
Configure Emergency Access (EAM) in GRC 10 or 10.1
created by Diego I. Yaryura on Nov 3, 2012 5:18 AM, last modified by Diego I. Yaryura on Dec 11, 2012 2:14 AM
Version 5
Hello!
Configuring EAM in GRC 10 isn't a difficult task, but there are some details you have to take into account. The
document "AC 10.0 Pre-Implementation From Post-Installation to First Emergency Access" is useful, but it does not
cover all the details. Here I'll try to give you a complete explanation of how to configure EAM successfully.
Configure Parameters:
In the GRC Box, execute transaction SPRO and navigate to Governance, Risk & Compliance => Access Control => Maintain Configuration Settings.

The following parameters should be set according to the table (recommended values are for the initial configuration):

Parameter                                                  Recommended value
4000  Application type
4001  Default Firefighter Validity Period (Days)           30
4002  Send Email Immediately                               YES
4003  Retrieve Change Log                                  YES
4004  Retrieve System Log                                  YES
4005  Retrieve Audit Log                                   YES
4006  Retrieve OS Command Log                              YES
4007  Send Log Report Execution Notification Immediately   YES
4008  Send FirefightId Login Notification                  YES
4009  Log Report Execution Notification                    YES
4010  Firefighter ID role name                             Choose a role name, for example Z_SAP_GRC_SPM_FFID

For a complete description of the above parameters, please refer to the guide:
https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and
Compliance (GRC) -> Access Control -> Release 10.0 -> Maintaining Configuration
Settings Guide - SAP AC 10.0
Current direct link:
http://service.sap.com/~sapdownload/011000358700000997872011E/AC10_ConfigSettings_SP10.pdf
You might want to change some of them; the recommended values only serve as a
guide for the initial configuration.
Changes in the parameters table are recorded in a transport request; release the
transport to your QA/PROD systems once you have finished the EAM tests and
adapted the parameters to your requirements.
Parameter 4010: what is it for?
If you have been working with GRC 5.3, this parameter will look unfamiliar.
Its purpose is to tell the application which users logging on to the target system
are Firefighter IDs. The target system makes a call to the GRC Box and reads this
configuration to check whether the user has this role assigned.
That means that you have to create the role that you've set in parameter 4010 in all
the target systems with the exact name provided there. Usually you copy it from
the standard SAP_GRAC_SPM_FFID (it contains the RFC authorizations).
Only the users who have that role assigned in the target system will be available for
selection in the GRC Box as Firefighter IDs.
Kindly check note: 1668255 - Firefighter ID role name for Param ID 4010
For more information regarding the default roles provided by SAP, please refer to the
Security Guide available here:
https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and
Compliance (GRC) -> Access Control -> Release 10.0 -> Security Guide - SAP Access
Control 10.0
Current direct link:
http://service.sap.com/~sapdownload/011000358700001377352010E/ACPCRM10_SG_SP10_en.pdf
Adding connectors to the SUPMG scenario:
Please check: Note 1562760 - AC10.0 - Integration Scenarios to Connector link
At this point you have already created the connectors.
Now you have to link the corresponding connectors to the SUPMG integration scenario.

Required roles in the GRC Box:

SAP provides standard roles that must be copied to the customer namespace. For
this sample configuration you need to create at least a copy of the following
roles and generate the corresponding profiles:

SAP_GRAC_SUPER_USER_MGMT_OWNER   Emergency Access Management owner
SAP_GRAC_SUPER_USER_MGMT_CNTLR   Emergency Access Management controller
SAP_GRAC_SUPER_USER_MGMT_USER    Emergency Access Management firefighter
SAP_GRAC_SUPER_USER_MGMT_ADMIN   Emergency Access Management administrator
SAP_GRAC_BASE                    Basic authorizations required for all AC users. You must assign this role to all AC users.
SAP_GRAC_NWBC                    Authorizations to launch NWBC. You must assign this role to all AC users.

You can simply name them Z_<full standard role name> or use a naming
convention according to your company requirements.
CAUTION: Please follow the instructions provided in the attachment of
Note 1663949 - EAM Authorization Fixes for Central Owners and Reason Codes.
There are some changes you have to make to the standard roles, and the attachment also contains a complete
explanation of the authorization objects.

For more information, kindly refer to the Security Guide (link provided above).
Required users in the GRC Box:
To set up a sample for testing, it is necessary to create (or reuse) three users plus
the administrator who performs the configuration:
FF_OWNER: This user will serve as owner of the Firefighter ID. Assign the role
Z_SAP_GRAC_SUPER_USER_MGMT_OWNER.
FF_CONTROL: This is the firefighter controller. Assign
Z_SAP_GRAC_SUPER_USER_MGMT_CNTLR.

CAUTION: This user MUST have a valid e-mail address maintained in SU01 if you
want the controller to receive notifications via e-mail.
FIREFIGHTER: This is the firefighter user, who will be able to log on to the target
system with the Firefighter ID. Assign Z_SAP_GRAC_SUPER_USER_MGMT_USER in
addition to the base roles. If you don't assign the base roles, the user
(FIREFIGHTER in this case) will not be available for selection when you assign Firefighter IDs to firefighters.
<your user>: The user who is going to perform the configuration must have at
least the role Z_SAP_GRAC_SUPER_USER_MGMT_ADMIN assigned.
In addition to the roles mentioned above, all users must have the roles
Z_SAP_GRAC_NWBC and Z_SAP_GRAC_BASE assigned.
For a theoretical explanation of the users and their responsibilities, refer to
https://help.sap.com/saphelp_grcac10/helpdata/en/16/404938695540b398a5e76fe8cfb067/frameset.htm
Required roles in the target system:
In the target system you have to make a copy of the role SAP_GRAC_SPM_FFID and
generate the profile.
CAUTION: The name of this role MUST be the same as the one configured in parameter
4010 in the GRC Box. In this example: Z_SAP_GRC_SPM_FFID.
Required users in the target system:
You have to create a user (FIREFIGHTER_ID) in the target system with the
roles/profiles required according to your requirements. In addition, you must
assign the role Z_SAP_GRC_SPM_FFID to the FIREFIGHTER_ID.
This user should be of type Service, as per note 1702439.
The following note describes an issue you'll face with this kind of user: Note 1586989 - Object Services icon not
available in Firefighter ID session
I'll update this document when a specific note for GRC 10 is released regarding this issue.
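Before running the synchronization jobs, it is worth verifying in the target system that the Firefighter IDs actually satisfy the prerequisites from the two sections above (they hold the parameter-4010 role with a valid assignment, they are of type Service, and they are neither locked nor expired), because a user that fails any of these will either not show up in the GRC Box or will not be usable. The following report is an added example written for this document; it is not SAP code and not part of the original page. It reads the standard tables AGR_USERS and USR02; the default role name Z_SAP_GRC_SPM_FFID is the example name used in this document and should be replaced by whatever you set in parameter 4010.

```abap
REPORT z_eam_ffid_precheck.
" Added example (not SAP code): run in the TARGET system to list the users GRC
" will treat as Firefighter IDs, i.e. the users holding the role named in
" parameter 4010, and flag the prerequisites described in this document:
" valid role assignment, user type Service (note 1702439), not locked, not
" expired. The role name below is an assumption matching the document's example.

TYPE-POOLS abap.

PARAMETERS p_role TYPE agr_users-agr_name DEFAULT 'Z_SAP_GRC_SPM_FFID' OBLIGATORY.

TYPES: BEGIN OF ty_ffid,
         uname  TYPE agr_users-uname,
         to_dat TYPE agr_users-to_dat,   " end of the role assignment
         ustyp  TYPE usr02-ustyp,        " user type: A dialog, S service, ...
         uflag  TYPE usr02-uflag,        " lock status, 0 = not locked
         gltgb  TYPE usr02-gltgb,        " end of user validity
       END OF ty_ffid.

DATA: lt_ffid TYPE STANDARD TABLE OF ty_ffid,
      ls_ffid TYPE ty_ffid,
      lv_ok   TYPE abap_bool.

START-OF-SELECTION.
  " Users holding the FFID role, joined with their master record.
  SELECT a~uname a~to_dat u~ustyp u~uflag u~gltgb
    INTO CORRESPONDING FIELDS OF TABLE lt_ffid
    FROM agr_users AS a
    INNER JOIN usr02 AS u ON u~bname = a~uname
    WHERE a~agr_name = p_role.

  IF sy-subrc <> 0.
    WRITE: / 'No user holds role', p_role, '- nothing will appear in GRC.'.
    RETURN.
  ENDIF.

  LOOP AT lt_ffid INTO ls_ffid.
    lv_ok = abap_true.
    WRITE: / ls_ffid-uname.
    " An expired role assignment drops the user from the next sync.
    IF ls_ffid-to_dat < sy-datum.
      WRITE: / '   role assignment expired on', ls_ffid-to_dat.
      lv_ok = abap_false.
    ENDIF.
    " Note 1702439: Firefighter IDs should be of type Service ('S').
    IF ls_ffid-ustyp <> 'S'.
      WRITE: / '   user type is', ls_ffid-ustyp, '- expected S (Service)'.
      lv_ok = abap_false.
    ENDIF.
    " UFLAG 64 = locked by administrator, 128 = locked after failed logons.
    IF ls_ffid-uflag <> 0.
      WRITE: / '   user is locked (UFLAG =', ls_ffid-uflag, ')'.
      lv_ok = abap_false.
    ENDIF.
    " Expired user master record.
    IF ls_ffid-gltgb IS NOT INITIAL AND ls_ffid-gltgb < sy-datum.
      WRITE: / '   user validity ended on', ls_ffid-gltgb.
      lv_ok = abap_false.
    ENDIF.
    IF lv_ok = abap_true.
      WRITE: / '   OK'.
    ENDIF.
  ENDLOOP.
```

Run it in every target system client that has a SUPMG connector; every user listed with "OK" is a candidate that the auth/repository sync will bring into the GRC Box. A user that holds the role but is of type Dialog is the most common reason for the behaviour described in note 1702439, so fix the type in SU01 before re-running the sync.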

Creating central Owners and Controllers:

Access the NWBC via http://<server>:<port>/nwbc/ or execute tx. NWBC in the GRC Box.
Go to the Setup tab and create entries for the firefighter controller (FF_CONTROL) and the
owner (FF_OWNER).

Creating reason codes:

You have to create at least one reason code to be able to use the Firefighter ID later.
Associate the reason code with the corresponding target system.


Synchronization Jobs:
In accordance with note 1585079, you have to execute the synchronization jobs in order to make the FF IDs
available in the GRC Box for selection. Please make sure that you have performed the following configuration steps:

1. Integration Scenarios are configured as explained in note 1562760.

2. The Firefighter role is assigned to the Firefighter IDs in the corresponding client system, and the same
role has been given as the value of configuration parameter 4010. Configuration parameters can be maintained
in transaction SPRO => Governance, Risk & Compliance => Access Control => Maintain Configuration Settings.

3. Run the User/Role/Profile/Auth synchronization jobs. The link to run these jobs can be found under
transaction SPRO => Governance, Risk & Compliance => Access Control => Synchronization Jobs.

Once you have executed the auth & repository sync job with the corresponding target connector, the FF ID will be
available for selection in the GRC Box.
See also Note 1668255.
Once you are done with the above steps, re-run an Incremental/Full User Sync so that the
Firefighter IDs holding the Firefighter role are synced into the GRC Box.
Then re-launch the application via NWBC or Portal and search for the Firefighter ID;
it should now be available in the Firefighter ID list.

Assign Owners:

Assign the Firefighter ID to its owner (FF_OWNER in this example).

Assign Firefighter IDs to Firefighters:

Here you assign the Firefighter ID to the corresponding firefighter users (one or more),
and in the Controller tab set the controller user (FF_CONTROL in this example).

Firefighter collector job:

Execute tx. GRAC_SPM_LOG_SYNC and schedule the log collection periodically as
per note 1617529.
Known problems with time zones:
Note 1595462 - Logs not visible in the SPM Reports
Note 1775432 - Transaction logs are not getting captured by GRC 10.0
Known problem when the connector is set to *:
Note 1726157 - GRAC10 EAM GRAC_SPM_LOG_SYNC_UPDATE doesn't collect data
E-mail configuration:
If you want the controller to receive e-mails (firefighter logon notification and
firefighter session details) you have to check the following:

Make sure your Basis team has properly configured outgoing e-mails from the GRC Box (tx. SCOT).

The controller notification method was set to Email (see the controller assignment above).

SPRO parameters:
4002 Send E-mail Immediately: YES
4007 Send Log Report Execution Notification Immediately: YES
4008 Send FirefightID Logon Notification: YES
4009 Log Report Execution Notification: YES

The controller user (FF_CONTROL) has "Comm.Method" set to E-Mail in SU01 and has a valid e-mail
address.

The WF-BATCH user must also have an e-mail address in SU01; otherwise the send fails and the
error is recorded in tx. SLG1.

According to the configuration settings guide, you can change the parameter and use another
user to send the e-mails.
After executing GRAC_SPM_LOG_SYNC_UPDATE, execute tx. SOST and check whether the
e-mails were generated (you have to use the Firefighter ID first so that there is a
session to notify about).
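Because a missing address on either side (the controller receiving the mail or the WF-BATCH user sending it) only shows up as an SLG1 error after the log sync has run, it helps to check both users up front. The report below is an added example written for this document, not SAP code and not from the original page; it runs in the GRC Box and reads the standard tables USR21 (user to address link) and ADR6 (e-mail addresses). It does not check the SU01 "Comm.Method" field, which you still have to verify manually.

```abap
REPORT z_eam_mail_precheck.
" Added example (not SAP code): run in the GRC Box to check that the users
" involved in EAM notifications have an SMTP address maintained in SU01.
" Default selection is WF-BATCH (the sender, per this document); add the
" controller user, e.g. FF_CONTROL, on the selection screen.

DATA gv_bname TYPE usr02-bname.
SELECT-OPTIONS s_user FOR gv_bname DEFAULT 'WF-BATCH'.

TYPES: BEGIN OF ty_mail,
         bname     TYPE usr21-bname,
         smtp_addr TYPE adr6-smtp_addr,
       END OF ty_mail.

DATA: lt_mail TYPE STANDARD TABLE OF ty_mail,
      ls_mail TYPE ty_mail.

START-OF-SELECTION.
  " USR21 links the user to its person/address numbers; ADR6 holds the
  " e-mail addresses. LEFT OUTER JOIN keeps users that have no address at all.
  SELECT u~bname e~smtp_addr
    INTO CORRESPONDING FIELDS OF TABLE lt_mail
    FROM usr21 AS u
    LEFT OUTER JOIN adr6 AS e
      ON e~addrnumber = u~addrnumber
     AND e~persnumber = u~persnumber
    WHERE u~bname IN s_user.

  IF lt_mail IS INITIAL.
    WRITE: / 'No matching user found in USR21.'.
    RETURN.
  ENDIF.

  LOOP AT lt_mail INTO ls_mail.
    IF ls_mail-smtp_addr IS INITIAL.
      " This is the case that produces the SLG1 error described above.
      WRITE: / ls_mail-bname, ': no e-mail address maintained in SU01'.
    ELSE.
      WRITE: / ls_mail-bname, ':', ls_mail-smtp_addr.
    ENDIF.
  ENDLOOP.
```

If you changed the sender user via the configuration parameter mentioned in the configuration settings guide, enter that user instead of WF-BATCH.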
Implement the Firefighter user exit:
Although the Firefighter ID password is changed by the application each time you start a firefighter session (you can
check it via the change documents in the target system), Firefighter IDs still need to be restricted from logging on to
the SAP system directly via SAP GUI. For this purpose you need to implement the SAP user logon exit as described in
the following notes:

1545511 - Firefighter User Exit
1735971 - User exit to prevent direct firefighter login

Required RFC connections for EAM:


Please check: Note 1701047 - Is it mandatory to use trusted connection in the RFC destination for Firefighter
Connector?
"Yes it is mandatory to make a trusted relationship so that communication can be established between the GRC
system and the plug-in."
