ac10 eam config.pdf

Configure Emergency Access (EAM) in GRC 10

Version 11

created by Diego I. Yaryura on 03 Nov 2012 5:18 AM, last modified by Diego I. Yaryura on 21 Feb 2013 12:23 AM

Source: http://scn.sap.com/docs/DOC-33099 (2013/02/26)

Upload: pam4764

Post on 02-Jan-2016


Hello!

Configuring EAM in GRC 10 isn’t a difficult task, but there are some details you have to take into account. The document “AC 10.0 Pre-Implementation From Post-Installation to First Emergency Access” is useful, but it doesn’t consider all the details. Here I’ll try to give you a complete explanation of how to configure EAM successfully.

Configure Parameters:

In the GRC Box, execute transaction SPRO and navigate to Governance, Risk & Compliance => Access Control => Maintain Configuration Settings.

The following parameters should be set according to the table:

| Parameter | Recommended value (for initial configuration) |
|---|---|
| 4000 - Application type | 1 |
| 4001 - Default Firefighter Validity Period (Days) | 30 |
| 4002 - Send Email Immediately | YES |
| 4003 - Retrieve Change Log | YES |
| 4004 - Retrieve System log | YES |
| 4005 - Retrieve Audit log | YES |
| 4006 - Retrieve OS Command log | YES |
| 4007 - Send Log Report Execution Notification Immediately | YES |
| 4008 - Send FirefightId Login Notification | YES |
| 4009 - Log Report Execution Notification | YES |
| 4010 - Firefighter ID role name | Choose a role name, for example Z_SAP_GRC_SPM_FFID |

For a complete description of the above parameters, please refer to the guide:

https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Maintaining Configuration Settings Guide - SAP AC 10.0

Current direct link:

http://service.sap.com/~sapdownload/011000358700000997872011E/AC10_ConfigSettings_SP10.pdf

You might want to change some of them; the recommended values only serve as a guide for the initial configuration.

Changes in the parameters table will be included in a transport request. Release the transport to your QA/PROD systems when you finish the EAM tests and have adapted the parameters to your requirements.

Parameter 4010: What is it for?

If you’ve been working with GRC 5.3, this parameter should sound weird to you.

Its purpose is to tell the application that the user who is logging on to the target system is a Firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check whether the user has this role assigned.

That means that you have to create the role that you’ve set in parameter 4010 in all the target systems, with the exact name provided there. Usually, you copy it from the standard SAP_GRAC_SPM_FFID (it contains RFC authorizations).

Only the users who have that role assigned in the target system will be available for selection in the GRC Box as Firefighter IDs.

Please check Note 1668255 - Firefighter ID role name for Param ID 4010

For more information regarding default roles provided by SAP, please refer to the Security Guide available here:

https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Security Guide - SAP Access Control 10.0

Current direct link:

http://service.sap.com/~sapdownload/011000358700001377352010E/ACPCRM10_SG_SP10_en.pdf

Adding connector to the SUPMG Scenario:

Please check: Note 1562760 - AC10.0 - Integration Scenarios to Connector link

At this point you have already created the connectors.

Now you have to link the corresponding connectors to the SUPMG scenario:

Click here:

And:

Required roles in the GRC Box:

SAP provides standard roles that must be copied to the customer namespace. For this sample configuration you need to create a copy of at least the following roles and generate the corresponding profiles:

| Role | Description |
|---|---|
| SAP_GRAC_SUPER_USER_MGMT_OWNER | Emergency Access management owner |
| SAP_GRAC_SUPER_USER_MGMT_CNTLR | Emergency Access management controller |
| SAP_GRAC_SUPER_USER_MGMT_USER | Emergency Access management firefighter |
| SAP_GRAC_SUPER_USER_MGMT_ADMIN | Emergency Access management administrator |
| SAP_GRAC_BASE | Gives basic authorizations required for all AC users. You must assign this role to all AC users. |
| SAP_GRAC_NWBC | Gives the authorizations to launch NWBC. You must assign this role to all AC users. |

You can just name them Z_<full standard role name> or use a naming convention according to your company requirements.

CAUTION: Please follow the instructions provided in the attachment of note:

Note 1663949 - EAM Authorization Fixes for Central Owners and Reason Codes

18 Comments

Sabita Das 20 Dec 2012 10:57 AM

The configuration steps are very well explained Diego....excellent job! One query - I am not able to get Firefighter Login notifications or Log report as a controller. Although I can view logs in NWBC. What could be the reason?

I have scheduled job - GRAC_SPM_LOG_SYNC_UPDATE in GRC box and owners and controllers exist only in GRC.

Regards, Sabita


Diego I. Yaryura 21 Dec 2012 2:18 AM (in response to Sabita Das)

Hi Sabita!

Thanks for your input. Regarding your issue, you mean that you're not getting the e-mails as a controller? The e-mails are sent by default with the user WF-BATCH and look like the following:

Dear <controller_name>,
The login notification details for the Firefighter ID <FF_ID> in system <SID> using Reason code '<reason code>' is as follows :
Firefighter: <firefighter name>
Owner: <owner name>
Date & Time: <DD.MM.YYYY> <HH:MM:SS>
Reason code: <reason code>
Activity: <activity>
Kind Regards,
Access Control Administrator

Have you checked if the mails are generated in transaction SOST? I haven't described the post-installation steps that have to be performed before configuring EAM. This is described in AC 10.0 Post-Installation. You have to perform that before configuring the specific modules, for example EAM. In particular, the "Activate Common Workflow" (tx. SWU3) described on page 26 is very important, because among other things, user WF-BATCH is created. Just for your information, the steps described in my document were tested in SP09. If you need more information, please let me know.

Cheers! Diego.

Sabita Das 21 Dec 2012 5:44 AM (in response to Diego I. Yaryura)

Hi Diego,

All configurations are in place. We are at Patch10. There is no job created in SOST for notification. Just want to know if there is only one background job to collect firefighter logs, sync it in GRC and send the mails or there are more than one job? SCOT configuration is in place and mails are being sent from SAP office.

Regards, Sabita


Sabita Das 21 Dec 2012 5:57 AM (in response to Sabita Das)

Hi Diego,

There was a small problem, WF-BATCH was not having a mail ID in user record. Now login notification is being sent, but log summary report is still not sent.

Is there any other job for that?

Regards, Sabita

Diego I. Yaryura 21 Dec 2012 1:43 PM (in response to Sabita Das)

Hi Sabita,

There's only one job. Have you checked parameters 4000 to 4010 as described in the document? Is the log available in the NWBC? I faced some problems because the time in the plugin system was different from the time in the GRC BOX (for example 15 min. difference).

Cheers, Diego.

Sabita Das 02 Jan 2013 9:18 AM (in response to Diego I. Yaryura)

Hi Diego,

Yes, all parameters are configured and log is available in NWBC.

Diego I. Yaryura 09 Jan 2013 12:44 AM (in response to Sabita Das)

Hi Sabita,

I'm currently working in a new system and I'm facing some issues with SPM log SYNC performance. While searching for some notes I've found this: SAP Note 1773855 - EAM10.0 Sometimes Workflows and transaction logs are missed. Have you checked? Have you solved the issue already?

Cheers! Diego.

Note 1663949 - EAM Authorization Fixes for Central Owners and Reason Codes

There are some changes you have to make to the standard roles, and the note also gives a complete explanation of the authorization objects.

For more information, kindly refer to the Security Guide (link provided above).

Required users in the GRC Box:

To show a sample for testing, it’s necessary to create three users (or use existing ones):

FF_OWNER: This user will serve as owner for the firefighter ID. It should be assigned the role Z_SAP_GRAC_SUPER_USER_MGMT_OWNER.

FF_CONTROL: This is the firefighter controller. You assign Z_SAP_GRAC_SUPER_USER_MGMT_CNTLR. CAUTION: This user MUST have a valid e-mail address maintained in SU01 if you want the controller to receive notifications via e-mail.

FIREFIGHTER: This is the firefighter user, who will be able to access the target system with the Firefighter ID. You assign Z_SAP_GRAC_SUPER_USER_MGMT_USER in addition to the base roles. If you don't assign the base roles you won't see the user (FIREFIGHTER in this case) available for selection in the Firefighter IDs.

<your user>: The user who is going to perform the configuration must have at least the role Z_SAP_GRAC_SUPER_USER_MGMT_ADMIN assigned.

In addition to all the roles mentioned above, all users must have the roles Z_SAP_GRAC_NWBC and Z_SAP_GRAC_BASE assigned.

For a theoretical explanation of the users and their responsibilities, refer to

https://help.sap.com/saphelp_grcac10/helpdata/en/16/404938695540b398a5e76fe8cfb067/frameset.htm

Required roles in the target system:

In the target system you have to make a copy of the role SAP_GRAC_SPM_FFID and generate the profile.

CAUTION: The name of this role MUST be the same as the one configured in parameter 4010 in the GRC Box. In this example: Z_SAP_GRC_SPM_FFID.

Required users in the target system:

You have to create a user (FIREFIGHTER_ID) in the target system with the roles/profiles required according to your requirements. In addition you must assign the role Z_SAP_GRC_SPM_FFID to the FIREFIGHTER_ID.

This user should be of type “Service” as per Note 1702439.

The following note describes an issue you'll face with this kind of user: Note 1586989 - Object Services icon not available in Firefighter ID session

I'll update this document when a specific note for GRC 10 is released regarding this issue.

Creating central Owners and controllers:

Access NWBC: http://<server>:<port>/nwbc/ or execute tx. NWBC in the GRC Box.

Go to the “Setup” tab and:

Create entries for the Firefighter controller and owner:

Sabita Das 09 Jan 2013 7:58 AM (in response to Diego I. Yaryura)

Hi Diego,

I am getting login notification, but not the log summary report. Additionally, I have scheduled GRAC_SPM_LOG_UPDATE job and activated FIREFIGHTER_LOG_REPORT workflow, but no luck. If above SAP note solves the problem, let us know.

Regards, Sabita

Emmanuel BOURGEOIS 27 Dec 2012 10:49 AM

Hi Diego, excellent job, very useful!

I have a question regarding the configuration: is there any specific configuration to be done to be able to assign FFID to firefighters through a request rather than assigning them directly through NWBC / Setup / Superuser maintenance / Firefighters?

When I assign them manually I see the list of available FFIDs, but when I try to assign them through a request I see only few of them and even more the list is empty if I perform a search in the selection screen.

Any idea?

Regards, Emmanuel.

Diego I. Yaryura 27 Dec 2012 1:34 PM (in response to Emmanuel BOURGEOIS)

Hi Emmanuel,

Thanks for your input. I haven't tried configuring assignment via workflow so far. You might want to check the configuration steps described here: http://scn.sap.com/thread/3246796 or otherwise please create a new thread describing the configuration you've performed and the issue you're facing and I'm sure someone will be able to help you.

Cheers, Diego.

Pradeep Agarwal 11 Feb 2013 2:25 PM (in response to Emmanuel BOURGEOIS)

Hi Emmanuel

Thanks for the detailed configuration document for EAM. I have followed all your steps but still when I am trying to assign FF user to FF id I don't find the entry in nwbc when I search it. Also I created test ids for Owner & Controller with FF user in GRC box but I was able to assign owner and controller but FF user not able to find. Please help me on this.

Regards Pradeep

Diego I. Yaryura 12 Feb 2013 12:30 AM (in response to Pradeep Agarwal)

Hi Pradeep,

Remember that it's mandatory to execute role/profile/user sync against the back-end system for FF and the FF ids must have the corresponding role assigned according to parameter 4010.

Cheers, Diego.

Creating reason codes:

You have to create at least one reason code to be able to use the firefighter ID later.

Associate the entry to the corresponding target system.

Synchronization Jobs:

In accordance with Note 1585079, you have to execute the synchronization jobs in order to make the FF IDs available in the GRC Box for selection:

Please make sure that you have performed the following configuration steps:

1. Integration Scenarios are configured as explained in Note 1562760.

2. Please make sure the Firefighter role is assigned to Firefighter IDs in the corresponding client system and that the same role has been given as parameter value for configuration parameter 4010. Configuration parameters can be configured in transaction code SPRO => Governance, Risk & Compliance => Access Control => Maintain Configuration Settings.

3. Run User/Role/Profile/Auth synchronization jobs. The link to run these jobs can be found under transaction code SPRO => Governance, Risk & Compliance => Access Control => Synchronization Jobs.

Once you have executed the auth & repository sync job with the corresponding target connector, the FF ID will be available for selection in the GRC Box.

See also Note 1668255:

…Once you are done with the above steps, re-run an Incremental/Full User Sync for the Firefighter IDs with the Firefighter Role to be SYNCed into the GRC box. Now re-launch the application via NWBC or Portal and then search for the Firefighter ID and this should be available in Firefighter ID list.
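A pre-sync check for the role and user-type conditions above, as an added example (not part of the original document or of SAP's tooling): it compares the role named in parameter 4010 with the roles actually assigned to the intended Firefighter IDs, checks the user type, and lists anyone else holding the role. The CSV layout with its system column and the inventory of intended Firefighter IDs are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Value of configuration parameter 4010 in the GRC Box (example name from the text).
PARAM_4010_ROLE = "Z_SAP_GRC_SPM_FFID"

# Constructed sample: role assignments per target system, in the shape of an
# AGR_USERS export (UNAME, AGR_NAME) with an added "system" column (assumption).
AGR_USERS_CSV = """system,uname,agr_name
ECC_DEV,FIREFIGHTER_ID,Z_SAP_GRC_SPM_FFID
ECC_DEV,FF_BASIS_01,Z_SAP_GRAC_SPM_FFID
ECC_DEV,JSMITH,Z_SAP_GRC_SPM_FFID
"""

# Constructed sample: user types in the shape of a USR02 export
# (BNAME, USTYP; A = dialog, S = service).
USR02_CSV = """system,bname,ustyp
ECC_DEV,FIREFIGHTER_ID,S
ECC_DEV,FF_BASIS_01,S
ECC_DEV,FF_FI_01,A
ECC_DEV,JSMITH,A
"""

# Hypothetical inventory of the users that are meant to be Firefighter IDs.
EXPECTED_FFIDS = {
    ("ECC_DEV", "FIREFIGHTER_ID"),
    ("ECC_DEV", "FF_BASIS_01"),
    ("ECC_DEV", "FF_FI_01"),
}


def load_rows(text):
    """Parse a CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_ffids(param_role, agr_rows, usr_rows, expected):
    """Return (system, user, finding, detail) tuples for every deviation."""
    roles = {}
    for row in agr_rows:
        roles.setdefault((row["system"], row["uname"]), set()).add(row["agr_name"])
    user_type = {(r["system"], r["bname"]): r["ustyp"] for r in usr_rows}

    findings = []
    for key in sorted(expected):
        held = roles.get(key, set())
        if param_role not in held:
            # A similar role under a different name does not count: the name
            # must match parameter 4010 exactly.
            near = sorted(name for name in held if name.endswith("SPM_FFID"))
            if near:
                findings.append((*key, "role_name_mismatch", near[0]))
            else:
                findings.append((*key, "missing_role", param_role))
        if user_type.get(key) != "S":
            findings.append((*key, "not_service_user", user_type.get(key, "unknown")))

    # Anyone else holding the role becomes selectable as a Firefighter ID.
    for key in sorted(roles):
        if param_role in roles[key] and key not in expected:
            findings.append((*key, "unexpected_holder", param_role))
    return findings


FINDINGS = audit_ffids(
    PARAM_4010_ROLE, load_rows(AGR_USERS_CSV), load_rows(USR02_CSV), EXPECTED_FFIDS
)

if __name__ == "__main__":
    for finding in FINDINGS:
        print(*finding, sep="\t")
```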

Assign Owners:


Pradeep Agarwal 12 Feb 2013 11:54 AM (in response to Diego I. Yaryura)

Hi Diego,

I have done all the steps mentioned by you but still FF user does not appear in the search.

Also I can't see my Test Owner and controller created in the GRC box in the search option but when I was assigning owners and controllers I am able to find them.

Also we have CUA in our landscape so I have made CUA connector as my master user source.

Also I used SAP_GRAC_SPM_FFID role for parameter 4010 in GRC box and 1090 in ECC box.

Please help me to resolve this error.

Regards Pradeep

Diego I. Yaryura 14 Feb 2013 4:00 AM (in response to Pradeep Agarwal)

Hi Pradeep,

I haven't configured EAM with CUA but I'd try to configure first without CUA in order to know if the problem is related to that.

Cheers, Diego.

Pradeep Agarwal 14 Feb 2013 11:49 AM (in response to Diego I. Yaryura)

Hi Diego

I have solved the issue. But I have another question: this background job for SPM Log sync should be scheduled in GRC box with the connector variant? I have executed the program and created a variant with ECC system, is it ok?

Regards Pradeep

Diego I. Yaryura 15 Feb 2013 1:47 AM (in response to Pradeep Agarwal)

Hi Pradeep.

I'm glad to know that your problem has been solved. If you feel the solution you applied to fix it could help others, please share it. Regarding the log sync job, you have to create a variant with the corresponding connector (it is not recommended to use * as connector) and schedule the report with the variant hourly. Details can be found here: https://service.sap.com/sap/support/notes/1617529

P.S.: I hope to test decentralized FF (available with SP 10) soon, and I'll try to add the relevant information to this document.

Cheers! Diego.

Pradeep Agarwal 15 Feb 2013 12:07 PM (in response to Diego I. Yaryura)

Hi Diego

I have added auth object GRFN_USR with activity 16 to the FF user role and it started working.

Regards Pradeep

Andreia Ferreira 09 Jan 2013 12:28 PM

Congrats Diego, excellent document!

Assign Firefighter IDs to Firefighters

Here you assign the Firefighter ID to the corresponding Firefighter users (one or more)

And in the controller tab set the controller user:

Firefighter collector Job:

Execute tx. GRAC_SPM_LOG_SYNC and schedule the log collection periodically as per note: 1617529

Known problems with time zones:

Note 1595462 - Logs not visible in the SPM Reports

Note 1775432 - Transaction logs are not getting captured by GRC 10.0

Known problem when connector is set to “*”:

Note 1726157 - GRAC10 EAM GRAC_SPM_LOG_SYNC_UPDATE doesn't collect data

Performance problems:

Note 1750024 - GRAC - Performance of the SPM Log Sync

Other errors:

Note 1773855 - EAM10.0 Sometimes Workflows and transaction logs are missed

Note 1776070 - GRC EAM program is giving a short dump and no logs generated

Note 1731923 - EAM:Transaction Logs are not being captured while sync

E-mail configuration:

If you want the controller to receive e-mails (firefighter logon notification and firefighter session details) you have to check the following:

- Make sure your Basis team has properly configured outgoing e-mails from the GRC Box (tx. SCOT).
- Controller notification method was set to: Email (see above).
- SPRO parameters:
    4002 Send E-mail Immediately: YES
    4007 Send Log Report Execution Notification Immediately: YES
    4008 Send FirefightID Logon Notification: YES
    4009 Log Report Execution Notification: YES
- Controller user (FF_CONTROL) has “Comm.Method” set to “E-Mail” in SU01 and has a valid e-mail address.
- WF-BATCH user must also have an e-mail address in SU01; otherwise you’ll get the following error in tx. SLG1:

According to the configuration settings guide:

You can change the parameter and use another user to send the e-mails.

After executing GRAC_SPM_LOG_SYNC_UPDATE, please execute tx. SOST and check if the e-mails were generated (you have to access the firefighter to get the e-mails).

Implement Firefighter user Exit:

Although the Firefighter ID password is changed by the application each time you start the firefighter (you can check it via change documents in the target system), Firefighter IDs need to be restricted from logging in to the SAP system directly via SAP GUI. For this purpose we need to create and modify the SAP User Login Exit.

Check:

Note 1545511 - Firefighter User Exit

Note 1735971 - User exit to prevent direct firefighter login
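A detective check that complements the user exit, as an added example (not code from the original document or from the SAP notes): it flags logons of Firefighter IDs in a target system that have no matching Firefighter session in the GRC Box. The record layouts and the per-system clock offset table are assumptions, the sample records are constructed, and the offset handling reflects the time-difference problems between plug-in and GRC Box mentioned on this page.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: Firefighter sessions as recorded in the GRC Box
# (system, Firefighter ID, firefighter user, session start on the GRC Box clock).
EAM_SESSIONS = [
    ("ECC_PRD", "FIREFIGHTER_ID", "FIREFIGHTER", "2013-02-20 09:00:05"),
    ("ECC_QAS", "FF_BASIS_01", "FIREFIGHTER", "2013-02-20 14:30:10"),
]

# Constructed sample: successful logons of Firefighter IDs as recorded in each
# target system (system, user, timestamp on that system's own clock).
TARGET_LOGONS = [
    ("ECC_PRD", "FIREFIGHTER_ID", "2013-02-20 09:00:20"),
    ("ECC_PRD", "FIREFIGHTER_ID", "2013-02-20 22:41:00"),  # no session behind it
    ("ECC_QAS", "FF_BASIS_01", "2013-02-20 14:45:12"),     # clock runs 15 min ahead
]


def unmatched_logons(sessions, logons, tolerance_s=120, clock_offset_s=None):
    """Return the logons that cannot be paired with a GRC Firefighter session.

    clock_offset_s maps a system to the number of seconds its clock runs ahead
    of the GRC Box; each session can explain at most one logon.
    """
    clock_offset_s = clock_offset_s or {}
    open_sessions = {}
    for system, ffid, _firefighter, start in sessions:
        open_sessions.setdefault((system, ffid), []).append(
            datetime.strptime(start, FMT)
        )

    flagged = []
    for system, user, stamp in sorted(logons, key=lambda rec: rec[2]):
        # Normalise the target-system timestamp to the GRC Box clock.
        seen = datetime.strptime(stamp, FMT) - timedelta(
            seconds=clock_offset_s.get(system, 0)
        )
        starts = open_sessions.get((system, user), [])
        match = next(
            (s for s in starts if abs((seen - s).total_seconds()) <= tolerance_s),
            None,
        )
        if match is None:
            flagged.append((system, user, stamp))
        else:
            starts.remove(match)
    return flagged


# Without clock correction the skewed but legitimate QAS session is flagged too.
RAW = unmatched_logons(EAM_SESSIONS, TARGET_LOGONS)
# With the known 15-minute offset only the logon with no session remains.
CORRECTED = unmatched_logons(EAM_SESSIONS, TARGET_LOGONS, clock_offset_s={"ECC_QAS": 900})

if __name__ == "__main__":
    print("raw:", RAW)
    print("corrected:", CORRECTED)
```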

Required RFC connections for EAM:

Please check: Note 1701047 - Is it mandatory to use trusted connection in the RFC destination for Firefighter Connector?

"Yes it is mandatory to make a trusted relationship so that communication can be established between the GRC system and the plug-in."

Links to more documentation:

Note 1394281 - Superuser Privilege Management Log Report Content

Note 1065048 - Firefighter Log Not sent in Email to Controller <<- for 5.3, but useful


Note 1618040 - Performance fix for SPM transaction logs for large systems

Note 1732938 - Firefighter incorrect language setting on ERP Production

Note 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User

Note 1747283 - EAM: Entries in EAM logon pad not Visible for a firefighter

!!NEW: Decentralized firefighting (as in GRC 5.3) is available as of SP10

As of SP10, Emergency Access decentralized firefighting features are available. Users can install and use the EAM Launchpad to perform ID-based firefighting directly on plug-in systems. This means that a Firefighter session can be started from the plug-in system itself without the need to access the GRC Box. This approach was used in GRC 5.3. With GRC 10 SP10 you can choose between centralized or decentralized firefighting.

The most important advantage of decentralized firefighting is that you can continue using firefighter even when the GRC Box is down. In my opinion, it’s also more “user-friendly” since the firefighter doesn’t have to log on to the GRC Box in order to start the firefighting session; he/she only needs to execute a transaction in the plug-in system. For some companies, the centralized approach is better since the user accesses one system (the GRC Box) and can start firefighter sessions in multiple systems.

Bottom line, the most important thing is that with SP10 you have the option to choose, and below you’ll find information that’ll help you to configure decentralized firefighting.

The idea of decentralized firefighting was submitted by Daniela Bork on SAP Idea Place: Access Firefighter application locally in AC10

So, if you have a good idea, please share it with SAP customers and employees in the Idea Place and maybe it becomes a new functionality!

WARNING: THE FOLLOWING PROCEDURE ISN’T PROPERLY DOCUMENTED. I’LL ADD INFORMATION OR CHANGE THE PROCEDURE AS SOON AS NEW GUIDES ARE AVAILABLE.

Main documentation can be found in the guide attached to Note 1690964 - Emergency Access Management Overview Documentation

In the GRC Box a new parameter is available and must be set accordingly:

Under transaction SPRO, navigate to here:

And create a new entry for parameter 4015, which has to be set to the value “YES”.

Additionally, a new synchronization job is available and must be executed in order to synchronize the EAM data from the GRC Box to the plug-in system. Remember that configurations (firefighter assignments, controllers, owners, reason codes, etc.) are still maintained in a centralized way, i.e. in the GRC Box.

In order to sync this data with the plug-in, a new job is available and can be found here:

In the connector field you have to set the corresponding plug-in connector. To keep your plug-in system updated with the changes you make in the GRC Box, this report should be scheduled periodically; I think hourly would be fine. In addition, if you have multiple plug-in systems, you should follow the same approach as with the log sync: create individual jobs for each connector instead of a single job with connector value “*”.

Configuration in the plug-in system

In the plug-in system you’ll find new activities under SPRO:

These activities are described here: 1804207 - GRC EAM 10.0: Configuration parameters introduced in SP10 for EAM

If you haven’t set parameter 1000 in the plug-in system, you’ll have to do it in order to use decentralized firefighting; otherwise you’ll get an error message as described here: 1800772 - Error 'No Destination specified' when using transaction /GRCPI/GRIA_EAM

Then, check the parameter as described below:

If parameter 1000 isn’t present you have to create it and set the value to an RFC destination pointing to the system itself:

Since this configuration is transported, I recommend creating a new RFC destination in the DEV, QAS and PRD systems with the same name, let’s say “GRC_CONNECTOR”. This will allow you to transport the configuration throughout your entire landscape.

Required users

Controllers have to be created in the GRC Box, as with centralized firefighting. In addition, these users must exist in the plug-in system and have a valid e-mail address, because login notifications are sent from the plug-in system.

With the decentralized scheme it’s not necessary to create the firefighter users in the GRC Box, because they’ll start the firefighter transaction from the plug-in system.

E-mail considerations

Log-in notifications are sent from the plug-in system:

But, as with the centralized approach, log notifications are sent from the GRC Box.

This requires a proper mail configuration (tx. SCOT) in both systems: plug-in and GRC Box.

Plug-in roles

You’ll have to create a new role as a copy of SAP_GRAC_SUPER_USER_MGMT_USER.

You should add the following authorization to it:

For some NW releases ACTVT=02 will also be required.

This role is assigned to the firefighter users. Bear in mind that these users should not have access to user maintenance transactions, for example SU01. If the firefighter IDs are properly assigned to a group and you can restrict the CLASS field, this is not a big issue: even though they could change the password, they won’t be able to log on, because the user exit is implemented in order to prevent it.

The authorization added to the role SAP_GRAC_SUPER_USER_MGMT_USER isn’t properly documented by SAP yet. There might be another way to configure it... but this was the same approach used in GRC 5.3.

In addition to this role you also have to create roles for administrator and owner. Remember that extending the validity period is a new activity available in the plug-in system, and owners and administrators should have access to it.

Co-existence of firefighting models

Both models can be used. The decentralized firefighter configuration doesn’t block the centralized firefighter approach. Since you can start only one firefighter session at a time, you cannot use both at the same time, and this is automatically controlled by the application.

Administration functions

The administration functions are maintained in the GRC Box. Decentralized firefighting adds a couple of tasks in the plug-in system, such as logging notification customizations and the possibility to extend the validity date of firefighters if the GRC Box is down. You’ll find a nice illustration in the guide attached to the note mentioned earlier (1690964).

Please share your thoughts, comments or documentation in order to improve this guide.

Well, that’s all. Hope this document has helped you to successfully configure GRC EAM.

Cheers!

Diego.
