Preparing Emergency Access Management (2024)

Preparing Emergency Access Management (1)

Sometimes, to solve critical issues in emergency situations, companies must give users broad authorizations out of regular job functions. For example, an accountant must urgently correct financial documents for previous periods, or technical experts must urgently fix a system error that influences critical business processes. But how do you regulate such processes to control the provisioning of broad authorizations and monitor activities so that you ensure compliance?

By using Emergency Access Management (EAM) functionality of SAP Access Control you can define, manage, grant, and monitor emergency access.

EAM allows users to take responsibility for tasks outside of their normal job function. Through EAM, you can grant users extra access by giving them temporary access to a super user, or firefighter ID. A firefighter owner controls these special super users, and they are monitored by a firefighter controller. The firefighter owner is charged with approving access to specific firefighter IDs. A standard access request workflow drives thisprocess. A user creates an access request of type Superuser Access. The firefighter owner approves the access request. Once access to the firefighter ID is provided, the user (firefighter) can use the firefighter ID. A firefight session opens in the target environment where the firefighter can perform the required actions with the extra access. A detailed log of actions performed using the firefighter ID during an emergency access session is recorded in the target system. SAP Access Control sends these logs to the firefighter controller who monitors and reviews the logs and activities performed by the firefighter.

SAP Access Control system provides emergency access to SAP ABAP target systems' back-end applications and SAP HANA Database through SAP GUI interface. Also, it provides emergency access to SAP ABAP target systems' web based applications through Web GUI interface.

Preparing Emergency Access Management (2)

There are two different application types that you can use for EAM, which are ID-based and Role-based. You can only configure one type for use at any given time.

  1. ID-based EAM Application

    Firefighter ID is user of service type with elevated privileges in a target system. Administrators create firefighter ID in the target system and assign a specific role to firefighter ID to distinguish the firefighter ID among other service users in the target system. SAP Access Control recognizes a particular service user as Firefighter ID by assignment of this specific role.

    You can assign the firefighter ID to a user either manually or through an access request. Firefighters access their assigned firefighter IDs to conduct a firefight session within validity dates in two ways:

    • In the SAP Access Control system using the ABAP GUI and transaction GRAC_EAM (Centralized Firefighting).
    • In the target back-end system using the ABAP GUI and transaction /GRCPI/GRIA_EAM (Decentralized Firefighting).

    In the previously mentioned transactions (SAP Access Control or target system) a system opens a new ABAP GUI session under Firefighter ID user - a firefight session. The user works there from the firefighter ID user and performs emergency activities. One firefighter can be assigned to several firefighter IDs, and several firefighter IDs can be assigned to one firefighter. Note that only one firefighter can work in a firefight session under a firefighter ID at one point in time. A system shows red indicator if firefighter ID is in use by another firefighter. Changes made during a firefight session are captured in the change history under the firefighter ID user. In firefighting logs everything is documented with the firefighter ID, not the firefighter's user ID.

  2. Role-based EAM Application

    Firefighter roles are roles in a target system with elevated privileges. Firefighter roles are assigned to the user in the SAP Access Control system. The user can access the firefighter roles within the validity dates. A firefighter logs on to the target system as usual, using their own user ID and performs activities provided in the user's role and firefighter role assigned to the user. If the user uses a transaction that is contained in the firefighter role, the system treats this as a firefight session. Transactions and change histories are logged with the firefighter's own user ID.

    In both ID-based and role-based EAM scenarios, administrators maintain firefighter owners and controllers for firefighter IDs/roles in SAP Access Control system. Firefighters usually request access to firefighter IDs/roles for certain validity dates through access requests, with a subsequent approval process. Also, administrators can assign firefighter IDs/roles to firefighters without approval process.

Preparing Emergency Access Management (3)

Let's go back to one of the preceding examples. Imagine that a technical expert must urgently fix a system error that affects critical business processes. Which systems can the firefighters use to do firefighting activities? Here we distinguish between a centralized and a decentralized access for firefighter ID-based EAM scenario.

