11/14/2015

EAM For the new kid on the block | SCN

Version 4, created by SA on Sep 6, 2014 1:50 PM, last modified by SA on Jan 31, 2015 9:18 AM

G'Day All,

Picking up from my previous topic about ARA for the new kid on the block, this document is just an overview of my understanding of what EAM is and how it works.

The objective of this document is to give people who are just starting out, or even beginning to find their feet, a brief overview of EAM before they get stuck into it and go all in (links provided). This is not intended for people who are well versed on this topic, so if that is you, please feel free to skip it as this might not interest you. However, if you do want to stick around and point out/correct any mistakes or offer advice/suggestions, please by all means do so. I am open to constructive criticism.

I understand there is a lot of content related to EAM on this site and some of the information covered herein might exist elsewhere in some shape or form; however, this is just meant to serve as a conduit for freshers, who might get a tad overwhelmed by all the information lying around. So I hope this document can give them a glimpse of what it is all about and then help them to venture out into the wild.

What is it all about?

EAM enables end users to perform emergency activities outside the parameters of their standard role, but within a controlled and fully auditable environment. The application assigns a temporary Firefighter ID that grants an end user (firefighter) broad yet regulated access, and logs every activity he/she performs using the temporary ID.

This is usually done in emergency situations, where it is imperative for a user to execute certain tasks irrespective of SoD violations and transaction code clashes; however, all of his/her actions are monitored and recorded, making the session completely visible and transparent.

Key challenges of EAM
1. Identification of business processes and creating dedicated Firefighter IDs/Roles pertinent to them.
2. Identification of the need for usage of a Firefighter ID/Role.
3. Identification of Firefighters, Firefighter Owners, Controllers, and Administrators.
4. Identification/standardization of Reason Codes.
5. Consistency of naming conventions for Firefighter IDs/Roles and Reason Codes.
6. Archival policy for the Firefighter logs.
7. An EAM usage policy should be created to identify tasks which can be positively supported by EAM.
8. Last but not least, performance optimization.

Potential functional scenarios for EAM access

Additional resources with additional roles
Approaching month/financial year end and needing additional resources to speed up certain activities. Additional resources are required but they don't have enough authorizations. This task can be easily automated by EAM and an individual activity log would be generated for later review.

Developer access on production system
Developer access on production systems is one of the most critical scenarios, but at times it becomes necessary to allow developer access to fix certain bugs urgently. This is an ideal emergency scenario for assigning a firefighter ID to track each and every activity a developer or a group of developers performs. Developer access on production is never recommended, but when you can't wait for a bugfix to travel through a lengthy procedure (Dev > Qual > Prod) then EAM works as a mighty mitigation control.

Contract user access
To maintain track of contract users' activities for a certain period of time. This can be achieved by assigning Firefighter IDs to contract users for access on the assigned system. This allows all their activities to be recorded for an extended review and hence management oversight is achieved.

Auditor access

Most companies have strict audit procedures in place, which entail both internal and external auditors conducting audits on a regular basis. Auditors can be granted temporary access through EAM.

* By no means is this list exhaustive; however, it should give you an indication of the potential reasons for EAM access.
* Given the fact that EAM is a form of mitigation (please check the ARA document), it is used in scenarios where you have exhausted all other options!!

Firefighter Users, Roles and Responsibilities

Firefighter ID
This is a unique user ID, created with specific roles that allow the firefighter to perform the required tasks. So we can create multiple Firefighter IDs with specific roles and assign them to the designated users (firefighters) for a set period of time.
SU01: Create FFID
Roles: SAP_GRAC_SPM_FFID (This should be exactly the same in the config settings as well; shown further in the document.)

Firefighter Role
This is a unique role, which gets assigned to the firefighter to perform the required tasks.
PFCG/BRM: Create FFROLE. Ensure this role is enabled for firefighting in BRM.

Firefighter
These are the users who get assigned the required Firefighter ID/Role. Firefighter users use the Firefighter ID/Role to perform firefighting tasks.
SU01: Create FFighter or assign the role to an existing user
Role: SAP_GRAC_SUPER_USER_MGMT_USER (This role might need other additional authorizations. Please check the links provided.)

Firefighter Administrator
This is the person who has the ultimate authority over the firefighter program. He/she is responsible for assigning FF IDs/roles to firefighters (if they choose to) and to owners. They can generate reports, ensure reason codes are up to date, etc.
SU01: Create FFADMINISTRATOR or assign the role to an existing user
Roles: SAP_GRAC_SUPER_USER_MGMT_ADMIN, SAP_GRAC_BASE, SAP_GRAC_NWBC

Firefighter Owner
These are the ID/Role owners and are responsible for assigning the FF IDs/roles assigned to them by the administrator to firefighters and controllers. They can also act as controllers; however, they should not be able to assign FF IDs/roles to themselves. There can only be one FF Owner per FF ID/role; however, one FF Owner can have multiple FF IDs/roles.
SU01: Create FFOwner or assign the role to an existing user
Roles: SAP_GRAC_SUPER_USER_MGMT_OWNER, SAP_GRAC_BASE, SAP_GRAC_NWBC

Firefighter Controller
These are the people who monitor the actions of the firefighters. They can do this by viewing the log report and can even receive email notifications when a firefighter logs in.
SU01: Create FFController or assign the role to an existing user
Roles: SAP_GRAC_SUPER_USER_MGMT_CNTLR, SAP_GRAC_BASE, SAP_GRAC_NWBC

* All of the aforementioned roles can/need to be customized. One can use a naming convention that suits their company requirements.

AC10 has the option of having either Centralized or Decentralized firefighting (more on this in the links provided at the end of the document).

Centralized
The user has to go from the plug-in/backend system (R3PRD001) and log in to a GRC system (GRCPRD001), execute GRAC_SPM (or EAM) > which will launch the EAM launchpad > then access the system [R3PRD001 or something else (HCMPRD001), (CRMPRD001) etc] assigned to him/her by clicking the logon button > perform FF tasks.
This is a better option when, in some companies, the user has to access multiple systems. So he/she can log in to the GRC system (GRC Box) and can start firefighter sessions by clicking on 'logon', which will take him/her to the assigned system.
Firefighters can log on centrally as opposed to logging in to multiple systems separately.
FF Administrator, FF Owner, FF Controller, Firefighter and their respective roles have to be maintained in the GRC system.
FFID and its respective role have to be maintained only in the plug-in system.

Decentralized
The user has to stay on the backend system (R3PRD001), execute /n/GRCPI/GRIA_EAM > which will launch the EAM launchpad > then click the logon button to start a session in the very same system (R3PRD001) and perform FF tasks. You can enable DC FF by parameter 1000: GRD (RFC connector pointing to itself), and 4015.
The most important advantage of DC firefighting is that you can continue using firefighter even when the GRC Box is down.
It's also more user friendly since the firefighter doesn't have to log on to the GRC Box in order to start the firefighting session; he/she only needs to execute a transaction in the plug-in/backend system.
Firefighter and his/her respective role have to be maintained just in the plug-in system.
FFID and its respective role have to be maintained only in the plug-in system.
FF Controller and his/her respective role have to be maintained in both the plug-in and GRC system (to receive emails of logs).
FF Administrator and FF Owner and their respective roles have to be maintained in the GRC system.


ID Based vs Role Based
One of the key differences between assigning a firefighter an FFID vs an FF Role is added security.

An FFID is built with a certain role in mind, which has predetermined tcodes assigned to it, and this gets assigned to an end user (firefighter). So if this user wishes to commit fraud, he/she can execute certain tcodes from his/her own user ID and then the remaining ones from the FFID. This way the chance of him/her getting caught depends on thorough monitoring/analysis by the controller/auditors.

Whereas if you build a specific firefighter role with the same tcodes, this role gets assigned to the end user, not to an FFID, so every transaction executed shows up against their own user ID, which makes his/her task of committing fraud a lot harder, if not negligible.

Key differences are as follows:

ID Based: Logs in using own user ID, accesses the FFID from the GRC system and logs in to the system assigned to them (ECC, SRM, CRM etc).
Role Based: Logs in to the plug-in system using own user ID, so everything gets logged against that one ID. Multiple users can use the FFROLE at once.

ID Based: Only one user at a time can use an FFID.
Role Based: Multiple users can use multiple FF Roles at once.

ID Based: The firefighter need not exist in every system assigned to them due to central logon; however, they need to exist in the GRC system (this is only applicable for Centralised firefighting).
Role Based: The firefighter has to exist in every system assigned to them, so multiple logons (this is only applicable if the user needs to perform tasks in other systems).

ID Based: Knows exactly when the FFID is being used as he/she has to log in, so it has a psychological effect (good thing).
Role Based: Hard to differentiate between FF tasks and normal tasks as there is no login required, so it is easy to slip up.

ID Based: Better tracking of FF tasks: specific log reports with Reason Codes. Bonus point from auditors!
Role Based: Time consuming to track FF tasks: no specific log reports, no Reason Codes.

ID Based: Two logins, so potential to commit fraud (1 action using own user ID and 1 action using the FFID).
Role Based: Only one login, so everything gets logged against one ID (own user ID). Harder to commit fraud.

ID Based: Could be hard to track and find out when a fraud has been committed when two logins are used, so it can be a problem with auditors.
Role Based: Easy to track as only one login is used; however, a thorough analysis is required to differentiate FF tasks from normal tasks.

ID Based: GRAC_SPM: tcode for Centralised FFighting > you will see the FFIDs assigned to you.
Role Based: GRAC_SPM: tcode for Centralised FFighting > you will see the FFROLEs assigned to you.

ID Based: /n/GRCPI/GRIA_EAM: tcode for Decentralised FFighting > you can see the FFIDs assigned to you.
Role Based: /n/GRCPI/GRIA_EAM: tcode for Decentralised FFighting > not applicable, so it won't work.
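The table shows why ID-based firefighting puts the burden on the controller: one person acts under two identities (their own user ID and the checked-out FFID), and the two-login pattern only becomes visible once the two trails are joined. The script below is an added example, not code from the original post, that performs that join: it attributes every FFID action to the firefighter who held the FFID at that moment (one holder at a time, as the table states), lists people who acted under both identities in the same system, and flags FFID activity that falls outside any recorded session, which a controller should treat as a logging gap or a bypass to investigate. The record layouts, user names, FFID name, tcodes and reason code are constructed for the example; the system name R3PRD001 is the one used in the post. A real review would take its input from the EAM log report and the target system's audit trail.

```python
"""Join a firefighter's own-ID actions with the FFID actions of the same person.

Added example (not from the original post). Record layouts, names and values
below are constructed; R3PRD001 is the plug-in system name used in the post.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Action:
    """One executed transaction, as the target system logged it (constructed layout)."""
    when: datetime
    system: str
    user: str   # the ID the action was logged against: own user ID or an FFID
    tcode: str


@dataclass(frozen=True)
class FFSession:
    """One FFID checkout, as the EAM log report records it (constructed layout)."""
    ffid: str
    firefighter: str
    system: str
    start: datetime
    end: datetime
    reason_code: str


def attribute_actions(actions, sessions):
    """Return (timeline, unattributed).

    timeline: (person, when, system, tcode, via) tuples sorted by time, where
    via is "own" for the person's own ID or the FFID they were using, so one
    person's activity reads as a single trail.
    unattributed: FFID actions that fall outside every recorded session; a
    controller should treat these as a logging gap or a bypass to investigate.
    """
    ffids = {s.ffid for s in sessions}
    timeline, unattributed = [], []
    for a in actions:
        if a.user not in ffids:
            timeline.append((a.user, a.when, a.system, a.tcode, "own"))
            continue
        # Only one user can hold an FFID at a time (see the table above), so at
        # most one session should cover this action.
        covering = [s for s in sessions
                    if s.ffid == a.user and s.system == a.system
                    and s.start <= a.when <= s.end]
        if not covering:
            unattributed.append(a)
            continue
        timeline.append((covering[0].firefighter, a.when, a.system, a.tcode, a.user))
    timeline.sort(key=lambda entry: entry[1])
    return timeline, unattributed


def split_identity_users(timeline):
    """People who acted under both their own ID and an FFID in the same system,
    i.e. exactly the two-login pattern the table flags for close review."""
    seen = {}
    for person, _, system, _, via in timeline:
        seen.setdefault((person, system), set()).add("own" if via == "own" else "ffid")
    return sorted({person for (person, _), vias in seen.items() if vias == {"own", "ffid"}})


def _t(hour, minute):
    return datetime(2014, 9, 6, hour, minute)


# Constructed sample input: one day in plug-in system R3PRD001.
ACTIONS = [
    Action(_t(9, 5), "R3PRD001", "JSMITH", "FK01"),      # own ID, before the FFID checkout
    Action(_t(9, 40), "R3PRD001", "FF_AP_01", "F110"),   # under the FFID, inside the session
    Action(_t(10, 15), "R3PRD001", "FF_AP_01", "FB60"),  # under the FFID, inside the session
    Action(_t(11, 0), "R3PRD001", "AKHAN", "SE38"),      # unrelated user, own ID only
    Action(_t(13, 30), "R3PRD001", "FF_AP_01", "F110"),  # FFID used with no session recorded
]
SESSIONS = [
    FFSession("FF_AP_01", "JSMITH", "R3PRD001", _t(9, 30), _t(10, 30), "RC_PERIOD_END"),
]

if __name__ == "__main__":
    timeline, gaps = attribute_actions(ACTIONS, SESSIONS)
    for person, when, system, tcode, via in timeline:
        print(f"{when:%H:%M} {system} {person:<8} {tcode:<6} via {via}")
    print("split-identity users:", split_identity_users(timeline))
    print("FFID actions outside any session:", [(a.when.strftime("%H:%M"), a.tcode) for a in gaps])
```

With an empty session list the same function models the role-based column of the table: every action is already logged against the person's own ID, so nothing needs joining, but nothing marks which actions were firefighting either, which is the "thorough analysis" cost the table mentions.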

Configuration in a nutshell
1. Create all EAM users, or decide amongst the existing users who gets what EAM role, using SU01
2. Create/customize all EAM roles using PFCG
3. Assign those roles to their respective users using SU01
4. Create an FFID/FF Role with the predetermined roles/tcodes using SU01/PFCG/BRM
5. Maintain GRC Plug-In System Configuration Parameters:
SPRO > IMG > GRC (Plug-In) > Maintain Plug-In Configuration Settings

Parameter ID | Parameter Value | Description
1000 | Plug-in Connector ID | This information is used to connect to the Plug-In system.
4000 | ID Based: 1 / Role Based: 2 | Application type
4001 | Days | Default Firefighter Validity Period (Days)
4008 | Yes/No | Send Firefighter ID Login Notification
4010 | Z_SAP_GRAC_SPM_FFID | Firefighter ID role name
6. Maintain GRC System Configuration Parameters:
SPRO > IMG > GRC > AC > Maintain Configuration Settings

Parameter ID | Parameter Value | Description
4000 | ID Based: 1 / Role Based: 2 | Application type
4001 | Days | Default Firefighter Validity Period (Days)
4002 | Yes/No | Send Email Immediately
4003 | Yes/No | Retrieve Change Log
4004 | Yes/No | Retrieve System Log
4005 | Yes/No | Retrieve Audit Log
4006 | Yes/No | Retrieve OS Command Log
4007 | Yes/No | Send Log Report Execution Notification Immediately
4008 | Yes/No | Send Firefighter ID Login Notification
4009 | Yes/No | Log Report Execution Notification
4010 | Z_SAP_GRAC_SPM_FFID | Firefighter ID role name
4012 | All Users: 1 / Controllers: 2 | Default users for forwarding the Audit Log workflow
4013 | Yes/No | Firefighter ID owner can submit request for FFID owned
4014 | Yes/No | Firefighter ID controller can submit request for FFID controlled
4015 | Yes/No | Enable Decentralized Firefighting

7. Maintain User Exits
SPRO > IMG > GRC (Plug-In) > Maintain User Exits
8. Maintain Connection Settings: SUPMG Integration scenario
SPRO > IMG > GRC > Common Component Settings > Integration Framework > Maintain Integration Scenario
9. Activate/Check Criticality Level BC Set
SPRO > IMG > SCPR20 > GRAC_SPM_CRITICALITY_LEVEL
10. Maintain Criticality level
SPRO > IMG > GRC > AC > EAM > Maintain Criticality Levels for EAM
11. Run Synchronization jobs
SPRO > IMG > GRC > AC > Synchronization Jobs
Check the help option to see what does what.
12. Schedule Background Jobs for EAM log collection on a periodic basis
SM36 > GRAC_SPM_LOG_SYNC_UPDATE
13. Maintain login/log notifications only if you want to customize the default ones.
SPRO > IMG > GRC (Plug-In) > Maintain Custom Notification/Text Messages for EAM (Plug-In)
14. Verify that the Time Zones of the Operating System and the AC server match, to ensure EAM logs are captured
SPRO > IMG > GRC > General Settings > Time Zones > Maintain System Settings
15. Create/Maintain AC Owners
NWBC > Setup > Access Owners > Access Control Owners
16. Assign FFIDs/FF Roles to FF Owners
NWBC > Setup > Superuser Assignment > Owners
17. Assign FFIDs/FF Roles to end users (firefighters) and controllers
NWBC > Setup > Superuser Assignment > Firefighter IDs
18. Create Reason Codes
NWBC > Setup > Superuser Maintenance > Reason Codes

Once all of the aforementioned tasks are performed successfully, the firefighter can perform firefighting tasks. His/her activities will be logged, which can be monitored by the Controller and viewed by relevant personnel.
* You might encounter problems in regards to FFIDs not showing up, logs not getting collected properly, etc. Please check the links provided for additional information.
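Several of the problems hinted at above (FFIDs not showing up, logs not collected) come down to the two parameter tables disagreeing with each other or with what was maintained in SU01: parameter 4000 set differently on the plug-in and the GRC box, an FFID user that does not carry the role named in 4010, or decentralized firefighting (4015) switched on while connector 1000 does not point at the plug-in system itself. The script below is an added example, not code from the post or from SAP, that runs those consistency checks over the parameter values once they have been exported. The parameter IDs and their meanings are the ones in the two tables above; the system names, role names, FFID user names and the "YES"/"NO" value spelling are constructed, and check_eam_config is a hypothetical helper rather than an SAP API.

```python
"""Consistency checks over the EAM configuration parameters listed in the post.

Added example, not part of the original post. Parameter IDs and meanings come
from the two SPRO tables; system names, role names, FFID user names and the
"YES"/"NO" spelling are constructed. check_eam_config is a hypothetical helper.
"""

# Parameters the post lists in both SPRO trees (plug-in and GRC system).
# A firefighter session spans both boxes, so these have to agree.
SHARED_PARAMETERS = {
    "4000": "Application type",
    "4001": "Default Firefighter Validity Period (Days)",
    "4008": "Send Firefighter ID Login Notification",
    "4010": "Firefighter ID role name",
}


def check_eam_config(plugin, grc, ffid_roles, own_connector):
    """Return a list of findings; an empty list means the setup is consistent.

    plugin, grc: parameter ID -> value, as maintained in the two SPRO paths.
    ffid_roles: FFID user -> set of roles assigned in SU01 (constructed input).
    own_connector: RFC connector name of the plug-in system itself.
    """
    findings = []

    for pid, label in SHARED_PARAMETERS.items():
        if plugin.get(pid) != grc.get(pid):
            findings.append(
                f"{pid} ({label}) differs: plug-in={plugin.get(pid)!r}, GRC={grc.get(pid)!r}")

    # 4000 selects ID-based (1) or role-based (2) firefighting; nothing else is valid.
    if plugin.get("4000") not in ("1", "2"):
        findings.append(f"4000 (Application type) must be 1 or 2, got {plugin.get('4000')!r}")

    # 4001 is a number of days; a non-numeric or non-positive value is a mistake.
    days = plugin.get("4001", "")
    if not days.isdigit() or int(days) < 1:
        findings.append(f"4001 (validity period) must be a positive number of days, got {days!r}")

    # 4010 names the role that marks a user as a Firefighter ID. The post stresses
    # that the role assigned to each FFID in SU01 must match this value exactly.
    ffid_role = plugin.get("4010")
    for user, roles in sorted(ffid_roles.items()):
        if ffid_role not in roles:
            findings.append(f"FFID {user} does not carry the 4010 role {ffid_role!r}")

    # Decentralized firefighting (4015) requires the plug-in connector (1000) to
    # point at the plug-in system itself.
    if grc.get("4015") == "YES" and plugin.get("1000") != own_connector:
        findings.append(
            f"4015 is YES but 1000 points at {plugin.get('1000')!r}, "
            f"not the system itself ({own_connector!r})")

    return findings


# Constructed sample: plug-in system R3PRD001 and GRC box GRCPRD001 (names from the post),
# with three deliberate inconsistencies for the checks to catch.
PLUGIN_PARAMS = {"1000": "GRCPRD001", "4000": "1", "4001": "1", "4008": "YES",
                 "4010": "Z_SAP_GRAC_SPM_FFID"}
GRC_PARAMS = {"4000": "2", "4001": "1", "4008": "YES", "4010": "Z_SAP_GRAC_SPM_FFID",
              "4015": "YES"}
FFID_ROLES = {
    "FF_AP_01": {"Z_SAP_GRAC_SPM_FFID", "Z_AP_PERIOD_END"},
    "FF_BASIS_01": {"Z_BASIS_EMERGENCY"},   # the 4010 marker role was forgotten
}

if __name__ == "__main__":
    for finding in check_eam_config(PLUGIN_PARAMS, GRC_PARAMS, FFID_ROLES, "R3PRD001"):
        print("-", finding)
```

Run it after steps 5 and 6 and again after step 17, since an FFID created later in SU01 without the 4010 role will not appear in the launchpad even though the parameters themselves are fine.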

This pretty much is the gist of EAM. For a more comprehensive understanding/configuration and other bits and pieces on this topic, please check out the links in the following document put together by Alessandro, which covers everything in detail. Please check under Emergency Access Management (EAM).
http://scn.sap.com/docs/DOC57438

A big Thank You to the people who created and made these posts available for the benefit of people like myself. Your time/effort is very much appreciated guys.

Regards,
Leo..

Topics: governance_risk_and_compliance. Tags: grc, ac, firefighter, spm, access_control, eam, grc_10, grc_ac


7 Comments

Ameet kumar Sep 15, 2014 5:31 PM

Excellent post Leo!!
You have captured in and out of EAM.
Like (1)

SA Sep 16, 2014 7:52 AM (in response to Ameet kumar)

Thanks Ameet. Appreciate your feedback.
Like (0)

Jogeswara Rao Kavala Sep 18, 2014 10:10 AM

Very informative post for me.
Like (0)

SA Sep 18, 2014 10:19 AM (in response to Jogeswara Rao Kavala)

Thanks Jogeswara!!
Like (0)

A Roy Oct 2, 2014 2:35 PM

Thanks for a very good article Leo. It really helped me understand it better.

Regards

Roy.
Like (0)

SA Oct 2, 2014 2:51 PM (in response to A Roy)

Thanks Roy! I'm glad it helped you.

Regards
Leo..
Like (0)

Girish Almiya Jul 22, 2015 7:53 AM

Fantastic post Leo!!!

Specially the "Configuration in a nutshell" part.
I enjoyed reading it.

Warm Regards

Girish Almiya
Like (0)
