Configure Emergency Access (EAM) in GRC 10
Created by Diego I. Yaryura on Nov 3, 2012 5:18 AM, last modified by Diego I. Yaryura on Dec 11, 2012 2:14 AM. Version 5.

Hello! Configuring EAM in GRC 10 isn't a difficult task, but there are some details you have to take into account. The document "AC 10.0 Pre-Implementation: From Post-Installation to First Emergency Access" is useful, but it doesn't consider all the details. Here I'll try to give you a complete explanation of how to configure EAM successfully.

Configure Parameters:

In the GRC Box, execute transaction SPRO and navigate to here: [screenshot]

The following parameters should be set according to the table:

Parameter                                                   Recommended value (for initial configuration)
4000 - Application type                                     1
4001 - Default Firefighter Validity Period (Days)           30
4002 - Send Email Immediately                               YES
4003 - Retrieve Change Log                                  YES
4004 - Retrieve System log                                  YES
4005 - Retrieve Audit log                                   YES
4006 - Retrieve OS Command log                              YES
4007 - Send Log Report Execution Notification Immediately   YES
4008 - Send FirefightId Login Notification                  YES
4009 - Log Report Execution                                 YES
4010 - Firefighter ID role name                             Z_SAP_GRC_SPM_FFID

For a complete description of the above parameters, please refer to the guide: https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Maintaining Configuration Settings Guide - SAP AC 10.0. Current direct link: http://service.sap.com/~sapdownload/011000358700000997872011E/AC10_ConfigSettings_SP10.pdf

You might want to change some of them. Usually, the recommended values only serve as a guide for the initial configuration. Changes in the parameters table will be included in a transport request; you should release the transport to your QA/PROD systems when you finish the EAM tests and adapt the parameters according to your requirements.

Parameter 4010: what's it for?

If you've been working with GRC 5.3, this parameter should sound weird to you. The purpose is to identify to the application that the user who is logging on to the target system is a Firefighter ID. Only the users who have that role assigned in the target system will be available for selection in the GRC Box as Firefighter IDs. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them. That means that you have to create the role that you've set in parameter 4010 in all the target systems with the exact name provided there. Choose a role name, for example Z_SAP_GRC_SPM_FFID; you copy it from the standard SAP_GRC_SPM_FFID (it contains RFC authorizations). Kindly check note 1668255 - Firefighter ID role name for Param ID 4010.

For more information regarding the default roles provided by SAP, please refer to the Security Guide available here: https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Security Guide - SAP Access Control 10.0. Current direct link: http://service.sap.com/~sapdownload/011000358700001377352010E/ACPCRM10_SG_SP10_en.pdf

Adding connectors to the SUPMG Scenario:

Please check note 1562760 - Integration Scenarios to Connector link. At this point you have already created the connectors. Now you have to link the corresponding connectors to the SUPMG scenario. Click here: [screenshot] And: [screenshot]

Required roles in the GRC Box:

SAP provides standard roles that must be copied to the customer namespace. You can just name them Z_<full standard role name> or use a naming convention according to your company requirements. For this sample configuration you need at least to create a copy of the following roles and generate the corresponding profiles:

SAP_GRAC_SUPER_USER_MGMT_OWNER   Emergency Access management owner
SAP_GRAC_SUPER_USER_MGMT_CNTLR   Emergency Access management controller
SAP_GRAC_SUPER_USER_MGMT_USER    Emergency Access management firefighter
SAP_GRAC_SUPER_USER_MGMT_ADMIN   Emergency Access management administrator
SAP_GRAC_BASE                    Gives basic authorizations required for all AC users. You must assign this role to all AC users.
SAP_GRAC_NWBC                    Gives the authorizations to launch NWBC. You must assign this role to all AC users.

In addition to all the roles mentioned above, all users must have the roles Z_SAP_GRAC_NWBC and Z_SAP_GRAC_BASE assigned. If you don't assign the base roles you won't see the user (FIREFIGHTER in this case) available for selection in the Firefighter IDs.

CAUTION: Please follow the instructions provided in the attachment of note 1663949 - EAM Authorization Fixes for Central Owners and Reason Codes. There are some changes you have to make to the standard roles, and there's also a complete explanation of the authorization objects. For more information, kindly refer to the Security Guide (link provided above).

Required roles in the target system:

In the target system you have to make a copy of the role SAP_GRAC_SPM_FFID and generate the profile. In this example: Z_SAP_GRC_SPM_FFID. CAUTION: The name of this role MUST be the same as configured in parameter 4010 in the GRC Box.

Required users in the GRC Box:

In order to show a sample for testing, it's necessary to create (or use existing) three users:

FF_OWNER: This user will serve as owner for the firefighter ID. It should be assigned the role Z_SAP_GRAC_SUPER_USER_MGMT_OWNER.
FF_CONTROL: This is the firefighter controller. You assign Z_SAP_GRAC_SUPER_USER_MGMT_CNTLR. CAUTION: This user MUST have a valid e-mail address maintained in SU01 if you want the controller to receive notifications via e-mail.
FIREFIGHTER: This is the firefighter user, who will be able to access the target system with the Firefighter ID. You assign Z_SAP_GRAC_SUPER_USER_MGMT_USER in addition to the base roles.
<your user>: The user who is going to perform the configuration must have at least the role Z_SAP_GRAC_SUPER_USER_MGMT_ADMIN assigned.

For a theoretical explanation of the users and their responsibilities, refer to https://help.sap.com/saphelp_grcac10/helpdata/en/16/404938695540b398a5e76fe8cfb067/frameset.htm

Required users in the target system:

You have to create a user (FIREFIGHTER_ID) in the target system with the required roles/profiles according to your requirements. In addition you must assign the role Z_SAP_GRC_SPM_FFID to the FIREFIGHTER_ID. This user should be of type "Service" as per note 1702439. The following note describes an issue you'll face with this kind of user: Note 1586989 - Object Services icon not available in Firefighter ID session. I'll update this document when a specific note for GRC 10 is released regarding this issue.

Creating central Owners and Controllers:

Access the NWBC: http://<server>:<port>/nwbc/ or execute tx. NWBC in the GRC Box. Go to the "Setup" tab and: [screenshot] Create entries for the Firefighter controller and owner: [screenshot]

Creating reason codes:

You have to create at least one reason code to be able to use the firefighter ID later. Associate the entry to the corresponding target system. [screenshot]

Synchronization Jobs:

In accordance with note 1585079 - EAM: Entries in EAM logon pad not Visible for a firefighter, you have to execute the synchronization jobs in order to make the FF IDs available in the GRC Box for selection:

"Please make sure that you have performed the following configuration steps:
1. Integration Scenarios are configured as explained in note 1562760.
2. Run User/Role/Profile/Auth synchronization jobs. The link to run these jobs can be found under transaction code SPRO => Governance, Risk & Compliance => Access Control => Synchronization Jobs.
3. Please make sure the Firefighter role is assigned to Firefighter IDs in the corresponding client system and that the same role has been given as parameter value for configuration parameter 4010. Configuration parameters can be configured in the transaction code SPRO => Governance, Risk & Compliance => Access Control => Maintain Configuration Settings.
Once you are done with the above steps, re-run an Incremental/Full User Sync for the Firefighter IDs with the Firefighter Role to be SYNCed into the GRC box. Now re-launch the application via NWBC or Portal and then search for the Firefighter ID and this should be available in the Firefighter ID list. See also Note 1668255 …"

Once you have executed the auth & repository sync job with the corresponding target connector, the FF ID will be available for selection in the GRC Box. [screenshot]

Assign Owners: [screenshot]

Assign Firefighter IDs to Firefighters: Here you assign the Firefighter ID to the corresponding Firefighter users (one or more). [screenshot] And in the controller tab set the controller user: [screenshot]

Firefighter collector Job:

Execute tx. GRAC_SPM_LOG_SYNC and schedule the log collection periodically as per note 1617529.
Known problems with time zones: Note 1595462 - Transaction logs are not getting captured by GRC 10.0
Known problem when connector is set to "*": Note 1726157 - Logs not visible in the SPM Reports
Note 1775432 - GRAC10 EAM GRAC_SPM_LOG_SYNC_UPDATE doesn't collect data

E-mail configuration:

If you want the controller to receive e-mails (firefighter logon notification and firefighter session details) you have to check the following:
- Make sure your Basis team has properly configured outgoing e-mails from the GRC Box (Tx. SCOT).
- The controller notification method was set to Email (see above).
- SPRO parameters: 4002 Send E-mail Immediately = YES; 4007 Send Log Report Execution Notification Immediately = YES; 4008 Send FirefightID Logon Notification = YES; 4009 Log Report Execution Notification = YES.
- The controller user (FF_CONTROL) has "Comm. Method" set to "E-Mail" in SU01 and has a valid e-mail address.
- The WF-BATCH user must also have an e-mail address in SU01, otherwise you'll get the following error in tx. SLG1: [screenshot] According to the configuration settings guide: [screenshot] You can change the parameter and use another user to send the e-mails.

After executing GRAC_SPM_LOG_SYNC_UPDATE, please execute tx. SOST and check if the e-mails were generated (you have to access the firefighter to get the e-mails).

Check note 1545511 - Firefighter Log Not sent in Email to Controller (for 5.3, but useful).
Note 1618040 - Superuser Privilege Management Log Report Content
Note 1065048 - Firefighter incorrect language setting on ERP Production
Note 1730649 - Performance fix for SPM transaction logs for large systems
Note 1732938 - Firefighter owner can assign ANY Firefighter ID to Firefighter User
Note 1747283

Implement Firefighter user Exit:

Although the Firefighter ID password is changed by the application each time you start the firefighter (you can check it via change documents in the target system), Firefighter IDs need to be restricted from logging in to the SAP system directly via SAP GUI. For this purpose we need to create and modify the SAP User Login Exit.

Links to more documentation:
Note 1394281 - Firefighter User Exit
Note 1735971 - User exit to prevent direct firefighter login

Required RFC connections for EAM:

Please check note 1701047 - Is it mandatory to use trusted connection in the RFC destination for Firefighter Connector? "Yes it is mandatory to make a trusted relationship so that communication can be established between the GRC system and the plug-in."
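As an added illustration (not part of the original post and not SAP tooling), the following Python checker encodes the prerequisites spread over the parameter table, the "Parameter 4010" explanation, the Synchronization Jobs note and the E-mail configuration checklist, so you can run them as one pre-flight test before the sync jobs. Its inputs are plain dicts you fill by hand from SPRO, SU01 and the connector setup; the system IDs (ERPCLNT100, CRMCLNT200), the user FF_CRM and all sample values are constructed.

```python
# Added example: pre-flight checker for the EAM prerequisites; inputs are hand-filled dicts.
RECOMMENDED = {"4000": "1", "4001": "30", "4002": "YES", "4003": "YES",
               "4004": "YES", "4005": "YES", "4006": "YES", "4007": "YES",
               "4008": "YES", "4009": "YES"}   # initial values from the parameter table


def check_eam_setup(grc_params, scenario_links, target_systems, grc_users):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    # 1. Parameter drift against the recommended initial configuration.
    for pid, want in RECOMMENDED.items():
        if grc_params.get(pid) != want:
            findings.append(f"param {pid}: is {grc_params.get(pid)!r}, recommended {want!r}")
    ffid_role = grc_params.get("4010", "")
    if not ffid_role.upper().startswith(("Z", "Y")):
        findings.append("param 4010: use a customer-namespace copy of SAP_GRC_SPM_FFID")
    # 2. Every target connector must be linked to the SUPMG scenario (note 1562760).
    for sysid in target_systems:
        if sysid not in scenario_links.get("SUPMG", ()):
            findings.append(f"{sysid}: connector not linked to SUPMG scenario")
    # 3. Target-system side: the 4010 role must exist with exactly the same name and be
    #    assigned to every Firefighter ID, which should be of user type Service.
    for sysid, sysdata in target_systems.items():
        if ffid_role not in sysdata["roles"]:
            findings.append(f"{sysid}: role {ffid_role} not found (must equal param 4010)")
        for uid, user in sysdata["ffids"].items():
            if ffid_role not in user["roles"]:
                findings.append(f"{sysid}/{uid}: lacks {ffid_role}; not selectable after sync")
            if user["type"] != "Service":
                findings.append(f"{sysid}/{uid}: user type {user['type']}, expected Service")
    # 4. GRC Box side: controller and WF-BATCH need an e-mail address for notifications.
    for uid in ("FF_CONTROL", "WF-BATCH"):
        if not grc_users.get(uid, {}).get("email"):
            findings.append(f"GRC/{uid}: no e-mail address maintained in SU01")
    if grc_users.get("FF_CONTROL", {}).get("comm_method") != "E-Mail":
        findings.append("GRC/FF_CONTROL: communication method in SU01 is not E-Mail")
    return findings


# Constructed sample with one deliberate gap of each kind so the checker has something to report.
SAMPLE_PARAMS = {**RECOMMENDED, "4001": "7", "4010": "Z_SAP_GRC_SPM_FFID"}
SAMPLE_LINKS = {"SUPMG": {"ERPCLNT100"}}          # CRMCLNT200 connector was never linked
SAMPLE_TARGETS = {
    "ERPCLNT100": {"roles": {"Z_SAP_GRC_SPM_FFID"},
                   "ffids": {"FIREFIGHTER_ID": {"type": "Service", "roles": {"Z_SAP_GRC_SPM_FFID"}}}},
    "CRMCLNT200": {"roles": {"Z_FFID"},           # role name differs from parameter 4010
                   "ffids": {"FF_CRM": {"type": "Dialog", "roles": {"Z_FFID"}}}},
}
SAMPLE_GRC_USERS = {"FF_CONTROL": {"email": "controller@example.com", "comm_method": "E-Mail"},
                    "WF-BATCH": {"email": ""}}   # WF-BATCH without address: SLG1 error described above
```

Running check_eam_setup on the sample data lists six findings: the 4001 drift, the unlinked CRM connector, the mismatched role name and its two consequences for FF_CRM, and the missing WF-BATCH address.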