Emergency Access Management Reporting
In this article, I will provide an overview of the Emergency Access Management reports and which information can be seen. GRC provides six reports specifically for EAM, e.g. the consolidate log report shows firefighting activities which have been executed while using firefighter. The consolidate log report is far the best and used for management review from the firefighter controller (if workflow is in place). The consolidated log report has all the captured information from the backend system in a consolidated view. Following a short overview of the captured information and where it comes from.
Captures transaction executions from transaction STAD. System, Firefighter, Firefighter ID, Reason Code, Transaction, Date and Owner are read.
Captures debug and replace information from transaction SM21.
Captures change log from change document objects which are stored in table CDPOS and CDHDR.
Security Audit Log
Captures security audit log from transaction SM20.
OS Command Log
Captures changes to OS commands from transaction SM49. For further investigation or to get more information about the activities performed in the backend system these transactions might be helpful.
Other reports are:
Invalid Superuser Report – shows expired, locked and deleted firefighter IDs.
Firefighter Log Summary – shows firefighter ID session details (only available for ID-Based firefighter, see also my blog post about Types of Firefighter).
Reason Code and Activity Report – shows reason and activity details.
SOD Conflict Report for Firefighter IDs – shows SoD conflicts (risk analysis) for firefighting sessions.
Please contribute in this blog post and share your experience and know-how about firefighter reporting.