SAP GRC Access Controls 12.0: Emergency Access Management (EAM)

 SAP GRC Access Controls 12.0
Emergency Access Management (EAM)


SAP GRC Access Control enables organizations to control access, prevent fraud and minimize the time and cost of compliance.
The Emergency Access Management (EAM) is one of the module in GRC Access Control. It is implemented in the organizations for managing emergency access.
With the EAM, user can request for the emergency access to systems and applications. Role owners/Business process owners can review and approve the emergency access.
Security audit can be performed and logs can be monitored with the EAM module.

Below are the IDs required for implementing the EAM

a. Firefighter: User who require the emergency access
b. Firefighter ID: User ID with the emergency/additional access
c. Firefighter Owner: User ID responsible for Firefighter ID and assignment for Firefighters and Controllers.
d. Firefighter Controller: User ID responsible for reviewing and approving the log files created from firefighting activities.

Prerequisites for implementing the Emergency Access Management

a. Completed the post installation steps for SAP GRC AC.
b. Completed the setting up of GRC connectors to the target systems
c. Completed the assignment of integration scenario SUPMG to all EAM relevant connectors.
d. Completed the User Exit implementation which prevents from logging of FF ID to the target systems via SAP GUI.
e. Completed the activation of below Business Configuration (BC)  sets.
GRAC_SPM_CRITICALITY_LEVEL
GRAC_ACCESS_REQUEST_PRIORITY
GRC_MSMP_CONFIGURATION
GRAC_ACCESS_REQUEST_REQ_TYPE

Below are the SAP standard roles related to EAM. These roles are the sample roles and use them create your own roles as per the organization naming convention.

a. SAP_GRAC_SUPER_USER_MGMT_ADMIN: This role is for the administrators. This role provides the complete access EAM functionality.
b. SAP_GRAC_SUPER_USER_MGMT_OWNER: This role is for FF ID owners.
c. SAP_GRAC_SUPER_USER_MGMT_CONTROLLER: This role is for FF ID controllers.
d. SAP_GRAC_SUPER_USER_MGMT_USER: This role is for FF ID users who required emergency access.
e. SAP_GRAC_SPM_FFID: This role turns the user ID to a Firefighter ID. 

Application types in Emergency Access Management

ID-Based Firefighter: Providing Firefighter access by assigning the Firefighter ID to users. One Firefighter ID can be assigned to multiple users, but only one user can use Firefighter ID to login at any time. Change history is recorded with the Firefighter ID.

Role-Based Firefighter: Providing Firefighter access by assigning the Firefighter role to users. Firefighter role can be directly assigned to regular user ID using SU01 or through access request management. Change history is recorded with the regular user ID.

Only one application type can be used at a time. Configuration parameter 4000 is used to setup the application type.

Centralized GRC: In Centralized system, user can access all the authorized plug-in systems remotely from GRC system. Transaction code GRAC_EAM is used to on the GRC system.

Decentralized GRC: In Decentralized system, user has to log on to the respective plug-in system and perform the firefighting activities. Transaction code /GRCPI/GRIA_EAM is used on the plug-in system to complete the activities.

Reason Codes: Reason codes are used when a Firefighter tries to login to the system from EAM launchpad for completing the firefighter activities. Firefighter has to provide the reason code by selecting from the available reason codes.

Synchronous Jobs

Below jobs needs to be scheduled for smooth process
a. Repository Object Sync: This job synchronizes user, role and profile data.
b. Firefighter Log Sync: This job synchronizes firefighter logs from target system to the GRC repository.
c. EAM Master Data Sync: This job synchronizes master data from target system to the GRC repository.

Check my SAP GRC Questions and Answers videos


Location: Chicago, IL, USA

Comments

Post a Comment

Popular posts from this blog

SAP Security: Critical Authorization Objects

SAP Security: Critical Authorization Objects 1. S_TABU_DIS: This authorization object enables authorization check for displaying or modifying the table content. For accessing the table data, users use SE16, SM30 or SM31 transaction codes. This object contains two fields, DICBERCLS (authorization group) and ACTCT. 2. S_RFC: This authorization object enables authorization check for remote function call to access program modules (function modules). This authorization object contains three fields, RFC_TYPE, RFC_NAME and ACTCT. 3. S_DATASET: This authorization object enable file access at operating system level. This gives permission to access files from ABAP programs. This object contains three fields, File name, Program and Activity. 4. S_ADMI_FCD: This authorization objects enable access to various administrator activities like system monitoring, spool administration, client creations, update administration etc. This object contains one field, system administration functions. 5. S_DE
Read more

SAP GRC Security Consultant Roles and Responsibilities

SAP GRC Security Consultant Roles and Responsibilities 1. SAP GRC Consultant should have a knowledge on Governance, Risk and Compliance products. 2. Should have a thorough knowledge as well as experience in relation between ERP and GRC systems. 3. Should have an experience in configuring and supporting of GRC components like ARA, ARM, BRM and EAM. 4. GRC consultant should be having good understanding of GRC architecture. 5. Should be having hands on experience in user provisioning, role management, risk analysis, emergency access management and monitoring. 6. Should have experience in pre installation, post installation, connector settings, rule building and MSMP workflows and BRF+ in the ARM and BRM components. 7. Should have experience in end to end implementation of GRC Access Controls. 8. Should have experience in designing and developing the SAP business process. 9. Should be able to gather business requirements and implement the same in the GRC AC modules like ARA, ARM, BRM and E
Read more

SAP Security: How to set auto Logoff for Inactive users in SAP

Image
How to set auto Logoff for Inactive users in SAP SAP provides an options for logging of inactive users in SAP automatically. Inactive means if there is no activity for a specific period of time. By setting the auto logoff improves the security in the SAP system. The auto logoff options is not active in the system by default. This needs to be activated using the profile parameter called rdisp/gui_auto_logout. The value for this parameter should be set in the form of seconds. The inactive users are logout of the system after the specific time period that is set in the parameter. The SAP system doesn't save the data before auto logoff and it does not popup any prompt before auto logoff. Procedure to set the value in the Profile parameter: Execute transaction code RZ10 Select the DEFAULT profile from the selection menu. Select the Extended maintenance and click on change icon. Click on the create parameter icon as shown below. Enter the new parameter name as rdisp/gui_auto_logout and c
Read more