EAM For the new kid on the block | SCN
Version 4
created by SA on Sep 6, 2014 1:50 PM, last modified by SA on Jan 31, 2015 9:18 AM
G'Day All,
Picking up from my previous topic about ARA For the new kid on the block, this document is just an overview of my understanding of what EAM is and how it works.
The objective of this document is to give people who are just starting out, or even beginning to find their feet, a brief overview of EAM before they can get stuck into it and go all in (links provided). This is not intended for people who are well versed on this topic, so if that is you, please feel free to skip it as this might not interest you. However, if you do want to stick around and point out/correct any mistakes or offer advice/suggestions, please by all means do so. I am open to constructive criticism.
I understand there is a lot of content related to EAM on this site and some of the information covered herein might exist elsewhere in some shape or form; however, this is just meant to serve as a conduit for freshers, who might get a tad overwhelmed by all the information lying around. So I hope this document can give them a glimpse of what it is all about and then help them to venture out into the wild.
What is it all about?
EAM enables end users to perform emergency activities outside the parameters of their standard role, but within a controlled and fully auditable environment. The application assigns a temporary Firefighter ID that grants an end user (firefighter) broad yet regulated access, and logs every activity he/she performs using the temporary ID.
This is usually done in emergency situations, where it is imperative for a user to execute certain tasks irrespective of SOD violations and transaction code clashes; however, all of his/her actions are monitored and recorded, making the session completely visible and transparent.
Key challenges of EAM
1. Identification of Business Processes and creating dedicated Firefighter IDs/Roles pertinent to them.
2. Identification of the need for usage of Firefighter ID/Role
3. Identification of Firefighters, Firefighter Owners, Controllers, and Administrators.
4. Identification/Standardization of Reason Codes
5. Consistency of naming conventions for Firefighter ID/Roles and Reason Codes.
6. Archival policy for the Firefighter Logs
7. EAM usage policy should be created to identify tasks which can be positively supported by EAM.
8. Last but not least, performance optimization.
Potential functional scenarios for EAM Access

Additional resources with additional roles
Approaching month/financial year end and need additional resources to speed up certain activities. Additional resources are required but they don't have enough authorizations. This task can be easily automated by EAM and an individual activity log would be generated for later review.

Developer access on production system
Developer access on production systems is one of the most critical scenarios, but at times it becomes necessary to allow developer access to fix certain bugs urgently. This is an ideal emergency scenario for assigning a Firefighter ID to track each and every activity a developer or a group of developers perform. Developer access on production is never recommended, but when you can't wait for a bugfix to travel through a lengthy procedure (Dev > Qual > Prod) then EAM works as a mighty mitigation control.

Contract user access
To maintain track of contract users' activities for a certain period of time. This can be achieved by assigning Firefighter IDs to contract users for access on the assigned system. This allows all their activities to be recorded for an extended review and hence management oversight is achieved.

Auditor Access
Most companies have strict audit procedures in place, which entail both internal and external auditors conducting audits on a regular basis. Auditors can be granted temporary access through EAM.

* By no means is this list exhaustive; however, it should give you an indication of the potential reasons for EAM Access.
* Given the fact that EAM is a form of Mitigation (please check the ARA document), it is used in scenarios where you have exhausted all other options!!
Firefighter Users, Roles and Responsibilities

Users/FFID/FFROLE | Roles & Responsibilities

Firefighter ID
  This is a unique user ID, created with specific roles that allow the firefighter to perform the required tasks. So we can create multiple Firefighter IDs with specific roles and assign them to the designated users (Firefighters) for a set period of time.
  SU01: Create FFID
  Roles: SAP_GRAC_SPM_FFID (This should be exactly the same in config settings as well. Shown further in the document)

Firefighter Role
  This is a unique role, which gets assigned to the firefighter to perform the required tasks.
  PFCG/BRM: Create FFROLE. Ensure this role is enabled for firefighting in BRM.

Firefighter
  These are the users who get assigned the required Firefighter ID/Role. Firefighter users use the Firefighter ID/Role to perform firefighting tasks.
  SU01: Create Firefighter or assign the role to an existing user
  Role: SAP_GRAC_SUPER_USER_MGMT_USER (This role might need other additional authorizations. Please check the links provided)

Firefighter Administrator
  This is the person who has the ultimate authority over the firefighter program. He/she is responsible for assigning FFIDs/roles to firefighters (if they choose to) and Owners. They can generate reports, ensure reason codes are up to date etc.
  SU01: Create FF Administrator or assign the role to an existing user
  Roles: SAP_GRAC_SUPER_USER_MGMT_ADMIN, SAP_GRAC_BASE, SAP_GRAC_NWBC

Firefighter Owner
  These are the ID/Role owners and are responsible for assigning the FFIDs/roles assigned to them by the administrator to firefighters and controllers. They can also act as controllers; however, they should not be able to assign FF IDs/roles to themselves. There can only be one FF Owner per FF ID/role; however, one FF Owner can have multiple FF IDs/roles.
  SU01: Create FF Owner or assign the role to an existing user
  Roles: SAP_GRAC_SUPER_USER_MGMT_OWNER, SAP_GRAC_BASE, SAP_GRAC_NWBC

Firefighter Controller
  These are the people who monitor the actions of the firefighters. They can do this by viewing the log report and can even receive email notifications when a Firefighter logs in.
  SU01: Create FF Controller or assign the role to an existing user
  Roles: SAP_GRAC_SUPER_USER_MGMT_CNTLR, SAP_GRAC_BASE, SAP_GRAC_NWBC

* All of the aforementioned roles can be/need to be customized. One can use a naming convention that suits their company requirements.
AC 10 has the option of having either Centralized or Decentralized firefighting (more on this in the links provided at the end of the document).

Centralized
User has to go from the plug-in/backend system (R3PRD001) and log into a GRC System (GRCPRD001), execute GRAC_SPM (or EAM) > which will launch the EAM launchpad > then access the system [R3PRD001 or something else (HCMPRD001), (CRMPRD001) etc] assigned to him/her by clicking the logon button > perform FF tasks.
This is a better option when, in some companies, the user has to access multiple systems. So he/she can log into the GRC system (GRC Box) and can start firefighter sessions by clicking on 'logon', which will take him/her to the assigned system.
- Firefighters can log on centrally as opposed to logging into multiple systems separately
- FF Administrator, FF Owner, FF Controller, Firefighter and their respective roles have to be maintained in the GRC system
- FFID and its respective role has to be maintained only in the plug-in system

Decentralized
User has to stay on the back-end system (R3PRD001), execute /n/GRCPI/GRIA_EAM > which will launch the EAM launchpad > then click the logon button to start a session in the very same system (R3PRD001) and perform FF tasks. You can enable DCFF by parameter 1000: GRD (RFC Connector pointing to itself), 4015.
- The most important advantage of DC firefighting is that you can continue using firefighter even when the GRC Box is down.
- It's also more user friendly since the firefighter doesn't have to log on to the GRC Box in order to start the firefighting session; he/she only needs to execute a transaction in the plug-in/backend system.
- Firefighter and his/her respective role has to be maintained just in the plug-in system
- FFID and its respective role has to be maintained only in the plug-in system
- FF Controller and his/her respective role has to be maintained both in the plug-in/GRC system (to receive emails of logs)
- FF Administrator and FF Owner and their respective roles have to be maintained in the GRC system
ID Based vs Role Based
One of the key differences between assigning a Firefighter an FFID vs an FF Role is added security.
An FFID is built with a certain role in mind, which has predetermined tcodes assigned to it, and this gets assigned to an end user (firefighter). So if this user wishes to commit fraud, he/she can execute certain tcodes from his/her own user ID and then the remaining ones from the FFID. This way the chances of him/her getting caught depend on thorough monitoring/analysis by the controller/auditors.
Whereas if you build a specific firefighter role with the same tcodes, this role gets assigned to the end user, not an FFID, so every transaction executed shows up against their user ID, which makes his/her task of committing fraud a lot harder if not negligible.
Key differences are as follows:
ID Based: Logs in using own user ID, accesses FFID from the GRC System and logs into the system assigned to them (ECC, SRM, CRM etc).
Role Based: Logs into the plug-in system using own user ID, so everything gets logged against that one ID. Multiple users can use the FFROLE at once.

ID Based: Only one user at a time can use a FFID.
Role Based: Multiple users can use multiple FF Roles at once.

ID Based: ... system (This is only applicable for Centralised firefighting).
Role Based: Firefighter has to exist in every system assigned to them so multiple logons. (This is only applicable if the user needs to perform tasks in other systems).

ID Based: Knows exactly when FFID is being used as he/she has to login so has a psychological effect (good thing).

ID Based: Better tracking of FF tasks - Specific log reports with Reason Codes. Bonus point from Auditors!
Role Based: Time consuming to track FF tasks - No specific log reports. No Reason Codes.

ID Based: Two logins so potential to commit fraud. (1 action using own User ID and 1 action using FFID).
Role Based: Only one login, so everything gets logged against one ID (own user ID). Harder to commit fraud.

ID Based: Could be hard to track and find out when a fraud has been committed so can be a problem with auditors. When two logins used
Role Based: ... tasks.

ID Based: GRAC_SPM: TCode for Centralised FFighting > You will see FFIDs assigned to you
Role Based: GRAC_SPM: TCode for Centralised FFighting > You will see FFROLEs assigned to you

ID Based: /n/GRCPI/GRIA_EAM: TCode for DeCentralised FFighting > You can see the FFIDs assigned to you
Role Based: /n/GRCPI/GRIA_EAM: TCode for DeCentralised FFighting > Not applicable so won't work
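
The two-login risk of ID-based firefighting described above, as an added example that is not part of the original document: a controller-side review that joins the FFID session log with activity under the firefighter's own user ID and reports pairs that together form an SoD conflict. The record layouts, user names, FFIDs and SoD pairs are constructed assumptions, not a GRC export format.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed SoD rule set: tcode pairs one person should not combine.
SOD_PAIRS = {frozenset({"XK01", "F110"}), frozenset({"ME21N", "MIGO"})}

# Constructed FFID session log: (firefighter, FFID, login, logout, tcodes run under the FFID)
FF_SESSIONS = [
    ("JSMITH", "FF_FIN_01", "2015-01-10 09:00", "2015-01-10 09:40", ["F110", "FBL1N"]),
    ("ALEE", "FF_MM_01", "2015-01-11 14:00", "2015-01-11 14:20", ["MIGO"]),
]

# Constructed activity logged against users' own IDs: (user, time, tcode)
OWN_ACTIVITY = [
    ("JSMITH", "2015-01-10 08:45", "XK01"),  # shortly before the FFID session
    ("JSMITH", "2015-01-02 10:00", "XK01"),  # outside the default review window
    ("ALEE", "2015-01-11 13:50", "ME23N"),   # no conflict with MIGO in the rule set
    ("BKHAN", "2015-01-10 09:10", "XK01"),   # different person, not correlated
]


def split_activity_findings(sessions, own_activity, window_hours=24):
    """Return (firefighter, ffid, own_tcode, ff_tcode) tuples where one half of
    an SoD pair ran under the user's own ID and the other half under the FFID,
    within window_hours before login or after logout of that FFID session."""
    window = timedelta(hours=window_hours)
    findings = []
    for user, ffid, login, logout, ff_tcodes in sessions:
        start = datetime.strptime(login, FMT) - window
        end = datetime.strptime(logout, FMT) + window
        for own_user, when, own_tcode in own_activity:
            if own_user != user:
                continue
            if not start <= datetime.strptime(when, FMT) <= end:
                continue
            for ff_tcode in ff_tcodes:
                if frozenset({own_tcode, ff_tcode}) in SOD_PAIRS:
                    findings.append((user, ffid, own_tcode, ff_tcode))
    return findings


if __name__ == "__main__":
    for finding in split_activity_findings(FF_SESSIONS, OWN_ACTIVITY):
        print(finding)
```

With role-based firefighting both halves would already appear under one user ID, so this join is only needed for ID-based setups.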
Configuration in a nutshell
1. Create all EAM users or decide amongst the existing users who gets what EAM role using SU01
2. Create/customize all EAM roles using PFCG
3. Assign those roles to their respective users using SU01
4. Create an FFID/FF Role with the predetermined roles/tcodes using SU01/PFCG/BRM
5. Maintain GRC Plug-In System Configuration Parameters:
   SPRO > IMG > GRC (Plug-In) > Maintain Plug-In Configuration Settings
   Parameter ID | Parameter Value | Description
   1000 | Plug-in Connector ID | This information is used to connect to the plug-in system.
   4000 | ID Based: 1, Role Based: 2 | Application type
   4001 | Days | Default Firefighter Validity Period (Days)
   4008 | Yes/No | Send Firefighter Id Login Notification
   4010 | Z_SAP_GRAC_SPM_FFID | Firefighter ID role name
6. Maintain GRC System Configuration Parameters:
   SPRO > IMG > GRC > AC > Maintain Configuration Settings
   Parameter ID | Parameter Value | Description
   4000 | ID Based: 1, Role Based: 2 | Application type
   4001 | Days | Default Firefighter Validity Period (Days)
   4002 | Yes/No | Send Email Immediately
   4003 | Yes/No | Retrieve Change Log
   4004 | Yes/No | Retrieve System log
   4005 | Yes/No | Retrieve Audit log
   4006 | Yes/No | Retrieve OS Command log
   4007 | Yes/No | Send Log Report Execution Notification Immediately
   4008 | Yes/No | Send Firefighter Id Login Notification
   4009 | Yes/No | Log Report Execution Notification
   4010 | Z_SAP_GRAC_SPM_FFID | Firefighter ID role name
   4012 | All Users: 1, Controllers: 2 | Default users for forwarding the Audit Log workflow
   4013 | Yes/No | Firefighter ID owner can submit request for FFID owned
   4014 | Yes/No | Firefighter ID controller can submit request for FFID controlled
   4015 | Yes/No | Enable Decentralized Firefighting
7. Maintain User Exits
   SPRO > IMG > GRC (Plug-In) > Maintain User Exits
8. Maintain Connection Settings: SUPMG Integration scenario
   SPRO > IMG > GRC > Common Component Settings > Integration Framework > Maintain Integration Scenario
9. Activate/Check Criticality Level BC Set
   SPRO > IMG > SCPR20 > GRAC_SPM_CRITICALITY_LEVEL
10. Maintain Criticality level
   SPRO > IMG > GRC > AC > EAM > Maintain Criticality Levels for EAM
11. Run Synchronization jobs
   SPRO > IMG > GRC > AC > Synchronization Jobs
   Check for the help option to see what does what.
12. Schedule Background Jobs for EAM log collection on a periodic basis
   SM36 > GRAC_SPM_LOG_SYNC_UPDATE
13. Maintain login/log notifications only if you want to customize the default ones.
   SPRO > IMG > GRC (Plug-In) > Maintain Custom Notification/Text Messages for EAM (Plug-In)
14. Verify that the Time Zones of the Operating System and the AC server match to ensure EAM logs are captured
   SPRO > IMG > GRC > General Settings > Time Zones > Maintain System Settings
15. Create/Maintain AC Owners
   NWBC > Setup > Access Owners > Access Control Owners
16. Assign FFID/FF Roles to FF Owners
   NWBC > Setup > Superuser Assignment > Owners
17. Assign FFID/FF Roles to end users (firefighter) and controllers
   NWBC > Setup > Superuser Assignment > Firefighter IDs
18. Create Reason Codes
   NWBC > Setup > Superuser Maintenance > Reason Codes

Once all of the aforementioned tasks are performed and successful, the firefighter can perform firefighting tasks. His/her activities will be logged, which can be monitored by the Controller and viewed by relevant personnel.
* You might encounter problems in regards to FFID not showing up, logs not getting collected properly etc. Please check the links provided for additional information.
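
A consistency check over the parameters from steps 5 and 6, as an added example that is not part of the original document and not SAP code. It encodes three points made on this page: the FFID role name in 4010 must match the role actually assigned to each FFID, decentralized firefighting (4015) needs the plug-in connector in 1000, and the decentralized launchpad does not apply to role-based firefighting. That 4000 and 4010 should agree between GRC and plug-in is an assumption, and the dictionaries and FFID names are constructed sample values.

```python
def check_eam_config(grc, plugin, ffid_roles):
    """Return a sorted list of finding codes for an EAM parameter set.

    grc / plugin: parameter ID -> value as maintained on each system.
    ffid_roles:   Firefighter ID -> roles assigned to it in SU01.
    """
    findings = set()
    app_type = grc.get("4000")
    if app_type not in ("1", "2"):
        findings.add("4000_INVALID")
    # Assumption: parameters listed for both systems should carry the same value.
    for pid in ("4000", "4010"):
        if grc.get(pid) != plugin.get(pid):
            findings.add(pid + "_MISMATCH")
    if str(grc.get("4015", "")).upper() == "YES":
        if app_type == "2":
            # The page marks /n/GRCPI/GRIA_EAM as not applicable for role based.
            findings.add("4015_WITH_ROLE_BASED")
        if not plugin.get("1000"):
            findings.add("1000_MISSING")
    if app_type == "1":
        ffid_role = grc.get("4010")
        for ffid, roles in ffid_roles.items():
            if ffid_role not in roles:
                findings.add("FFID_ROLE_MISSING:" + ffid)
    return sorted(findings)


# Constructed sample values for illustration only.
GRC = {"4000": "1", "4001": "30", "4010": "Z_SAP_GRAC_SPM_FFID", "4015": "Yes"}
PLUGIN = {"1000": "", "4000": "2", "4010": "SAP_GRAC_SPM_FFID"}
FFIDS = {
    "FF_FIN_01": ["Z_SAP_GRAC_SPM_FFID", "Z_FIN_EMERGENCY"],
    "FF_MM_01": ["SAP_GRAC_SPM_FFID"],
}

if __name__ == "__main__":
    for code in check_eam_config(GRC, PLUGIN, FFIDS):
        print(code)
```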
This pretty much is the gist of EAM. For a more comprehensive understanding/configuration and other bits and pieces on this topic, please check out the links in the following document put together by Alessandro, which covers everything in detail.
Please check under Emergency Access Management (EAM).
http://scn.sap.com/docs/DOC57438
A big Thank You to the people who created and made these posts available for the benefit of people like myself. Your time/effort is very much appreciated guys.
Regards,
Leo..
Topics: governance_risk_and_compliance Tags: grc, ac, firefighter, spm, access_control, eam, grc_10, grc_ac
7 Comments

Ameet kumar Sep 15, 2014 5:31 PM
Excellent post Leo!!
You have captured in and out of EAM.

SA Sep 16, 2014 7:52 AM (in response to Ameet kumar)
Thanks Ameet. Appreciate your feedback.

Jogeswara Rao Kavala Sep 18, 2014 10:10 AM
Very informative post for me.

SA Sep 18, 2014 10:19 AM (in response to Jogeswara Rao Kavala)
Thanks Jogeswara!!

A Roy Oct 2, 2014 2:35 PM
Thanks for a very good article Leo. It really helped me understand it better.
Regards
Roy.

SA Oct 2, 2014 2:51 PM (in response to A Roy)
Thanks Roy! I'm glad it helped you.
Regards
Leo..

Girish Almiya Jul 22, 2015 7:53 AM
Fantastic post Leo!!!
Specially "configuration in Nutshell" Part
I enjoyed reading it
Warm Regards
Girish Almiya