SAP GRC Access Control 10.0/10.1/12.0 – De-Centralized EAM
Purpose of the Document
In GRC 10.0, SAP introduced a centralized Emergency Access Management (EAM) process, unlike the approach in the older GRC 5.3, and this change received mixed reviews from GRC users.
Initially a user submitted an idea in SAP Idea Place asking SAP to provide de-centralized EAM functionality in GRC 10.0, in the same way it had been used in GRC 5.3, and many GRC consultants supported the idea.
Finally SAP provided the de-centralized firefighting feature in GRC 10.0 from Support Pack 10. Depending on the client’s needs, the option “log on centrally” (the existing GRC 10 behaviour) or “log on locally” (the GRC 5.3 behaviour) can be configured in GRC 10 and GRC 10.1.
The system can also be configured for both the centralized and the de-centralized approach at the same time, but a user can log on either centrally or locally, as there can be only one firefighter session at a time.
De-centralized EAM configuration – SP13 – ID based Firefighting
Step 1: Creating Connector and Assigning Integration Scenarios
Creating Connector
Create a new connector using transaction SM59, or through the path below.
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Create Connectors
Under Logon & Security, maintain the details as shown below. User “GRCSYSADM” is a system user that exists in the S4HANA system with the required authorizations.
Once you have finished the above steps, save the connector and perform a Connection Test and an Authorization Test. When the connection is successful, you will see the following message:
Maintain Connectors and Connection Types
Now click on Maintain Connectors and Connection Types via the path below; this is required to assign a connection type to the connector created in the previous step.
You will see the screen below, which lists the connection types available in the GRC system.
Maintain the entries for your connector as shown below:
The connector must then be assigned to a connector group. This is similar to a logical system in GRC 5.3, where similar systems are grouped under one logical system. You can create your own connector group or use the connector groups created in the system as part of BC set activation. Then assign your connector to the connector group as shown below.
Once you have these connector groups, assign the connector group to a group type as shown below.
The next step is to assign connectors to the connector group as shown below.
Maintain Connection Settings
Connectors must be assigned to all available integration scenarios (AM, ROLMG, SUPMG, AUTH, PROV), as this is good practice according to SAP (under Common Component Settings -> Integration Framework -> Maintain Connector Settings). Repeat the steps shown below for the ROLMG, SUPMG and PROV scenarios.
Maintain Connector Settings
Now go to the path below to maintain connectors with application types.
Maintain Mapping for actions and Connector Groups
For POC purposes we are connecting the GRC 10 system to the S4HANA system, so only one connector group is in active status. From the same screen we can define the default connector to be used for different actions, as shown below.
For example, if you are creating an LDAP connector, the mapping between AC and LDAP fields is maintained in Assign Group Field Mapping. Once all the above steps are performed, the next step is to schedule the synchronization jobs in the order advised by SAP.
Step 2: Creating FF Users, FF Owners, FF Controllers in GRC 10
FF users execute transaction /n/GRCPI/GRIA_EAM in the plug-in system and log on with the firefighter IDs assigned to them, so the users no longer need to exist in the GRC system.
The following role must be assigned to the firefighter user, for centralized as well as de-centralized firefighting:
SAP_GRAC_SUPER_USER_MGMT_USER
FF IDs are created in the plug-in system and assigned the role SAP_GRAC_SPM_FFID, or its “Y” or “Z” equivalent, to make them recognizable as FF IDs.
- FF Owners, FF Controllers and Reason Codes are created and maintained in the GRC system.
NWBC -> Setup -> SuperUser Assignment and NWBC -> Setup -> SuperUser Maintenance
- The FF Controller should also exist in the plug-in system with a valid e-mail ID, as FF login notifications are sent to the controller’s mail ID maintained in the plug-in system.
- FF log notifications are sent to the FF controller’s mail ID maintained in the GRC system. Hence the FF controller should exist in both the GRC and the plug-in system.
