PAM Review Process in SAP IAG

DataNub Technologies

PAM REVIEW PROCESS IN SAP IAG
By Sarveshvaran Rajendran

www.datanub.in
INTRODUCTION
SAP Cloud Identity Access Governance (IAG) helps organizations manage the access rights of their users across SAP and
non-SAP systems. IAG lets users request, approve, certify and monitor access rights in a centralized and compliant manner.
One of its features is privileged access management (PAM), which allows users to request and be granted temporary
elevated access to sensitive systems or data for a specific purpose and duration.

This document explains the process of reviewing and approving PAM requests in IAG. It covers the following topics:
• What is a PAM request and why is it needed?
• Who can review a PAM request?
• What is the Allowed Activities list used for?
• Example

[email protected] www.datanub.in +91-98802-36389


WHAT IS A PAM REQUEST AND WHY IS IT NEEDED?

A PAM request is a request for temporary elevated access to a system or data that is normally restricted or protected. For
example, a user may need to access a production system to perform an emergency fix, or a user may need to access a
confidential report to conduct an audit. A PAM request specifies the following information:
• The system or data that the user needs to access
• The reason or purpose for the access
• The duration or validity period of the access
• The approval workflow, i.e. the approvers who need to authorize the access

A PAM request is needed for several reasons, such as:
• To ensure that the access is granted only for a legitimate and justified purpose
• To minimize the risk of unauthorized or inappropriate access to sensitive systems or data
• To comply with the security policies and regulations of the organization and the system owner
• To track and monitor the usage and the activities performed with the privileged access
• To revoke the access automatically after the validity period expires


WHO CAN REVIEW THE PAM REQUEST?
A PAM review can be performed only by the user who is selected as reviewer in PAM ID maintenance.

Note: the PAM review workflow uses the "privilege access review" template, and this cannot be changed. In this template
the Role Owner acts as the PAM reviewer and the Security role acts as the administrator.


ALLOWED ACTIVITY IN PAM
When a PAM ID is created, a Business Role must be assigned to it. The business role defines which
activities/transactions can actually be executed with the PAM ID. The PAM ID definition also has a section, Allowed
Activities, in which users can manually add a subset of the activities/transactions of the assigned Business Role.
The activities added to this list do not restrict anything at runtime. They exist for the PAM ID reviewer to check
against later, and as a reference for PAM ID creators/reviewers who may want to restrict the allowed activities further
in the future.
When a user is assigned the PAM ID and logs into the target system, the user can run every activity granted by the
Business Role of the PAM ID; the activities manually added to the "Allowed Activities" list impose no limit.
The target system logs all activities performed with this PAM ID and sends the log back to the IAG system. During the
PAM review process, IAG compares the activities performed on the target system with the ones manually added to the
"Allowed Activities" list.

If an executed activity is not in the list, the PAM review logic shows the warning "Transaction not part of Allowed
activity set".
This warning is only a reference for the PAM ID reviewer, indicating that the allowed activities could be restricted
further through the Business Role design in the future.
The reviewer can continue processing the review of the PAM ID without being blocked by this read-only warning
message.

Example:

The business role has 4 t-codes and only 2 of them are marked as allowed activities. During the review process, the
transaction codes that were executed but are not in the allowed activity list are displayed separately with the warning
message.
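The comparison described above, written out as an added example (this is not DataNub's or SAP's code, and IAG does not expose its review logic as a script). It models the 4-t-code / 2-allowed case from the text and goes slightly beyond it: it also catches a logged t-code that is outside the business role altogether, which should not be possible and deserves investigation, and it lists role t-codes that were never used, since removing those from the Business Role is what actually shrinks the PAM ID's reach. The log line format, the field names, the PAM ID names and the t-code values are all constructed for illustration.

```python
"""Simulated SAP IAG PAM review comparison (added example, not IAG code).

The target system logs every transaction run under a PAM ID, IAG compares
that log with the PAM ID's "Allowed Activities" list, and any transaction
outside the list gets the read-only warning below. The list never blocks
execution; only the Business Role does.
"""
from collections import Counter
from dataclasses import dataclass

WARNING = "Transaction not part of Allowed activity set"


@dataclass
class PamId:
    name: str
    business_role_tcodes: frozenset  # what the user can actually execute
    allowed_activities: frozenset    # reference list for the reviewer only

    def __post_init__(self):
        # Allowed Activities can only be chosen from the assigned Business Role.
        extra = self.allowed_activities - self.business_role_tcodes
        if extra:
            raise ValueError(f"allowed activities not in business role: {sorted(extra)}")


# Constructed session log as the target system might return it to IAG.
# Assumed format: "<timestamp> <pam_id> <tcode>" (not a real IAG/ABAP log layout).
SAMPLE_LOG = """\
2024-05-02T09:01:12Z PAM_FI_EMERG SE16
2024-05-02T09:03:45Z PAM_FI_EMERG SM30
2024-05-02T09:10:02Z PAM_FI_EMERG FB01
2024-05-02T09:12:30Z PAM_FI_EMERG SM30
2024-05-02T09:22:40Z PAM_FI_EMERG SE38
2024-05-02T09:25:00Z PAM_BASIS_OPS SM59
"""


def parse_log(text):
    """Yield (timestamp, pam_id, tcode) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pam_id, tcode = line.split()
        yield ts, pam_id, tcode.upper()


def review(pam, log_text):
    """Build the reviewer's view for one PAM ID.

    'ok' and 'flagged' map executed t-codes to their run counts; flagged
    entries also carry the warning text. 'unexpected' holds executed t-codes
    that are not in the Business Role at all, which indicates a log problem
    or an authorization the role design did not account for. Nothing here
    blocks the reviewer: the warning is informational, as in IAG.
    """
    runs = Counter(tcode for _, pid, tcode in parse_log(log_text) if pid == pam.name)
    ok, flagged, unexpected = {}, {}, {}
    for tcode, n in sorted(runs.items()):
        if tcode not in pam.business_role_tcodes:
            unexpected[tcode] = n
        elif tcode in pam.allowed_activities:
            ok[tcode] = n
        else:
            flagged[tcode] = (n, WARNING)
    return {"ok": ok, "flagged": flagged, "unexpected": unexpected}


def tightening_candidates(pam, log_text):
    """T-codes in the Business Role that were never executed in this log.

    This is the 'restrict further via Business Role design' step the text
    mentions: removing unused t-codes from the role is the only change that
    limits what the PAM ID can do.
    """
    executed = {tcode for _, pid, tcode in parse_log(log_text) if pid == pam.name}
    return sorted(pam.business_role_tcodes - executed)


if __name__ == "__main__":
    # The document's example: business role with 4 t-codes, 2 marked as allowed.
    pam = PamId("PAM_FI_EMERG",
                business_role_tcodes=frozenset({"SE16", "SM30", "FB01", "SU01"}),
                allowed_activities=frozenset({"SE16", "FB01"}))
    result = review(pam, SAMPLE_LOG)
    for tcode, n in result["ok"].items():
        print(f"{tcode:6} executed {n}x  (allowed activity)")
    for tcode, (n, warn) in result["flagged"].items():
        print(f"{tcode:6} executed {n}x  WARNING: {warn}")
    for tcode, n in result["unexpected"].items():
        print(f"{tcode:6} executed {n}x  NOT IN BUSINESS ROLE, investigate")
    print("never used, candidates for removal from the role:",
          tightening_candidates(pam, SAMPLE_LOG))
```

Run as a script, the output separates the two allowed t-codes from SM30 (executed but not allowed, so it carries the warning), shows SE38 as outside the role entirely, and names SU01 as an unused role t-code the reviewer could propose removing.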

EXAMPLE


The PAM reviewer sees the warning "Transaction not part of Allowed activity set" next to each transaction that the PAM user executed but that is not in the allowed activity list.

DataNub Technologies

THANK YOU

Have any questions?


+91-98802-36389
[email protected]

www.datanub.in
