I’ve been watching television specials and reading some articles this week about Joe Frazier, a former heavyweight champion who died this week. Of course, “Smokin’” Joe Frazier’s name is linked with that of another former heavyweight pugilist, Muhammad Ali. In three fights, the two fighters brought out the best in each other — at least in the ring. Each fighter tried to get a chance to exploit the other’s vulnerabilities. For example, Frazier was often not at his best in early rounds of a fight, so Ali would try to exploit that weakness. In contrast, Frazier would bob and weave while looking for an opening to deck Ali with a left hook (he succeeded in the last round of the first fight, but could not do it to Ali again in either of the other two bouts).
In the access management arena, security administrators face the challenge of granting users exception-based access without leaving processes vulnerable to an audit violation or creating segregation of duties (SoD) issues. The administrator’s access privilege jab could be countered by an auditor’s hook. In the following excerpt from his article for GRC Expert titled “Turn Emergency Access Management into an Auditable, Centralized Process for Your SAP Landscape,” Frank Rambo addresses this issue:
“Emergency access management is the process to grant temporary critical access privileges in IT systems required to execute an exceptional task and review the system activities performed by the privileged users during that time. This process is a frequent target during system audits as it typically reveals vulnerabilities in the following areas:
• An all-or-nothing approach in the design of emergency access privileges exceeding required privileges to tackle a given exceptional situation by far.
• Business owners hardly involved in the approval and review of emergency access.
• A review of system activities executed with emergency access privileges often is not an auditable process.
Additionally, a tendency to grant business users excessive access privileges to tackle all kinds of rather exceptional situations, such as period-end closing activities or master data maintenance, often leads to segregation of duties (SoD) issues throughout their access privileges.”
How does SAP BusinessObjects Access Control 10.0 solve this problem? According to Frank’s article, the “centralized emergency access management capability of SAP BusinessObjects Access Control 10.0 addresses these vulnerabilities and has been significantly improved in the current release. Critical access privileges for different purposes are assigned locally in your SAP systems to a set of firefighter IDs, each one owned and supervised by individual owners and controllers in the responsible business departments. Business users can submit access requests per workflow to obtain access to these fire
fighter IDs. The responsible owners approve the requests triggering automated provisioning. All maintenance of the assignments between firefighter IDs, owners, controllers, and firefighters — that is, business users with access to firefighter IDs — is done centrally in SAP BusinessObjects Access Control.”
Of course, these are just a few points that Frank makes in his article. The key point is that SAP BusinessObjects Access Control 10.0 enables security administrators to initialize and maintain firefighter sessions from the SAP BusinessObjects GRC platform.
To read more about centralized emergency access management with SAP BusinessObjects Access Control 10.0, GRC Expert subscribers can go here. Have you started using SAP BusinessObjects Access Control 10.0 for emergency access management? If you have, post any questions or comments you have related to this solution here.