Step 3: Synchronization Jobs in GRC 10
In GRC 10, synchronization jobs can be run from SPRO -> IMG, navigating to Governance, Risk & Compliance -> Access Control -> Synchronization Jobs.
- Authorization Synch: synchronizes PFCG authorization data.
- Repository Object Synch: synchronizes profile, role and user master data.
- Action Usage Synch: synchronizes action usage data.
- Role Usage Synch: synchronizes role usage data.
- Firefighter Log Synch: synchronizes the firefighter logs from the plug-in system to the GRC system.
- Firefighter Workflow Synch: initiates the FF log report review workflow, based on your workflow settings, which sends the FF log report to the FF controller for review.
- EAM Master Data Synch: this is the new job introduced as part of de-centralized firefighting. It synchronizes the EAM data from the GRC box to the plug-in system. Once you have created all required users, execute this job to synchronize the data from GRC to the plug-in system.
These reports can also be scheduled as background jobs.
Step 4: Configuration Parameters
SAP has introduced a new configuration parameter, 4015, which has to be set to “YES” in order to enable de-centralized firefighting, as shown below.
Configuration Parameters – GRC system
Configuration Parameters – Plug-in system
In GRC System:
Step 5: Assigning FF Ids to Users
Unable to find FF IDs in NWBC.
- Check whether the configuration parameters are maintained as described in the Configuration Parameters step above.
- Check whether all synchronization jobs have been executed as described in the Synchronization Jobs step above.
- Check whether the user searching for FF IDs in NWBC has the required access.
- Also check the configuration below.
Assign Owner and Controller:
Without assigning an owner and a controller, you might not be able to assign the FF ID to a firefighter. From NWBC -> Setup -> Super User Assignment, assign the Owner, and from NWBC -> Setup -> Super User Maintenance, assign the Controller.
Now you can assign the firefighter ID to firefighters, either directly or through a GRC access request.
In the plug-in system you will find all the FF roles required for the user, controller, etc. Create Y or Z copies of them and assign those copies to the users.
Step 6: FF ID is assigned to the FF User
The FF user has been assigned the FF ID.
Now the FF user executes transaction /n/GRCPI/GRIA_EAM in the plug-in system and can see the FF ID assigned to his user ID. When the FF user tries to log on with the assigned FF ID, the error below appears.
We already had the RFC connector S4HANA created in the GRC system to connect from GRC to S4HANA and vice versa. This error was resolved by creating an RFC connection locally, in the plug-in system, with the same name S4HANA, as the system expects a local RFC connection with that name.
Once this issue was fixed, users were able to log on as firefighters from the plug-in system and complete their tasks.
Step 7: Firefighter Login and Log Notifications
Configurations required for the Login Notification:
- In the GRC box, maintain the configuration parameters as described above in Step 4.
- Make sure that the ‘EAM master sync job’ has completed.
- In the plug-in system, maintain the configuration parameters as described above in Step 4.
- In the plug-in system, the FFID controller must exist with a valid e-mail ID, as the e-mail notification is sent from the plug-in system.
- In the de-centralized model, the login notification mail is sent from the firefighter user’s own SU01 mail ID. Make sure that the e-mail ID of the firefighter user is also maintained properly.
- The FF user’s time zone and the system time zone should be the same in the plug-in system.
Login Notification sent from Plug-in system:
Configurations required for the Log Report Notification:
Unlike the login notification, the log report notification is sent from the GRC box. Almost all of the steps are the same as in the centralized case.
- Make sure that configuration parameter 4002 is maintained in the GRC box.
- If parameter 4007 is set to ‘Yes’, schedule only the job GRAC_SPM_LOG_SYNC_UPDATE. This job sends the log report notification as well.
- If parameter 4007 is set to ‘NO’, schedule the job GRAC_SPM_LOG_SYNC_UPDATE for synchronization. It will not send the log report notification; for the log report, another job, GRAC_SPM_WORKFLOW_SYNC, must also be scheduled.
- The controller of the FFID is configured with a valid e-mail ID.