Centralized Firefighting Overview:

Emergency Access Management provides a centralized console in the SAP Access Control system. Through the console, you, as a firefighter can log on to different systems for firefighting. Therefore, you don't have to log on to individual client systems to do a firefighting.

The centralized logon pad allows you to:

  • Display all firefighter IDs assigned to the user.
  • Log on to all target systems using assigned firefighter IDs.

Decentralized Firefighting Overview:

Decentralized firefighting allows you to use the Emergency Access Management launchpad directly on target systems to perform firefighting activities. It is useful if the SAP Access Control System is not available for centralized firefighting.

Decentralized firefighting allows you to use and administration the following specific functions on the target back-end system:

  • EAM launchpad that shows firefighter IDs for the current target system.
  • Extension of validity periods for expired firefighter assignments.
Preparing Emergency Access Management (4)

SAP Access Control supports Emergency Access Management for web-based applications of ABAP solutions. Web-based firefighting is ID-based and accessible only through a centralized scenario. For the decentralized firefighter scenario, the web-based firefighting is not supported. To access web-based firefighting, a firefighter opens a Web GUI interface of SAP Access Control. You can see the Web GUI interface of SAP Access Control in the preceding screenshot. Then, the firefighter runs the transaction GRAC_EAM and chooses the required firefighter ID to start a firefight session. The firefight session opens as a new tab in a web browser, where the firefighter can perform actions. Detailed logging of firefighting activities is currently not available for web-based firefighting.

Preparing Emergency Access Management (5)

Before you can use the emergency access sessions, some prerequisites must be completed. These prerequisites include:

  1. A user exit must be implemented on the target systems to prevent users from logging on with firefight IDs directly to a target system (refer to SAP Note 1545511 for details) in case of ID-based firefighting scenario.
  2. Create users as needed in the target systems, refer to the lists below. Synchronize the users with a GRC Repository Sync (transaction GRAC_REP_OBJ_SYNC).
  3. Create Firefighter role in target system, import it to SAP Access Control system and mark it for firefighting in Business Role Management component in case of role-based firefighting scenario.
  4. Assign owners to firefighter IDs/roles in SAP Access Control.
  5. Assign controllers to firefighter IDs/roles in SAP Access Control.
  6. Create reason codes for ID-based scenario in SAP Access Control.

Prerequisite users in the SAP Access Control system:

  • Firefighter user (for centralized firefighting).
  • Firefighter controller.
  • Firefighter owner.

Prerequisite users in the target system:

  • Firefighter ID with elevated privileges (for ID-based scenario).
  • Firefighter user (for decentralized firefighting).
  • Firefighter controller / owner (for validity date extension and receiving login notifications in case of decentralized firefighting).

Let's view the prerequisite steps from Step 4 to Step 6 for an ID-based firefighting scenario: assignment of owners, controllers to firefighter ID, and maintaining reason codes. You can define firefighter owners in the Owners of SAP Access Control Fiori Launchpad app.

Preparing Emergency Access Management (6)
Preparing Emergency Access Management (7)

To make a new firefighter owner - firefighter ID assignment, choose Assign. To view an existing assignment of a firefighter owner or firefighter ID, select a row and choose Open.

Preparing Emergency Access Management (8)

While assigning a firefighter owner to a firefighter ID you specify an owner ID and add the firefighter IDs that will be under this owner responsibility. Several firefighter IDs can be assigned to one firefighter owner and several firefighter owners can be assigned to one firefighter ID.

Firefighter Controller

To assign and view firefighter controllers, open the Controllers app.

Preparing Emergency Access Management (9)
Preparing Emergency Access Management (10)

To make a new firefighter controller - firefighter ID assignment, choose Assign. To view an existing firefighter controller - firefighter ID assignment, select a row and choose Open.

