Skip to Content
Technical Articles
Author's profile photo Madhu Babu #MJ

SAP GRC 10.0/10.1/12.0 – Emergency Access Management (EAM) for Web based applications

GRC 10.0/10.1 – EAM for Web based applications

Emergency Access Management (EAM) is basically designed to support ABAP based applications. Hence there are lot of limitations and issues if it is used for Webdynpro and Web based applications.

Please go through below SAP notes when trying to implement EAM for Webdynpro or Web-based applications to understand the GRC EAM limitations.

1796682 – ‘User Type must be Dialog User’ Dump comes when FFID tries to login to NWBC

1905295 – Launching firefighter application from NWBC not working

Object Services icon not available in Firefighter ID session

Important points to be considered

1. Firefighter approach will not work for Webdynpro and Web based applications if Firefighter ID is a service UserID. Please check the below SAP note for the same

1588075 – SSO fails for service type users in FF session.

2. Since SAP is not supporting SSO for service UserIDs, recommended work around is to convert Firefighter IDs from Service to Dialog user type to make them work properly.

3. When Firefighter ID is made as dialog user type, make sure that no password aging policy is implemented in that system.If you have password aging active in your system, then you will be requested to change the password at regular intervals.

4. Maintain password to the Firefighter ID after converting to dialog user type or generate the password and save it. Now this Firefighter ID can be used to login as Firefighter.

5. Once the above changes are made and when Firefighter user executes NWBC or CRM_UI transactions, web links shows a screen with Change password for Firefighter IDs. To avoid this issue implement the below SAP note.

1736116 – Password change window pops up after Firefighter ID launches NWBC

6. The log for the activities performed by Firefighter id are picked first from transaction logs (STAD) and then from Change Log tables (CDHDR,CDPOS). If the log details are not available then activity details will not be retrieved by GRC. I believe that such information is not captured in above 2 if the firefighter id logs onto web applications and that is why it will not be picked.

Before gathering the above information, i have gone through lot of discussion on this forum regarding the same.

Does SPM (firefighter) support transactions CRM_UI, WUI, START_BSP using SSO?

Risk Analysis, SPM for CRM UI ( CRM 2007)

EAM Issue

There is a idea submitted in the Idea place requesting SAP to enhance GRC 10 to support EAM for CRM,SRM, TM etc which uses Web UI. Please check it out.

EAM – Firefighter not works for portal system such SRM – CRM , etc : View Idea

GRC 12.0 – EAM for Web based applications

As mentioned above, GRC EAM functionality is not supported for Web based applications until GRC version 10.1. However as many of the customers are moving towards FIORI and many other web applications, SAP GRC has rolled out the EAM functionality for Web based applications based on the idea raised in the influence SAP forum.

Details can be viewed in the following SAP Note:


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Alessandro Banzer
      Alessandro Banzer

      very helpful Madhu, thanks for sharing. Could use it today 🙂

      Author's profile photo Rakesh Ram
      Rakesh Ram

      6 Stars on 5.

      Thanks a lot madhu babu for the article.


      Deepak M

      Author's profile photo Baithi Srinivas
      Baithi Srinivas

      Excellent information Madhu.



      Author's profile photo Former Member
      Former Member

      Excellent Information Madhu. Looking forward to see more posts of this kind 🙂 .



      Author's profile photo Former Member
      Former Member

      Hello Madhu & Others,

      We have integrated the new SAP CRM 7.0 systems with GRC 10.0 system. When the Firefighter is executing the transaction CRM_UI to open in browser, it is asking for login credentials. Is there any way so that it does not ask for a password when logged in using Firefighter ID?

      Author's profile photo Vineeth Kumar
      Vineeth Kumar

      Hi Madhu,

      Thanks for sharing this article, I have configured the FFIDs for FIORI apps. While performing the testing I ran into an issue and wanted your suggestion.

      When I login as Firefighter and execute /N/UI2/FLP this will lauch the Fiori lauchpad -> next I perform the FF Activity by executing a Tcode and FAPP. After I come out and run all the FF related sync jobs, I receive a log pertaining to this request. Next, as a controller I should see the activity log for tcodes and also FAPPs but I only see tcodes and nothing related to FAPP - why?

      Any suggestion would be of great help. thanks!



      Author's profile photo ANIL KUMAR

      Hello Vineeth,


      Even I have faced the same issue then I raised request to SAP for the same and got below response.


      "The FF web app feature was released in AC 12.0 SP04. However currently all
      logs are not captured from the front-end web application.

      Currently I am not aware of any change in this standard behaviour."

      Author's profile photo Daniela Bork
      Daniela Bork

      Hi Madhu,

      thanks for your informative blog!

      I have some questions on the GRC 12 functionality of web based FF:

      • You say only one (Fiori or NWBC) can be maintained for a system, is that still true? Seems we can maintain this attribute multiple times and it works for both. How else to handle systems with both NWBC and Fiori?
      • Does the attribute also mean all other web applications (not via NWBC or Fiori) are not logged?



      Author's profile photo Priya Jindal
      Priya Jindal

      Hi Madhu,


      I have done the WEBGUI URL configuration for my Fiori connector under IMG in my GRC 12 system.  Could you let me know how to proceed next to use the WEBGUI to logon through FFID?


      Thanks in advance


      Author's profile photo Samir Chougrad
      Samir Chougrad


      Even if we put the above parameter in the connector attributes, FF session is opened on backend ABAP layer and not in Fiori screen.

      Is there any additional setting required?

      Thanks in advance.


      Author's profile photo MARCO ANTONINI


      when trying to implement GRC AC 12.0 EAM for Webdynpro, are the limitations described at the beginning of the blog still valid (now AC 12.0 SP16) ?

      Is it still mandatory to use a dialog user type for FFID?

      If YES, how can I avoid or which workaround I can use to manage the consequent password policy and user license fees of “dialog” FFID vs “service” FFID ?

      Thanks in advance for any help/suggestions