Emergency Access Management - Control Superuser Access - SafePaaS

Emergency Access Management
Control Superuser Access

SafePaaS FireFighter ID Capability (Privileged Access Management)

SafePaaS FireFighter ID is part of the AccessPaaS™ suite, which includes Policy Manager for Segregation of Duties, Access Monitor for Access Certification, Roles Manager, and iAccess™ for fine-grained Identity Governance and Administration. FireFighter ID is a secure process for controlling super-user access across multiple systems, with an independent system of record that provides an audit trail for privileged or super-user access. SafePaaS enables pre-authorized users to request temporary access to elevated privileges in an organization’s business applications. The enhanced Firefighter request processing enables System Administrators or managers to grant immediate access to pre-approved users who have been assigned Firefighter access, without any bottlenecks. The elevated access is logged and reported for management review.

How it works:

FireFighter ID can be enabled through iAccess™. Only certain users can execute this capability: unless the user is assigned this permission, the requester won’t even see this option in SafePaaS. When Firefighter is enabled, the list of responsibilities is reduced to only those that will be subject to transaction monitoring. In addition, selecting it initiates tasks that monitor the privileged access user’s activities in the ERP, capturing which forms were visited and which transactions were processed. When Firefighter emergency access is provided, the end date is automatically set to one day from the start date (this can be configured differently), limiting the user’s access to these capabilities to a limited time and thus reducing and controlling access risk.

The next step is to submit this request for review and approval. The workflow routes the approval to the appropriate individuals, requiring them to accept or reject the request. iAccess™ workflow communicates with the designated users for approvals via email and a SafePaaS user’s inbox, while informing the privileged access user of the status. The email received by the approvers shows the details of the request and any policy violations generated based on the requested responsibility and others that may be assigned to the user. Upon final approval, the user information is automatically updated in the ERP and an email is sent to the privileged access user notifying them of their new access. If they are a new ERP user, the notification will include a username and a temporary password.

The last step of a Firefighter Access request is the tracking and certification of the activities of the privileged access user. Since this is a privileged access user request, a SafePaaS MonitorPaaS™ control is initiated automatically to track and report the user’s activities in the ERP using the designated responsibility. This control is to certify that the user’s activities have not processed transactions that would be considered fraud or a risk to the organization.