sharfuddin2 Absent Member.

PAM - monitoring SAP admins


Hello,
I have a potential PAM customer running SAP (ERP software). They also
badly want to monitor (record) SAP Administrator activities, and the
challenge here is that SAP Administrators use a client (SAP GUI) for SAP
administration which installs/runs on their workstations.

How can PAM help this customer? Any suggestions?

Regards,


--
sharfuddin
------------------------------------------------------------------------
sharfuddin's Profile: https://forums.netiq.com/member.php?userid=1016
View this thread: https://forums.netiq.com/showthread.php?t=56454

Micro Focus Expert

Re: PAM - monitoring SAP admins

I believe PAM for Desktop OS is being considered. Please feel free to get in contact with the Product Manager who will be making decisions about priority of features. I'll relay this post so they are aware of the interest. Currently, you can enable the password check-out feature to access the SAP application: https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/b1jrx1im.html#b1jtgupe.
Micro Focus Expert

Re: PAM - monitoring SAP admins

I found out that Desktop support for Windows 7 and 8.1 is included in PAM 3.1, and Windows 10 is planned for 3.2. For 7 and 8.1, though, I don't think SAP Client was officially tested yet, but there are plans for that.
sharfuddin2 Absent Member.

Re: PAM - monitoring SAP admins


I don't understand why there is an agent available for Desktop OS.
What's the purpose? If a PAM agent is installed on a workstation of a
System/Mail/ERP/DB admin, then that agent would not just monitor/record
the admin's "administrative" activities but obviously would also
record/monitor non-administrative (personal/private) activities, e.g. IM
and email clients, web browsers, etc., and recording/monitoring such apps
is neither required nor acceptable.

I think a "Desktop Specific" agent is required which can monitor/record
all activities of users except web browsers, IM and email clients, so
that any administrative tool, be it Putty, a Database
Administration/Management tool, Mail Server Administration tools, or
the SAP Administration tool (SAP GUI), would be recorded.


Micro Focus Expert

Re: PAM - monitoring SAP admins

I recall these scenarios being discussed in implementation of Desktop OS monitoring and there are plans to address these concerns as I recall. I'll forward this thread to the Product Manager and see if a response can be posted here.
sharfuddin2 Absent Member.

Re: PAM - monitoring SAP admins


Thanks, and I would appreciate it if you could share with us the response
of the Product Manager.


Micro Focus Expert

Re: PAM - monitoring SAP admins

This is being discussed in Enhanced Access Control for Windows, which is a planned feature as I understand it. There's also the option to 'Run as User' that could be a workaround approach to have only specific applications monitored rather than all applications. See https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/bzmp2jy.html.
sharfuddin2 Absent Member.

Re: PAM - monitoring SAP admins


>There's also the option to 'Run as User' that could be a workaround approach
>to have only specific applications monitored rather than all applications.


I don't think "Run as User" could be a workaround here, as how can one
restrict an Admin to only run the console/tool (e.g. SAP GUI or Putty) via
"Run as User"?
SAP GUI is a tool that any ordinary (non-privileged) user can run if
installed on his/her workstation; it's the credentials that authorize
what a user can/can't do within SAP. Similarly, anyone can run
"Putty" if available on his/her system (yes, we can track/monitor direct
ssh logins via PAM too); successful login and rights are dependent on
the credentials provided, but Putty does not require any special
permissions.

So in all such scenarios where tools/consoles could be run by any
ordinary user, the "Run as User" feature won't help because we can't restrict
users to run the consoles/tools via the "Run as User" feature only.

Regards,


Micro Focus Expert

Re: PAM - monitoring SAP admins

Yeah, you are right, this makes total sense. I understand this use-case is being considered by Engineering for enhancement in the near future as we see the need.