Enhancement: SAP GRC - Support for Firefighter Provisioning

Description

We are excited to announce that the SAP GRC integration now supports Firefighter role provisioning!

The new feature allows the SAP GRC connector to be leveraged for provisioning Firefighter IDs and roles directly from the SailPoint platform to SAP GRC on-premises.

In SAP GRC (Governance, Risk, and Compliance), the primary purpose of Firefighter role management is to provide immediate, elevated access to critical systems or sensitive data during urgent situations. Firefighters are typically used to ensure operational continuity without compromising security protocols.

Emergency Access: Firefighters are granted temporary, elevated privileges to perform critical tasks that standard users cannot execute.

Audit & Control: Every activity performed using firefighter credentials is usually logged and monitored by SAP GRC to ensure accountability. This helps in maintaining compliance and audit readiness.

Risk Mitigation: Firefighter access is time-bound and narrowly scoped, reducing the risk of misuse or abuse of high-level privileges.

Problem?

  • The SAP GRC connector didn’t have a way to bring in the Firefighter role and distinguish it from other entitlements in SAP GRC.
  • Requesting provisioning of the Firefighter role was not possible from the SailPoint platform, and users had to log in to GRC to access Firefighter role provisioning.

Solution?

Assigning a Firefighter role is a way to grant temporary Emergency access in SAP GRC. SAP users set up special Firefighter roles in SAP GRC, which they want to see in SailPoint as request-able entitlements.

  • With this enhancement, the SAP GRC integration can now include Firefighter IDs as entitlements during role aggregation.

If someone requests one of these “special” entitlements in SailPoint, the connector sends a special Access Request Type code for the request. It is implemented this way because, in SAP GRC, there should be a special workflow (<Workflow name="SAP GRC Request Executer" type="Subprocess">) that can intercept this code to assign the privileged Firefighter access.

  • With this enhancement, users of the SailPoint SAP GRC integration can add or remove entitlements of the FireFighterID role type.
  • The source setup UI has been enhanced to provide mapping of different FireFighter IDs and default time-bound access provisioning capabilities, making this feature easy to use and streamlined with the SAP GRC configuration.

Important Dates

ISC: This enhancement is now GA for ISC!

IIQ: This will be released on IIQ with 8.4p3, 8.5p1, and 8.6. It is also requestable on IIQ 8.4 patches as an efix, based on the business justification provided.

Additional Resources

Documentation
