Managing Emergency Access

Use Access Risk Management's Emergency Access Management (EAM) feature to grant temporary elevated access to users who need it, without exposing the company to unnecessary risks. Automate and track the process at each step -- from requesting, approving, and granting, to the revoking of access when the request period has elapsed. Access Risk Management provides the most pertinent utilization details to streamline and improve the reliability of reviews. This also better prepares your organization for audits.

To get started, you'll need to create one or more emergency access profiles for users to request.

Creating Emergency Access Profiles

  1. Select the menu icon in the top right and select EAM PROFILES. Select + New and enter a profile name and description.

  2. Select the rulebook(s) that are associated with this emergency access. You may want to create more granular, profile-specific rulebooks to help reviewers determine which transactions should be considered sensitive.

  3. Set the default duration for an EAM request. The reviewer can request a shorter or longer duration up to the maximum allowed.

  4. Set the maximum duration. This is the longest period for which an EAM requester can request emergency access. Fourteen days is the default duration; knowing this helps you understand what you may be overriding when you set a maximum duration for a request.

  5. Select + Add Roles to specify which roles will be assigned to a requester within SAP. Roles assigned in the EAM profile are assigned to that user within the SAP system.

The next section is where you'll select the users who will be part of the EAM workflow.

Adding Emergency Access Workflow Participants

Each emergency access profile includes the users who will serve as owners, requesters, approvers, and reviewers for the elevated access request associated with the profile.

  1. Add users who will function as profile owners, primarily by maintaining and updating the profile and participants.

    Note

    The owner can submit requests on behalf of a requester; however, they cannot make a request for their own user ID.

  2. Select the users who can request elevated access within the application.

    Important

    • A requester's Access Risk Management ERP User ID must match their SAP User ID so the system knows which user should get the access. See Adding Users.

    • If a user is added as a requester, they cannot be added to another role within the same profile. This prevents users from bypassing the process to obtain elevated access.

  3. Select the Pre-Approved checkbox to skip the approval stage for giving access to those requesters. The review step will still be required to ensure those privileges are not abused.

  4. Select the users who can approve requests for this access profile, whether by email or using the EAM dashboard.

    Important

    If multiple approvers are assigned, all approvers receive emails, but the decision is based on the first approver to respond.

  5. Select the users who can review the temporary elevated access to ensure it was used appropriately. When access is removed from a user and utilization is pulled from the system, the reviewer will receive an email so they can review the report and sign off.

    Important

    If multiple reviewers are assigned, all reviewers receive emails, but the decision is determined by the first reviewer to perform the review.

  6. When you've finished choosing appropriate users for each category of participant in the access profile, select Save to add it to the system.

    Note

    To edit an existing emergency access profile, select the edit icon next to it in the list.

    To download a .zip of a profile, select the download icon.

    To delete a profile, select the delete icon.

Configuring Emergency Access Admin Notifications

You can configure Access Risk Management to send emails to the Emergency Access profile owners. This summary email notifies the profile owner of outstanding EAM requests awaiting review so they can follow up with those reviewers.

To enable EAM Admin notifications:

  1. Select the menu icon and choose SYSTEM SETTINGS.

  2. Select the toggle to enable Administrator Summary Emails.

  3. Choose the frequency, date, time, and time zone for when you want the notifications to be delivered.

Requesting Emergency Access

When users need emergency access, they must request that access. After it's been submitted, the request for elevated access will go through the approval, reviewing, and accepting/contesting process.

  1. Select EMERGENCY ACCESS in the left menu to see the Emergency Access Dashboard.

  2. Select the + to create a new emergency access request.

  3. Select the name of the access profile you're requesting. Only profiles that you've been designated as a requester for are displayed.

  4. If you are submitting the request for yourself, your name will be autopopulated in the requester field. If you are the EAM profile owner and are requesting access on behalf of another user, select that user's name from the Requester dropdown menu.

  5. Select the start date and time. This defaults to the current time but can be changed to submit a request for a future date or time.

    Tip

    This is particularly helpful if elevated access is needed during non-business hours. The request can be submitted when the approver is more likely to be available.

  6. Select the time zone in which the access will be used. The start date and time are interpreted in this time zone.

  7. The duration shows the default duration for the access specified in the access profile. When requesting access, you can change the duration up to the maximum specified in the profile. If a maximum duration is not set for the profile, the default maximum duration is 14 days.

  8. Enter the reason for the request. This is used to help the approver understand the purpose of the request and for auditing purposes. Some organizations use this field to add a ticket number from their enterprise ticketing system for reference.

  9. Use the Transaction Requested field to specify the transactions that you expect to use during the period of elevated access. This information helps the approver understand what access is needed and helps the reviewer compare the requested transactions to what was used during the period of elevated access.

    Note

    Even though specific transaction codes can be specified, the requester will still be assigned the entire SAP role that is associated with the EAM profile being approved.

  10. Optionally add any additional information that can help approvers and reviewers in the Comments field.

  11. Select Submit Request to start the emergency access workflow and send an email to approvers.

Approving Emergency Access Requests

If you're a designated approver for an access profile, you can approve an emergency access request through email or using the Emergency Access Dashboard.

Approving Requests Through Email

Approvers have three options:

  • View Request -- Selecting this option opens the Emergency Access Dashboard where you can make your decision.

  • Approve Request -- Selecting this option opens a tab in your default web browser showing your approval.

  • Reject Request -- Selecting this option also opens a web browser so you can enter your reason for rejecting the request.

Approving Requests from the Dashboard

To approve the request using the Dashboard, log in to Access Risk Management and select EMERGENCY ACCESS.

The approval options are:

  • Select the accept button to verify that the requester used the access as intended.

  • Select the contest button if the requester used the access in unintended ways and you want to mark it appropriately for audit purposes.

  • Select the history button to see a log of the stages the request has gone through.

    This log is available throughout the process and shows when the request was submitted, approved, reviewed, and the users who performed those approvals.

After a request is approved, the system will provision the additional role(s) to the SAP user based on their associated SAP User ID. That user will receive an email to let them know that access has been granted and for how long. When the approved time period expires, the system will remove the additional role(s) automatically.

Note

There is a delay for collecting the utilization data, generally 24 hours depending on agent settings. During this period, Access Risk Management can collect the SM20, CDHDR, CDPOS, and STAD utilization data from SAP. After that data is collected, the request will move to the review stage.

Reviewing Emergency Access Requests

After all utilization data has been collected, an email will be sent to reviewers so they can log in and perform their review activities.

Reviewers can access the review screen by selecting View Request in the email or by selecting Emergency Access in Access Risk Management.

From the EAM dashboard, reviewers will see the pending review and can download the utilization report using the download button. After completing their review, they can:

  • Select the accept button to verify that the requester used the access as intended.

  • Select the contest button if the requester used the access in unintended ways and they want to mark it appropriately for audit purposes.

  • Select the history button to see a log of the stages the request has gone through. This log is available throughout the process and shows when the request was submitted, approved, reviewed, and the users who performed those approvals.
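The comparison a reviewer makes between the Transaction Requested field and the utilization report can be scripted before choosing accept or contest. The following is an added example, not part of Access Risk Management or its documentation; the record layout, field names, sample rows, and the sensitive-transaction set are constructed assumptions, since the report format is not described here.

```python
from datetime import datetime, timedelta

# Constructed sample request. Field names are assumptions for illustration.
REQUEST = {
    "sap_user": "JDOE",
    "start": datetime(2024, 3, 1, 22, 0),
    "duration": timedelta(hours=4),
    "transactions_requested": {"FB01", "FB02"},
}

# Constructed utilization rows: (timestamp, SAP user ID, transaction code).
UTILIZATION = [
    (datetime(2024, 3, 1, 22, 15), "JDOE", "FB01"),
    (datetime(2024, 3, 1, 23, 5), "JDOE", "SU01"),
    (datetime(2024, 3, 2, 2, 30), "JDOE", "FB02"),
    (datetime(2024, 3, 1, 22, 40), "ASMITH", "FB01"),
]


def review_findings(request, utilization, sensitive=frozenset()):
    """Return (kind, tcode, timestamp) tuples a reviewer should examine.

    kind is one of:
      unrequested            - executed but not listed in the request
      unrequested-sensitive  - as above, and in the caller's sensitive set
                               (for example, taken from a profile rulebook)
      outside-window         - executed before the start or after the
                               approved period elapsed
    """
    end = request["start"] + request["duration"]
    findings = []
    for ts, user, tcode in utilization:
        if user != request["sap_user"]:
            continue  # activity by other users is not part of this request
        if tcode not in request["transactions_requested"]:
            kind = "unrequested-sensitive" if tcode in sensitive else "unrequested"
            findings.append((kind, tcode, ts))
        if not (request["start"] <= ts <= end):
            findings.append(("outside-window", tcode, ts))
    return findings


if __name__ == "__main__":
    for kind, tcode, ts in review_findings(REQUEST, UTILIZATION, {"SU01"}):
        print(f"{ts:%Y-%m-%d %H:%M}  {tcode:<6} {kind}")
```

An empty result supports accepting the request; any finding is a prompt to read the corresponding rows in the utilization report before deciding.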

Viewing Emergency Access Requests and Utilization

You can see multiple Excel reports detailing how emergency access was used: