Professional Documents
Culture Documents
in GRC 10
Tweet
Hello!
Configuring EAM in GRC 10 isn’t a difficult task, but there are some details you have to take into account. The document “AC
10.0 Pre-Implementation From Post-Installation to First Emergency Access” is useful, but it doesn’t consider all the details. Here
I’ll try to give you a complete explanation about how to configure EAM successfully.
Configure Parameters:
In GRC Box, execute transaction SPRO and navigate to here:
For a complete description of the above parameters, please refer to the guide:
https://service.sap.com/instguides - > SAP BusinessObjects Governance, Risk and Compliance (GRC) ->
Acess Control -> Release 10.0 -> Maintaining Configuration Settings Guide - SAP AC 10.0
You might want to change some of them; the recommended values only serve as a guide for the initial
configuration.
Changes in the parameters table will be included in a transport request, you should release the
transport to your QA/PROD systems when you finish the EAM tests and adapt the parameters according
to your requirements.
If you’ve been working with GRC 5.3, this parameter should sound weird to you.
The purpose is to identify to the application that the user who is logging on to the target system is a
Firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check if the
user has this role assigned to them.
That means that you have to create the role that you’ve set in parameter 4010 in all the target systems
with the exact name provided there. Usually, you copy it from the standard SAP_GRC_SPM_FFID (it
contains RFC authorizations).
Only the users who have that role assigned in the target system will be available for selection in the GRC
Box as Firefighters IDs.
Kindly check note: 1668255 - Firefighter ID role name for Param ID 4010
For more information regarding default roles provided by SAP, please refer to Security Guide available
here:
And:
SAP provides standard roles that must be copied to the customer namespace. For this sample
configuration you should need at least to create a copy for the following roles and generate the
corresponding profiles:
You can just name them as Z_<full standard role name> or use a naming convention according to your
company requirements.
CAUTION: Please, follow he instructions provided in tha attachment of note:
Note 1663949 - EAM Authorization Fixes for Central Owners and Reason Codes
There are some changes you have to made to the standard roles and also there's a complete explanation of the authorization
objects.
For more information, kindly refer to the Security Guide (link provided above).
and take into account the authorization concept for the roles:
"As per the functionality in AC10, we have concept of role based authorization. If a user is having
SAP_GRAC_SUPER_USER_MGMT_OWNER role at the backend, then he should be able to assign any FFID to any
Firefighter user.
The user Assigned with the Role of EAM Admin “SAP_GRAC_SUPER_USER_MGMT_ADMIN”
and EAM Owner “SAP_GRAC_SUPER_USER_MGMT_OWNER ” can do all available owner action for all connector.
The Auth. Object used for firefighter Maintenance is GRAC_FFOWN & GRAC_OWNER"
In order to show a sample for testing, It’s necessary to create (or use existing ones) three users:
FF_OWNER: This user will serve as owner for the firefighter ID. It should be assigned to the role
Z_SAP_GRAC_SUPER_USER_MGMT_OWNER
FIREFIGHTER: This is the firefighter user, who will be able to access in the target system with the
Firefighter ID. You assign Z_SAP_GRAC_SUPER_USER_MGMT_USER in addition to the base roles. If you
don't assign the base roles you won't see the user (FIREFIGHTER in this case) available for selection in
the Firefighters IDs.
<your user>: The user who is going to perform the configurations, must have at least the role
Z_SAP_GRAC_SUPER_USER_MGMT_ADMIN assigned.
In addition to all the mentioned roles above, all users must have the roles Z_SAP_GRAC_NWBC and
Z_SAP_GRAC_BASE assigned.
In the target system you have to make a copy of the role SAP_GRAC_SPM_FFID and generate the profile.
CAUTION: The name of this role MUST be the same configured in the parameter 4010 in the GRC Box.
In this example: Z_SAP_GRC_SPM_FFID.
You have to create a user (FIREFIGHTER_ID) in the target system with the corresponding roles required
roles/profiles according to your requirements. In addition you must assign to the FIREFIGHTER_ID the
role Z_SAP_GRC_SPM_FFID.
This user should be of type: “Service” as per note 1702439
The following note describes an issue you'll face with this kind of users: Note 1586989 - Object Services icon not available in
Firefighter ID session
I'll update this document when a specific note for GRC 10 is released regarding this issue.
