Business Concept: Emergency Access Management allows personnel to take responsibility for tasks outside their normal job activities. A temporary privilege is assigned that grants the user exception-based, yet regulated, access. The act of using this privilege is called firefighting.


The firefighter role describes the ability to perform tasks in emergency situations.


The following terms are important for Emergency Access Management.

  • Firefighter: a regular user (in the GRC AC10 system) requiring emergency access
  • Firefighter ID: a user ID (in the target SAP systems) with elevated privileges. It can only be accessed from the GRC server using transaction GRAC_SPM.
  • Firefighting: the act of using a firefighter ID
  • Owner: the user responsible for a firefighter ID and for the assignment of its controllers and firefighters.
  • Controller: reviews and approves (if necessary) the log files generated by the firefighter.

Business requirements

The organization has decided to use Firefighter ID based firefighting. Firefighters, their corresponding Firefighter IDs, Owners and Controllers will be identified by the organization based on its understanding of the firefighting concept and the business requirement.

A sample of the relation between these positions is shown in the table below.

EAM / Firefighter ID    Owner/Controller    FireFighter
FF_FI_CLOSN             FI_FF_OWNER         FFUSER

The roles for the identified IDs will be assigned as required after the IDs are created by the organization's BASIS team.


Important customizing settings


The following BC Set will be activated:

BC Set                        Description
GRAC_SPM_CRITICALITY_LEVEL    SPM Criticality Levels

The backend configuration requires the following settings to utilize the Firefighter ID concept:

ID      Value                 Description
4000    1                     Application type = ID
4001    30                    Default Firefighter Validity Period (Days)
4002    YES                   Send Email Immediately
4003    YES                   Retrieve Change Log
4004    YES                   Retrieve System log
4005    YES                   Retrieve Audit log
4006    YES                   Retrieve OS Command log
4007    YES                   Send Log Report Execution Notification Immediately
4008    YES                   Send Firefighter ID Login Notification
4009    YES                   Log Report Execution Notification
4010    <Name of the role>    Firefighter ID role name
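As an added example (not part of the original document), a small Python check that compares a set of these EAM parameters with the values the table above calls for, so a deviation such as a disabled log retrieval or an over-long validity period is caught before firefighting starts. The parameter IDs and descriptions come from the table; the dict input format and the thresholds are assumptions made for this illustration.

```python
# Added example (not from the page): lint a set of GRC AC 10 EAM configuration
# parameters against the values the page's table calls for. Parameter IDs and
# descriptions are from the page; the dict input format and the severity
# thresholds are assumptions made for this illustration.
from typing import Dict, List

# Parameters the page sets to YES so firefighter sessions are fully logged and
# the controller is notified when a session starts and when the log is ready.
YES_PARAMS = {
    "4003": "Retrieve Change Log",
    "4004": "Retrieve System log",
    "4005": "Retrieve Audit log",
    "4006": "Retrieve OS Command log",
    "4008": "Send Firefighter ID Login Notification",
    "4009": "Log Report Execution Notification",
}
MAX_VALIDITY_DAYS = 30  # the page's default for parameter 4001


def lint_eam_config(params: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weakened setting (empty list = clean)."""
    findings = []
    if params.get("4000") != "1":
        findings.append("4000: application type is not ID-based (expected 1)")
    days = params.get("4001", "")
    if not days.isdigit():
        findings.append("4001: default validity period missing or not numeric")
    elif int(days) > MAX_VALIDITY_DAYS:
        findings.append(f"4001: validity period {days} days exceeds {MAX_VALIDITY_DAYS}")
    for pid, desc in YES_PARAMS.items():
        if params.get(pid, "").upper() != "YES":
            findings.append(f"{pid}: '{desc}' is not YES; controller review would be incomplete")
    role = params.get("4010", "")
    if not role or role.startswith("<"):
        findings.append("4010: firefighter ID role name not maintained")
    return findings


# Constructed sample: validity too long, system log off, role left as placeholder.
SAMPLE_PARAMS = {
    "4000": "1", "4001": "90", "4002": "YES", "4003": "YES", "4004": "NO",
    "4005": "YES", "4006": "YES", "4007": "YES", "4008": "YES", "4009": "YES",
    "4010": "<Name of the role>",
}

if __name__ == "__main__":
    for finding in lint_eam_config(SAMPLE_PARAMS):
        print(finding)
```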


Workflow for requesting access to an Emergency Access ID

The workflow for assigning Emergency Access IDs to firefighters on the basis of their requests will be created as shown below.

[Workflow diagram image not reproduced]

Workflow Description: A user requiring access to an Emergency Access ID raises a request, and the request flows to the EAM owner of the respective Emergency Access ID. Upon approval from the EAM owner, the request flows to Security; on approval from Security, the requesting user is given access to the requested ID for the number of days approved by the EAM owner.

Creating users and assigning roles

Create users and roles as needed. Remember to synchronize the users again with program GRAC_ROLEREP_USER_SYNC via SE38. The roles below are provided as examples; customer roles need to be created based on the required authorizations.

In the AC system          Role
Firefighter user          SAP_GRAC_SUPER_USER_MGMT_USER
Firefighter controller    SAP_GRAC_SUPER_USER_MGMT_CNTLR
Firefighter owner         SAP_GRAC_SUPER_USER_MGMT_OWNER

Configuration

BRF+ Configuration: configure the BRF+ rule for the Access Request process as below:

RWQTYPE: 006 FOR EMERGENCY ACCESS MANAGEMENT

RULE_RESULT: EAM_PATH, which we will configure in the workflow.

[Screenshot of the BRF+ rule configuration not reproduced]

Workflow Configuration (the numbered items are the MSMP workflow configuration steps)

6. Maintain Route Mapping

[Screenshot of the route mapping not reproduced]

5. Maintain Path

Agent ID: GRAC_SPM_OWNER

[Screenshot of the path configuration not reproduced]

For the Security stage, configure as below:

[Screenshot of the Security stage configuration not reproduced]

Now generate a new version and submit a request for firefighter access.



1 Comment


  1. S A

    G’Day Ale,

    Thank you for the document. One query if I may. Is there a way we can auto-provision the ‘Z_GRAC_SUPER_USER_MGMT_USER’ role when someone raises a request for an FFID?

    I mean we have the option of Default Roles, but this is system-wide. So I was wondering, can we do something like that with the default firefighter role, only user-specific rather than system-wide?

    Cheers

    Leo..
