Introduction: In the dynamic world of cloud computing, managing privileged access is crucial for maintaining security and operational integrity. SAP’s introduction of Privileged Access Management (PAM) for SAP S/4HANA Cloud, as part of the SAP Cloud Identity and Access Governance (IAG) release 2302, marks a significant advancement in this field. This feature streamlines access control, ensuring enhanced security and compliance within your SAP environment. In this blog post, we’ll explore the key steps and best practices for implementing PAM in SAP S/4HANA Cloud.

Understanding the Basics:

Privileged Access Management (PAM) in the context of SAP S/4HANA Cloud is a critical aspect of cybersecurity and compliance. It serves as the cornerstone of secure cloud operations. But what exactly is PAM, and why is it so vital in the SAP ecosystem? At its core, PAM is a security solution designed to monitor and control elevated (‘privileged’) access within an IT environment. Privileged accounts are those that have administrative or specialized access to critical systems. In SAP S/4HANA Cloud, these accounts could include system administrators, superusers, or any account with access to sensitive data and controls.

Privileged or Emergency Access Management in SAP refers to the process of securely granting and monitoring temporary, high-level access to critical systems and data in exceptional situations while ensuring strict controls, auditability, and accountability. This access is typically granted to authorized personnel for urgent tasks and it is closely managed to minimize security risks.

The figure below explains some of the scenarios where PAM can be potentially used.

PAM Usage Scenarios

The figure below explains the PAM process for SAP S/4HANA Cloud.

• Users can create self-service requests for emergency access to systems and applications.
• Approvers, reviewers and security can review requests for emergency access and grant access.
• Compliance persons can perform periodic audit and monitoring based on usage logs.

PAM Process

The benefits of PAM are:

• Enhanced Security: PAM ensures that only authorized personnel have access to critical systems, reducing the risk of security breaches.
• Audit and Compliance: It provides detailed logging and tracking of privileged activities, which is crucial for audits and regulatory compliance.
• Least Privilege Principle: PAM enforces the principle of least privilege, where users are granted only the access necessary for their role, minimizing the potential for unauthorized access or actions.

The various terminologies used within PAM process in SAP are:

• PAM User: The IT Support User who requires the elevated access.
• PAM ID: The PAM User Id with elevated privileges.
• PAM Approver: The person(s) who approvers the PAM ID assignment to a PAM User.
• PAM Reviewer: The person(s) who reviews the log request and investigates any differences between intended and actual usage.

The PAM ID is a generic ID created in SAP IAG and backend SAP S/4HANA Cloud system.

What is a PAM ID?

Implementation Steps:

1. Client Authentication Setup: This step involves creating a client ID and secret for the S/4HANA application in Identity Authentication (IAS). It is crucial for establishing a secure connection.
2. Destination Creation in BTP: We then proceed to create a destination in the BTP for PAM in the IAG Subaccount.
3. Privileged Access IDs Creation: This is a critical step where privileged access IDs are set up in PAM on IAG.
4. Provisioning Job Execution: Finally, running the provisioning job on IAG is essential to ensure that all configurations take effect.

Prerequisites:

Before diving into the implementation of Privileged Access Management (PAM) in SAP S/4HANA Cloud, certain foundational steps must be completed. Here’s what needs to be in place:

• IPS_PROXY destination has been set as per SAP documentation
• S/4HANA Cloud application setup has been completed as per SAP documentation
• Worker IDs have been created for the PAM IDs using the Manage Workforce app in S/4HANA Cloud.
• Business roles have been defined for PAM in IAG
• PAM access has been provided using BTP role collections for PAM to the administrators, approvers, reviewers, and the PAM end users. (Pre-delivered role collection CIAG_Privileged_Access)
• Access Request workflow has been set up for PAM as per SAP documentation. (Request Type: PAM and PAMREVIEW)

Request Type Rule for PAM Access Request Process

• The following communication scenarios have been added to the communication user in S/4HANA:

We started implementing PAM after we completed the implementation of the Access Request Service. So, some of these prerequisites were already in place.

Configuration Steps

Let’s walk through the key configuration steps.

• Client Authentication Setup for S/4HANA Application in Identity Authentication (IAS)

To integrate with IAG, we will create a Client ID and Secret on the S/4HANA application in IAS. This is because IAG currently only supports basic authentication. You will need to use this client and secret as your user and password when setting up the BTP destination for PAM.

• • Navigate to Applications and Resources  Applications.
  • Select the SAP S/4HANA Cloud Tenant and navigate to Trust  Application APIs  Client Authentication.
  • Go to the Secrets section and click on Add. Enter a description and click Save.

Add a Secret in S/4HANA API Authentication on IAS

• • Copy and securely store the Client and Secret values. They will be required to create the BTP destination for PAM.

