This document describes the provisioning strategies of Emergency Access Management (EAM). SAP GRC Access Control offers two different strategies for using EAM.
Some users are pre-approved for specific Firefighter IDs and have pre-assigned access in GRC. When a Firefighter ID is checked out, the application sends a notification to the controller whenever the firefighter logs onto a system (Parameter 4008). Additionally, the controller is informed when the log report is available (Parameter 4007), and it is the controller's responsibility to confirm that the actions taken were appropriate. The application sends the notification to the controller either as an email or as a workflow item (Notification settings in the Firefighter ID Assignment).
In the other strategy, by contrast, a user must request access to EAM before the Firefighter ID can be used. Access can be requested in Access Request Management (ARM). The Super User Access Request Type is available to automate provisioning of access to Firefighter IDs via workflow in ARM.
Both strategies have advantages as well as disadvantages. Pre-approved firefighters have the advantage that the IDs are available at any time and emergency activities can be performed immediately (e.g. during weekends), whereas it might be critical that fraudulent activities can be executed and are reviewed only afterwards. If a user must request access to EAM, emergency access is delayed because approval from the controller is required before usage. In an emergency, e.g. during weekends, the controller might not be available and the work can't be done.
I would like to know which strategy you prefer and whether you have concerns other than mine.
Looking forward to your feedback and contribution.