Skip to Content
Author's profile photo Arif Mahamud

Emergency Access Management

Purpose and functionality

  1. EAM allow users to take responsibility for task outside of their normal job function.
  2. Allow temporary access for users when assigned with solving problem, giving them provisionally broad, but regulated access.
  3. This temporary access will monitored and reviewed by the application.
  4. EAM provides the ability  to manage and utilize firefighting activities centrally from the access control application
  5. The log files can be distributed to controller and owner via workflow for additional approval

Defining Users

  1. The owner of the ID
  2. The controller
  3. The users who will log on through EAM.

Important Roles and Terms

  1. Firefighter:  a business users requiring emergency access.
  2. Firefighter ID:
  3. A user id with elevated priviledges.
  4. Access T-code  GRAC_SPM
  5. Firefighting: the act of using a firefighter id.
  6. Controller:  review and approves (if necessary) the log file generated by the firefighter.
  7. Owner: a user responsible for the firefighter id and assignment the controller of the firefighter.

Firefighter Application type:

There are two deferent applications that can be used that can be used:

  1. ID based firefighter Application
  2. Role Based firefighter Application.
  • Configure in the IMG using parameter 4000 (Application type)
  • Only once application can be configured at a given time. 

GRC Server package

  1. The main application runs in the GRC server.
  2. It is possible to assignment user for all system using NWBC or portal.
  3. Provisioning of the emergency access can also be done via access request(Workflow)


  1. Firefighter access is done centrally using the GRC system.
  2. Firefighter logon to the GUI back and execute t-code GRAC_SPM
  3. Click on the login.

Emergency Access Architecture


  1. Once component called plug-in that is installed in remote system.
  2. Emergency Access Management access the plug-in  using RFC.


  1. Create users and roles as needed
  2. Execute program GRAC_ROLEREP_USER_SYNC

Centralized firefighter overview and prerequisites

Centralized firefighter overview

  1. EAM provides a centralized console through which firefighter can logon to deferent system for firefighting.
  2. In id based scenarios, firefighter do not have to logon to individual client system to do firefighting.

Centralized firefighter prerequisites

  1. Application type is 1 for id based firefighting
  2. Set parameter group 6 super users management
  3. Set parameter id 4000
  4. Firefighter user must exists in the central access control system and the role SAP_GRAC_SPM_FIREFIGHTER

Centralized Logon Pad

       ● Access Control provides centralized logon pad for accessing the firefighter IDs in all connected back end systems

The centralized logon pad allows:

  1. Displaying all firefighter IDs assigned to the user
  2. Logging on to all connected back end systems
  3. Sending messages to other firefighters who are using a specific firefighter ID
  4. Unlocking a firefighter session not closed properly

While a Firefighter Session is running

  1. The status of the firefighter ID will display in red
  2. The firefighter can take the following actions:

    ● Click Additional Activity to enter more information

    ● If the firefighter ID is in use by another firefighter, choose Message to send notification to the other firefighter

● Choose Unlock to unlock the firefighter ID if it is locked

EAM Configuration

Parameter setting

4000-Application type

4001-Default Firefighter Validity Period (Days)

4002-Send Email Immediately

4003-Retrieve Change Log

4004-Retrieve System log

4005-Retrieve Audit log

4006-Retrieve OS Command log

4007-Send Log Report Execution Notification Immediately

4008-Send FirefightId Login Notification

4009-Log Report Execution Notification

4010-Firefighter ID role name

Monitoring Emergency Access

Firefighter Report types and purpose

Using firefighter reports

  1. Resulting change log is stored in CDHDR and CDPOS tables
  2. Log data is retrieved from the client system and stored in GRC for report generation

Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member


      It is very informative, as a improvement please could you add screen shots for each steps that would give more clarity on the topics.