Firefighter user help to solve problems quickly and are used for infrequent or irregular activities. With firefighters, you can keep user authorizations lean because they can fall back on these emergency users in case of doubt. However, the use of firefighters in SAP systems is a critical issue for system security and compliance. That is why we are now taking a closer look at how you can secure the use of firefighters.
You probably know the situation: every few months, a user requests a highly critical authorization. When you ask what it is needed for, it turns out that it is for one-off activities. Extending authorization roles that would also grant these rights to other users is not a solution. The security risk would be disproportionate to the benefit. If your company now has a firefighter concept, you can refer the user to it and ask them to use one of these emergency users.
Firefighter application scenarios
Firefighters are deployed in various situations, e.g:
Activities that do not take place regularly: Tasks that are infrequent and unpredictable often require special authorizations (Ex: year-end activities or activities after system setup).
Substitution in case of illness or absence of employees: If an employee is absent at short notice, a substitute must be given quick access to necessary functions. However, as authorizations are assigned as sparingly as possible, the employee is not simply given the same rights from the outset, but can use a firefighter if necessary.
System failures and critical emergencies: In the event of technical problems or security incidents, administrators must be able to act quickly – even if their own users do not have the necessary authorizations.
Translated with www.DeepL.com/Translator (free version)
Mitigationsmöglichkeiten
Firefighters are deployed in various situations, e.g:
- Activities that do not take place regularly: Tasks that are infrequent and unpredictable often require special authorizations (Ex: year-end activities or activities after system setup).
- Substitution in case of illness or absence of employees: If an employee is absent at short notice, a substitute must be given quick access to necessary functions. However, as authorizations are assigned as sparingly as possible, the employee is not simply given the same rights from the outset, but can use a firefighter if necessary.
- System failures and critical emergencies: In the event of technical problems or security incidents, administrators must be able to act quickly – even if their own users do not have the necessary authorizations.
Emergency user concept
The basis for the safe deployment of firefighters in the company is a good emergency user concept, which should cover the following key points:
Authorized requesters and purposes
The authorization to request a firefighter should be limited to a defined group of people, such as department heads or IT managers. Firefighters may only be used for legitimate emergencies and time-critical tasks that cannot be carried out with regular authorizations.
Scope of authorization
Each firefighter type should have a clearly defined scope of authorization that is tailored to the respective emergency scenarios. It is advisable to define different firefighter roles for different areas of responsibility.
Process flow
It must be clearly regulated how the use of a Firefighter is requested and approved. For example, can any user submit a request or does this have to go through the line manager? Who can approve the use and under what conditions is an application approved? How does the user receive the access data with which they can use the Firefighter? Is there an automatic process via an IDM tool or SAP GRC or is it managed manually? Questions like these need to be answered in the concept.
Life cycle
The period of use of a firefighter should be limited to the necessary minimum, typically a few hours to a maximum of one working day. This section also describes how this time restriction is implemented. Is the Firefighter automatically locked after the time limit has expired or, for example, is the user’s password changed centrally when the authorized period has expired?
Approval and review Firefighter
Firefighter users are ideally approved by an IT security officer or an equivalent role. Just as important as the careful examination of the applications is the review of the usage logs. In terms of independent control, the approver and reviewer are two different people.
Logging and storage
All activities during a firefighter deployment must be logged in full. This is important because the extensive authorizations of an emergency user also facilitate misuse. The logs should include the following data:
- Timestamp
- transactions carried out
- changed data
In Germany, by the way, the logs must be stored in an audit-proof manner for at least 10 years.
Authorize Firefighter
Firefighters are dialog users. As already mentioned, the safest option is to provide different emergency users for different use cases or, for example, for different departments in the company. For example, you could provide HR firefighters with extensive HR authorizations, but only assign the most necessary FI authorizations and vice versa.
Firefighters are not to be authorized with profiles SAP_ALL and SAP_NEW. Instead, create tailor-made roles that only contain the authorizations that are actually required. This minimizes the risk of misuse and makes monitoring easier. In addition, SAP_ALL is monitored in every audit – even in the case of firefighters.
As with any other role, you have two options when setting up firefighter roles: You can copy SAP standard roles into the customer’s own namespace and work with them, or you can build your own Firefighter roles from scratch.
Conclusion Firefighter deployment
A well thought-out firefighter concept is essential for the security and compliance of SAP systems. By combining clear processes, granular authorizations and seamless logging, companies can master the balancing act between the ability to act in emergencies and security. However, for an automatic emergency user process that covers all requirements, you currently still need external tools such as IDM solutions or SAP GRC.