Control

Emergency Access Management

Privileged Access Management Risks


SafePaaS FireFighter ID is part of the AccessPaaS™ suite that includes Policy Management for Segregation of Duties and Privileged Access Policies, Policy-based Access Lifecycle Management, User Request Management, Access Certification, Roles Management, Integrated Fulfilment and Orchestration.

Privileged user access is a necessity for managing almost any IT application. An individual or a group must be able to maintain the application as needed to support the organization’s business processes when issues arise. Numerous situations occur where an organization needs to grant “superuser” access to employees under unusual circumstances. These are instances of “exceptional access” that fall outside the user’s typical job role or responsibilities and will typically create access policy violations that need to be highly supervised. Despite the need, access privileges that create risks, such as segregation of duties conflicts, must be mitigated, and an audit log of all superuser access activities must be maintained in order to satisfy regulatory compliance requirements.

SafePaaS FireFighter is a secure process for controlling super-user access across multiple systems, with an independent system of record that provides an audit trail for privileged or super-user access. SafePaaS enables pre-authorized users to request temporary access to elevated privileges in an organization’s business applications. The enhanced Firefighter request processing enables System Administrators or managers to grant pre-approved users with assigned Firefighter access immediate access without any bottlenecks. The elevated access is logged and reported for management review.



How it works:


FireFighter ID can be enabled through iAccess™. Only certain users can execute this capability. Unless the user is assigned this permission, the requester won’t even see this option in SafePaaS.

By enabling Firefighter, the list of responsibilities is reduced to only those that will be subject to transaction monitoring. In addition, upon selection, certain tasks are initiated as part of the process to monitor the assigned privileged access user's activities in the ERP, capturing what forms were visited and what transactions were processed.

Automatically, upon providing Firefighter emergency access, the end date is set to one day (can be configured differently) from the start date, limiting the user’s access to these capabilities to a limited time, thus reducing and controlling access risk.

The next step is to submit this request for review and approval. The workflow routes the approval to the appropriate individuals, requiring them to accept or reject the request. The iAccess™ workflow communicates with the designated approvers via email and a SafePaaS user’s inbox, while informing the privileged access user of the status. Details of the request, and any policy violations generated based on the requested responsibility and others that may be assigned to the user, are shown in the email received by the approvers.

Upon final approval, the user information is automatically updated in the ERP and an email notification is sent to the privileged access user informing them of their new access. If they are a new ERP user, the notification will include a username and a temporary password.

The last step of a Firefighter Access request is the tracking and certification of the activities of the privileged access user. Since this is a privileged access user request, a SafePaaS MonitorPaaS™ control is initiated automatically to track and report the user’s activities in the ERP using the designated responsibility. This control is to certify that the user’s activities have not processed transactions that would be considered fraud or a risk to the organization.