Preparing Emergency Access Management (11)

While assigning a firefighter controller to a firefighter ID you specify a controller ID and add firefighter IDs that will be under this controller responsibility. Several firefighter IDs can be assigned to one firefighter controller and several firefighter controllers can be assigned to one firefighter ID. A controller who is assigned to the firefighter ID receives notification of the firefighter activities in the delivery option specified in the assignment. Delivery can be by e-mail, workflow, or log display. The log display option means that the controller personally runs the reports.

Only controllers who are specified for workflow purposes will be approvers of firefight session review requests that are generated after the session.

A user can't be assigned as the controller and firefighter for the same firefighter ID.

Preparing Emergency Access Management (12)
Preparing Emergency Access Management (13)

When a firefighter starts a firefight session, a system asks to specify a reason code. A reason code helps reviewers and administrators to understand the purpose of a session and filter data in reports by reason codes. SAP Access Control administrators define and maintain reason codes for each target system in the Reason Codes app.

Preparing Emergency Access Management (2024)


How to prepare an emergency response plan? ›

Developing an Emergency Plan
  1. Assess what resources are available for incident stabilization. Consider internal resources and external resources, including public emergency services and contractors.
  2. Document available resources. ...
  3. Prepare emergency procedures for foreseeable hazards and threats.
Dec 22, 2023

What is emergency access management? ›

The Emergency Access Management (EAM) process refers to the configuration of SAP access, enabling users to effectively respond to emergency or business critical activities within the SAP system. A critical component involves the separation of sensitive access from a user's everyday permissions.

What are the 5 basic emergency responses? ›

Prevention, mitigation, preparedness, response and recovery are the five steps of Emergency Management.

What are the 4 basic responses to emergencies? ›

Emergency managers think of disasters as recurring events with four phases: Mitigation, Preparedness, Response, and Recovery. The following diagram illustrates the relationship of the four phases of emergency management.

What is access management process? ›

Access management (AM) refers to all the tools, policies, and procedures used to control and manage user access within an enterprise IT ecosystem. It enables organizations to track, manage, and control the permissions of users to access different kinds of enterprise IT assets such as devices, files, services, and data.

What is the emergency access procedure? ›

Emergency access refers to the process used for determining approval, follow-up, and oversight of emergency access to an account or computer system.

What is an access management plan? ›

Access management is the planning, design, and implementation of land use. and transportation strategies that control. the flow of traffic between the road and. surrounding land.

What are the 7 steps in the emergency action plan? ›

Be Prepared: The 7 Components of an Emergency Plan
  • Planning – Work through many emergency scenarios. ...
  • Training – ...
  • Drills – ...
  • Education – ...
  • Technology – ...
  • Coordination – ...
  • Communication –

What must be included in an emergency response plan? ›

Assignments of escape routes and step-by-step procedures for evacuation; Medical and rescue procedures to be used by appointed employees; Confirmation that all personnel are present following an evacuation; and. Steps to be taken by those on your staff who will stay behind to complete critical work prior to evacuation.

What are the 4 emergency response plans? ›

Current thinking defines four phases of emergency management: mitigation, preparedness, response, and recovery.

What are the 5 steps of emergency care response? ›

  • Step 1 – Triage. Triage is the process of determining the severity of a patient's condition. ...
  • Step 2 – Registration. ...
  • Step 3 – Treatment. ...
  • Step 4 – Reevaluation. ...
  • Step 5 – Discharge.


Top Articles
Latest Posts
Article information

Author: Greg O'Connell

Last Updated:

Views: 6080

Rating: 4.1 / 5 (42 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Greg O'Connell

Birthday: 1992-01-10

Address: Suite 517 2436 Jefferey Pass, Shanitaside, UT 27519

Phone: +2614651609714

Job: Education Developer

Hobby: Cooking, Gambling, Pottery, Shooting, Baseball, Singing, Snowboarding

Introduction: My name is Greg O'Connell, I am a delightful, colorful, talented, kind, lively, modern, tender person who loves writing and wants to share my knowledge and understanding with you.