Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Showing results for 
Search instead for 
Did you mean: 

Efficient and effective Internal Control Structure for Emergency Access IDs that are not FF IDs

0 Kudos

Are there guidelines or best practices to develop and maintain an efficient and effective internal control structure of Elevated/Emergency Access IDs that are not FF IDs ?(i.e. DDIC, OSS_ID, SAP*, etc.)? If I understand correctly, FF ID has internal controls built in via communication, approval, review hierarchies and related business process and owner(s). Is there a way besides (separate, disconnected) review of transaction, system, security logs which seems to require a lot of 'manual communication' across functions which can challenge efficiency and effectiveness? Sorry for the verbose presentation....:)


Community Manager
Community Manager

Welcome to the SAP Community! We're glad you've come here to get answers to your questions. If you're also interested in connecting with community members, please pay a visit to our Welcome Corner. You'll need to sign up, but it's a great way to interact with peers and connect with other experts!

Since you're asking a question here for the first time, I'd like to offer some friendly advice on how to get the most out of your community membership and experience.

First, please see, as this resource page provides tips for preparing questions that draw responses from our members. Second, feel free to take our Q&A tutorial at, as that will help you when submitting questions to the community.

You should also make sure your e-mail notifications are turned on for "Comments and answers to my questions and questions I follow" at #communications -- so you won't miss any replies to your question.

In addition, I recommend that you include a profile picture. By personalizing your profile, you encourage readers to respond:

I hope you find this advice useful, and please let me know if you require any additional guidance!

All the best,


Make sure to subscribe to What's New!

0 Kudos

Hi David

SAP Note 2253549 - The SAP Security Baseline Template provides baseline configuration recommendations for security settings including management of privileged/sensitive/powerful/super user accounts.

From a monitoring point of view - i.e. validate the implementation and effectiveness of the control you can look into

1. SAP Solution Manager - review alert monitoring, security optimisations, etc services to identify misconfigurations

2. SAP Process Control, SAP Business Integrity Screening or SAP Enterprise Threat Detection (ETD) - monitor and alert for security events or process control issues that may be an indicator of compromise or identify misconfigured settings that weaken the control

These options provide a mix of preventative and detective controls for management of privileged access outside of a Firefighter user management process.