Using Privileged Access Management Service

Objective

After completing this lesson, you will be able to explore the features of Privileged Access Management Service.

Access Request for Assignment of PAM ID to End-User in SAP Cloud Identity Access Governance Fiori Launchpad

The PAM ID is enrolled and therefore fully active. To use it, the PAM user has to request it through an access request, including the PAM ID as the request object, so that it becomes visible and usable for them in the privileged access management launchpad of the ABAP target system.

Screenshot explaining Step 5: Create access request for assignment of PAM ID to end-user in SAP Cloud Identity Access Governance Fiori Launchpad

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Access Request → Create Access Request / Create Access Request for Others.

    Note

    Based on your needs, you can request a specific access for yourself or any other person.
  3. Filter and select the required access.

    Note

    In this case, the requestor will select the specific PAM ID, which will be used to perform the privileged access session.
    1. Select Request New Access.
    2. Click on the Show Filter bar.
    3. Select the Access Type Privileged Access to display a list of all available privileged accesses (that is, PAM IDs).
    4. Search for the required PAM ID and select it using the checkbox.
    5. Choose Create Request.
  4. Provide the access request data in the Request Details section.
    • Reason for Request = <Select one of the available and meaningful reason codes> (mandatory)

      Note

      Reason codes can be created using the Request Reason app in the Administration section of the SAP Cloud Identity Access Governance Fiori Launchpad. Note that there are two different types of reason codes; in this case, you only select reason codes of type Access Request. If no options are available, you have to create them.
    • Priority = <Select one of the available priorities> (mandatory)

      Note

      Priority options can be created using the Access Request Priorities app in the Administration section of the SAP Cloud Identity Access Governance Fiori Launchpad. If no options are available, you have to create them.
    • Manager = <Select one of the available manager options> (mandatory)

      Note

      Here you can see only those persons who are assigned to the specific SAP Cloud Identity Access Governance group (IAS user group IAG_WF_MANAGER). If the responsible manager is not visible, you have to assign them to the respective group and trigger the "SCI User Group Sync Job" through the Job Scheduler app in the Administration section of SAP Cloud Identity Access Governance Fiori Launchpad.
    • User Email = <If the email is not populated automatically based on the configured user source, typically the Identity Authentication system, you have to maintain it manually. Insert the email of the user for whom you request the access.>
  5. Provide the access details in the Access Requested section.
    • Validity Period = <Specify the validity period of the requested PAM ID>
  6. Add an attachment in the Attachment section.

    Optionally, you can include a supplemental document about the request for the approver to review.

    Note

    Allowed types are TXT, JPG, PNG, PPT, DOC, DOCX, PDF, XLS, XLSX with a maximum file size of 100MB.
  7. Submit the access request by choosing the correct button.

Demo: Create Access Request for Assignment of PAM ID to End-User

Review and Accept/Reject privileged access request in SAP Cloud Identity Access Governance Fiori Launchpad

Screenshot explaining Step 6: Review and Accept / Reject privileged access request in SAP Cloud Identity Access Governance Fiori Launchpad

Based on the workflow and business rule configuration, the previously created access request for the PAM ID has to pass through several approval steps before it is enabled for the PAM user.

The various responsible parties (for example, manager, role owner, security admin) must therefore decide whether to accept or reject the respective requests. This is done in the Privileged Access Inbox of SAP Cloud Identity Access Governance Fiori Launchpad.

The steps to perform are as follows:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Privileged Access Management → Privileged Access Inbox.
  3. Review and accept/reject the privileged access request:
    1. Choose the proper access request from the inbox list.
    2. Review the details and decide whether to accept or reject the access request using the dedicated button. If you want to provide further comments on your decision, use the Notes section in the details view.

Repeat those steps for every approval stage in the overall workflow process. If a role owner, security admin, or any other required responsible party is involved, they have to perform the steps above as well. When the access request is rejected by any involved party, the workflow instance is stopped and finished with status "Rejected". If all approval steps have been passed and the access request has been accepted, the system initiates the provisioning, and the PAM user can select the PAM ID in the privileged access management launchpad of the ABAP target system and start the elevated privilege session.

Additionally, notice that the inbox list of privileged accesses shows and updates the respective workflow stage after every decision (consult the figures above: the first stage is "MANAGER", the second stage could be "ROLEOWNER", and so on).

All details about the completed workflow stages are also written to the audit log of the respective access request. This ensures an end-to-end chain of information.

Demo: Review and Accept / Reject Privileged Access Request

Further explanations about the Privileged Access Inbox, the details screen, and their various sections, can be found on SAP Help:

https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/37bacb728d75468c92b1f1e20d5afbe2/6c389e2fcde5433c8cf99dbcd46eb013.html?locale=en-US

Initiate Privileged Access Session in Target System

Screenshot explaining Step 7: Initiate elevated Privileged Access Session in Respective Target System

After the successful approval process, the PAM user can utilize the requested PAM ID by selecting it using the launchpad of the privileged access management in the ABAP target system.

Perform the following steps:

  1. The PAM user logs in to the ABAP target system with their own credentials.
  2. Call transaction SIAG_PAM_LAUNCH_PAD.

    Note

    The PAM user should already have the proper authorizations to do this; see the lesson Prerequisites for the setup of SAP Cloud Identity Access Governance - Privileged Access Management.
  3. Select the assigned and available PAM ID by choosing the Logon button.
  4. Provide the following details:
    • Language = <Preferred language code>
    • Reason Code = <Select the corresponding reason code>

      Note

      A corresponding reason code must have been created beforehand. See also Step 1: Create reason code in the Reason Code app of SAP Cloud Identity Access Governance Fiori Launchpad.
    • Action Notes = <Actions that you anticipate to perform>
  5. Choose Enter or select the proper button (green check-icon).

A new (privileged access) session starts and you are logged on as the PAM ID (switching from the PAM user account to the PAM ID). You can perform the assigned activities and complete the tasks you want.

After logging in with a specific PAM ID in the PAM launchpad, you will notice a red icon in the status column of this PAM ID. This indicates a locked status, meaning that no other PAM user can start another privileged access session using this PAM ID.

When you log out from the session, refresh the launchpad to update the status (the red icon changes to green, and the PAM ID is released for other PAM users and sessions). You can log on as often as you want during the assigned validity period. Once the PAM ID assignment is no longer valid, the PAM ID no longer appears in the PAM launchpad.
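The staged approval chain described for the Privileged Access Inbox and the lock/release behaviour of a PAM ID in the launchpad, as an added Python model (not SAP code; the stage names, PAM ID, user names and dates are constructed, and validity is tracked with ISO date strings):

```python
from dataclasses import dataclass, field

PENDING, APPROVED, REJECTED = "Pending", "Approved", "Rejected"

@dataclass
class AccessRequest:
    """A PAM ID access request passing through approval stages (e.g. MANAGER, ROLEOWNER)."""
    pam_id: str
    stages: list
    valid_from: str                                  # ISO dates compare correctly as strings
    valid_to: str
    decisions: list = field(default_factory=list)   # (stage, accepted): the audit trail

    @property
    def status(self):
        # One rejection stops the workflow; all stages accepted means approved.
        if any(not ok for _, ok in self.decisions):
            return REJECTED
        return APPROVED if len(self.decisions) == len(self.stages) else PENDING

    def decide(self, stage, accept):
        # Decisions are taken in stage order; a finished request accepts no more.
        due = self.stages[len(self.decisions)] if self.status == PENDING else None
        if stage != due:
            raise ValueError(f"request is {self.status}; awaiting stage {due}")
        self.decisions.append((stage, accept))

class PamLaunchpad:
    """Target-system launchpad model: a PAM ID is listed only inside its validity period
    and is locked (red icon) while one PAM user holds a session on it."""
    def __init__(self):
        self.assignments = {}   # pam_id -> approved AccessRequest
        self.in_use = {}        # pam_id -> PAM user currently logged on as it
    def provision(self, req):
        if req.status != APPROVED:
            raise ValueError("only an approved request is provisioned")
        self.assignments[req.pam_id] = req
    def visible(self, today):
        return [p for p, r in self.assignments.items() if r.valid_from <= today <= r.valid_to]
    def logon(self, pam_user, pam_id, today):
        # Refused when the assignment is not (or no longer) valid or another session holds the ID.
        if pam_id not in self.visible(today) or pam_id in self.in_use:
            return False
        self.in_use[pam_id] = pam_user
        return True
    def logout(self, pam_id):
        self.in_use.pop(pam_id, None)   # releases the PAM ID: icon turns green again
    def status_icon(self, pam_id):
        return "red" if pam_id in self.in_use else "green"
```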

Demo: Initiate Privileged Access Session in Target System

Enable and Check Privileged Access Log Service

To review the log of when privileged access has been requested and by whom, you must do the following:

  1. Schedule Privileged Access Log Sync Job in the Job Scheduler app of SAP Cloud Identity Access Governance Fiori Launchpad to capture the collected logs for review purposes.
  2. Start the automated review process by triggering the job, Privileged Access Review Request, in the Job Scheduler app of SAP Cloud Identity Access Governance Fiori Launchpad and approve the logs through the Privileged Access Monitoring app.

Schedule "Privileged Access Log Sync Job" in SAP Cloud Identity Access Governance Fiori Launchpad

Screenshot showing the steps to Schedule Privileged Access Log Sync Job in SAP Cloud Identity Access Governance Fiori Launchpad

During every privileged access session, a certain amount of log data is always collected using SAP standard logging capabilities. These session logs are retrieved from the ABAP system and synchronized to IAG, where they are used for monitoring purposes and provided to the reviewer for further checks.

To capture the collected log data, you have to trigger the dedicated job named Privileged Access Log Sync Job in the SAP Cloud Identity Access Governance Fiori Launchpad.

Schedule the following job category: Privileged Access Log Sync Job (used to synchronize the collected log data of a privileged access session to SAP Cloud Identity Access Governance)

Perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Job Scheduler.
  3. Schedule job and provide the necessary information:
    • Job name = <Any Job name>

      Note

      No spaces are allowed.
    • Job category = Privileged Access Log Sync Job
    • Recurring Job = Yes or No

      Note

      Recurrence depends on your needs.
    • Start immediately = Yes or No

      Note

      Start time depends on your needs.
  4. Choose Schedule Job.
  5. Check the job status in the Job History List.

Demo: Schedule "Privileged Access Log Sync Job"

Start the automated review process by triggering job "Privileged Access Review Request" in SAP Cloud Identity Access Governance Fiori Launchpad

Screenshot displaying Privileged Access Review Request in SAP Cloud Identity Access Governance Fiori Launchpad

The review of privileged access sessions can be done in two different ways:

  1. Manual option: No specific review workflow is in place. In this case, the reviewer or any other responsible person can check the synchronized log data (for example, on a weekly basis) in the corresponding report, which can be found under Privileged Access Monitoring in the Reports section of SAP Cloud Identity Access Governance Fiori Launchpad.
  2. Automatic option: The review process is triggered and initiated through the workflow (based on the workflow configuration, multiple reviewers can be involved; by default there are two stages, Roleowner and Security, who have to perform their checks to complete the overall review workflow). Consequently, the reviewer has to proactively check the generated review items / requests of the privileged access session. The automatic review workflow is started by triggering the Privileged Access Review Request job in SAP Cloud Identity Access Governance Fiori Launchpad. This job creates workflow items (in this case, review requests), which have to be checked and approved by the reviewer using the Privileged Access Monitoring Review Inbox app in the Privileged Access Management section of SAP Cloud Identity Access Governance Fiori Launchpad.
Regarding the automatic option: note that only the default configured process can be used. Custom workflows or other workflow processes are not supported.

Schedule the following job category: Privileged Access Review Request (used to trigger the automatic privileged access review workflow for privileged access sessions)

Perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration → Job Scheduler.
  3. Schedule the job and provide the necessary information:
    • Job name = <Any Job name>

      Note

      No spaces are allowed.
    • Job category = Privileged Access Review Request
    • Recurring Job = Yes or No

      Note

      Recurrence depends on your needs.
    • Start immediately = Yes or No

      Note

      Start time depends on your needs.
  4. Choose Schedule Job.
  5. Check the job status in Job History List.

Demo: Start the automated review process by triggering job "Privileged Access Review Request"

Workflow review of Privileged Access Session using "Privileged Access Monitoring" in SAP Cloud Identity Access Governance Fiori Launchpad

Screenshot showcasing the Workflow review of Privileged Access Session using Privileged Access Monitoring in SAP Cloud Identity Access Governance Fiori Launchpad

This section describes how the automated workflow of privileged access sessions and their respective review requests can be handled (see the Automatic option of the previous paragraph).

Perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Privileged Access Management → Privileged Access Monitoring Review Inbox.
  3. Choose the proper log review request from the inbox list.
  4. Review the details, check the collected logs (that is, activities which have been performed during the privileged access session), provide at least one comment in the "Comments" section and then submit the request using the dedicated button.

Repeat those steps for every further review stage in the overall workflow process. As already described, there are two stages by default, so the security admin has to perform the steps above as well. When all required stages have been submitted by the involved persons, the log review process is completed.

The reviewers can only submit the log review requests. There is no other option, such as sending the request back for further questions. If the reviewers recognize any misuse, it can be recorded in the comments section, but further actions have to be initiated on an organizational level outside SAP Cloud Identity Access Governance.

Demo: Review the Workflow of Privileged Access Session