Copy Client ID and Secret

• Create a destination in BTP for PAM in the IAG Subaccount
• • Login to the IAG Subaccount on BTP and navigate to Connectivity  Destinations.
  • Create a new destination with these values:

• • • Name: (e.g., S4C-IAG-PAM)
    • Description: PAM Destination for S/4HANA
    • Type: HTTP
    • Accept: */*
    • Authentication: BasicAuthentication
    • ProxyType: Internet
    • URL: [Your IAS URL, e.g.,https://<yourtenant>.accounts.ondemand.com]
    • User: [Client ID from IAS]
    • Password: [Secret from IAS]
    • USERSURL: /service/users

Destination for PAM in the IAG Subaccount on SAP BTP

• Update the S/4HANA destination with PAM parameters in the IAG Subaccount

Add these additional properties to the S/4HANA destination in BTP in the IAG subaccount.

• • IASApplicationName: Application name of Identity Authentication system in IAG
  • IASDestinationName: Name of the PAM destination created in the previous step
  • IASSubjectNameIdentifier: The Subject Name Identifier used for user authentication to S/4HANA in the IAS application configuration. E.g. UserID or Email
  • S4HCHomePageURL: URL to the S/4HANA system. If you have set up a corporate identity provider and if you are using IAS as a proxy then you will need the URL to bypass the corporate identity provider. This can be found under the conditional authentication of the S/4HANA application configuration in IAS.

Destination for S/4HANA Cloud in IAG Subaccount on SAP BTP

• Create Privileged Access Ids in PAM on IAG

You can now start creating the PAM Ids using the “Maintain Privileged Access” app on IAG.

• • Login to IAG and navigate to Privilege Access Management tab.
  • Open the app “Maintain Privileged Access”

Maintain Privileged Access App on IAG

• • Click on “+” button on the right.
  • In the attributes section enter all the mandatory fields.
  • Name: Same as Worker ID
  • Description: Provide a suitable description for the PAM ID
  • Business Role: Role defined for the PAM ID in IAG
  • PS: Upon selecting the business role, the Employee ID and Email fields are displayed. These fields are not displayed initially.
  • Employee ID: Same as Worker ID
  • Email: Same as the email provided for the Worker ID
  • Criticality: Can be CRITICAL, HIGH, MEDIUM or LOW
  • Duration in Days: Max number of days for which the PAM can be requested.

Attributes Section of a PAM ID on IAG

• • In the allowed activities, you will be provided with a list of catalogs based on the business role assigned. Here you can select the activities for which the PAM ID is designed to be used. This is not an authorization restriction for the PAM ID. It is just for documentation purposes only.

Catalogs allowed for the PAM ID based on the assigned business role

Allowed activities section of the PAM ID on IAG

• • In the Approvers / Reviewers section you will assign the users who should approve the PAM ID in the access request workflow in the “ROLE OWNER” stage and the person who will review the log access review request after the PAM ID has been used by a user. PS: All IAS users are listed for selection. There is no dependency upon any group to be assigned for users to be listed here.

Approvers and Reviewers section of the PAM ID on IAG

• • Click on Save and Activate to save the PAM ID.

• Run the provisioning job on IAG
  • Navigate to Administration  Job Scheduler
  • Provide a suitable job description and job category as Provisioning

Schedule Job for PAM ID Provisioning on IAG

• • Click on Schedule Job
  • Navigate to the Job History App to confirm that the PAM ID has been provisioned in the S/4HANA Cloud backend system.

Log of Provisioned PAM ID in the Job History app on IAG

• • Login to the backend S/4HANA Cloud to ensure the account has been created.

PAM ID displayed in Maintain Business Users app on S/4HANA Cloud

PAM Access Request Process

The Access Request app now allows you to request the PAM ID. Simply search for the PAM ID you need using the search field, or filter by “Access Type = Privilege Access”.

Search for PAM ID in Access Request on IAG

Once the PAM end user submits the request, the access request workflow for the “PAM” request type will be triggered. Note, the PAM end user is any IT support user who requires elevated access to perform a critical task in Production.

The defined workflow will send the request to the appropriate approver. In the case below, the approver is the PAM Owner defined in the Maintain Privileged Access app on the PAM ID. You can define your own workflow stages and have multiple stage approval as well as multiple approvers for a stage (except the Manager stage).

Note that the access request inbox for approving PAM requests is under the Privileged Access Management tab and the app is called “Privileged Access Request – Inbox”. This can cause confusion for approvers because the normal tendency would be to check the “Access Request – Inbox”. I hope that in future releases SAP would consolidate the different inboxes of the services that have workflow capabilities on IAG.

Approval work item in Privileged Access Request – Inbox app on IAG

PAM Request Details for Approval on IAG

Once the request is approved, the user who made the request is assigned an ID.