Synchronization Jobs:
In accordance with note: 1585079
You have to execute the synchronization Jobs in order to make the FF IDs available in GRC Box for selection:
Please make sure that you have performed following configuration steps:
1. 1. Integration Scenarios are configured as explained in note 1562760
2. 2. Please make sure the Firefighter role is assigned to Firefighter IDs in the corresponding client system and that the same role
has been given as parameter value for configuration parameter 4010. Configuration parameters can be configured in the
transaction code SPRO => Governance, Risk & Compliance => Access Control => Maintain Configuration Settings
3. 3. Run User/Role/Profile/Auth synchronization jobs. The Link to run these jobs can be found Under transaction code SPRO =>
Governance, Risk & Compliance => Access Control => Synchronization Jobs.
Once you have executed the auth & repository sync job with the corresponding target connector, the FF ID will be available for
selection in the GRC Box.
See also Note 1668255
…Once you are done with the above steps, re-run an Incremental/Full User Sync for the
Firefighter IDs with the Firefighter Role to be SYNCed into the GRC box.
Now re-launch the application via NWBC or Portal and then search for the Firefighter ID
and this should be available in Firefighter ID list.
…
Assign Owners:
Here you assign the Firefighter ID to the corresponding Firefighters users (one or more)
And in the controller tab set the controller user:
Firefighter colector Job:
Execute tx. GRAC_SPM_LOG_SYNC and schedule the log collection periodically as per note: 1617529
Performance problems:
Note 1750024 - GRAC - Performance of the SPM Log Sync
Other errors:
Note 1773855 - EAM10.0 Sometimes Workflows and transaction logs are missed
Note 1776070 - GRC EAM program is giving a short dump and no logs generated
Note 1731923 - EAM:Transaction Logs are not being captured while sync
E-mail configuration:
If you want the controller to receive e-mails (firefighter logon notification and firefighter session details)
you have to check the following:
Make sure your Basis team has properly configured outgoing e-emails from GRC Box (Tx. SCOT)
Controller notification method was set to: Email (see above)
SPRO parameters:
4002 Send E-mail Immediately YES
4007 Send Log Report Execution
Notification Immediately YES
4008 Send FirefightID Logon Notification YES
4009 Log Report Execution Notification YES
Controller user (FF_CONTROL) has "Comm.Method” set to “E-Mail” in SU01 and has a valid e-mail address.
WF-BATCH User must also have an e-mail address in SU01; otherwise you’ll get the following error in tx. SLG1:
You can change the parameter and use another user to send the e-mails.
After executing the GRAC_SPM_LOG_SYNC_UPDATE, please execute tx. SOST and check if the e-
mails were generated (you have to access the firefighter to get the e-mails).
Check
1545511 - Firefighter User Exit
1735971 - User exit to prevent direct firefighter login
Security Issue???: http://scn.sap.com/thread/3273562
Please check: Note 1701047 - Is it mandatory to use trusted connection in the RFC destination for Firefighter Connector?
"Yes it is mandatory to make a trusted relationship so that communication can be established between the GRC system and the
plug-in."
The most important advantage of decentralized firefighting is that you can continue using firefighter even when the GRC Box is
down. In my opinion, it’s also more “user-friendly” since the firefighter doesn’t have to log on to GRC Box in order to start the
firefighting session, he/she only needs to execute a transaction in the plugin system. For some companies, the centralized
approach is better since the user access to a system (GRC Box) and can start firefighter sessions in multiple systems.
Bottom line, the most important thing is that with SP10 you have to option to choose and below you’ll find information that’ll
help you to configure decentralized Firefighting.
The idea of a decentralized firefighting was submitted by Daniela Bork on SAP Idea Place: Access Firefighter application locally
in AC10
So, if you have a good Idea, please share it with SAP customers and employees in the Idea Place and maybe it becomes a new
functionality!
Main documentation can be found in the guide attached to the note: Note 1690964 - Emergency Access Management Overview
Documentation
In the GRC Box a new parameter is available and must be set accordingly:
Additionally a new synchronization job is available and must be executed in order to synchronize the EAM data from GRC Box
to the plug-in system. Remember that configurations (firefighter assignments, controllers, owners, reason codes, etc.) are still
maintained in a centralized way, i.e in the GRC Box.
In order to sync this data with the plug-in, a new job is available and can be found here:
In the connector field you have to set the corresponding plug-in connector. In order to keep you plugin system updated with the
changes you made in the GRC Box, this report should be scheduled periodically, I think hourly would be fine. In addition, if you
have multiple plug-in systems, you should follow the same approach as with the log synch: create individual jobs for each
connector instead of a unique job with connector value “*”.
