

I know this has been asked before, but I haven't found a satisfactory answer as of yet. I'd like your advice as to what is considered best practice, or what has worked for you, in implementing Emergency Access Management (or SPM, as it was known in previous versions).

Let's say you have a complex landscape with various systems and modules (FI/CO, MM, SD, HR, APO, and so forth) and Firefighter roles need to be given for each of these modules and their respective functions as elevated access as and when needed.

Would it be advisable to create a Super Role (so to speak) for each respective module (FF, MM, SD...) which has all the relevant TCodes for that module, and when a user requests elevated access outside their normal tasks they are given this Super Role for their respective domain, which will contain all the necessary access privileges? Is it then the job of the log and the controller to ensure that what was actually executed is monitored?

Any advice would be highly appreciated.

Paul


alessandr0

Dear Paul,

from my point of view there is more than one recommended scenario for firefighting. I will share my thoughts regarding firefighting in our corporation.

In one special case (Finance) we have segregated different functions into several firefighters which are used in case of temporary replacement. For example, one firefighter for the payment run only, one for month-end closing, etc. These single firefighters are assigned to some users in finance so that in case of vacation they can execute a single function. Some of the finance staff have more than one firefighter assigned and they have to choose which function they want to execute (more than one shows up in the log-in screen).

In another case we have firefighters for a wide range of activities, for example for key users or SAP CC employees. There, several functions are collected and can be executed.

In both cases we are using the approval workflow for firefighter log review, which is automatically sent to a controller. Basically the FF log is not fully accurate, meaning not all changes get logged, or sometimes you do not see in detail what has been executed.

All in all, I would recommend having firefighters for a single task, as they can be better monitored.

Hope this helps.

Regards

Alessandro
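As an added illustration of the monitoring point above (this is not code from the thread or from SAP GRC): a small Python check that compares the transactions a firefighter actually executed against the scope its FF ID was meant to cover. The log layout, FF IDs, user names and scopes are constructed assumptions; a single-task firefighter lists its expected TCodes, while a "full module" firefighter is modelled as `*`.

```python
from collections import defaultdict

# Constructed sample FF session log in a simplified "timestamp|ff_id|user|tcode"
# layout (hypothetical, not the GRC log format). Two FF IDs are used: a
# payment-run-only firefighter and a full-MM firefighter.
SAMPLE_LOG = """\
2013-05-02 08:10|FF_FI_PAYMENT|jsmith|F110
2013-05-02 08:25|FF_FI_PAYMENT|jsmith|FBL1N
2013-05-02 08:40|FF_FI_PAYMENT|jsmith|SE16
2013-05-02 09:05|FF_MM_FULL|akumar|ME21N
2013-05-02 09:30|FF_MM_FULL|akumar|SE16
"""

# Scope each FF ID is intended to cover (assumed values).
FF_SCOPE = {
    "FF_FI_PAYMENT": {"F110", "FBL1N", "FBZP"},  # payment run only
    "FF_MM_FULL": {"*"},                         # everything in MM
}

def parse_log(text):
    """Turn the pipe-separated log text into a list of dict rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ff_id, user, tcode = line.split("|")
        rows.append({"ts": ts, "ff_id": ff_id, "user": user, "tcode": tcode})
    return rows

def executed_per_ff(rows):
    """What the controller sees per FF ID: the ordered list of TCodes run."""
    seen = defaultdict(list)
    for r in rows:
        seen[r["ff_id"]].append(r["tcode"])
    return dict(seen)

def out_of_scope(rows, scope):
    """Return (ff_id, user, tcode) for executions outside the FF ID's scope.
    A '*' scope never produces a finding: with a full-module firefighter the
    same SE16 call blends in, which is why single-task FF IDs review better."""
    findings = []
    for r in rows:
        allowed = scope.get(r["ff_id"], set())
        if "*" in allowed:
            continue
        if r["tcode"] not in allowed:
            findings.append((r["ff_id"], r["user"], r["tcode"]))
    return findings

def review(text, scope=FF_SCOPE):
    return out_of_scope(parse_log(text), scope)

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print("controller review item:", f)
```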


Thanks Alessandro,

Very useful information there. Further questions:

1. Would it be an audit issue if, say, you had a firefighter role which had full privileges for a given module? So let's say a FF Role for MM had all the privileges for MM, and one single FF Role for SD had all the required SD roles? ...

...this way you would minimize the required FF Roles.

2. If you have a single FF role for a given highly sensitive TCode for a domain (e.g. CRM), then you would end up with many FF Roles? However, having one composite role with all access would also allow full monitoring via consolidated reports and other granular reports.

Any thoughts anyone else?

Regards

Paul


Dear Paul,

1. As I am not an auditor I cannot really answer this question. Even though we also have "full privileged" roles for FF and we never got a claim from audit, I would say it might be okay. But better to check with your auditor directly.

2. Actually, we do not have separate roles for firefighters. We have assigned already existing roles (the same ones the business uses) to a firefighter user. So in that case the number of roles hasn't increased.

Regards

Alessandro


Hi Paul,

To answer your query pertaining to FF, consider the points below.

1. It's strongly recommended not to give full access to FF IDs. Always involve Business Process owners and understand from them which activities are mainly used during an emergency, for example Month End closing. By using this data you can create specific FF Roles. Then, based on which FF ID should have which FF role, you can easily monitor.

2. Auditors normally bypass this even if you give full access, like for MM (Full MM) etc., since they already know that these FF IDs are being monitored and we can easily get the detailed report. So from the Auditor's perspective it's fine. But as a GRC consultant you should not provide the full access.

Hope it answers your questions.

Regards

Pradeep