SAST Super User Management


SAST's Super User Management module offers a feature that allows users to work without SAP_ALL or other critical authorizations in the production system.

A FireFighter user is a temporary user that provides extended privileges while remaining controllable in the system.

Additional accounts are created by the SAP authorization administrator, who also assigns the users allowed to use these special privileges.

If emergency or extraordinary support is required and additional authorizations are needed, the assigned support users have FireFighter (FF) accounts available to them.

Privilege administrators can create new FF accounts for the activities of various business units in SAP. However, such accounts cannot be used for daily work in the system.

In the SAST tool, we can define appropriate accounts for FireFighter users and assign people to them who are responsible for controlling the use of the designated FF users. In our case, they are called auditors. These people receive e-mail notifications both when a FireFighter user starts work and when that work is completed.

After selecting the FF user from the list of available accounts and describing the planned activities in a new window, you can proceed to work as the FireFighter user.

Once the support work is completed, SAST records all activities performed by the FireFighter user and provides the responsible person (auditor) with the appropriate report.

Each report should be regularly reviewed and approved by the auditor.
If any recorded operation deviates from the planned activities, the auditor should obtain the necessary clarification from the person who used the FireFighter user.

SAST User Access Management has two session activation options for the FireFighter user:
  1. Automatic session activation for FireFighter, which starts as soon as the window
     with the planned activities has been filled in.
  2. Session activation for FireFighter using a token.

The token procedure additionally protects against the use of critical FireFighter users without prior auditor approval: a specially generated key is required to log in.
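The FireFighter session lifecycle described above (planned activities, the two activation modes, auditor notifications at start and end, and the activity report), modelled as an added Python example. This is not SAST code; the FF account name, the HMAC-based token and the report layout are assumptions made for illustration.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


@dataclass
class FFSession:
    ff_user: str        # FireFighter account, e.g. "FF_BASIS_01" (constructed name)
    requester: str      # support user assigned to that FF account
    auditor: str        # person who receives notifications and reviews the report
    planned: str        # description of planned activities, required before activation
    activities: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    active: bool = False


class FireFighterManager:
    """Hypothetical controller for the two activation modes (auto and token)."""

    def __init__(self, signing_key: bytes):
        self.signing_key = signing_key   # held by the approving auditor side

    def issue_token(self, ff_user: str, requester: str) -> str:
        # Auditor-side: the key a pre-approved requester must present in token mode
        msg = f"{ff_user}:{requester}".encode()
        return hmac.new(self.signing_key, msg, hashlib.sha256).hexdigest()

    def start(self, s: FFSession, mode: str, token: str = "") -> None:
        if not s.planned.strip():
            raise ValueError("planned activities must be described before activation")
        if mode == "token":
            expected = self.issue_token(s.ff_user, s.requester)
            if not token or not hmac.compare_digest(expected, token):
                raise PermissionError("valid auditor-issued token required")
        elif mode != "auto":
            raise ValueError(f"unknown activation mode: {mode}")
        s.active = True
        s.notifications.append(f"{s.auditor}: {s.ff_user} started by {s.requester}")

    def record(self, s: FFSession, action: str) -> None:
        # Every action taken under the FF user is logged; use outside a session is refused
        if not s.active:
            raise PermissionError("FF user used outside an active session")
        s.activities.append(action)

    def end(self, s: FFSession) -> dict:
        s.active = False
        s.notifications.append(f"{s.auditor}: {s.ff_user} finished, report ready")
        return {"ff_user": s.ff_user, "requester": s.requester, "planned": s.planned,
                "activities": list(s.activities), "approved": False}
```

The returned report starts with `approved: False` so that the auditor's review remains a separate, explicit step.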

SAST also has an automatic function (Passive Monitoring) that records the activity of super users in SAP. This group includes "SAP*", "EarlyWatch" and "DDIC".

Tomasz Jurgielewicz

Head of Security Department at Lukardi. For the past 10 years, he has led a team of SAP Security specialists, providing comprehensive services and tools to secure SAP systems and optimize licenses. Experience in the areas of: identification of authorization conflicts and authorization reorganization, identification of SAP vulnerabilities, integration of SIEM solutions with SAP, and optimization of SAP licenses.