EAM – Approve through Workflow
Business Concept : Emergency Access Management allows personnel to take responsibility for tasks outside their normal job activities. A temporary privilege is assigned that grants the user exception-based, yet regulated, access. This act of using the privilege is called firefighting.
The firefighter role describes the ability to perform tasks in emergency situations.
The following terms are important for Emergency Access Management:
- Firefighter: a regular user (in the GRC AC10 system) who requires emergency access.
- Firefighter ID: a user ID (in the target SAP systems) with elevated privileges. It can only be accessed from the GRC server using transaction GRAC_SPM.
- Firefighting: the act of using a firefighter ID.
- Owner: the user responsible for a firefighter ID and for the assignment of its controllers and firefighters.
- Controller: reviews and approves (if required) the log files generated by the firefighter's sessions.
Business requirements
The organization has decided to use Firefighter ID based firefighting. The firefighters, their corresponding Firefighter IDs, owners and controllers will be identified by the organization based on its understanding of the firefighting concept and its business requirements.
A sample of the relationship between these positions is shown in the table below.
EAM / Firefighter ID | Owner/Controller | Firefighter
FF_FI_CLOSN | FI_FF_OWNER | FFUSER
The roles for the identified IDs will be assigned as required after the IDs have been created by the organization's BASIS team.
Important customizing settings
The following BC Set will be activated:
BC Set | Description
GRAC_SPM_CRITICALITY_LEVEL | SPM Criticality Levels
The backend configuration requires the following parameter settings to use the Firefighter ID concept:
ID | Value | Description
4000 | 1 | Application type = ID
4001 | 30 | Default Firefighter Validity Period (Days)
4002 | YES | Send Email Immediately
4003 | YES | Retrieve Change Log
4004 | YES | Retrieve System Log
4005 | YES | Retrieve Audit Log
4006 | YES | Retrieve OS Command Log
4007 | YES | Send Log Report Execution Notification Immediately
4008 | YES | Send Firefighter ID Login Notification
4009 | YES | Log Report Execution Notification
4010 | <Name of the role> | Firefighter ID role name
Workflow for requesting access to an Emergency Access ID
The workflow that assigns Emergency Access IDs to firefighters on the basis of their requests will be created as described below.
Workflow description: a user requiring access to an Emergency Access ID raises a request, and the request flows to the EAM owner of that Emergency Access ID. Upon approval by the EAM owner, the request flows to Security. Upon approval by Security, access to the requested ID is granted to the requesting user for the number of days approved by the EAM owner (the validity period is set at the owner stage, not at the Security stage).
Creating users and assigning roles
Create the users and roles as needed. Remember to synchronize the users again with program GRAC_ROLEREP_USER_SYNC via SE38. The roles below are provided as examples; customer roles need to be created based on the customer's own authorizations.
In the AC system | Role
Firefighter user | SAP_GRAC_SUPER_USER_MGMT_USER
Firefighter controller | SAP_GRAC_SUPER_USER_MGMT_CNTLR
Firefighter owner | SAP_GRAC_SUPER_USER_MGMT_OWNER
Configuration
BRF+ Configuration: configure the initiator rule of the BRF+ Access Request process as follows:
REQTYPE (request type): 006 for Emergency Access Management
RULE_RESULT: EAM_PATH, which will be mapped to a path in the workflow configuration.
Workflow Configuration
5. Maintain Path: create the path for EAM_PATH with two stages. For the owner stage, use Agent ID GRAC_SPM_OWNER. For the Security stage, configure the agent for the security approvers.
6. Maintain Route Mapping: map the rule result EAM_PATH to the path created above.
Now generate a new version of the workflow and submit a request for a firefighter ID to test it.
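The routing and two-stage approval described above, as an added worked example that is not part of the original page or of SAP GRC itself: a small Python model of the initiator rule (request type 006 resolves to EAM_PATH), the route mapping to an owner stage and a Security stage, and the rule that the validity period is set by the EAM owner and defaults to parameter 4001 (30 days). The owner FI_FF_OWNER and firefighter ID FF_FI_CLOSN come from the page's sample table; the Security stage name "SECURITY", the security approver user "SECADMIN" and the request/approval functions are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed approximation of the BRF+ initiator decision table:
# request type -> rule result. Only request type 006 is routed to EAM.
INITIATOR_RULES = {"006": "EAM_PATH"}

# Route mapping: rule result -> ordered approval stages.
# "GRAC_SPM_OWNER" is the agent ID named on the page; "SECURITY" is an
# assumed name for the second (Security) stage.
PATHS = {"EAM_PATH": ["GRAC_SPM_OWNER", "SECURITY"]}

# Parameter 4001: default firefighter validity period in days.
DEFAULT_VALIDITY_DAYS = 30

# Constructed sample data: firefighter ID -> owner (from the page's table),
# and an assumed security approver.
OWNERS = {"FF_FI_CLOSN": "FI_FF_OWNER"}
SECURITY_APPROVERS = {"SECADMIN"}


@dataclass
class FFRequest:
    requester: str
    ff_id: str
    req_type: str
    path: Optional[str] = None
    stage: int = 0
    approved_days: Optional[int] = None
    status: str = "NEW"
    valid_from: Optional[date] = None
    valid_to: Optional[date] = None


def current_stage(req: FFRequest) -> str:
    return PATHS[req.path][req.stage]


def stage_agents(req: FFRequest) -> set:
    """Users allowed to act at the request's current stage."""
    if current_stage(req) == "GRAC_SPM_OWNER":
        return {OWNERS[req.ff_id]}
    return set(SECURITY_APPROVERS)


def submit(req: FFRequest) -> FFRequest:
    """Run the initiator rule and place the request at the first stage."""
    result = INITIATOR_RULES.get(req.req_type)
    if result is None:
        req.status = "NO_PATH"  # no route mapping: the request cannot proceed
        return req
    req.path = result
    req.status = "PENDING:" + current_stage(req)
    return req


def approve(req: FFRequest, agent: str, days: Optional[int] = None,
            today: Optional[date] = None) -> FFRequest:
    """Approve at the current stage; only the owner stage may set the validity."""
    if not req.status.startswith("PENDING"):
        raise ValueError("request is not open for approval: " + req.status)
    if agent not in stage_agents(req):
        raise PermissionError(f"{agent} may not approve at stage {current_stage(req)}")
    if current_stage(req) == "GRAC_SPM_OWNER":
        req.approved_days = DEFAULT_VALIDITY_DAYS if days is None else days
        if req.approved_days <= 0:
            raise ValueError("validity period must be at least one day")
    elif days is not None:
        raise ValueError("validity period is fixed by the EAM owner stage")
    req.stage += 1
    if req.stage < len(PATHS[req.path]):
        req.status = "PENDING:" + current_stage(req)
    else:
        today = today or date.today()  # provisioning date
        req.valid_from = today
        req.valid_to = today + timedelta(days=req.approved_days)
        req.status = "PROVISIONED"
    return req


def reject(req: FFRequest, agent: str, reason: str) -> FFRequest:
    """Reject at the current stage; the request is closed."""
    if agent not in stage_agents(req):
        raise PermissionError(f"{agent} may not reject at stage {current_stage(req)}")
    req.status = "REJECTED:" + reason
    return req


def demo() -> FFRequest:
    """FFUSER requests FF_FI_CLOSN; owner grants 5 days; Security approves."""
    req = submit(FFRequest("FFUSER", "FF_FI_CLOSN", "006"))
    approve(req, "FI_FF_OWNER", days=5)
    approve(req, "SECADMIN")
    return req


if __name__ == "__main__":
    print(demo())
```

The point of the model is the separation of duties in the path: the owner decides whether and for how long the firefighter may use the ID, Security can only confirm or reject, and a request type that has no initiator rule result never reaches an approver at all.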
G'Day Ale,
Thank you for the document. One query if I may. Is there a way we can auto-provision the 'Z_GRAC_SUPER_USER_MGMT_USER' role when someone raises a request for an FFID?
I mean we have the option of Default Roles, but this is system-wide. So I was wondering, can we do something like that with the default firefighter role, only user-specific rather than system-wide?
Cheers
Leo..