Medium Sized Companys: Super User Management in SAP

The compliant use of super users in SAP is an ongoing issue in the annual audit. This article discusses the design of an emergency user concept.

The creation of a emergency user concept for SAP should start with the definition the “emergency” itself. For us, an emergency event is essentially characterized by two criteria: First, time-critical business processes can not be carried out, where the emphasis is laid on “time critical”. Other measures or justifications should, in our opinion, not be carried out via super users, but via the standard process. And secondly, SAP administrators or developers have direct access to the tables of the production system, bypassing the transport system.

Having defined the “emergency” (and documenting it), the question then arises about the right approval process for the emergency user incidents. There are two different views: In the first approach, each emergency user assignment must be approved in advance, subject to a separation of duty. This approach is often combined with a differentiation of super user privileges, for which there are good reasons. For example, an emergency user role can be assigned for the first deployment, in which the authorization object “S_DEVELOP” has display rights only in order to delimit the error and, if possible, to already fix it. The argument here is, that otherwise a developer could bypass all control mechanisms in the system by means of “debugging and replace” rights. Here, the logging has no real use because the damage has already taken effect until the review takes place.

We, on the contrary, have a different approach, which we have implemented in our emergency user suite ISPICIO_E. As already mentioned, we advocate a very restrictive handling of super user usages. And in a real emergency, where time-critical business processes jeopardize corporate goals, we think that no time should be lost. For this reason, in our solution an authorized person immediately receives comprehensive access to the production system (SAP_ALL). To accomplish this, our suite creates a unique user ID in the SAP for each emergency user application and links it with the Security Audit Log (SAL). After completion of this emergency user usage, the user ID is deleted again and the corresponding SAL entries are downloaded from SAP to our software database.

To ensure the integrity of the system and the external financial reporting, we have implemented several security features. First, in normal operation, there exists no emergency user in the production system. So there is no way that this user will be used unnoticed. In addition, we have implemented a mandatory, 100-%-review of super user usages in our software. After each use, the corresponding entries in the Security Audit Log is automatically submitted to a reviewer for approval and therefore subject a segregation of duty (via e-mail notification). The reviewer then has to check the corresponding SAL-entries and close the ticket (Approve / Reject). The entire track record of an emergency user usage is thus stored in a searchable database and can be displayed on a dashboard (Who has used the emergency user? What was the reason? What was done? Who conducted the review and what was the result?).

This setup particularly pleases the audit (internal / external). Because they can take samples and query, for example, from the rejected super user usages the remediation measures.