SAP GRC 12 EAM On HDB Using Web IDE PDF
In the latest version of GRC, 12.0, SAP has extended the emergency access management (EAM) functionality to HANA target systems via the HANA Web IDE. At present there is no option in GRC 12.0 to use EAM for a HANA DB without the Web IDE.
This blog provides the details on how this new functionality is configured and used to manage firefighting access to HANA target systems. Let's see how you can set up this functionality and test it end to end in a GRC 12.0 system.
Create the HANA database connection in the GRC system using transaction code DBCO (Database Connection Maintenance):
DB Connection: Fill in the DB connection name. This name is reused in the connector setup, so name it accordingly.
DBMS: Select "HDB" (HANA Database) as the type of database management system.
User Name and Password: Credentials of a valid HANA DB user for the connection. These credentials are stored in the GRC system, so use a dedicated technical user with only the privileges the GRC procedures require rather than SYSTEM or a personal account.
Connection Info: HANA database system details (hostname along with the port number).
Save the database connection after entering all the required details.
Create a connector in SM59 with connection type "L" (Logical Destination) and the same name as the connection created in DBCO.
Audit Policy Configuration in HANA DB
Activities on the SAP HANA database (user changes, role changes, creation or deletion of database objects, changes to the system configuration, access to or changes of sensitive information) can be tracked and recorded via the built-in audit configuration feature.
The SAP HANA database auditing feature allows monitoring of the activities performed in HANA DB. To make use of this feature, an SAP HANA audit policy must be activated on the HANA DB.
SAP recommends creating a separate audit policy for each of these activity types rather than one catch-all policy.
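As an added example (not code from the original post or from SAP), the audit setup described above written as HANA SQL: switching auditing on, one policy per activity type, and the queries that verify the result. The policy names, the "HR"."SALARY" table used as the sensitive-data example and the Firefighter user FF_HANA01 are assumptions; run it as a user holding the AUDIT ADMIN and INIFILE ADMIN system privileges.

```sql
-- Added example (not from the original post): HANA audit configuration for EAM.
-- Run as a user with the AUDIT ADMIN and INIFILE ADMIN system privileges.
-- Policy names, the "HR"."SALARY" table and the user FF_HANA01 are assumptions.

-- 1. Switch auditing on and send the trail to the database table. Only the
--    CSTABLE trail target populates the AUDIT_LOG view that the EAM log sync reads.
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'global_auditing_state') = 'true'
  WITH RECONFIGURE;
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
  SET ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
  WITH RECONFIGURE;

-- 2. One policy per activity type, as SAP recommends.
CREATE AUDIT POLICY "GRC_USER_CHANGES"
  AUDITING ALL CREATE USER, DROP USER, ALTER USER
  LEVEL CRITICAL;

CREATE AUDIT POLICY "GRC_ROLE_CHANGES"
  AUDITING ALL CREATE ROLE, DROP ROLE, GRANT ROLE, REVOKE ROLE,
               GRANT PRIVILEGE, REVOKE PRIVILEGE
  LEVEL CRITICAL;

CREATE AUDIT POLICY "GRC_SYSTEM_CHANGES"
  AUDITING ALL SYSTEM CONFIGURATION CHANGE
  LEVEL CRITICAL;

-- Access to or change of sensitive data (assumed table "HR"."SALARY").
CREATE AUDIT POLICY "GRC_SENSITIVE_DATA"
  AUDITING ALL SELECT, INSERT, UPDATE, DELETE ON "HR"."SALARY"
  LEVEL INFO;

-- Everything the Firefighter ID does, whatever the object. This is the policy
-- name assumed to be maintained as "HANA Audit Policy" in the GRC connector
-- settings. FOR PRINCIPALS is HANA 2.0 syntax; HANA 1.0 uses FOR <user_name>.
CREATE AUDIT POLICY "GRC_FF_SESSION"
  AUDITING ALL ALL ACTIONS FOR PRINCIPALS FF_HANA01
  LEVEL INFO;

-- 3. Policies are created disabled; enable each one.
ALTER AUDIT POLICY "GRC_USER_CHANGES"   ENABLE;
ALTER AUDIT POLICY "GRC_ROLE_CHANGES"   ENABLE;
ALTER AUDIT POLICY "GRC_SYSTEM_CHANGES" ENABLE;
ALTER AUDIT POLICY "GRC_SENSITIVE_DATA" ENABLE;
ALTER AUDIT POLICY "GRC_FF_SESSION"     ENABLE;

-- 4. Verify: auditing state and trail type, then the policies and their status.
SELECT "KEY", "VALUE"
  FROM "SYS"."M_INIFILE_CONTENTS"
 WHERE FILE_NAME = 'global.ini' AND SECTION = 'auditing configuration';

SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL, IS_AUDIT_POLICY_ACTIVE
  FROM "SYS"."AUDIT_POLICIES"
 WHERE AUDIT_POLICY_NAME LIKE 'GRC_%';
```

The last query should list every GRC_ policy with IS_AUDIT_POLICY_ACTIVE = TRUE; a policy that was created but not enabled records nothing, which is the most common reason an EAM log review request comes back empty.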
Define the HANA DB connector (the SM59 destination created above) in the following IMG path:
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors
Define a connector group in the following IMG path and assign the HANA DB connectors to this connector group:
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connector Groups
Assign the connectors to all the available integration scenarios (AM, ROLMG, SUPMG, AUTH, PROV); this is good practice.
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings
Maintain Connector Settings
Maintain the connector settings in the following path and assign the HANA Audit Policy and the HANA IDE URL to the HANA DB connectors, as shown in the following screenshots.
SPRO -> IMG -> GRC -> Access Control -> Maintain Connector Settings
This web-based IDE is the SAP HANA Web-based Development Workbench, which contains four modules (Editor, Catalog, Security and Traces).
EAM firefighting for HANA target systems is supported only through the HANA Web IDE, which is the main reason for including the IDE URL as one of the attributes in the connector settings: the firefighting session launches the HANA IDE URL, and the firefighting activities are performed there.
Deploying the delivery unit into HANA DB and activating the SQL procedures under the AC folder in HANA DB is a prerequisite; follow the steps described in the following SAP Note:
https://launchpad.support.sap.com/#/notes/1869912
GRC Procedures Activation
Details on how the corresponding SQL procedures under the ARA and ARQ folders have to be activated are available in SAP Note 1869912.
SQL procedures under the ARQ folder: execute the procedures starting with "IS" or "INS" first, followed by the procedures starting with GRANT and REVOKE, and finally the remaining procedures.
The "GET_USERS_SYNC" procedure has an updated version released through the following SAP Note. Download it from the note and activate it, as the latest version does not contain it by default.
2451688 – Repository sync job not syncing back user validity dates from HANA
You may come across a few errors during the SQL procedure activation, like the ones shown below, but you can still proceed with the next steps.
Step 1: Create a role in HANA DB with the same name as the one maintained in configuration parameter 4010 (Firefighter ID role name).
Step 2: Create a user ID in HANA DB and assign the role created in the previous step to it; this is what makes the GRC system recognize the newly created user ID as a Firefighter ID.
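As an added example (not code from the original post or from SAP), Steps 1 and 2 written as HANA SQL, followed by the two checks worth running before the repository sync: the 12-character limit on Firefighter IDs and the role assignment. The role name SAP_GRAC_SPM_FFID (it must equal whatever your parameter 4010 holds), the user FF_HANA01, the FF_EMERGENCY_DBA role, the SAPHANADB schema and the choice of Workbench role are all assumptions.

```sql
-- Added example (not from the original post): Firefighter ID setup in HANA.
-- Requires the ROLE ADMIN and USER ADMIN system privileges, plus EXECUTE on
-- _SYS_REPO.GRANT_ACTIVATED_ROLE. All names below are assumptions.

-- Step 1: the marker role. Its name must equal GRC configuration parameter 4010.
CREATE ROLE "SAP_GRAC_SPM_FFID";

-- Step 2: the Firefighter ID. Keep the name to 12 characters or fewer (EAM limit).
-- The initial password is a placeholder: GRC generates a new password for the
-- Firefighter ID at every firefighting logon.
CREATE USER FF_HANA01 PASSWORD "Initial-Pw-1234";
GRANT "SAP_GRAC_SPM_FFID" TO FF_HANA01;

-- The privileges actually used during firefighting belong on a separate role
-- granted to the Firefighter ID, so the marker role stays a pure marker.
CREATE ROLE "FF_EMERGENCY_DBA";
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA "SAPHANADB" TO "FF_EMERGENCY_DBA";
GRANT "FF_EMERGENCY_DBA" TO FF_HANA01;

-- The Web-based Development Workbench only opens for users holding one of its
-- repository roles; the Catalog module role is granted here (assumed choice).
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"('sap.hana.ide.roles::CatalogDeveloper', 'FF_HANA01');

-- Check 1: name length. A result of TOO LONG FOR EAM means the FF session
-- will fail to start.
SELECT USER_NAME,
       LENGTH(USER_NAME) AS NAME_LEN,
       CASE WHEN LENGTH(USER_NAME) > 12 THEN 'TOO LONG FOR EAM' ELSE 'OK' END AS EAM_CHECK
  FROM "SYS"."USERS"
 WHERE USER_NAME = 'FF_HANA01';

-- Check 2: the marker role and the working role are both granted.
SELECT GRANTEE, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE = 'FF_HANA01';
```

Run the two SELECTs again after the repository sync if the user does not show up as a Firefighter ID in GRC; a missing marker role or a name longer than 12 characters are the two causes this setup can produce.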
GRC Repository Object Sync
Execute the "Repository Object Sync" program once all the above configuration is complete; it should sync the USERS and ROLES from HANA DB to the GRC system.
Assignment of FF ID Owner and Controller to HANA Firefighter ID
– In 10.1 a user ID must first be defined as FF ID Owner or Controller before it can be assigned to a Firefighter ID.
– In GRC 12.0, Owners and Controllers can be assigned to a Firefighter ID even when the user ID is not maintained in Access Control Owners. This also applies to the "Mass Maintenance" feature.
The decentralized scenario is currently not supported for HANA target systems. Only centralized firefighting is supported, and the Firefighter logon must be done via transaction GRAC_EAM/GRAC_SPM in the GRC Foundation system, as the logic to generate the password for the Firefighter ID is implemented in the GRC system only. You can verify the details in the following SAP Note.
Common Errors
When creating a user ID in HANA DB that you want to use as a Firefighter ID, ensure that the user ID is not longer than 12 characters. If the Firefighter ID is longer than 12 characters, the following error message is shown when you try to start the FF session, as EAM does not support it.
If you have completed all the above steps successfully, you can perform EAM testing for HANA target systems.
Step 1: Execute transaction "GRAC_EAM" in your GRC system, as only the centralized scenario can be used.
Step 2: Click the "Logon" button, enter the required details and click "Continue" to launch the firefighting session.
Step 3: The HANA IDE URL configured during the connector setup is launched and redirects to the logon screen.
The Firefighter ID status shows as "GREEN" until you log in to the HANA IDE.
Enter the Firefighter ID and the password (the generated password is already copied to the clipboard; just press CTRL+V in the password field), after which your firefighting session begins and the status of the Firefighter ID on the EAM launchpad screen turns red. Note that the generated password stays in the clipboard until it is overwritten, so copy something else over it once you are logged in.
Step 4: Perform the required activities in the HANA system and, once completed, log off the firefighting session.
Step 5: All the logs recorded during the firefighting session can be accessed from the HANA table AUDIT_LOG. The same logs are retrieved and shown in the EAM log review workflow request.
Step 6: After the completion of the firefighting session, execute the EAM log sync job, which retrieves the logs from the HANA system and creates the log review workflow request.
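As an added example (not code from the original post or from SAP), the queries a log reviewer or Controller can run directly in HANA to cross-check the EAM log review request against the AUDIT_LOG trail and to spot Firefighter ID sessions that outlived the firefighting window. FF_HANA01, the time window and the connection ID are assumed values; the CONNECT rows only exist if an audit policy records CONNECT (or ALL ACTIONS) for the Firefighter ID.

```sql
-- Added example (not from the original post): post-session review of a
-- firefighting session in HANA. Requires AUDIT READ for AUDIT_LOG and, for the
-- disconnect at the end, SESSION ADMIN. FF_HANA01 and the window are assumed.

-- 1. What the Firefighter ID did inside the session window. Every row here
--    should also appear in the EAM log review request; anything missing there
--    points at a policy the EAM log sync does not pick up.
SELECT "TIMESTAMP", CLIENT_IP, CLIENT_HOST, AUDIT_POLICY_NAME, EVENT_ACTION,
       EVENT_STATUS, SCHEMA_NAME, OBJECT_NAME, STATEMENT_STRING
  FROM "SYS"."AUDIT_LOG"
 WHERE USER_NAME = 'FF_HANA01'
   AND "TIMESTAMP" BETWEEN '2019-03-01 09:00:00' AND '2019-03-01 11:00:00'
 ORDER BY "TIMESTAMP";

-- 2. Logons under the Firefighter ID outside the window. Each one is either a
--    logon that bypassed GRAC_EAM or a session that outlived the window, and
--    needs an explanation. (Needs a policy auditing CONNECT or ALL ACTIONS for
--    the Firefighter ID.)
SELECT "TIMESTAMP", CLIENT_IP, CLIENT_HOST, EVENT_STATUS
  FROM "SYS"."AUDIT_LOG"
 WHERE USER_NAME = 'FF_HANA01'
   AND EVENT_ACTION = 'CONNECT'
   AND "TIMESTAMP" NOT BETWEEN '2019-03-01 09:00:00' AND '2019-03-01 11:00:00'
 ORDER BY "TIMESTAMP";

-- 3. Sessions still open under the Firefighter ID right now. A browser that was
--    closed without logging out leaves one of these until the IDE timeout.
SELECT CONNECTION_ID, START_TIME, IDLE_TIME, CLIENT_IP, CONNECTION_STATUS
  FROM "SYS"."M_CONNECTIONS"
 WHERE USER_NAME = 'FF_HANA01'
   AND CONNECTION_STATUS IN ('RUNNING', 'IDLE');

-- Terminate a stale one by its CONNECTION_ID (placeholder value shown):
-- ALTER SYSTEM DISCONNECT SESSION '400123';
```

Query 3 is the practical answer to a firefighter who closed the browser instead of logging out: disconnecting the session ends the exposure immediately instead of waiting for the HANA IDE timeout.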
You can check the following SAP Note for FAQs about this functionality:
2735438 – FAQ – Emergency Access Management (EAM) for HANA
Issue 1: Currently working with SAP support to check whether a time limit can be set for password expiry.
Issue 2: When logging on to the HANA IDE through EAM, ensure that no other HANA IDE session with a normal user ID is active in that browser. If one is active, the system redirects to the existing session instead of starting a new one, so use a separate browser profile or a private window for the firefighting logon.
Issue 3: During the FF session, always log out properly once you are done. If the HANA IDE is closed directly without logging out, the FF session remains active until the HANA IDE session timeout is reached, and anyone with access to that browser can act under the Firefighter ID in the meantime.