SAP GRC 10.0/10.1/12.0 – Emergency Access Management – Make It Audit-Ready!
Emergency Access Management (also known as Firefighter) is a favorite application for many. It addresses the major issues of your audit by separating the most critical authorizations from regular user access. Users can request access to these transaction codes by raising a request. Once the user logs in to the Firefighter session, it logs the user's activities, keeps track of the changes, and notifies the Controller to review the logs once the session is complete. Here is a quick flow that explains the Firefighter ID process:
However, without the right strategy, this can cause serious harm and create chaos during the audit. SAP has provided many enhancements to make your Emergency Access Management audit-ready!
Check whether your users can use the Firefighter IDs to log in directly from SAP GUI
The first and foremost thing you need to check is whether the FF IDs can be used to log in directly from SAP GUI. A direct login bypasses the Firefighter session and its activity logging, so this is one of the major audit issues and should be fixed. Refer to SAP Note 1545511 (Firefighter User Exit) to learn how to implement this check.
Stop sending Controller logs when there is no activity
There are instances where your users (Firefighters) log in to a Firefighter session but do not perform any activity. By default, Controllers receive logs for review for every Firefighter session. When there is no activity, the log doesn’t show any transaction codes, so the Controller has nothing to review.
This also causes issues when your SAP GRC system is audited. Remember, from an audit point of view, when the log is empty and a Controller still leaves comments, it raises doubts for your auditor, who may spend more time trying to understand the reasons.
To avoid these issues, simply add parameter 4020 (Generate EAM log for Firefighter sessions with no activity) and set its value to No.
This will add an additional check as shown in the below flow diagram:
This will stop generating the logs for the FF usage when there is no activity.
Ensure your users are entering the right transaction codes (actions) while initiating the Firefighter session
How many times have your users entered incorrect transaction codes while initiating a Firefighter session? I’m sure you have heard this quite a few times from your auditors.
If this is an issue with your users too, you can apply a small enhancement that ensures users enter valid transaction codes in the Actions field (text box).
Implement the Firefighter Login Custom Validation for Reason Code and Activity as described in SAP Note 2404934. Below is the manual process:
Follow the steps below to activate the BADI implementation:
1) Log on to the GRC box and run transaction SE18.
2) Enter the Enhancement Spot ‘GRAC_FF_LOGON_CUST_VALIDATE’ and click the Change button.
3) Under BADI Definitions, double-click the ‘BADI_FF_ACTIONS_VALIDATE’ BADI implementation.
4) Double-click the ‘GRAC_ENH_FF_VALID_ACTS_IMPL’ Enhancement Implementation.
5) Select the ‘Implementation is active’ checkbox under ‘Runtime Behavior’.
6) Save and activate the Enhancement Implementation.
Follow the steps below to create the message short texts:
1) Log on to the GRC box and execute transaction SE91.
2) Enter the message class name ‘GRAC_SPM_MESSAGES’ and click Change.
3) Create the messages as shown below:
Msg No   Message Short Text
205      Enter the Valid actions that you anticipate to perform.
206      Enter the Valid Reason Code Description that you anticipate to perform.
4) Save and activate.
This will add an additional check as mentioned in the below flow diagram:
NOTE: This enhancement is not relevant to GRC 12.
Validate the Transaction codes (actions) entered with the executed ones
With the above enhancement, you can validate that your users are keying in valid transaction codes, but how do you validate that the entered and executed t-codes are the same? This is possible with another small enhancement.
Step # 1 – Create a table with the following fields in the SAP GRC system:
Step # 2 – Enhance the BADI to capture the transaction codes that are entered into the above table.
Step # 3 – Once the session is closed (while generating the log), compare the t-codes and add a comment to the request listing the extra transaction codes executed by the user.
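As an added example (not SAP's code and not the author's BADI), the following Python models the two review checks described above: the no-activity rule controlled by parameter 4020, and the entered-versus-executed comparison of Step 3. The session records, the VALID_TCODES set and all function names are constructed for illustration; in GRC the real logic lives in the BADI and the custom table of Steps 1 and 2.

```python
"""Model of the Firefighter log-review checks (added example, not SAP code):
- skip the controller log for a session with no activity (parameter 4020 = No)
- flag t-codes executed in the session that were not entered in the request
All session data below is constructed for illustration."""
from dataclasses import dataclass, field

# Constructed stand-in for the valid transaction codes of the GRC system;
# the real check (SAP Note 2404934) validates against the SAP system itself.
VALID_TCODES = {"SE38", "SM30", "SU01", "PFCG", "SE16", "SM59"}


@dataclass
class FirefighterSession:
    ff_id: str                   # Firefighter ID used for the session
    firefighter: str             # user who checked out the FF ID
    reason_code: str
    actions_entered: str         # free text typed into the Actions box
    executed_tcodes: list[str] = field(default_factory=list)  # from the session log


def parse_actions(actions_entered: str) -> list[str]:
    """Split the Actions text box into upper-cased transaction codes."""
    cleaned = actions_entered.replace(";", ",")
    return [t.strip().upper() for t in cleaned.split(",") if t.strip()]


def validate_actions(actions_entered: str) -> list[str]:
    """Mirror message 205: return entered tokens that are not valid t-codes."""
    return [t for t in parse_actions(actions_entered) if t not in VALID_TCODES]


def review_session(session: FirefighterSession, log_when_no_activity: bool = False) -> dict:
    """Decide what the Controller receives for one closed session.
    log_when_no_activity models parameter 4020 (False corresponds to 'No')."""
    if not session.executed_tcodes and not log_when_no_activity:
        # Nothing was executed: do not generate a log the Controller cannot review.
        return {"generate_log": False, "status": "no_activity", "comment": ""}
    entered = set(parse_actions(session.actions_entered))
    # T-codes run in the session but never declared in the request (Step 3).
    extra = sorted(set(session.executed_tcodes) - entered)
    if extra:
        comment = "Executed but not requested: " + ", ".join(extra)
        return {"generate_log": True, "status": "review", "comment": comment}
    return {"generate_log": True, "status": "ok", "comment": ""}
```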
Use SAP IRPA to automate the log review process
Many other enhancements can be implemented using SAP IRPA and other automation solutions. These include automatically reviewing logs and closing them when the usage is acceptable and requires no further review, capturing additional information required for auditing the logs, and so on.
Remember, with IRPA auditing can be continuous rather than based on sampling.
Apart from using IRPA, there are various other ways to make your GRC Emergency Access Management audit-ready by adding a few additional capabilities, such as opening the SAP client for direct changes automatically, assigning a Firefighter ID for hours rather than days, etc. These are a few of the enhancements that I’ve implemented with a few clients to close the major audit gaps.
As mentioned, there is a huge gap in the way the Emergency Access application is managed. Today SAP has come up with various enhancements, and the SAP IRPA capabilities make it smoother. These are a few quick enhancements that can be implemented to make your SAP GRC Emergency Access Management audit-ready!