- In NWBC -> Access Management -> Controller, make sure that the ‘Notification By’ column is set to ‘Email’.
- Make sure that the ‘EAM master sync job’ has completed.
- No setting needs to be maintained in the plug-in system in this case.
Log Notification sent from GRC system:
Firefighter Login Issues – Plug-in system
Log on as firefighter using transaction /n/GRCPI/GRIA_EAM.
The user enters the reason code and activity details and clicks OK.
Instead of the firefighter session, the user is presented with a login screen.
Fix
The user should be assigned the role below, and must also have access to authorization object S_USER_GRP with activities 03 and 05:
SAP_GRAC_SUPER_USER_MGMT_USER
EAM for Webdynpro and Web based applications
Firefighter functionality is primarily designed for use with ABAP systems. Many of us have had a requirement to implement EAM for Web Dynpro or web-based applications, but there are many limitations in using EAM for such applications.
To understand EAM functionality with Web Dynpro applications, please check out the blog post below.
Emergency Access Management (EAM) for Webdynpro applications or Web-based applications – GRC 10.0
Wrong Firefighter ID Status – De-centralized EAM:
When a firefighter tries to log on to the system via transaction /n/GRAC_SPM, the following error appears:
“<Firefighter ID> is logged on using <some other firefighter id> firefighter id.”
Please check the SAP Notes below to resolve the issue.
1895204 – Error message: <Firefighter ID> is logged on using <some other firefighter id> firefighter ID
1702370 – Wrong Firefighter Id Status
Thanks for reading.
I look forward to your inputs on improving this blog with additional details or scenarios.
Best Regards,
Madhu Babu Sai
Thank you Madhu, it is a useful document.
Thanks
Subbu Gogineni
Thanks Subbu. You can give your inputs if you want me to add any other content to this blog w.r.t. EAM.
Regards,
Madhu.
I have one question:
Company code 200, and I have 100 roles: how do I add the company code to all 100 roles at a time in SAP security?
Hi Madhu,
Thanks a lot. I was configuring de-centralized EAM in our test client and this blog was quite helpful, as I completed all the steps without any hassles.
Looking forward to more blogs from you.
Regards,
Sai.
Hi Sai,
Glad you found it useful. Will surely share more blog posts.
Regards,
Madhu.
Madhu,
Good document!
Regards,
Faisal
Faisal,
Thanks buddy 🙂
Regards,
Madhu.
Hi Madhu,
A very helpful document to understand the concept and troubleshoot.
Thanks,
Omkar
Madhu,
Very well Explained 🙂
Nice blog
Hi Madhu,
I’m trying to understand something. According to several SAP Notes the connector to be used for EAM must be "trusted". I see in your demo that you didn’t create it like that, so is it really mandatory to make it trusted? I’m having some issues because when I make the connection "trusted" I need to create all users on the target system and GRC, and that kind of defeats the purpose of having a centralized solution.
Hi Jonathan,
Yes, you are right; without a trusted connection my setup is working perfectly up to now and I didn't face any issues. But I cannot guarantee that it is not mandatory; maybe check with SAP once.
Regards,
Madhu.
Hi Madhu,
Your document is really helpful as I am a beginner in SAP GRC. I have done the same, but when I am trying to log on using GRAC_SPM/GRAC_EAM the logon tab is missing.
Can you tell me where I might have gone wrong?
Shabbir:
Are you trying to logon to EAM in the GRC system or in the Target system?
In GRC, you would use transaction GRAC_EAM; however, in the target system you need to use transaction /n/GRCPI/GRIA_EAM. If you get to the FF Launchpad and you are assigned a Firefighter ID, then you will see the entry in the screen, with a LOGON button for that specific ID.
Hope that helps.
Kevin Tucholke
Hi Shabbir,
As Kevin mentioned, first please confirm from which system you are trying to log in as Firefighter: from the GRC system using GRAC_EAM, or in the target system using /n/GRCPI/GRIA_EAM.
Have you run EAM Master data synch job?
