
This document describes the provisioning strategies of Emergency Access Management (EAM). SAP GRC Access Control offers two different strategies for using EAM.

 

Pre-Approval

Some users are pre-approved for specific Firefighter IDs and have pre-assigned access in GRC. When a Firefighter ID is checked out, the application sends a notification to the controller whenever the firefighter logs on to a system (Parameter 4008). Additionally, the controller is informed when the log report is available (Parameter 4007), and the controller is responsible for confirming that the actions taken were appropriate. The application sends the notification to the controller either as an email or as a workflow item (notification settings in the Firefighter ID assignment).

 

Approval Required

In contrast, with this strategy a user must request access to EAM before the Firefighter ID can be used. Access can be requested in Access Request Management (ARM). The Super User Access request type is available to automate provisioning of access to Firefighter IDs via workflow in ARM.

 

Both strategies have advantages as well as disadvantages. Pre-approved firefighters have the advantage that the IDs are available at any time and emergency activities can be performed immediately (e.g. during weekends). The critical point is that fraudulent activities can be executed and are reviewed only afterwards. If a user must request access to EAM, emergency access is delayed because approval from the controller is required before use. In an emergency, e.g. during a weekend, the controller might not be available and the work can't be done.

 

I would like to know which strategy you prefer and whether you have concerns other than mine.

 

Looking forward to your feedback and contribution.

 

Best regards,

Alessandro


7 Comments


  1. Raymond Marshall

    Thank you! This was easy to follow, and answered all my questions. Would you be able to follow on or add screens on how to set up the Approval Required setup as you have to go through the MSMP? Thanks again

    -Buck

    (0) 
    1. Alessandro Banzer Post author

      Hi Rama,

      From my point of view it depends on the concept that defines how to use the firefighter. FF could be restricted to technical personnel only, where for example the basis consultant does not have access to configure the system with his own user ID. To change system settings he must use the firefighter so that a second person can review the performed activities. In such a case it might be helpful if the basis consultant has the ability to use the FF whenever he needs.

      But as mentioned it depends on the concept how you use the FF and what should be covered by the firefighter.

      Regards,

      Alessandro

      (0) 
  2. L. B.

    Hi,

    I’m not familiar with GRC, and I have several questions about access, security, and other concerns. I do not know the difference between a firefighter ID and a support ID, but I need some advice from some of you. My auditor requested that I track and review the activities performed by the business analyst any time he uses the support ID to ensure nothing illegal is being done. The actual report that I have shows me the support ID, when it was opened and what t-code was used, but no additional details about the activity. Someone told me that using GRC may help me because GRC can provide reports with detailed logs, and I want to know if that is true.

    Thanks for taking the time to solve my questions.

    (0) 
    1. Gretchen Lindquist

      Hi “L. B.”,

      Welcome to SCN. My advice for you is to familiarize yourself with the SCN rules of engagement document:

      http://scn.sap.com/docs/DOC-18590

      To be specific, the rule about "Search before you post" is a very good idea, especially when investigating an SAP solution that is new to you. After you search and review all the many discussions about EAM here, as well as the GRC product information on SAP’s other web sites such as help.SAP.com, you will be in a better position to post a specific question in a new discussion thread if your questions are not already answered, so that all members of this forum can review it and consider responding. SCN members all have day jobs, and no one has the time to regurgitate all the GRC content already available to you.

      Good luck in your quest to learn about EAM.

      Gretchen

      (0) 
