Purpose and functionality
- EAM allow users to take responsibility for task outside of their normal job function.
- Allow temporary access for users when assigned with solving problem, giving them provisionally broad, but regulated access.
- This temporary access will monitored and reviewed by the application.
- EAM provides the ability to manage and utilize firefighting activities centrally from the access control application
- The log files can be distributed to controller and owner via workflow for additional approval
- The owner of the ID
- The controller
- The users who will log on through EAM.
Important Roles and Terms
- Firefighter: a business users requiring emergency access.
- Firefighter ID:
- A user id with elevated priviledges.
- Access T-code GRAC_SPM
- Firefighting: the act of using a firefighter id.
- Controller: review and approves (if necessary) the log file generated by the firefighter.
- Owner: a user responsible for the firefighter id and assignment the controller of the firefighter.
Firefighter Application type:
There are two deferent applications that can be used that can be used:
- ID based firefighter Application
- Role Based firefighter Application.
- Configure in the IMG using parameter 4000 (Application type)
- Only once application can be configured at a given time.
GRC Server package
- The main application runs in the GRC server.
- It is possible to assignment user for all system using NWBC or portal.
- Provisioning of the emergency access can also be done via access request(Workflow)
- Firefighter access is done centrally using the GRC system.
- Firefighter logon to the GUI back and execute t-code GRAC_SPM
- Click on the login.
Emergency Access Architecture
- Once component called plug-in that is installed in remote system.
- Emergency Access Management access the plug-in using RFC.
- Create users and roles as needed
- Execute program GRAC_ROLEREP_USER_SYNC
Centralized firefighter overview and prerequisites
Centralized firefighter overview
- EAM provides a centralized console through which firefighter can logon to deferent system for firefighting.
- In id based scenarios, firefighter do not have to logon to individual client system to do firefighting.
Centralized firefighter prerequisites
- Application type is 1 for id based firefighting
- Set parameter group 6 super users management
- Set parameter id 4000
- Firefighter user must exists in the central access control system and the role SAP_GRAC_SPM_FIREFIGHTER
Centralized Logon Pad
● Access Control provides centralized logon pad for accessing the firefighter IDs in all connected back end systems
The centralized logon pad allows:
- Displaying all firefighter IDs assigned to the user
- Logging on to all connected back end systems
- Sending messages to other firefighters who are using a specific firefighter ID
- Unlocking a firefighter session not closed properly
While a Firefighter Session is running
- The status of the firefighter ID will display in red
- The firefighter can take the following actions:
● Click Additional Activity to enter more information
● If the firefighter ID is in use by another firefighter, choose Message to send notification to the other firefighter
● Choose Unlock to unlock the firefighter ID if it is locked
4001-Default Firefighter Validity Period (Days)
4002-Send Email Immediately
4003-Retrieve Change Log
4004-Retrieve System log
4005-Retrieve Audit log
4006-Retrieve OS Command log
4007-Send Log Report Execution Notification Immediately
4008-Send FirefightId Login Notification
4009-Log Report Execution Notification
4010-Firefighter ID role name
Monitoring Emergency Access
Firefighter Report types and purpose
Using firefighter reports
- Resulting change log is stored in CDHDR and CDPOS tables
- Log data is retrieved from the client system and stored in GRC for report generation