Preparing Emergency Access Management

Objective

After completing this lesson, you will be able to explain the main Emergency Access Management concepts and define firefighter owners, controllers, and reason codes.

Emergency Access Management

Emergency Access Management: Monitor emergency access and transaction usage.

Sometimes, to solve critical issues in emergency situations, companies must give users broad authorizations outside their regular job functions. For example, an accountant must urgently correct financial documents for previous periods, or a technical expert must urgently fix a system error that affects critical business processes. But how do you regulate such processes so that the provisioning of broad authorizations is controlled and the resulting activities are monitored to ensure compliance?

By using the Emergency Access Management (EAM) functionality of SAP Access Control, you can define, manage, grant, and monitor emergency access.

EAM allows users to take responsibility for tasks outside of their normal job function. Through EAM, you can grant users extra access by giving them temporary access to a super user, or firefighter ID. A firefighter owner controls these special super users, and they are monitored by a firefighter controller. The firefighter owner is charged with approving access to specific firefighter IDs. A standard access request workflow drives this process. A user creates an access request of type Superuser Access. The firefighter owner approves the access request. Once access to the firefighter ID is provided, the user (firefighter) can use the firefighter ID. A firefight session opens in the target environment where the firefighter can perform the required actions with the extra access. A detailed log of actions performed using the firefighter ID during an emergency access session is recorded in the target system. SAP Access Control sends these logs to the firefighter controller who monitors and reviews the logs and activities performed by the firefighter.

The SAP Access Control system provides emergency access to the back-end applications of SAP ABAP target systems and to the SAP HANA database through the SAP GUI interface. It also provides emergency access to the web-based applications of SAP ABAP target systems through the Web GUI interface.

Emergency Access Types: ID-based and Role-based.

There are two application types that you can use for EAM: ID-based and role-based. Only one type can be configured for use at any given time.

  1. ID-based EAM Application

    A firefighter ID is a user of type Service with elevated privileges in a target system. Administrators create the firefighter ID in the target system and assign it a specific role that distinguishes it from the other service users in that system. SAP Access Control recognizes a service user as a firefighter ID by the assignment of this specific role.

    You can assign a firefighter ID to a user either manually or through an access request. Firefighters access their assigned firefighter IDs to conduct a firefight session within the validity dates in one of two ways:

    • In the SAP Access Control system using the ABAP GUI and transaction GRAC_EAM (Centralized Firefighting).
    • In the target back-end system using the ABAP GUI and transaction /GRCPI/GRIA_EAM (Decentralized Firefighting).

    In either of the transactions mentioned above (in SAP Access Control or in the target system), the system opens a new ABAP GUI session under the firefighter ID user: a firefight session. The user works there as the firefighter ID user and performs the emergency activities. One firefighter can be assigned several firefighter IDs, and one firefighter ID can be assigned to several firefighters. Note that only one firefighter can work in a firefight session under a given firefighter ID at any point in time; the system shows a red indicator if the firefighter ID is in use by another firefighter. Changes made during a firefight session are captured in the change history under the firefighter ID user. In the firefighting logs, everything is documented with the firefighter ID, not the firefighter's own user ID.

  2. Role-based EAM Application

    Firefighter roles are roles in a target system with elevated privileges. They are assigned to the user in the SAP Access Control system, and the user can use them within the validity dates. A firefighter logs on to the target system as usual, using their own user ID, and performs the activities provided by both the user's regular roles and the assigned firefighter role. If the user executes a transaction that is contained in the firefighter role, the system treats this as a firefight session. Transactions and change histories are logged with the firefighter's own user ID.

    In both the ID-based and the role-based EAM scenario, administrators maintain firefighter owners and controllers for firefighter IDs/roles in the SAP Access Control system. Firefighters usually request access to firefighter IDs/roles for certain validity dates through access requests, with a subsequent approval process. Administrators can also assign firefighter IDs/roles to firefighters without an approval process.

Centralized emergency access and decentralized emergency access.

Let's go back to one of the preceding examples. Imagine that a technical expert must urgently fix a system error that affects critical business processes. Which systems can firefighters use to do their firefighting activities? Here we distinguish between centralized and decentralized access for the ID-based EAM scenario.

Centralized Firefighting Overview:

Emergency Access Management provides a centralized console in the SAP Access Control system. Through the console, you, as a firefighter, can log on to different systems for firefighting, so you don't have to log on to the individual client systems to do firefighting.

The centralized logon pad allows you to:

  • Display all firefighter IDs assigned to the user.
  • Log on to all target systems using assigned firefighter IDs.

Decentralized Firefighting Overview:

Decentralized firefighting allows you to use the Emergency Access Management launchpad directly on the target systems to perform firefighting activities. It is useful if the SAP Access Control system is not available for centralized firefighting.

Decentralized firefighting allows you to use and administer the following functions on the target back-end system:

  • EAM launchpad that shows firefighter IDs for the current target system.
  • Extension of validity periods for expired firefighter assignments.

[Screenshot: SAP Easy Access user menu for a sample user in the Web GUI of SAP Access Control.]

SAP Access Control supports Emergency Access Management for the web-based applications of ABAP solutions. Web-based firefighting is ID-based and is accessible only through the centralized scenario; it is not supported in the decentralized scenario. To access web-based firefighting, the firefighter opens the Web GUI interface of SAP Access Control, shown in the preceding screenshot, runs transaction GRAC_EAM and chooses the required firefighter ID to start a firefight session. The firefight session opens as a new tab in the web browser, where the firefighter can perform actions. Detailed logging of firefighting activities is currently not available for web-based firefighting.

Prerequisites for Using Emergency Access

Before you can use emergency access sessions, the following prerequisites must be completed:

  1. For the ID-based firefighting scenario, a user exit must be implemented on the target systems to prevent users from logging on to a target system directly with firefighter IDs (refer to SAP Note 1545511 for details).
  2. Create the required users in the target systems (see the lists below) and synchronize them with a GRC repository sync (transaction GRAC_REP_OBJ_SYNC).
  3. For the role-based firefighting scenario, create the firefighter role in the target system, import it into the SAP Access Control system and mark it for firefighting in the Business Role Management component.
  4. Assign owners to firefighter IDs/roles in SAP Access Control.
  5. Assign controllers to firefighter IDs/roles in SAP Access Control.
  6. For the ID-based scenario, create reason codes in SAP Access Control.

Prerequisite users in the SAP Access Control system:

  • Firefighter user (for centralized firefighting).
  • Firefighter controller.
  • Firefighter owner.

Prerequisite users in the target system:

  • Firefighter ID with elevated privileges (for ID-based scenario).
  • Firefighter user (for decentralized firefighting).
  • Firefighter controller / owner (for validity date extension and for receiving logon notifications in the case of decentralized firefighting).

Let's look at prerequisite steps 4 to 6 for an ID-based firefighting scenario: assigning owners and controllers to firefighter IDs and maintaining reason codes. You define firefighter owners in the Owners app of the SAP Access Control Fiori launchpad.

To open the Owners app, select the tile.

To make a new firefighter owner - firefighter ID assignment, choose Assign. To view an existing assignment of a firefighter owner or firefighter ID, select a row and choose Open.

Add or remove firefighter IDs.

When you assign a firefighter owner to a firefighter ID, you specify an owner ID and add the firefighter IDs that will be under this owner's responsibility. Several firefighter IDs can be assigned to one firefighter owner, and several firefighter owners can be assigned to one firefighter ID.

Firefighter Controller

To assign and view firefighter controllers, open the Controllers app.

To open the Controllers app, select the tile.

To make a new firefighter controller - firefighter ID assignment, choose Assign. To view an existing firefighter controller - firefighter ID assignment, select a row and choose Open.

To select a notification method, open the Notification By dropdown and select Email, Workflow, or Log Display.

When you assign a firefighter controller to a firefighter ID, you specify a controller ID and add the firefighter IDs that will be under this controller's responsibility. Several firefighter IDs can be assigned to one firefighter controller, and several firefighter controllers can be assigned to one firefighter ID. A controller assigned to a firefighter ID receives notification of the firefighter's activities through the delivery option specified in the assignment: e-mail, workflow, or log display. The log display option means that the controller personally runs the reports.

Only controllers whose delivery option is Workflow become approvers of the firefight session review requests that are generated after a session.

A user can't be assigned as the controller and firefighter for the same firefighter ID.

To open the Reason Codes app, select the tile.

To specify a reason code, select a code from the list.

When a firefighter starts a firefight session, the system asks for a reason code. A reason code helps reviewers and administrators understand the purpose of a session and filter report data by reason code. SAP Access Control administrators define and maintain reason codes for each target system in the Reason Codes app.
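The rules this lesson states for ID-based firefighting (an assignment valid on the session date, a mandatory reason code, no user acting as both controller and firefighter for one firefighter ID, and one firefighter per firefighter ID at a time) can be checked offline against exported session and assignment data. The following Python script is an added example, not SAP code or part of the lesson; the record layouts, field names and sample values are constructed assumptions, not an SAP export format.

```python
from collections import namedtuple
from datetime import date, datetime

# Constructed sample records; the layouts are assumptions, not an SAP export format.
Assignment = namedtuple("Assignment", "ffid firefighter valid_from valid_to")
Session = namedtuple("Session", "ffid firefighter start end reason_code")

def audit_sessions(assignments, controllers, sessions):
    """Check firefight sessions against the rules stated in the lesson.

    controllers maps a firefighter ID to the set of user IDs assigned as its
    controllers. Returns a list of (session index, finding) pairs.
    """
    findings = []
    for i, s in enumerate(sessions):
        # The firefighter must hold an assignment for the FFID valid on the session date.
        covered = any(a.ffid == s.ffid and a.firefighter == s.firefighter
                      and a.valid_from <= s.start.date() <= a.valid_to
                      for a in assignments)
        if not covered:
            findings.append((i, "no valid firefighter ID assignment on session date"))
        # Every ID-based firefight session must carry a reason code.
        if not s.reason_code:
            findings.append((i, "missing reason code"))
        # A user cannot be both controller and firefighter for the same firefighter ID.
        if s.firefighter in controllers.get(s.ffid, set()):
            findings.append((i, "firefighter is also controller of this firefighter ID"))
        # Only one firefighter may work under a firefighter ID at any point in time.
        for j, other in enumerate(sessions[:i]):
            if other.ffid == s.ffid and other.start < s.end and s.start < other.end:
                findings.append((i, f"overlaps session {j} on the same firefighter ID"))
    return findings

# Constructed data: two accountants share FF_FI_01; BASISADMIN1 is also controller of FF_BASIS_01.
ASSIGNMENTS = [
    Assignment("FF_FI_01", "ACCOUNTANT1", date(2024, 3, 1), date(2024, 3, 31)),
    Assignment("FF_FI_01", "ACCOUNTANT2", date(2024, 3, 1), date(2024, 3, 31)),
    Assignment("FF_BASIS_01", "BASISADMIN1", date(2024, 1, 1), date(2024, 2, 29)),
]
CONTROLLERS = {"FF_FI_01": {"FI_CONTROLLER"}, "FF_BASIS_01": {"BASISADMIN1"}}
SESSIONS = [
    Session("FF_FI_01", "ACCOUNTANT1", datetime(2024, 3, 5, 9), datetime(2024, 3, 5, 11), "PERIOD_CORR"),
    Session("FF_FI_01", "ACCOUNTANT2", datetime(2024, 3, 5, 10), datetime(2024, 3, 5, 12), ""),
    Session("FF_BASIS_01", "BASISADMIN1", datetime(2024, 3, 2, 8), datetime(2024, 3, 2, 9), "SYS_ERROR"),
]

if __name__ == "__main__":
    for idx, finding in audit_sessions(ASSIGNMENTS, CONTROLLERS, SESSIONS):
        print(f"session {idx}: {finding}")
```

With the constructed data, session 0 is clean, session 1 lacks a reason code and overlaps session 0 on the same firefighter ID, and session 2 falls outside its validity period and is run by the firefighter ID's own controller.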
