Our SAP system administrators have more or less very comprehensive authorizations.
For emergency cases we are looking for a "near-by-SAP_ALL" role which the administrators are able to assign themselves.
Does anyone have experience with which considerations must be taken into account?
There is a list of possible transaction codes for administrators like this one:
But this list is not complete, the guys sometimes need more...
Careful. Permitting admins to assign such a role to themselves may be a clear SoD violation, not to mention an uncontrolled practice. Emergency access is exactly what GRC Firefighter is used for.
If you don't have it, then create a manual process that involves logging of all activities performed while the role was assigned, temporary assignment only, reviews and approval of logged activities. One way is to create a generic account that is always locked and is assigned to a user group that only certain people are allowed to maintain. Whenever the account is needed, it is "checked out" as if it were a firefighter. SM19 would be permanently set to log all activities for this account. To do this, you would have to close all loopholes in the process, such as tightly controlling who can change SM19 settings and who can unlock the account, who knows its password, and you would need periodic reviews of the account, showing the last time it was locked and the password changed, the last time SM19 settings were changed, and timely reviews of SM20 logs for the account.
Your auditors probably have suggestions for your emergency access procedure too.
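The checkout-and-review control described in the reply above can be backed by a simple review script. The following is an added example, not code from the thread or from SAP: it assumes a hypothetical checkout ledger (account, requester, approver, ticket, window) and a constructed, simplified activity-log layout rather than the real SM20 export format. It flags activity by the emergency account outside any approved checkout window, flags sensitive transactions (including SM19, since the account changing its own audit settings is a loophole the reply warns about) for the reviewer, and reports checkouts that produced no activity at all.

```python
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass
class Checkout:
    """One approved 'check out' of the generic emergency account (hypothetical ledger)."""
    account: str
    requester: str
    approver: str
    ticket: str
    start: datetime
    end: datetime


# Constructed checkout ledger (names and tickets are made up).
SAMPLE_CHECKOUTS = [
    Checkout("FF_BASIS", "jdoe", "mmgr", "INC-1001",
             datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 12, 0)),
    Checkout("FF_BASIS", "asmith", "mmgr", "INC-1002",
             datetime(2024, 3, 6, 9, 0), datetime(2024, 3, 6, 12, 0)),
]

# Constructed log lines in a simplified "date time user terminal tcode" layout
# (not the real SM20 format; adapt the regex to your export).
SAMPLE_LOG = """\
2024-03-04 09:12:31 FF_BASIS WS042 SU01
2024-03-04 09:40:02 FF_BASIS WS042 SM19
2024-03-04 22:15:45 FF_BASIS WS099 PFCG
2024-03-05 08:05:10 ADMIN01 WS010 SM21
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

# Constructed watch-list: transactions a reviewer should always look at.
SENSITIVE_TCODES = {"SM19", "SU01", "PFCG", "SE16"}


def parse_log(text):
    """Turn log lines into (timestamp, user, terminal, tcode) tuples; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def review(checkouts, events, account):
    """Return (findings, activity per ticket) for one emergency account."""
    findings = []
    per_checkout = {c.ticket: [] for c in checkouts}
    for ts, user, term, tcode in events:
        if user != account:
            continue
        window = next((c for c in checkouts
                       if c.account == account and c.start <= ts <= c.end), None)
        if window is None:
            # Account was used without an approved checkout: the key control failure.
            findings.append(f"OUT_OF_WINDOW {ts} {tcode} from {term}")
            continue
        per_checkout[window.ticket].append((ts, tcode))
        if tcode in SENSITIVE_TCODES:
            findings.append(f"SENSITIVE {window.ticket} {ts} {tcode}")
    for c in checkouts:
        if not per_checkout[c.ticket]:
            # Approved but unused: worth confirming the account was re-locked.
            findings.append(f"UNUSED_CHECKOUT {c.ticket}")
    return findings, per_checkout


def run_review():
    """Run the review over the constructed sample data."""
    return review(SAMPLE_CHECKOUTS, parse_log(SAMPLE_LOG), "FF_BASIS")


if __name__ == "__main__":
    findings, activity = run_review()
    for f in findings:
        print(f)
    for ticket, acts in activity.items():
        print(ticket, len(acts), "logged transactions")
```

On the sample data the script reports two sensitive transactions under INC-1001, one PFCG call at 22:15 outside any window, and INC-1002 as an unused checkout; the reviewer then approves or escalates each finding against the ticket.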
I don't think there is a solution like "role I can assign to myself". Totally NOT under control.
There are emergency solutions that would solve your problem. Not just GRC. And these emergency procedure solutions often have very good security logging/reporting on what happened during the emergency access. And there is a LOT you must check after granting the powerful emergency access....
Why do you give system admins very low authorizations?
By role they should have access to "basically" everything but the application itself. How on earth should they otherwise be able to administer the system?
The smartest way is to use client 000 for basis activities. This way the auditors will not complain if basis staff have high authorizations. You can almost assign SAP_ALL and still have happy auditors.
But the smartest authorization profile to use is S_A.SYSTEM.