10 Enhanced EAM Firefighter Features in SAP Access Control 12.0 (2024)


by Raghu Boddu

Emergency access management (EAM) stands out as one of the hero applications within the SAP Access Control suite, widely used for proficiently addressing emergency authorization needs.

This blog delves into the latest enhancements added to EAM with SAP and explores their practical applications.

Before diving into these novel functionalities, it's important to note that many of these features are available in the latest SP levels. Ensure your system is up to date by upgrading to a service pack level exceeding SP14. Notably, certain features are exclusively accessible in the most recent versions like SP23.

New EAM Parameters

Before we start, let’s quickly look at each of the newly added parameters for EAM.



These parameters can be enabled/disabled as per the business requirement. I recommend you go through the latest SAP documentation before implementing or using these parameters. Now let’s move on to looking at the new features in depth!

Dedicated/Single Usage of Firefighter ID

This interesting feature lets companies control which systems and users can have FFIDs assigned to them in dedicated mode. To find out more about how it works, check out my blog post titled "Parameter 4026: Changing How You Use the EAM Application in SAP GRC Access Control" at this link.

Set Ticket Selection to Mandatory in EAM Logon Pad

Parameter 4027, also known as "Set Ticket selection to mandatory in EAM Logon Pad," introduces a valuable enhancement by enabling the ticket selection drop-down and facilitating integration with an external ticket management solution. For detailed implementation instructions, refer to SAP Note 3061274, which outlines the necessary steps for leveraging this enhancement and enhancing the BADI.

Once implemented, parameter 4027 offers the flexibility to enable or disable this feature according to organizational requirements.

When the parameter is configured to "YES," firefighter users will notice a new dropdown menu within the Reason Code section of the Emergency Access Management Launchpad screen. This dropdown allows users to select the relevant ticket number from the integrated ticket management system. The selected data is then stored in a newly created table – GRACFFTICKET – ensuring traceability and auditability for future reference.

Adding Terms & Conditions in EAM Logon Pad

Two new SPRO parameters, 4028 and 4029, have been introduced for Terms and Conditions. When they are maintained/enabled, the EAM Launchpad shows a Terms and Conditions button with a check box, “I Accept the Terms and Conditions”, which becomes a mandatory field for the user to accept the terms and conditions of the organization.


With parameter 4028 (Absolute URL for Terms and Conditions in EAM Logon Pad), you can configure a URL linking to your organization's Terms and Conditions such as data privacy, non-disclosure, etc. Users logging into the FFID within the EAM Launchpad can review and acknowledge these terms. The URL can point to a webpage or a PDF file, opening in a new browser window upon clicking the terms and conditions button. If the parameter is left empty, the button won't appear. While the default value is empty, it's crucial to provide an absolute URL, especially when enabling parameter 4029.

Parameter 4029 (Set acceptance of Terms and Conditions mandatory in EAM Logon Pad) allows you to make acceptance of the terms and conditions mandatory for end users.

Firefighter Log Report Review External Key to Display Value

Until now the Firefighter log report review used to display a preconfigured value in the external key field. This field can now be configured with this enhancement.

To configure the external key to display value per your requirements, set or change SPRO parameter 4030. The SPRO parameter can be any character type value and you can use certain preconfigured variables as below:


Here are a couple of examples for a better understanding of the values that can be maintained in parameter 4030:

When the parameter is set to "{$REQNO} - {$FFOBJECT} was used in {$CONNECTOR}" as shown…


…then the request number/key will be displayed as shown:


Another example for easy and better understanding is if the parameter is set to "{$FFUSER_NAME} logged on as {$FFOBJECT} at {$LOGONTIME}"…


…the output will be as follows:


This parameter simplifies the way the external key is managed and helps a lot during the audit reviews. SAP Note 3331629 details more about this parameter and usage information.
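
As an added illustration (not SAP's implementation and not code from the original post), the following Python sketch checks a parameter 4030 value for unknown variables and renders it for one session record. It assumes plain textual substitution of {$VAR} tokens and knows only the five variables used in the examples above; the function names and the session values are constructed for the example.

```python
import re

# Variables that appear in this page's two parameter 4030 examples.
# The full list supported by SAP is not reproduced here (assumption).
KNOWN_VARS = {"REQNO", "FFOBJECT", "CONNECTOR", "FFUSER_NAME", "LOGONTIME"}

# Matches tokens of the form {$NAME}
PLACEHOLDER = re.compile(r"\{\$(\w+)\}")


def check_template(template):
    """Return the placeholders in the template that are not in KNOWN_VARS."""
    return sorted({name for name in PLACEHOLDER.findall(template)
                   if name not in KNOWN_VARS})


def render_external_key(template, session):
    """Substitute {$VAR} tokens with values from one session record.

    Unknown or missing variables are left in place so a log reviewer
    sees the misconfiguration instead of a silently incomplete key.
    """
    def substitute(match):
        name = match.group(1)
        if name in KNOWN_VARS and name in session:
            return str(session[name])
        return match.group(0)
    return PLACEHOLDER.sub(substitute, template)


# Constructed sample session; none of these values come from a real system.
SAMPLE_SESSION = {
    "REQNO": "REQ-0001",
    "FFOBJECT": "FFID_EXAMPLE",
    "CONNECTOR": "EXAMPLE_CONNECTOR",
    "FFUSER_NAME": "Example User",
    "LOGONTIME": "2024-01-01 10:00:00",
}

if __name__ == "__main__":
    templates = (
        "{$REQNO} - {$FFOBJECT} was used in {$CONNECTOR}",
        "{$FFUSER_NAME} logged on as {$FFOBJECT} at {$LOGONTIME}",
        "{$REQNO} by {$FFUSER}",  # {$FFUSER} is a deliberate typo
    )
    for tpl in templates:
        print(render_external_key(tpl, SAMPLE_SESSION), check_template(tpl))
```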

FFID Assignment history

Table GRACFFUSERARC (Archive SPM Firefighter Assignment to FF ID/Roles) stores all FFID and FF Role assignments to users along with the assignment logs. Refer to SAP Notes 3105586 and 3105587.


Additionally, you'll find the "Updated By" field, providing insight into whether the assignment was made through a workflow process or directly, which addresses one of the key audit requirements.

GRAC_FFSESSION – Session Reporting

The newly introduced transaction code GRAC_FFSESSION (Report GRAC_FIREFIGHTER_SESSIONS) allows you to view the session reports. This takes over the functionality of report GRAC_EAM_LOG_SYNC_TIMEBASED. Instead of the time-based report, you can now select and recollect the logs of sessions with this report. Refer to SAP Notes 3253221 and 3326827.

With this transaction code, administrators can find the login status of the FFID, as shown in this figure:


The "Login Status" field serves as a useful indicator to track the status of each request. Moreover, additional fields are available for various reporting purposes, enhancing the system's capability for detailed analysis and reporting.

Risk Analysis for the FFID in Access Request

Thanks to the enhancement introduced in SAP Note 3295064, it's now possible to conduct risk analysis for FFIDs within the access request feature. A new checkbox has been added to the access request form, allowing users to include the associated risks of the FFID. To make the checkbox available during the request process, set parameter 1038 (Consider FF Assignments in Risk Analysis) to YES as shown:


NOTE: This enhancement is provided by default in GRC 12, Support Package Level 21. If you are on an older SP level and wish to implement it, refer to SAP Note 3295064 to implement manual corrections.

Once the parameter is set to YES, users will see a new check box “Include FFID” in the access request page.


It enables users to perform Risk Analysis for the FFID and the FFUSER during the creation and approval of Access Requests, showcasing the SoD risks associated with both users.

The "Include FFIDs" checkbox is also enabled within the "Access Risk Analysis" work item in the access management tab. It facilitates risk analysis and simulation at user, role, profile, and HR object levels.


FF Logon Pad Changes

Previously, the firefighter session was aligned with the user's session using the firefighter ID in the backend system. It commenced upon the user's login with the firefighter ID and concluded upon logout, as detected by specific processes.

However, there's been a change: the firefighter session is now independent of the user's session with the firefighter ID. This means that the firefighter user can initiate multiple consecutive sessions with different firefighter IDs within a single firefighter session.

To commence a firefighter session, the user simply clicks the logon button and concludes it by clicking the new logoff button in the Firefighter Logon Pad. Initially, the reason code screen must be completed, but thereafter, any action can be categorized as additional activity.


After the firefighter session is closed, the firefighter IDs will be automatically locked. They will remain in this locked state until a user session is initiated, at which point they will be unlocked and available for use again.

GRAC_SPM_MAINTENANCE

The firefighter session concludes when the user selects the logoff button in the Firefighter Logon Pad. Subsequently, another user can only access the same firefighter ID once the previous user has successfully logged out. To address instances where users may forget to log out, it's advisable to schedule a background job to automatically force a logout of these firefighter sessions. SAP recommends scheduling the report GRAC_SPM_MAINTENANCE to run at regular intervals, with a suggested frequency of every 10 minutes. This proactive approach helps ensure the security and integrity of firefighter sessions within the system.

GRAC_FFID_EXPIRE_REMINDER

The “GRAC_FFID_EXPIRE_REMINDER” program is designed to provide reminders for the firefighter IDs (FFIDs) that are close to expiring. It serves as a proactive measure to alert owners and controllers about FFIDs approaching their expiration date, allowing them to take timely action to renew or extend the validity of these IDs. By running this program, organizations can ensure the continuity of firefighter access while maintaining compliance with security policies and regulations.


The period is set to 15 days by default, with the owner option checked. Administrators can customize notifications to be sent to either owners or controllers.

However, the notification will be triggered only when the firefighter “valid from” and “valid to” difference (days) is greater than the given date in the program.


Upon executing the program, the administrator can see the notifications triggered to the owners/controllers in the logs.


The owner/controller will receive an email on their email ID containing a link that redirects to the maintenance screen of NWBC and the FFIDs can be reviewed and extended as needed.

Conclusion

In conclusion, EAM remains a pivotal application within SAP Access Control, crucial for managing emergency authorization needs effectively. This blog post has explored the latest enhancements introduced in EAM, offering practical insights into their implementation and utilization.

The features detailed in this blog not only streamline operations but also increase security and auditability, empowering organizations to mitigate risks effectively and maintain regulatory compliance.


FAQs

What is firefighter access in SAP?

In SAP source system we have what we call a firefighter role where we can assign access so that a developer for example could have temporary access to production in order to troubleshoot a problem. All firefighter access has an expiration date and is logged for auditor purposes.

What are the components of GRC Access Control 12?

The components of SAP GRC Access Control are:
  • Access Request Management.
  • Role Management.
  • Emergency Access Management.
  • Segregation of Duties (SoD) Analysis.
  • Risk Analysis.
  • Access Violation Management.
  • Compliance Management.
  • Audit Management.

What is new in SAP GRC 12?

GRC 12.0 NEW FEATURES FOR AC SOLUTIONS IN BRIEF

Can run risk analysis for FIORI, new FIORI rule set -- Rule set for risk analysis integration with Fiori Apps on S/4HANA On-premise systems. GRC 12.0 now allows to use on Mobile devices as it is SAP Persona based personalisation application.

What is the use of EAM in GRC?

SAP GRC EAM is a powerful tool for balancing the need for emergency access with security and compliance requirements. By carefully planning, configuring, and monitoring EAM, organizations can maintain control over sensitive systems while ensuring the ability to respond effectively to critical situations.

What is fire fighting access?

fire fighting access level means the highest level that a fire appliance ladder may be brought against a building for purposes of fire fighting and evacuation.

What is a firefighter user type?

A Firefighter identity is a special type of user account in an SAP system that provides temporary privileged access to other user accounts. It is used in emergency situations such as a system crash or an urgent issue that needs to be addressed immediately.

What is the difference between GRC 10 and GRC 12?

GRC 12: Leverages the power of SAP HANA (in-memory database), leading to faster performance, especially regarding risk analysis and reporting. Compatibility with S/4HANA systems is a crucial advantage. GRC 10.1: Offers some integration capabilities but with a greater focus on on-premise systems.

What are the key activities under SAP GRC access control?

SAP GRC Access Control consists of the following modules:
  • Access Risk Analysis (ARA)
  • Emergency Access Management (EAM)
  • Business Role Management (BRM)
  • Access Request Management (ARM)
  • User Access Review (UAR)

What are the 4 key themes of SAP GRC?

  • SAP GRC- Focus on the Enterprise Risk and Compliance pillar.
  • SAP GRC- Focus on the Identity and Access Governance pillar.
  • SAP GRC- Focus on the International Trade Management pillar.
  • SAP GRC- Focus on the Cybersecurity, Data Protection and Privacy pillar.

How to configure firefighter in SAP?

Configure the Firefighter ID Role Name. You assign this role to user accounts to create Firefighter IDs. In Customizing, open the activity Maintain Configuration Settings, under Governance, Risks, and Compliance Access Control. For parameter 4010, enter the user-defined role name, for example, SAP_GRAC_EAM_FFID.

What does EAM mean in SAP?

Enterprise asset management (EAM) incorporates the management and maintenance of physical assets owned by a company throughout the entire lifecycle of an asset, from capital planning, procurement, installation, performance, maintenance, compliance, risk management, through to asset disposal.

How to check firefighter logs in SAP GRC?

How to Find the Pending Fire fighter logs that are pending with FF Controller for approval with in particular time frame in GRC 10.
  1. In the system GRC system execute the transaction SE16. ...
  2. In the system GRC system execute the transaction SE16.

What is emergency access in SAP?

Emergency Access Management provides a centralized console in the SAP Access Control system. Through the console, you, as a firefighter can log on to different systems for firefighting. Therefore, you don't have to log on to individual client systems to do a firefighting.

How do I access FFID in SAP?

Firefighter login into GRC system or plugin system and using GRAC_EAM or /GRCPI/GRIA_EAM transaction respectively. After SP21 Log Off button is explicitly provided to end the FF session. This helps in recording the exact time of FFID log off.

What is the difference between firefighter owner and controller?

The FireFighter ID Owner determines the appropriate assignment for the Firefighter ID. The FireFighter Controller for that FFID is notified when it is used. The FireFighter User actions are logged and reviewed by FireFighter Controller or Delegate when the Firefighter logs out.

How do I assign a firefighter ID in SAP?

Configure the Firefighter ID Role Name. You assign this role to user accounts to create Firefighter IDs. In Customizing, open the activity Maintain Configuration Settings, under Governance, Risks, and Compliance Access Control. For parameter 4010, enter the user-defined role name, for example, SAP_GRAC_EAM_FFID.