Regards,
Madhu.
Hi Madhu,
This is a very useful document. Well described!!
Thanks!
Sammukh
Hi Madhu,
Thank you, it was really good. I have a couple of issues after EAM was configured; if you can help, that would be great.
1) How can I see a mass users decision-pending EAM log report with the owner names next to it?
I tried search request in ARA and it only provides the decision-pending report or other status for the owner I select, but I wanted to see all the owners and their logs’ status with dates. Is there any report/table that can provide this information? I have invalid logs generated for the last 6 months and I want to generate a report where I can find all the logs with status decision pending and the owner’s name next to it, so I can determine if an invalid log is still generated once in a while or if it is fixed.
Thanks
Faisal
Hi Madhu, First of all thanks for posting a very helpful document.
We are currently implementing decentralized EAM, as part of which we have completed all the above-mentioned steps. But when we launch the EAM launchpad in our target/satellite system using tcode /n/GRCPI/GRIA_EAM, click the logon button, select the reason codes, enter the details and reason for login and click Continue, instead of logging in as the FF ID a remote logon session of the same target system is prompted, asking for the username and password of the FF user’s SAP ID. Please see the screenshots below; any help towards resolution of the issue will be very much appreciated.
Thanks, Narsing !!
Hi Narsing,
Please let me know your GRC version and SP level.
Also make sure your FF ID is of SERVICE user type.
Check if this note helps based on your SP level 1886332 - GRC 10.0 EAM prompts for user/password while logging
Moreover, I think this is because of an RFC user authorization issue. Please check the RFC user authorizations as well.
Regards,
Madhu.
Hi Madhu, thanks for the response..
1) We are on GRC 10.1 (GRCFND_A - V1100 patch level 0008).
2) Yes, FF ID is user type "SERVICE" .
3) SAP Note 1886332 is not valid for GRCFND_A - V1100 patch level 0008.
4) I did make sure RFC users on both sides GRC to Plugin and Plugin to GRC had SAP_ALL and RFC authorizations.
Thanks, Narsing !!
I have opened a message with SAP and am waiting for them to answer.
I will update once I hear from them.
Thanks, Narsing !!
Issue resolved; wanted to share the solution.
The RFC user maintained under the loopback RFC destination of the plug-in system needs to have authorization S_USER_GRP with ACTVT 03, 05 and class = user group of the FF ID.
Thanks, Narsing !!
Hi Madhu,
I am trying to achieve the de-centralized FF configuration. I have created owners/controllers in the GRC system with the required roles. Also I have created a service type user (FF ID) and disabled the password in the target system (ECC). After running the different sync jobs, the Firefighter ID, owner and controller are showing up in NWBC and I have assigned the FF to an end user in ECC, but it is not showing in the FF cockpit using tcode "/n/GRCPI/GRIA_EAM".
Maybe it’s because the role SAP_GRAC_SUPER_USER_MGMT_USER needs to be assigned to the end user in the target system, but I am not able to find the role either in the target or the GRC system.
I am using GRC 10.1 comp SAP_GWFND SP SAPK-74007INSAPGWFND.
Please help to resolve.
Thanks,
Trinetra
Awesome Effort ! This Document helped us a lot.
Hi Madhu,
My ECC has component GRCPIERP V1000_700, with patch level 8, and I do not find the /GRCPI/GRIA_EAM t-code.
Could you say in which patch level the t-code is available?
Regards
Plaban
Hi Madhu,
Good Document.
Regards,
Venugopal
Hi Folks,
Thank you very much for giving your valuable documents and suggestions. I am a learner of GRC-AC. Previously I knew how to do the centralised firefighter concept, but now I am able to do de-centralised firefighting with some extension. As per the above document I maintained the system.
Error: I got stuck with the below error, as you suggested at the top.
1) In the plug-in system an RFC connection had already been created automatically by default with the same name. This happened while I was creating the RFC in GRC; automatically this RFC was populated in the plug-in as well.
e.g. RFC in GRC: SAP-FF-RFC; automatically the system populated the same in the plug-in.
