Role-based Emergency Access Management(EAM)/Firefighting
Most Emergency Access Management (EAM) also known as Firefighting or SuperUser Privilege Management (SPM) setups that I have been involved in have been ID-based. One of my clients recently wanted to implement Role based Firefighting. Their pre-GRC firefighting process was to assign Firefighter role to user on temporary basis with approval from owner. They wanted as little of change to their process as possible. That process closely aligned with Role-based Firefighting. One key factor was that no additional training was required for firefighters log-in process.
I would like to share important configuration and master data setup steps specific to Role-based Firefighting. Also, there was an issue that I encountered during the implementation and the solution to that issue. Hopefully this will be helpful to others who are looking into implementing Role-based EAM.
Let’s start with primary configuration and master data setup steps for Role-based Firefighting setup:
- First, configuration parameter 4000 for application type needs to be maintained as 2. This is necessary to identify Firefighting as Role-based.
Also maintain other EAM related parameters as requirements dictate. I have setup mine as following:
2. Firefighter role must exist (or create one) in plug-in system. For example, in ECC.
3. Next step is to import this Firefighter role into GRC through NWBC user interface. The path in NWBC is:
- Access Management –> Role Mass Maintenance –> Role Import. Fill in information on screens that follow. Below are screenshots of import steps:
- Note that Role methodology must be set to ‘Complete’ and Role status to ‘Production’ for role to be available for firefighting (as highlighted in yellow above). Then clicking Submit button will import the role in GRC. You will receive a message saying that the role has been successfully imported.
- After you import the role, repository sync job (program GRAC_REPOSITORY_OBJECT_SYNC) needs to be run with the specific connector.
- After role is imported, you must enable this role for Firefighting (as shown below screenshot) through NWBC Access Management –> Role Maintenance and then opening the role.
Note: After checking ‘Enable for Firefighting’ box, please ensure role is set to ‘Complete’ status.
4. Next step is to setup master data for Owners and Controllers. The owners and controllers are setup same way as ID-based. Owners are setup first as Access control owners and then Emergency Access Management Owners. These are setup through NWBC Setup–> Access Owners and Access Control Owners:
NWBC Setup –> Emergency Access Management and Owners:
Now the role is ready to be provisioned to Firefighter through either Workflow or manually through NWBC.
Firefighter role is assigned to user ID in connected system (where user needs emergency access). User simply logs in to the system as usual. Therefore, there is no central vs. decentralized Firefighting in Role based Firefighting whereas ID based allows us to configure system to either or both mode of firefighting.
Also, reason codes are not needed in Role based Firefighting.
One of the advantages with Role based firefighting process is that there is no limit of how many users can simultaneously use Firefighter role. Whereas in ID based you can only create limited number of Firefighter IDs and 2 Firefighters cannot use same Firefighter ID at the same time.
After EAM was setup and during testing, we encountered an issue that I think is worth sharing.
Firefighter role was assigned to Firefighter and user was able to utilize elevated access. However; after user ended Firefighting session and I ran SPM log sync program; the consolidated log report was empty. No logs were shown. I found SAP note ‘2641071 – GRC EAM: EAM logs are not generated in role-based Firefighting’ that looked related. The note was implemented, and it seemed to have fixed the issue as we got logs showing. However; the consolidated logs report was missing some logs and was not showing logs for all sessions. The reports were not consistent and worked sometimes but not others.
In response to an OSS message, SAP suggested that we implement note 1545511. This is a user exit for restricting login Firefighter IDs through SAP GUI. SAP’s response was that this note includes enhancement in functionality of Role based application due to performance issue. Now the EAM user exit that was earlier used in ID based application, captures the Firefighter details in case of role-based application. Because of this, users can be filtered based on the execution timestamp and application only fetch logs for Firefighters who login into the system in role-based application. After implementing this note, the issue got resolved and we can rely on consistent consolidated logs reports.
I have explained above primary steps to setup Role-based Emergency Access Management (EAM). I am looking forward to feedback from GRC experts and will be happy to answer any questions.