Skip to Content
Technical Articles
Author's profile photo Madhu Babu #MJ

SAP GRC 12.0 – Emergency Access Management (EAM) for HANA Target Systems (using Web IDE)

Purpose of the Document

It’s HANA everywhere 🙂

In the latest version of GRC which is 12.0,  SAP has extended the emergency access management (EAM) functionality to HANA target systems via Web IDE.

At present, there is no option in GRC 12.0 to use EAM functionality for HANA DB without WEBIDE

This blog is to provide the details on how this new functionality can be configured and utilized to manage the firefighting access to HANA target systems.

Let’s see how you can setup this functionality and can test in GRC 12.0 system (End to End).

Required Configuration to enable EAM for HANA DB

HANA Connection Configuration

Create HANA database connection in GRC system using transaction code DBCO (Database Connection Maintenance)

DB Connection: Fill in the DB Connection name. This name will be used in the connector setup so name it accordingly.
DBMS: Select the type of Database Management System as “HDB” (HANA Database)
User Name and Password: Valid user authentication details to connect to HANA DB
Connection Info: HANA database system details (Hostname details along with Port Number)

Save the database connection after entering all required details as mentioned above.

Testing HANA DB Connection created in GRC

HANA database connection can be tested using ABAP report “ADBC_TEST_CONNECTION”

Execute transaction SE38 and run report “ADBC_TEST_CONNECTION”

HANA DB connection can also be verified using the transaction “DBACOCKPIT” .

HANA Database Connector in SM59

Create a connector in SM59 with connection type as “L” (Logical Destination) and connector name same as the connection created in DBCO.

Audit Policy Configuration in HANA DB

Activities on SAP HANA database (User Changes, Role Changes, Creation or deletion of database objects, Changes to system configuration, Access to or changing of sensitive information) can be track and recorded via in-built Audit configuration feature.

SAP HANA database auditing feature allows monitoring of the activities performed in HANA DB.To make use of this feature, SAP HANA audit policy must be activated on HANA DB.

SAP recommendation is to create separate audit policies for following activities performed in HANA DB separately:

  • Granting and Revoking of Authorization
  • Session Management and System Configuration
  • Structured Privilege Management
  • User and Role Management

User and Role Management

Structured Privilege Management

Session Management and System Configuration

Granting and Revoking of Authorization

HANA Connector Config Setup in GRC

Define connectors in the following IMG path

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors

Define connector groups in the following IMG path and assign HANA DB connectors to this connector group

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types ->Define Connector Groups

Maintain Connection Settings

Connectors must be assigned to the all integration scenarios (AM, ROLMG, SUPMG, AUTH, PROV) available as it is a good practice.

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings

Maintain Connector Settings

Maintain connector settings in the following path and assign HANA Audit Policy and HANA IDE URL to the HANA DB connectors as shown in the following screenshots.

SPRO -> IMG -> GRC -> Access Control -> Maintain Connector Settings


Web IDE for SAP HANA is a browser-based IDE for the development of SAP HANA-based applications.

This web-based IDE is called SAP HANA Web-based Development Workbench, which contains four modules.

Editor:Manage HANA repository artifacts
Catalog:Manage HANA DB SQL catalog artifacts
Security:User and Role Management
Trace:Set or download trace files for HANA applications

EAM firefighting for HANA target systems is supported only through HANA Web IDE and this is the main reason for including the IDE URL as one of the attributes in the connector settings as firefighting session will launch HANA IDE URL using which the firefighting actvities will be performed.

Delivery Unit deployment in HANA DB

Delivery Unit deployment into HANA DB and activating the SQL procedures under AC folder in HANA DB is a prerequisite and must be followed according to the steps mentioned in following SAP Note:


GRC Procedures Activation

For details on how the corresponding SQL procedures under ARA and ARQ folders are required to be activated are available in SAP Note 1869912.

SQL Procedures under ARA folder – Just execute in any sequence

SQL Procedures under ARQ folder – Execute procedures starting with ‘IS’ or ‘INS’ first followed by procedures starting with GRANT and REVOKE and finally remaining procedures.

“GET_USERS_SYNC” procedure has an updated version released through the following SAP Note. Hence, download this from the note and activate it as it is not updated in the latest version by default.

2451688 – Repository sync job not syncing back user validity dates from HANA

However, there are few errors which you will come across during SQL procedures activation like mentioned below but still you can proceed with your next steps.

Firefighter ID Setup in HANA DB

Step 1: I have created a role in HANA DB with the same name as the one used in config parameter 4010 (Firefighter ID role name).

Step 2: Created a User ID in HANA DB and assigned the role created in previous step to the User ID and to make GRC system recognize the newly created User ID as Firefighter ID.

GRC Repository Object Sync

Execute “Repository Object Sync” program once all the above configuration is completed which should successfully sync the USERS and ROLES from HANA DB to GRC system

Assignment of FF ID Owner and Controller to HANA Firefighter ID

Another improvement in GRC 12.0 is simplified Firefighter Owner/Controller maintenance:

– In 10.1 User ID must be first defined as FF ID Owner or Controller before assigning to a Firefighter ID.

– In GRC 12.0 Owners and Controllers can be assigned to Firefighter ID even when the User ID is not maintained in Access Control Owners. This is applicable for “Mass Maintenance” feature as well.

