SAP GRC Access Controls 12.0: Emergency Access Management (EAM)

 SAP GRC Access Controls 12.0
Emergency Access Management (EAM)


SAP GRC Access Control enables organizations to control access, prevent fraud and minimize the time and cost of compliance.
The Emergency Access Management (EAM) is one of the module in GRC Access Control. It is implemented in the organizations for managing emergency access.
With the EAM, user can request for the emergency access to systems and applications. Role owners/Business process owners can review and approve the emergency access.
Security audit can be performed and logs can be monitored with the EAM module.

Below are the IDs required for implementing the EAM

a. Firefighter: User who require the emergency access
b. Firefighter ID: User ID with the emergency/additional access
c. Firefighter Owner: User ID responsible for Firefighter ID and assignment for Firefighters and Controllers.
d. Firefighter Controller: User ID responsible for reviewing and approving the log files created from firefighting activities.

Prerequisites for implementing the Emergency Access Management

a. Completed the post installation steps for SAP GRC AC.
b. Completed the setting up of GRC connectors to the target systems
c. Completed the assignment of integration scenario SUPMG to all EAM relevant connectors.
d. Completed the User Exit implementation which prevents from logging of FF ID to the target systems via SAP GUI.
e. Completed the activation of below Business Configuration (BC)  sets.
GRAC_SPM_CRITICALITY_LEVEL
GRAC_ACCESS_REQUEST_PRIORITY
GRC_MSMP_CONFIGURATION
GRAC_ACCESS_REQUEST_REQ_TYPE

Below are the SAP standard roles related to EAM. These roles are the sample roles and use them create your own roles as per the organization naming convention.

a. SAP_GRAC_SUPER_USER_MGMT_ADMIN: This role is for the administrators. This role provides the complete access EAM functionality.
b. SAP_GRAC_SUPER_USER_MGMT_OWNER: This role is for FF ID owners.
c. SAP_GRAC_SUPER_USER_MGMT_CONTROLLER: This role is for FF ID controllers.
d. SAP_GRAC_SUPER_USER_MGMT_USER: This role is for FF ID users who required emergency access.
e. SAP_GRAC_SPM_FFID: This role turns the user ID to a Firefighter ID. 

Application types in Emergency Access Management

ID-Based Firefighter: Providing Firefighter access by assigning the Firefighter ID to users. One Firefighter ID can be assigned to multiple users, but only one user can use Firefighter ID to login at any time. Change history is recorded with the Firefighter ID.

Role-Based Firefighter: Providing Firefighter access by assigning the Firefighter role to users. Firefighter role can be directly assigned to regular user ID using SU01 or through access request management. Change history is recorded with the regular user ID.

Only one application type can be used at a time. Configuration parameter 4000 is used to setup the application type.

Centralized GRC: In Centralized system, user can access all the authorized plug-in systems remotely from GRC system. Transaction code GRAC_EAM is used to on the GRC system.

Decentralized GRC: In Decentralized system, user has to log on to the respective plug-in system and perform the firefighting activities. Transaction code /GRCPI/GRIA_EAM is used on the plug-in system to complete the activities.

Reason Codes: Reason codes are used when a Firefighter tries to login to the system from EAM launchpad for completing the firefighter activities. Firefighter has to provide the reason code by selecting from the available reason codes.

Synchronous Jobs

Below jobs needs to be scheduled for smooth process
a. Repository Object Sync: This job synchronizes user, role and profile data.
b. Firefighter Log Sync: This job synchronizes firefighter logs from target system to the GRC repository.
c. EAM Master Data Sync: This job synchronizes master data from target system to the GRC repository.

Check my SAP GRC Questions and Answers videos


Comments

Popular posts from this blog

SAP Security: Critical Authorization Objects

SAP Security: How to set auto Logoff for Inactive users in SAP

SAP GRC Security Consultant Roles and Responsibilities