Log Types
SAP Access Control receives logs about firefighting activities from a target system through synchronization GRAC_SPM_LOG_SYNC_UPDATE. The following table shows the log types that SAP Access Control can take from the target system. SAP Access Control can only take logs that are captured in the target system. Therefore, the target system must be configured accordingly.
Log Types
| Log | Description |
|---|---|
| Transaction Log | Captures transaction execution from transaction STAD. |
| Change Log | Captures change log from change document Objects, tables CDPOS and CDHDR. |
| System Log | Captures Debug & Replace information from transactions SM21. |
| Security Audit Log | Captures Security Audit Log from transactions SM20. |
| OS Command Log | Captures changes to OS commands from transactions SM49. |
SAP Access Control administrators and firefighter controllers can view logs of firefighting activities in the Consolidated Log Report. The report includes functionality to update logs by choosing Update Firefighter Log.
The system synchronizes to update logs from firefight sessions. The report gives the following general information about firefight sessions:
- Firefighter ID
- Target system
- Firefighter date/time of the session
- Reason code
- Firefighter owner
- Terminal
Also, the following information about performed actions, and other relevant information for a particular log type, is available in the Consolidated Log Report:
- Table name
- Field name
- Field text
- Change type
- Old value
- New value
In the following example, you can see that a house number and phone number for the vendor were changed during the firefight session.
SAP Access Control provides a functionality to review logs of a firefight session through a request. Approving the firefighter log's review request ensures that the particular session is monitored. A firefighter controller reviews actions performed in the firefight session. In the Work Inbox app, the firefighter controller receives a request with firefight session logs and all details about the session. The controller checks logs in the request and then approves the request by choosing Submit and Close.
If necessary, the controller can request additional information from the firefighter by choosing Other action → Additional Information. The firefighter receives the request in the Work Inbox app where the firefighter adds comments and returns the request to the controller.
Also, the controller can forward the request to another approver by choosing Other action → Forward.
Emergency Access Management Additional Reporting
SAP Access Control has the following extra reports on Emergency Access Management processes:
- Invalid Superuser Report
The Invalid Super User Report gives the details of the firefighter, controller, owner, firefighter ID users who are expired, locked, or deleted. For a role-based firefighter, this report gives the details of whether the role has been generated or not.
- Firefighter Log Summary
This report provides details of the firefight sessions where a firefighter logged into a target system using a firefighter ID for the ID-based firefighting. The Consolidated Log Report gives you all logs from all sessions, with a link for each session so that you can view logs of a particular session. However, the Firefighter Log Summary Report gives you a list of sessions with general information and a link to view logs of a particular session. The report is shown on the screenshot above.
- Reason Code and Activity Report
This report provides the details of reason code and firefighting activities that a firefighter specified before the start of a firefight session.
- SOD Conflict Report for Firefighter ID
This report provides information about access risk violations that occur when the firefighter logs into the remote system using the firefighter ID and performs firefighting activities.