EAM Centralized Vs. Decentralized Firefighting for HANA DB

Decentralized scenario is currently not supported for HANA target systems.Only Centralized Firefighting is supported and Firefighter logon must be done via transaction GRAC_EAM/GRAC_SPM in the GRC Foundation system as the logic to generate the password for the Firefighter ID is implemented in GRC system only.You can verify the details in the following SAP Note

Common Errors

When a User ID is created in HANA DB which you want use as a Firefighter ID please ensure that the length of the User ID is not more than 12 characters. If the Firefighter ID length is more than 12 characters, following error message will be shown when you try to start the FF session as EAM functionality is not supported.

EAM Centralized Firefighting process for HANA systems

If you have completed all the above steps successfully then you can perform EAM testing for HANA target systems.

Step 1: Execute transaction “GRAC_EAM” in your GRC system as you can use only Centralized Scenario

Step 2: Click on “Logon” button and enter the required details and click “Continue” to launch the Firefighting session

Step 3: HANA IDE URL which has been configured during Connector Setup will be launched and will redirect to the logon screen.

Firefighter ID status will be showing as “GREEN” until you login to HANA IDE.

You have to enter the Firefighter ID and the password (you have to just paste the password which is already copied into clipboard. Just do CTRL+V in password field) after which your Firefighting session will begin and the status of Firefighter ID in the EAM launchpad screen will turn to red

Step 4: Perform required activities in HANA system and once completed log off the Firefighting session.

Step 5: All the logs recorded during Firefighting session can be accessed from HANA table AUDIT_LOG. The same logs will be retrieved and showed in the EAM log review workflow request.

Step 6: After the completion of firefighting session, execute EAM log sync job which will retrieve the logs from HANA system and creates the log review workflow request.

Key Points or FAQs:

You can check following SAP Note for FAQs about this functionality.

Issue 1: Password getting copied to clipboard: If the password is copied to clipboard then this can be shared with anyone and there is potential chance FF ID misuse by an unauthorized user.

Currently working with SAP support to check if time limit can be set for password expiry.

e.g. To make password in clipboard unusable after 10 to 15 seconds. This could be a compensating control from security perspective.

Issue 2: When logging to HANA IDE through EAM ensure that no other HANA IDE session with normal User ID is ACTIVE.  If any session is ACTIVE then system redirects to the same session instead of starting new session

Issue 3: During the FF session always ensure to properly logout the session after completion. If the HANA IDE is closed directly without logging out properly then the FF session will remain active until the time out period set for HANA IDE is reached.

Thanks for reading.

Looking forward for your inputs in improving this blog with additional details or scenarios 🙂

Best Regards,

Madhu Babu Sai

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Sam GRC
      Sam GRC

      Very useful and excellent blog!

      Author's profile photo ram naidu
      ram naidu

      Thank you, Madhu.


      Extremely good information provided by you. Outstanding blog

      Author's profile photo Chirag Mehta
      Chirag Mehta

      Hi Madhu,

      Thanks for sharing this info.

      Do we have any specific set of roles/privileges which a Hana DB user should have for integrating ARM and EAM from GRC to HANA.

      Author's profile photo Andreas Schetle
      Andreas Schetle

      Excellent Article Madhu!

      More than a year has passed and i still wonder if there is a fix for the Issue #1 you described in the end. Are there any news?

      If not, Firefighter functionality for HANA ist poorly implemented and faces huge security issues / does not meet same security standard as firefighting for abap systems.

      Regards, Andreas



      Author's profile photo Sanjeev Sharma
      Sanjeev Sharma

      Hello Andreas

      SAP has introduced the Time-Out Feature with which you can set a certain validity/limit on the password usage. Post that, the password becomes obsolete 🙂

      Check SAP Note- 2840561 for more information.

      & Indeed- more than a year and still this blog is helpful 🙂

      With Regards

      Sanjeev Sharma.

      Author's profile photo shubham s burande
      shubham s burande

      Thank You Madhu... The document was very helpful.


      I have one issue.. I configured EAM in my landscape, but when i hit logon it directs me the HANA IDE link and asks for FF credentials. I give my credentials there and technically after logging in my EAM status must show RED sign but the status of my EAM is still GREEN.


      Kindly help!



      Shubham Burande

      Author's profile photo Deepak Ghuge
      Deepak Ghuge

      Hello Madhu Babu Sai,

      Why can't we use the password in clipboard other than WebIDE platform?


      Kindly respond!




      Author's profile photo Himanshu Agrawal
      Himanshu Agrawal

      Hi Madhu,


      Can we enable FF for HANA XSA Cockpit ?


      I tried this -

      In connector attributes in WEBIDE URL , I have added HANA XSA Cockpit's link. With FF, the link is getting launched, but password which gets copied on clipboard doesn't allows login.

      Author's profile photo Srikanth Devavarapu
      Srikanth Devavarapu

      In most of the cases XSA Cockpit is deployed in System DB, validate on that front.

      Author's profile photo Sandhya S S
      Sandhya S S

      Hi Madhu/ Any person done the integration,

      While connecting to HANA system through FF, I cannot see the clipboard to copy the password, Please guide where can we see the clipboard?

      To see clipboard do we need to enable any setting?



      Please reply

      Author's profile photo Srikanth Devavarapu
      Srikanth Devavarapu

      After clicking on Log on, just use "Ctrl+V" that would automatically bring the password which was already copied to the clipboard

      Author's profile photo Stefan Mirkowski
      Stefan Mirkowski

      I have the same problem. No copy password is displayed.
      And one more question, doesn't the firefighter have to be created in the XS Advanced Cockpit to access the WebIDE?
      (surely some features have changed or been added over time)