In the above step 6 it was mentioned that we need to create one RFC in the plug-in system with the same ID. Please suggest how I can create it with the same ID in the plug-in manually; in this system it is not allowing me to create one with the same name.
In my case, is it required to create one more?
2) As a few members suggested, I have updated the role for the firefighter with the following value: S_USER_GRP with ACTVT 03, 05 and class = user group of the FF ID, in the role {SAP_GRAC_SUPER_USER_MGMT_USER}.
Still the same error is occurring for me:
[ No destination specified]
Please suggest; thanks for your valuable time.
Hi Madhu,
I am using GRC 10.1 and I am in the process of configuring decentralized FF.
Query 1: The FF controller is receiving the logon notification like this:
However, I need the FF controller to receive the notification in the below format:
Could you please tell me what settings I have to change in the plug-in system?
Query 2: My requirement is that the FF controller has to receive the notification in two ways: 1. to his/her e-mail ID and 2. to his/her work inbox in NWBC. Please help me with this.
This is a good blog indeed, really helpful.
I have followed the document to set up de-centralized firefighting, and my struggle is still to figure out if the trusted RFC needs to be set up in the plug-in systems or not. For instance, in HCM we have set up the RFC destination as trusted and it works perfectly, and in FI we did not and it is also working. In HCM, if we do not set it as trusted we get a logon screen when logging in with the FFID after entering the reason codes.
We are on GRC12
GRCFND_A V1200 SAPK-V1202INGRCFNDA
GRCPINW V1200_750 SAPK-V1202INGRCPINW
Thanks in advance
Hi Madhu,
We have a centralized GRC system.
I wanted to know the expected system behavior for the below scenario.
We have 2 FFIDs: FFID_1 & FFID_2. The two FFIDs have different authorizations and different owners. Let’s say the owner of FFID_1 is OWNER_1 and the owner of FFID_2 is OWNER_2. Both FFIDs connect to the same client of the ECC system.
OWNER_1 assigns FFID_1 to USER_1.
Next when OWNER_2 tries to assign FFID_2 also to USER_1, he gets the message 'Firefighter already exists; Change the firefighter' (Message GRAC_SPM_MESSAGES 068).
Why are we getting this message? I expect that the system should allow OWNER_2 to assign FFID_2 also to USER_1.
regards
Nitesh
Nitesh,
Are you getting the error while approving the FFID request or while USER_1 tries to log in with FFID_2?
Can you share the error snap shot?
Regards,
Mahendran R
Hi Mahendran,
We are getting this error when doing a direct assignment of the FFID to the firefighter user in the GRC system.
Error when choosing Firefighter user to assign FFID
regards
Nitesh
Nitesh,
As per SAP Note 2486906, you will need to remove the existing assignment of FFID_1 to USER_1 and then try to assign FFID_2; it will work, as this is standard behaviour.
Regards,
Mahendran R
Mahendran,
The scenario in the note is different from the scenario I have mentioned.
In the note, the scenario is that the user cannot be assigned the same Firefighter ID more than once.
My scenario is that the user is being assigned different Firefighter IDs.
regards
Nitesh
Nitesh,
Go to Setup --> click Firefighters (under Super User Maintenance) --> open the existing USER_1 --> add FFID_2 with validity and owner details. It will work for sure.
Only a new user can be assigned an FFID in that table. For an existing firefighter user, you need to open that firefighter user and add as many FFIDs as you need. Let me know if it works.
Regards,
Mahendran R
Mahendran,
When OWNER_2 opens the application he does not see USER_1 in his list at all, as USER_1 has not been assigned FFID_2. So he cannot open existing user, he has to use 'Assign' function. When he uses the assign function he is getting the error message in the screenshot.
This seems to be a bug in the application. Assignment of different FFIDs to same user of the same connecting system should be independent of each other.
regards
Nitesh
Nitesh,
Can you share the error screenshots step by step?
Regards,
Mahendran R