PAM Execution

The PAM end user can now log in to IAG and execute the PAM ID session using the “PAM Execute Session” application.

Assigned PAM ID displayed in PAM Execute Session app on IAG

Upon clicking “Execute Session”, the user is presented with a popup with a link to activate the PAM ID.

Access Link to activate PAM ID for the session

Click the link to open a new tab. The message displayed states that you are required to sign out from the current application to activate the new account. Click on Sign out and continue.

Sign Out page for activating the PAM ID

On the next page, enter a password for the account and click on continue.

IAS Password entry page for activating PAM ID

You will now be logged in to the target S/4HANA Cloud system with the PAM ID.

S/4HANA Account to confirm the logged in PAM ID

If you go to your IAS Tenant and navigate to the User Management section, you will see that the PAM ID is created after this step. Once the PAM session is terminated, the ID will be removed from IAS. This process will be repeated each time the user logs in and terminates the PAM session.

IAS User Management displaying the activated PAM ID

Once you have completed the PAM tasks, sign out of the PAM ID from S/4HANA.

PAM Sign Out after completion of the session tasks

Navigate back to the IAG tab. If you have been logged out of IAG then close the browser and log back into IAG using a new browser window. Navigate back to the “PAM Execute Session” app.

PAM Execute Session app on IAG after Signing Out of PAM from S/4HANA

Click on “Terminate Session”. A pop up message confirms that the session has been terminated.

Termination Confirmation

The “Execute Session” button is displayed once again.

PAM Execute Session app on IAG after session is terminated

If you check the user in IAS you will find that the user has been deleted.

PAM ID is deleted from IAS after session is terminated

PAM Log generation and review

To proceed, we need to schedule the Log Sync and Access Request Review jobs. It’s recommended to schedule these jobs to run regularly, particularly in a production scenario.

Using the Job Scheduler application on IAG, you can schedule the “Privileged Access Log Sync” job. This job syncs the logs from the S/4HANA backend system to IAG.

Scheduling the Privileged Access Log Sync Job on IAG

Check the Job History to confirm the job is completed. Next use the Job scheduler app on IAG, to schedule the “Privileged Access Review Request” Job.

Scheduling the Privileged Access Review Request job on IAG

The second job creates a log review request and sends it to the PAM ID reviewer for approval. The PAM reviewer can access the PAM Logs review request in the app “Privileged Access Monitoring – Inbox”.

Log review work item in Privileged Access Monitoring – Inbox app on IAG

The log review request has three files as attachment.

1. Business Role Changes: An excel file with changes made to the business role using the PAM ID during that PAM session.
2. Business User Changes: An excel file with changes made to any business users using the PAM ID during that PAM session.
3. Security Audit Log: An excel file with the details of the login session and the apps used during the PAM session.

Log attachments for the PAM session in the review work item

Important Note on PAM Log File Generation

As of the writing of this content, there is a known challenge with the consistent generation of log files in the Privileged Access Management (PAM) system. This issue primarily arises from a timing discrepancy between the PAM log generation process on SAP Cloud Identity Access Governance (IAG) and the synchronization with the SAP S/4HANA backend system. SAP is actively aware of this issue and is diligently working towards a resolution.

In the interim, SAP has proposed a manual workaround for this issue. It involves the use of the “Click to upload attachment” feature to manually add log files from the SAP backend system. This method ensures that crucial log files are not missed and maintains a comprehensive audit trail for privileged access activities.

To aid in the prioritization and rapid resolution of this issue, I have initiated a customer influence request. If you, like many others, are keen on seeing a more streamlined and automated solution to this log file generation challenge, your support would be invaluable. By voting on this customer influence request, you can significantly contribute to highlighting the importance of this issue to SAP, thereby potentially accelerating its resolution.

https://influence.sap.com/sap/ino/#/idea/314189

Completing the Privileged Access Management Cycle

The final step in the Privileged Access Management (PAM) process within SAP S/4HANA Cloud is crucial and signifies the completion of a comprehensive cycle of secure access management. Once a PAM ID has been used, it undergoes a thorough review process. This review is essential to ensure that the privileged access was utilized appropriately and by the established guidelines and policies.

The PAM reviewer, a designated authority within the system, plays a pivotal role at this juncture. After the PAM ID usage, the reviewer meticulously examines the access logs and activities performed. This step is not just a formality but a critical component of maintaining the integrity and security of the system. It helps in identifying any discrepancies, unauthorized activities, or potential security risks.

Upon a detailed review, when the PAM reviewer approves the review request, it marks the successful conclusion of the PAM process. This approval indicates that the privileged access was managed, executed, and reviewed in line with the stringent security standards set by the organization.