Background
In a cloud environment (Software-as-a-Service), the software is usually maintained not by the customer but by the software/cloud provider.
Control description
Remote access to the SAP S/4HANA Cloud system for e.g. incident management or software maintenance by the SAP vendor is restricted, approved by management, and removed in a timely manner. Access to the SAP Support IDs is appropriately controlled when IDs are not in use.
Population
The application ‘Display Technical Users’ lists all SAP technical users that are available in the customer system together with the related SAP support request logs. Using the Incident ID, it is possible to display more information about when and why SAP support users requested a user for the customer system in the past twelve months.
Note 1: The column “Customer User” shows whether the SAP user used the authorizations of a customer user.
Note 2: Access with the _SAPxxx users is only possible via special URLs that are not reachable outside of SAP; therefore customers cannot use those technical user accounts.
Note 3: Technical users are used on the SAP side only for defined activities. An SAP support user can only request a user if a valid and open customer ticket is in place. It is not possible to bypass this process.
Using the Security Audit Log (SAL), the last logon of each SAP technical user can be monitored. The SAL is activated by default in the SAP S/4HANA Cloud system (for details, please read blog post part 2, “SAP S/4HANA Cloud, public edition – Secure by Default”).
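To make this review step concrete, the following is an added example (not code from this blog post, from SAP or from Deloitte) of the check an auditor or the customer's security team would run over an extract of technical-user logons. The CSV column layout, the sample rows, the ticket register and the 24-hour grace period after ticket closure are all assumptions constructed for the example; a real SAL export and the ‘Display Technical Users’ app will not have exactly these fields. Each logon of an _SAPxxx user must be covered by a customer ticket that was open at that time, and any use of a customer user's authorizations is surfaced for the customer's internal review.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data (not a real SAL export): one row per logon of an
# SAP technical user, as it could be extracted from the Security Audit Log
# and joined with the incident ID shown in 'Display Technical Users'.
# Column names and all values are assumptions made for this example.
LOGONS_CSV = """user,logon_time,incident_id,customer_user
_SAP001,2023-05-02T09:15:00,INC-1001,
_SAP002,2023-05-10T14:00:00,INC-1002,BUSINESS_USER1
_SAP003,2023-05-20T08:30:00,,
_SAP001,2023-06-01T10:00:00,INC-1001,
"""

# Constructed customer ticket register: when each ticket to SAP was opened
# and closed. Also an assumption for this example.
TICKETS_CSV = """incident_id,opened,closed
INC-1001,2023-05-01T08:00:00,2023-05-03T17:00:00
INC-1002,2023-05-09T11:00:00,2023-05-12T12:00:00
"""


def parse_csv(text):
    """Parse an in-memory CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_technical_user_logons(logons_csv, tickets_csv, grace_hours=24):
    """Return a list of (user, logon_time, finding) tuples.

    A logon is expected only while a customer ticket is open, plus a short
    grace period (assumed: 24 hours) in which the access must be removed.
    Logons without a ticket, with an unknown ticket, or outside the ticket
    window are flagged; use of a customer user's authorizations is flagged
    for the customer's internal review of the performed activities.
    """
    tickets = {row["incident_id"]: row for row in parse_csv(tickets_csv)}
    grace = timedelta(hours=grace_hours)
    findings = []
    for row in parse_csv(logons_csv):
        user, when = row["user"], row["logon_time"]
        logon = datetime.fromisoformat(when)
        incident = row["incident_id"]
        if not incident:
            findings.append((user, when, "logon without incident ID"))
            continue
        ticket = tickets.get(incident)
        if ticket is None:
            findings.append((user, when, f"unknown incident {incident}"))
            continue
        opened = datetime.fromisoformat(ticket["opened"])
        closed = datetime.fromisoformat(ticket["closed"])
        if not (opened <= logon <= closed + grace):
            findings.append((user, when,
                             f"logon outside window of {incident}"))
        if row["customer_user"]:
            findings.append((user, when,
                             "used authorizations of customer user "
                             f"{row['customer_user']}"))
    return findings


if __name__ == "__main__":
    for user, when, finding in check_technical_user_logons(LOGONS_CSV,
                                                           TICKETS_CSV):
        print(f"{user} {when}: {finding}")
```

On the constructed data the check produces three findings: the _SAP002 logon that used a customer user's authorizations, the _SAP003 logon that has no incident ID at all, and the second _SAP001 logon, which falls almost a month after INC-1001 was closed and therefore indicates access that was not removed in a timely manner. The first _SAP001 logon lies inside its ticket window and is not flagged.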
After the auditor has determined whether SAP employees had access to the productive customer system in the audited period, the auditor should evaluate whether the customer reviewed the access to the SAP user accounts in a timely manner after the fix or maintenance was completed.
Note: There is no explicit approval by the customer after SAP has made a change in the productive system. Approval is given implicitly when the customer opens a ticket with SAP. The review of the activities by the customer is solely a customer-internal process to ensure that only authorized and appropriate changes were conducted and that the impact on the Internal Control System is evaluated.
The access of SAP users to customer productive systems, e.g. in case of incidents, is also covered in the SOC 1 Type 2 report. For details, please refer to our blog article Service Organization Controls Report Review (Part 4) | SAP Blogs.
The SAP Help Portal provides further information about the access levels and access categories for SAP support access to customer systems (https://help.sap.com/docs/SAP_S4HANA_CLOUD/55a7cb346519450cb9e6d21c1ecd6ec1/3cdb582583b342fd82b3caf3f3763af8.html).
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.
Or contact us on LinkedIn.
Your feedback
Feel free to share your feedback and thoughts in the comment section below.
A big thank you to my colleagues for their collaboration and support.
Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA. With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of Security Experts responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy, and Security Attestation & Certification.
Florian Eller (SAP) – Product Management SAP S/4HANA Security. Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.
Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA. Björn has been working in the field of SAP security for more than two decades, with additional experience in SAP implementation and IT auditing.
Patrick Boch (SAP) – Product Management SAP S/4HANA Security. Patrick has 20 years of experience working with SAP, with a focus on SAP security for over a decade.
Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance). Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance). Christina Köhler has more than 6 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.