
This chapter provides in-depth detail on Emergency Access Management configuration, firefighter ID usage and
review, and reporting to help your organization maximize the full potential of this tool as part of your effort to
maintain a clean IT environment that is free of segregation of duties violations. Some extra features and future release
options are also discussed.

4 Emergency Access Management Overview


This chapter looks at one of the most powerful tool sets of SAP Access Control, which is also simple to configure and use in
customer environments. Emergency Access Management is used to perform some of the duties that users aren't normally privileged
to do; with appropriate approvals, users can carry out certain business transactions for a specified period. Emergency Access
Management mitigates the additional authorization risk by tracking the changes users make when they use Emergency
Access Management to change or rectify issues through business transactions in the SAP ERP system, rather than through their own,
less privileged logon. This tool is equally valuable in the normal environment to restrict authorizations such as the debugging
authorization for developers in a production environment. Also, period-end closing authorizations or transactions, such as month-end
or year-end closings, may be required for a short period of time by business users without being part of their regular user
authorizations in the SAP system. In other words, providing those transactions too liberally in an IT environment might lead to
business risks and the opportunity to misuse such critical transactions. At the same time, these actions may need to be used as part
of business activities, so their usage needs to be tracked as emergency access actions and audited to ensure that no intentional or
unintentional risks are posed by using these transactions or activities. This kind of emergency action or occasional high-risk
transaction activity is carried out with business approval and self-check-out, so that business flows more smoothly with minimized
risk thanks to the audit tracking in Emergency Access Management.

This tool is also useful during role redesign and role remediation processes by enabling users to address some of the missing
authorizations. It enables the user to continue with the business transactions while your security team addresses the regular
authorization issues, which might take some time per your company policies and procedures. Basically, Emergency Access
Management helps reduce your business downtime due to any authorization-related issues while tracking all of the user activity at
the same time. The Emergency Access Management process workflow provides an auditable process for ensuring the log reports
have been reviewed by supervisors (firefighter ID controllers) following firefighter activity. The process assigns log reports to the
supervisor's inbox, where he can review and approve the firefighter activity. The supervisor also has the opportunity to request
additional justification from the firefighter or forward questionable activity to others for review. This additional process step
provides a complete process for evaluating exception-based access.

In this chapter, we'll review how to use Emergency Access Management, including the different types of users and their
responsibilities, the different types of firefighter application management, and how to configure, monitor, and report.

Emergency Access Management can be used in two different ways: as a firefighter role or as a firefighter ID. You may choose whether
your application is ID based or role based, whichever is suitable for your environment. In this chapter, we'll explore how to configure
the firefighter as ID based or role based by means of configuration parameters during implementation. In a role-based environment,
the special role (firefighter role) is created in the remote system, and the assignment of this role to the requesting user is
approved and provisioned from the SAP Access Control system so that the user can perform emergency access in the target SAP ERP
system. After the assignment is provided, the user logs on to the target SAP ERP system using his own user ID and then uses the
firefighter role to perform emergency activities. The role is assigned with a specific time limit; after the time expires, the role
privileges can't be used. We'll discuss how to use the firefighter role in Section 4.3. In contrast to role-based firefighters, ID-based
firefighters log on from the SAP GRC system. The user invokes Transaction GRAC_SPM to perform emergency activities by selecting
the firefighter ID assigned to their user ID. This lets users check out and check in the firefighter ID from the SAP GRC system, which
acts as a single access point to multiple systems and clients and as the centralized tool. The audit team can also verify the various
activity reports from a single SAP Access Control system. We'll first look at the different types of users, along with their roles and
responsibilities in Emergency Access Management.

4.1 Using Emergency Access Management


The different types of users, their roles, and their responsibilities in using the Emergency Access Management tool are provided in
Table 4.1. The table provides details on the firefighter ID, firefighter owner, reviewer, and firefighter ID user. From Section 3.2.6,
about role activation, we assume that you've populated and generated all GRAC roles and that they are available from Transaction
SU01 for user assignment. All users who need to access the SAP NetWeaver Business Client (NWBC) frontend, irrespective of
their roles and responsibilities, should be assigned the following roles: SAP_GRAC_NWBC, SAP_GRCFN_BASE, and
SAP_GRCFN_BUSINESS_USER.

Enhancements new to SAP Access Control as of versions 10.0 and 10.1 include identifying firefighter IDs by criticality for workflow
routing and the ability for a firefighter user to document additional information about unplanned activity while firefighting. When
viewing the transaction log report or reason code report, supervisors can bring up the log report directly, thus reducing unnecessary
clicks while researching firefighter activity. This is best handled in the centralized Emergency Access Management tool, as shown in
Figure 4.1. Now that we've reviewed the different roles in Emergency Access Management, let's look at the types of logs that are
captured from your SAP ERP system or any other target system during firefighter ID usage. This information is shown as the
activities performed by the user using firefighter privileges, either in report form or sent as an email to the reviewer if
workflow is activated in Emergency Access Management.
Now let's see all the different types of logs that Emergency Access Management captures for auditing purposes. Most of the
activities carried out by the business team or the technical team fall under one of the following log categories.

STAD Transaction Logs
All transactions that are tracked in the statistics records of the system.

Change Logs
Transactional data from the CDHDR and CDPOS tables that is captured for data changes.

Security Audit Log
Log details from Transaction SM20 that are relevant to security statistics.

System Log
Debug log details from Transaction SM21.

OS Command Log
Log details of commands used at the operating system level and invoked from Transactions SM49 and SM69.

Emergency Access Management uses a centralized log-on pad for several reasons:
Display all predefined firefighter IDs assigned to the user.
The firefighter can log on to the remote client system (in older versions, the firefighter had to log on to each individual system).
Reporting can be done from a centralized system.
Messages can be sent to another firefighter who is using the same firefighter ID.
Remote sessions locked by a firefighter can be unlocked.
Now that we've looked at the different user roles in Emergency Access Management and explored the types of logs that are
pulled from your SAP ERP system, let's identify how to configure Emergency Access Management.

4.2 Emergency Access Management Configuration in SAP GRC


The configuration steps of Emergency Access Management are simple and straightforward. We've given all of the configuration
steps and, where necessary, provided additional details to help you better understand the system settings. In this section, we'll
review the following:
Configuration parameters, both in the SAP GUI and in the NWBC
Email configuration
The importance of properly setting up a background job
The implementation settings of the shared components of SAP Access Control, the preliminary checks, and the requirements for
implementation have already been explained in Chapter 3. These settings apply to Emergency Access Management as a
component of SAP GRC.

4.2.1 Configuration Parameters


Figure 4.2 shows the configuration parameters that need to be set for Emergency Access Management. In support packages prior
to 8, these parameters are available under Superuser Privilege Management (SPM); in later support packages they appear under
Emergency Access Management. The parameter group contains parameter IDs that run from 4000 to 4010. Each parameter ID's
description gives the detail on what that parameter is meant for. A few of them are for retrieving and sending log details, and they
have options for you to maintain with YES or NO. Parameter ID 4000 determines whether you want to use the ID-based or the
role-based firefighter application option. If you select the ID-based firefighter application, then you need to maintain parameter
ID 4010 with the role name maintained in SAP ERP or any other target system to identify the firefighter ID. You also need to
maintain another parameter, 1113 (ACCESS CONTROL E-MAIL SENDER, which is part of the WORKFLOW parameter group),
with the value WF-BATCH. This parameter setting is necessary to send email to the controller and owner about the emergency
access activity with user and usage details.
To set these values, execute Transaction SPRO. From here, navigate to GOVERNANCE, RISK AND COMPLIANCE > ACCESS
CONTROL > MAINTAIN CONFIGURATION SETTINGS.
Now that we have explored some of the general configuration parameters, let's review the configuration steps for Emergency Access
Management.
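As an added example (not the book's or SAP's code), the following Python check applies the parameter dependencies just described to an exported parameter table; the dict layout and the ID/ROLE and YES/NO value encodings are assumptions of the example, not the actual SPRO value lists.

```python
"""Consistency check over the Emergency Access Management parameters of Section 4.2.1.
Added example, not SAP code. The dict is a constructed parameter table keyed by
parameter ID that stands in for the values maintained under GOVERNANCE, RISK AND
COMPLIANCE > ACCESS CONTROL > MAINTAIN CONFIGURATION SETTINGS. The encodings ID/ROLE
(4000) and YES/NO (4007) are assumptions of this example, not the real SPRO value lists."""


def check_eam_parameters(params):
    """Return a list of findings; an empty list means the dependencies hold."""
    findings = []
    app_type = str(params.get("4000", "")).strip().upper()
    if app_type not in ("ID", "ROLE"):
        findings.append("4000 (application type) must be ID based or role based")
    # An ID-based application needs the target-system role name that marks a
    # user as a firefighter ID (parameter 4010); role based does not.
    if app_type == "ID" and not str(params.get("4010", "")).strip():
        findings.append("4010 (firefighter ID role name) is empty but 4000 is ID based")
    # Controller/owner e-mails are sent by the workflow batch user, so 1113
    # (ACCESS CONTROL E-MAIL SENDER) must name WF-BATCH or an equivalent ID.
    if not str(params.get("1113", "")).strip():
        findings.append("1113 (e-mail sender) is empty; no notification e-mails will be sent")
    # 4001 is the default firefighter validity period, given in days.
    try:
        if int(params.get("4001", "")) <= 0:
            findings.append("4001 (default validity period) must be a positive number of days")
    except ValueError:
        findings.append("4001 (default validity period) is missing or not a number")
    # 4007 decides whether the log report notification is sent immediately.
    if str(params.get("4007", "")).strip().upper() not in ("YES", "NO"):
        findings.append("4007 (send log report notification immediately) must be YES or NO")
    return findings


# Constructed sample: ID-based setup where the firefighter ID role name was forgotten.
SAMPLE_PARAMS = {"4000": "ID", "4010": "", "1113": "WF-BATCH", "4001": "1", "4007": "NO"}

if __name__ == "__main__":
    for finding in check_eam_parameters(SAMPLE_PARAMS):
        print("finding:", finding)
```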

4.2.2 General Configuration Steps


Most Emergency Access Management configuration parameter usage details are self-descriptive, as you've seen in the previous
section. In this section, we'll look at the general configuration steps, both in the SAP GUI and in SAP NetWeaver Business Client.

Configuration in the SAP GUI

To configure Emergency Access Management with the SAP GUI, follow these steps:
1. Define and assign all required user roles as listed in Table 4.1, in the SAP GRC system and in the target system (e.g., SAP
ERP or any other SAP system).
2. In Transaction SPRO, follow the path SAP CUSTOMIZING IMPLEMENTATION GUIDE > GRC > COMMON
COMPONENTS SETTINGS > INTEGRATION FRAMEWORK > MAINTAIN CONNECTION SETTINGS.
3. Assign a connector to the integration scenario "SUPMG" in the INTEGRATION SCENARIO field shown in the
SCENARIO-CONNECTOR LINK dialog structure of the CHANGE VIEW "SCENARIO-CONNECTOR LINK":
OVERVIEW screen (see Figure 4.3).
4. Set up email settings using Transaction SCOT, and schedule a job for email sending at a regular interval using parameter
ID 1113 with a user ID value of WF-BATCH (refer to Section 4.2.1). Section 4.2.3 shows how to perform these activities.
5. Schedule the REPOSITORY OBJECT SYNCH and EAM MASTER DATA SYNCH jobs to run at regular intervals to
populate users, roles, and authorization objects from the target SAP ERP system into the SAP Access Control system. This is a
mandatory activity to get any changes from the target system reflected in the SAP Access Control system;
this is shared data among the SAP Access Control tools. To perform this activity, execute Transaction SPRO and follow the menu
path GOVERNANCE, RISK AND COMPLIANCE > ACCESS CONTROL > SYNCHRONIZATION.
6. Schedule the FIREFIGHTER LOG SYNCH and FIREFIGHTER WORKFLOW SYNCH jobs to collect the logs that provide the
audit details, from Transaction SPRO using the menu path GOVERNANCE, RISK AND COMPLIANCE > ACCESS CONTROL >
SYNCHRONIZATION. If you're not familiar with job scheduling, see Section 4.2.1 to see how to schedule a background
job.
Now that we've reviewed the configuration of Emergency Access Management through the SAP GUI, let's
explore the technical backend and the configuration needed in the NWBC.
Configuration in the SAP NetWeaver Business Client

To configure Emergency Access Management with SAP NetWeaver Business Client, follow the steps outlined here.
The first step in configuring Emergency Access Management is to log in to the NWBC as the administrator. Administrator
access allows you to set up SAP Access Control owners, set up superuser assignments, and maintain superusers.
From the initial page of the NWBC, follow the menu path in the SETUP workset, and go to ACCESS OWNER >
ACCESS CONTROL OWNERS to define the owners and controllers of Emergency Access Management as holders of the generic
owner privilege of SAP Access Control (see Figure 4.4).
Next, assign firefighter ID owners to firefighter IDs using the OWNERS link under the SUPERUSER ASSIGNMENT heading,
as shown in Figure 4.4; these are the people who will approve the firefighter ID or firefighter role activities in Emergency Access
Management. You can assign firefighter ID controllers from the FIREFIGHTER IDS link shown in Figure 4.4. From the
FIREFIGHTER IDS link, you can maintain the controller details (the controller has already been defined as one of the SAP Access
Control owners in the earlier step), or this can be assigned from the CONTROLLERS link under the SUPERUSER MAINTENANCE
heading. In the same detail screen, you can set how the controller is to be notified of firefighter activities: by EMAIL, WORKFLOW,
or LOG DISPLAY.
Next, in the same screen under the SUPERUSER MAINTENANCE heading, reason codes and controllers are maintained by selecting
the respective links. Also, firefighter ID or role assignment to any SAP ERP user is performed manually from the FIREFIGHTERS link
shown in Figure 4.4 by entering the user ID and validity period to enable the end user to access the firefighter ID or firefighter role;
alternatively, firefighter user access requests can be automated using User Access Management for the access request and approval
process, and approval of such a request updates the same set of tables that are manually maintained for firefighter ID or firefighter
role privileges.
Multiple firefighter IDs can be assigned to the same controller; assuming that most companies use an internal auditor, this
works as a pooled resource to review firefighter access log data.

NOTE:
During actual usage, the ID owner needs to assign the firefighter ID to the firefighter with from/to validity dates manually using
the NWBC. If a firefighter request workflow is configured as a part of User Access Management, the period can be set as one of the
parameter values (4001) in the SAP Access Control configuration, with the value given as a number of days.

Now that we've reviewed the configuration parameters, it's important to review how to set up email configuration.

4.2.3 Email Configuration


In SAP Access Control, you need to set up the SAP email communication settings to send any notification emails. Here you're required
to maintain your email host settings in the Simple Mail Transfer Protocol (SMTP) server details to receive the automated email
notifications that are triggered as a result of background jobs related to emergency activities performed in Emergency Access
Management. Let's see how these settings are made in the SAP GUI.

SAPconnect Administration (Transaction SCOT)

You must configure the SMTP node in Transaction SCOT to enable SPM to send emails to firefighter users. Follow these steps:
1. Log on to the application backend.
2. Open Transaction SCOT.
3. Click CREATE.
4. Follow the prompts, and enter the information for your mail server.
User Configuration for Emails

You configure email messages the same way for both ID-based and role-based Emergency Access Management administration. To
send notification and log messages as emails to a firefighter ID controller (internal auditor), you need to set parameter ID 1113 with
the user ID that holds the workflow batch authorization (that is, WF-BATCH). Alternatively, a different ID with equivalent
authorizations can trigger the workflow to send an email.

Also don't forget another setting mentioned earlier, which is setting the NOTIFICATION TYPE as EMAIL in the NWBC. To do so,
choose SETUP > SUPERUSER MAINTENANCE > CONTROLLERS. If you set this value as WORKFLOW, then the controller
sees a work item in his workflow inbox in SAP NetWeaver Business Client. If you set this value as LOG DISPLAY,
then controllers don't receive email notifications or workflow items, but rather they can view the log from the firefighter log reports.
To receive log email messages, ensure that you schedule the background job as described in the next section.
Scheduling a Background Job to Receive Log Messages

Periodic background jobs are scheduled to monitor the usage of emergency access activities, whether through firefighter IDs or
firefighter roles. The background job records logon events and transaction usage. These jobs must be scheduled to generate and
capture the log data shown in the firefighter log reports. As a best practice, it's recommended to have your background job run
hourly, but this can be set to meet internal business and reporting requirements.
To maintain the background job, use Transaction SM36, or from Transaction SPRO (choose ACCESS CONTROL >
SYNCHRONIZATION JOBS), execute FIREFIGHTER LOG SYNCH or FIREFIGHTER WORKFLOW SYNCH per your
parameter settings.
The background job updates the following database tables. These tables and their values feed the reports and the emails sent out
with the firefighter log details.
GRACAUDITLOG: Security Audit Log table
GRACCHANGELOG: Data Change Log table
GRACOSCMDLOG: Operating System Command Log table
GRACSYSTEMLOG: System Security Log table
GRACFFLOG: Details related to firefighter ID logon information. If you've maintained the SEND LOG REPORT EXECUTION
NOTIFICATION IMMEDIATELY parameter as YES, then it's updated during FIREFIGHTER LOG SYNCH; otherwise, it's updated
during FIREFIGHTER WORKFLOW SYNCH. You maintain this parameter in the CUSTOMIZING ACTIVITY MAINTAIN
CONFIGURATION SETTINGS screen as PARAMETER ID 4007.
GRACROLEFFLOG: This log is updated for role-based applications, that is, when PARAMETER ID 4000 (APPLICATION TYPE)
equals role based.
The other background job in Emergency Access Management is the FIREFIGHTER WORKFLOW SYNCH, as shown in Figure 4.5. This
background job helps you generate requests for the firefighter ID log and sends the workflow to the controller. The FIREFIGHTER
WORKFLOW SYNCH updates the GRACFFLOG and GRACROLEFFLOG tables, triggers the firefighter workflow, and creates firefighter
work items.
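As an added example rather than anything from the book or SAP, the following Python reviews constructed firefighter logon records against the NWBC assignments and validity periods described above and derives how a controller is notified from the NOTIFICATION TYPE and parameter 4007; the record layouts, user names, firefighter IDs and connector name are all constructed stand-ins.

```python
"""Review of constructed firefighter logon records against the assignments and
validity periods an owner maintains in the NWBC, plus the controller delivery
rule from NOTIFICATION TYPE and parameter 4007. Added example, not SAP code; the
record layouts below are simplified stand-ins for GRACFFLOG rows and for the
FIREFIGHTERS assignment entries, with constructed users, IDs and connector."""
from datetime import datetime

# Constructed assignments (SETUP > SUPERUSER ASSIGNMENT > FIREFIGHTERS).
ASSIGNMENTS = [
    {"user": "JDOE", "ff_id": "FF_FI_01", "valid_from": "2015-03-01", "valid_to": "2015-03-05"},
    {"user": "ASMITH", "ff_id": "FF_MM_02", "valid_from": "2015-03-01", "valid_to": "2015-03-31"},
]
# Constructed logon records in the spirit of GRACFFLOG.
SESSIONS = [
    {"session": 1, "user": "JDOE", "ff_id": "FF_FI_01", "connector": "ERPCLNT100", "logon": "2015-03-03 14:02"},
    {"session": 2, "user": "JDOE", "ff_id": "FF_FI_01", "connector": "ERPCLNT100", "logon": "2015-03-09 08:15"},
    {"session": 3, "user": "BLEE", "ff_id": "FF_MM_02", "connector": "ERPCLNT100", "logon": "2015-03-10 09:30"},
]


def _covers(assignment, session):
    """True when the assignment matches user and firefighter ID and its validity
    period (inclusive from/to dates) contains the logon day."""
    day = datetime.strptime(session["logon"], "%Y-%m-%d %H:%M").date()
    start = datetime.strptime(assignment["valid_from"], "%Y-%m-%d").date()
    end = datetime.strptime(assignment["valid_to"], "%Y-%m-%d").date()
    return (assignment["user"] == session["user"]
            and assignment["ff_id"] == session["ff_id"]
            and start <= day <= end)


def unassigned_sessions(sessions, assignments):
    """Session numbers not covered by any assignment: a logon after the validity
    period ended, or by a user who never held the firefighter ID at all."""
    return [s["session"] for s in sessions
            if not any(_covers(a, s) for a in assignments)]


def controller_delivery(notification_type, param_4007):
    """How the controller gets the log, given the NOTIFICATION TYPE from
    SETUP > SUPERUSER MAINTENANCE > CONTROLLERS and parameter 4007 (YES/NO)."""
    kind = notification_type.strip().upper()
    if kind == "EMAIL":
        job = "FIREFIGHTER LOG SYNCH" if param_4007.strip().upper() == "YES" else "FIREFIGHTER WORKFLOW SYNCH"
        return "e-mail from " + job
    if kind == "WORKFLOW":
        return "work item in the NWBC workflow inbox"
    if kind == "LOG DISPLAY":
        return "no notification; controller reads the firefighter log reports"
    raise ValueError("unknown notification type: " + notification_type)


if __name__ == "__main__":
    print("sessions outside any assignment:", unassigned_sessions(SESSIONS, ASSIGNMENTS))
    print("controller delivery:", controller_delivery("EMAIL", "NO"))
```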