These activities are described in here: 1804207 - GRC EAM 10.0: Configuration parameters introduced in SP10
for EAM
If you haven’t set the parameter 1000 in the plug-in system, you’ll have to do it in order to use
decentralized firefighting, otherwise you’ll get an error message as described here:1800772 - Error 'No
Destination specified' when using transaction /GRCPI/GRIA_EAM
Then, check the parameter as described below:
If the parameter 1000 isn’t present you have to create it and set the value to an RFC destination pointing to the system itself:
Since this configuration is transported I recommend to create a new RFC destination in DEV, QAS and PRD system with the
same name, let’s say “GRC_CONNECTOR”. This will allow you to transport the configuration throughout your entire
landscape.
The RFC connection does not require a user. It just has to point to the correct system/instance and a specific client.
Required users
Controllers have to be created in the GRC Box as well as with centralized firefighting. In addition these users must exist in the
plugin system and have a valid e-mail address because login notifications are sent from plug-in system
With the decentralized scheme it’s not necessary to create the firefighter users in the GRC Box, because they’ll start firefighter
transaction from the plug-in system.
E-mail considerations
Log-in notifications are sent from the plug-in system:
But, as with the decentralized approach, Log notifications are sent from GRC Box
These requires a proper mail configuration (tx. SCOT) in both systems: plug-in and GRC Box.
Plug-in roles
For some NW releases ACTVT=02 will be also required. Kindly Check 1753459 - EAM: S_USER_GRP with ACTVT=02
required
This role is assigned to the firefighter users. Bear in mind that these users should not have access to user maintenance
transactions, for example SU01. If the firefighter IDs are properly assigned to a group and you can restrict the CLASS field this is
not a big issue, since despite they could change the password, they won’t be able to access because the user exit is implemented
in order to prevent it.
This extra authorization was documented by SAP in November 2013 in the note:
1944417 - In decentralized firefighting firefighter is not able to perform firefighter logon
Previous versions of this post contain this solution as unofficial, but now has become official.
"..The firefighter is not having the authorization to change the passowrd. In centralized firefighting the password is changed by
RFC user, but in decentralized version as there is not RFC connection, the password is changed by firefighter. The functionality
works as in EAM 5.3...."
In addition to this role you also have to create roles for administrator and owner. Remember that extending the validity period is a
new activity available in the plug-in system and owners and administrators should have access to it.
Specific for CUA systems:Note 1814400 - Decentral call is opening different session in CUA
(Documentation provided by:Guido Stusinsky)
It's possible that we get a logon screen after starting the FF session. This is an incorrect behavior since the user doesn't need to
enter the FF ID password.
Here some tips:
Check the RFC connection. Perform an authorization check in SM59 to check if the RFC user is OK.
Check that the RFC is pointing to the correct client.
Look for dumps in ST22 in the plugin system.
Check if the FF ID password is productive, reset the password or check with changing the user to type "Service" if you are using
"Dialog" user for FF ID.
Have a look at the following notes:
1861981 - Things to check when error message 'Error in opening RFC destination' appears in GRAC_SPM
1777094 - EAM log on is not possible with the error: 'Error found in RFC (plug in system) and respective logon\logons are
disabled'
Note 1886332 - GRC 10.0 EAM prompts for user/password while logging
Note 1872709 - Logon popup shown when launching the EAM session
Both models could be used. The decentralized firefighter configuration doesn’t block the centralized firefighter approach. Since
you can start only one firefighter session at a time, you cannot use both at the same time and this is automatically controlled by
the application.
Administration functions
The administration functions are maintained in the GRC Box. The decentralized firefighting adds a couple of tasks in the plugin
system such as logging notification customizations and the possibility to extend the validity date of firefighters if the GRC Box is
down. You’ll find a nice illustration in the guide attached to note mentioned earlier (1690964).
Access to decentralized FF
Some standard roles do not include the correct SPM transaction. In order to start decentralized FF the Firefighter user have to
type /n/GRCPI/GRIA_EAM in the transaction bar. If you use other tcodes might see an empty table, and if you don't use /n you'll
receive a message stating something like it's impossible to execute this function.
Please share your thoughts, comments or documentation in order to improve this guide.
Well, that’s all. Hope this document has helped you to successfully configure GRC EAM.