Are there guidelines or best practices to develop and maintain an efficient and effective internal control structure for Elevated/Emergency Access IDs that are not FF IDs (i.e. DDIC, OSS_ID, SAP*, etc.)? If I understand correctly, an FF ID has internal controls built in via communication, approval and review hierarchies and the related business process and owner(s). Is there a way besides (separate, disconnected) review of transaction, system and security logs, which seems to require a lot of 'manual communication' across functions and can challenge efficiency and effectiveness? Sorry for the verbose presentation... :)
Welcome to the SAP Community! We're glad you've come here to get answers to your questions. If you're also interested in connecting with community members, please pay a visit to our Welcome Corner. You'll need to sign up, but it's a great way to interact with peers and connect with other experts!
Since you're asking a question here for the first time, I'd like to offer some friendly advice on how to get the most out of your community membership and experience.
First, please see https://community.sap.com/resources/questions-and-answers, as this resource page provides tips for preparing questions that draw responses from our members. Second, feel free to take our Q&A tutorial at https://developers.sap.com/tutorials/community-qa.html, as that will help you when submitting questions to the community.
You should also make sure your e-mail notifications are turned on for "Comments and answers to my questions and questions I follow" at #communications -- so you won't miss any replies to your question.
In addition, I recommend that you include a profile picture. By personalizing your profile, you encourage readers to respond: https://developers.sap.com/tutorials/community-profile.html.
I hope you find this advice useful, and please let me know if you require any additional guidance!
All the best,
SAP Note 2253549 - The SAP Security Baseline Template provides baseline configuration recommendations for security settings including management of privileged/sensitive/powerful/super user accounts.
From a monitoring point of view (i.e. to validate the implementation and effectiveness of the control) you can look into:
1. SAP Solution Manager - review alert monitoring, security optimisation, etc. services to identify misconfigurations
2. SAP Process Control, SAP Business Integrity Screening or SAP Enterprise Threat Detection (ETD) - monitor and alert for security events or process control issues that may be an indicator of compromise or identify misconfigured settings that weaken the control
These options provide a mix of preventative and detective controls for management of privileged access outside of a Firefighter user management process.
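As an added illustration of the detective half of such a control (not code from the answer above or from any SAP product), the following script correlates logons by the standard IDs named in the question against an approval register and flags the ones no approved window covers. The pipe-separated log lines, the approval entries and the field layout are all constructed for the example and are not the real SAP Security Audit Log format.

```python
from dataclasses import dataclass
from datetime import datetime

# Standard/emergency IDs from the question; every logon by them is privileged.
PRIVILEGED_IDS = {"SAP*", "DDIC", "OSS_ID"}

@dataclass(frozen=True)
class Logon:
    when: datetime
    client: str
    user: str
    terminal: str

@dataclass(frozen=True)
class Approval:
    user: str
    client: str
    start: datetime
    end: datetime
    ticket: str  # change/incident reference recorded by the approver

def parse_logon(line: str) -> Logon:
    """Parse one constructed record 'timestamp|client|user|terminal'.
    Simplified stand-in for an audit-log export, not SAP's real layout."""
    ts, client, user, terminal = (f.strip() for f in line.split("|"))
    return Logon(datetime.fromisoformat(ts), client, user, terminal)

def find_unapproved(logons, approvals):
    """Privileged logons that no approval window (same user and client) covers.
    The register is the preventive half; this check is the detective half."""
    findings = []
    for lg in logons:
        if lg.user not in PRIVILEGED_IDS:
            continue
        covered = any(a.user == lg.user and a.client == lg.client
                      and a.start <= lg.when <= a.end for a in approvals)
        if not covered:
            findings.append((lg, f"{lg.user} logon in client {lg.client} "
                                 f"at {lg.when.isoformat()} has no approval"))
    return findings

# Constructed sample data: one approved DDIC session, one SAP* logon with none.
SAMPLE_LOG = """2024-03-04T09:15:00|100|DDIC|BASIS-WS01
2024-03-04T11:42:00|100|JSMITH|FIN-WS07
2024-03-04T23:05:00|000|SAP*|UNKNOWN""".splitlines()
SAMPLE_APPROVALS = [Approval("DDIC", "100", datetime(2024, 3, 4, 9, 0),
                             datetime(2024, 3, 4, 10, 0), "CHG-0001")]

if __name__ == "__main__":
    for lg, reason in find_unapproved([parse_logon(l) for l in SAMPLE_LOG],
                                      SAMPLE_APPROVALS):
        print(reason)
```

In practice the approval register would be fed by the same ticketing or approval workflow that governs FF IDs, so the standard IDs inherit the same ownership and review trail.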