GRC Access Control 12.0 Emergency Access Management (EAM) setup for HANA DB
GRC AC 12.0 has been released in March 2018 with general availability from September 2018. This new version offers several enhancements to previous versions 10.0 or 10.1 including Integration with SAP Cloud products such as SAP Ariba, SAP Concur, SuccessFactor, and S/4 HANA Cloud. Additionally, AC 12.0 offers an improved user experience with mobile devices through Fiori Launchpad.
GRC AC 12.0 also extends Emergency Access Management (EAM) aka Firefighting capabilities to HANA DB. In this blog, I am going to cover EAM configuration steps for HANA DB and provide an example of its use and reporting. Only ID-based and centralized Firefighting are available for HANA DB at this time.
The procedure to configure EAM for HANA DB target systems follows the same core steps as for configuring ID-based EAM. This includes configuration parameters, ID owner, controller setup, & scheduling sync jobs. There are additional steps that are HANA DB specific.
My goal in this blog is to explain HANA DB specific steps. These configuration steps need to be performed in addition to general EAM core steps.
Following are pre-requisites for EAM setup to HANA DB:
a. SAP Access Control 12.0 post-installation steps.
b. Setup GRC connectors for all target systems.
c. Assignments of integration scenario SUPMG to all EAM relevant connectors.
d. Activate following BC sets:
1. We must create audit policies in HANA DB plug-in system. This is required to track and log firefighter actions on the plug-in HANA system when someone performs firefighter activities.
Steps to create audit policy:
First, login to HANA Studio of target plug-in system and make sure auditing is enabled and audit trail target set to Database Table level. This is done by opening Security folder and double-clicking to open Security (as shown in following 2 screenshots):
Then, create audit policies by clicking on plus sign under ‘Audit Policies’. Enter a name for audit policy and then select actions to log for tracking. SAP recommends at least 4 separate audit policies and logged actions from User & Role management, Structured Privilege Management, Session Management & System Configuration, & Granting and Revoking Authorizations. Note that these logged activities can be expanded or reduced depending upon your needs. Screenshots are shown below.
User and Role Management
Structured Privilege Management
Session Management and System Configuration
Granting and Revoking of Authorization
2. In GRC, access control configuration parameter 4010 is used to identify firefighter ID role. Users in plug-in system with this role is recognized as Firefighter ID. The role needs to be created in HANA DB and assigned to Firefighter ID. This role does not have to have any specific authorization. It is just an identifier.
See below an example of role configured in parameter 4010 and its existence in HANA DB.
3. Maintain connector in GRC System:
In SPRO transaction code, go to node Governance Risk and Compliance –> Access Control –> Maintain connector settings. You need to maintain HANA DB connector as application type 17. Then, select the HANA DB connector and click on Assign attributes to the connector. You will need to assign attributes for audit log files that we created in step 1 above and also path to HANA IDE URL. This URL is launched while Firefighting from GRAC_EAM/GRAC_SPM transaction code.
4. Maintain sub-scenario Definitions for HANA connectors:
A sub scenario for SUPMG Integration scenario has to be created. Follow path in SPRO Governance, Risk and Compliance –> Common Component settings –> Maintain Connection settings and selection SUPMG Integration scenario. This will take you to following screen:
Now click on SUPMG sub scenario and click on ‘Scenario-Connection type Link’. Then click on New entries and add Connection type HDB and Class/Interface CL_GRAC_AD_SUPER_USER_HDB and connection type SAP and Class/Interface CL_GRAC_AD_SUPER_USER_RFC. Please see below for a screenshot:
This completes the configuration part of EAM for HANA DB. Let’s check out how this is used.
Using Firefighter ID for HANA DB:
Only centralized Firefighting is possible for HANA DB. First login to GRC Access control system and launch transaction code GRAC_EAM or GRAC_SPM. This launches EAM launch pad. Fill in the details for Reason codes and activity details as in normal Firefighting. After clicking on green check mark, it will take you to login screen of HANA IDE as shown below. Here you will enter FF ID and paste password from clipboard in password field. Remember random one-time password was generated and copied into clipboard as soon as you click green check mark. This can only be used for one specific session and also does not work if you try to login directly with FF ID and this password.
It will log you into HANA Web-based Development Workbench as shown below. Here you perform emergency activities.
While you are in IDE with FF ID, the ID is unavailable for others to use (see below screenshot). This behavior is consistent with FF IDs to other SAP systems.
And as soon as you log off from HANA IDE, the ID becomes available for others to use.
FF ID’s activities are logged for the actions/permissions that have been activated/logged. These logs are available to view through Firefighter consolidated logs as shown below:
As mentioned above, this blog was intended to cover only steps that are required for EAM setup for HANA DB. General/core steps for EAM setup are same as for other ABAP systems and were out of scope for this blog.
I am looking forward to your feedback, comments, and experience.
2654895 – FAQ: GRC Access Control 12.0 Installation Questions and Recommendations
2735438 – FAQ – Emergency Access Management (EAM) for HANA