
Page 1: SAP GRC Access Control Document

Customer Solution Adoption

June 2011

AC 10.0 Centralized Emergency Access

Version 2.0

Page 2: SAP GRC Access Control Document

Purpose of this document

This document is a detailed guide to the emergency access capability of Access Control 10.0. It explains the basic concepts of emergency access and provides details on how to configure the application. It also includes information on the types of logs available for monitoring emergency access.

Page 3: SAP GRC Access Control Document

© 2011 SAP AG. All rights reserved. 3

Agenda

Introduction

Configuration

Centralized Firefighting

Reporting

Page 4: SAP GRC Access Control Document

Introduction
• New Feature Highlights
• Centralized Emergency Access Overview

Page 5: SAP GRC Access Control Document

New Feature Highlights: Centralized Emergency Access

Focus Area / What Does It Do? / What Is the Value?

Access Control Harmonization
• What does it do? Unifies all AC capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving.
• What is the value? Lowers TCO by eliminating redundancy in administration, configuration, setup, and end user training.

Unified Compliance Platform
• What does it do? Harmonizes Access Control with Risk Management & Process Control; offers shared processes, data, and user interface across the GRC suite.
• What is the value? An enterprise GRC platform approach allows you to have complete management of all risks and controls from a single environment.

Streamlined User Access Management
• What does it do? Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on the user or system selected.
• What is the value? Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability.

Improved Identity Management Integration
• What does it do? Improves compliant provisioning for customers already using IdM. Allows for initiation of risk analysis and remediation from IdM, or enables use of IdM to provision compliant requests.
• What is the value? Provides flexibility to ensure an enterprise-wide, compliant provisioning process.

Centralized Emergency Access
• What does it do? Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval.
• What is the value? Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access.

Business Role Governance
• What does it do? Provides a standardized role compliance framework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand.
• What is the value? Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs.

Page 6: SAP GRC Access Control Document

Centralized Emergency Access: Overview

Access Control centralizes firefighter access and administration, enhances provisioning and introduces automation to the log review process.

Solution Enhancements
• Administrators centrally manage firefighter assignments, controllers, and other master data. Centralized firefighters.
• New options for group owners and controllers and improved provisioning.
• New ability for firefighters to update the activity log with unplanned firefighting tasks.
• Access specific log reports from the transaction report.
• New workflow-driven firefighter log report.
• New categorization of firefighter access signifies criticality and drives workflow logic.

Key Benefits
• Simplified management and firefighting activities.
• Reduces repetitive assignments, easing administration.
• Improves log review efficiency by capturing previously undocumented activity.
• Improves log report navigation.
• Enables a documented account of the controller's review.

Page 7: SAP GRC Access Control Document

Centralized Emergency Access: Overview

Diagram (architecture comparison, image not reproduced in the transcript):

SPM v5.3 (SAP GUI / Web Dynpro): administration, reporting and firefighter logon are done separately for each backend system (ERP 01, ERP 02). Each system is reached via RFC and has its own admin and its own firefighter logon.

GRC 10.0: the GRC 10.0 system provides central admin & reporting for ERP 01 & 02 and a central logon for firefighters, reaching each backend via RFC. The GRC 10.0 system holds the master data and the reporting:
• FF ID
• Firefighter
• FF Owner
• FF Controller
• Reason Code
• Reporting

Page 8: SAP GRC Access Control Document

Configuration
• Overview
• Architecture
• Prerequisites
• Assign an Owner to Firefighter IDs
• Assign a Firefighter ID to Controllers and Firefighters
• Create Reason Codes

Page 9: SAP GRC Access Control Document

Emergency Access Management: Overview

The purpose of Emergency Access Management is to allow users to take responsibility for tasks outside their normal job function. This component allows temporary access for users when they are assigned to solve a problem, giving them provisionally broad, but regulated, access.

This temporary access is monitored and recorded in the application.

New in 10.0

Access Control 10.0 has been enhanced in the area of Emergency Access Management with the ability to manage and utilize firefighting activities centrally from the Access Control 10.0 application.

The log file can also be distributed to controllers and owners via workflow for additional approval.

Page 10: SAP GRC Access Control Document

Emergency Access Management: Terminology

The following concepts have not changed since the previous release and are mentioned here for completeness:

Firefighter: user requiring emergency access.

Firefighter ID: user ID with elevated privileges; it can only be accessed in the GRC server using transaction GRAC_SPM.

Firefighting: the act of using a firefighter ID.

Owner: user responsible for a firefighter ID and for the assignment of controllers and firefighters.

Controller: reviews and approves (if necessary) the log files generated by a firefighter.

Page 11: SAP GRC Access Control Document

Emergency Access Management: Firefighter Application Types

ID Based Firefighter: The firefighter ID created in the remote system is assigned to the user in the GRC system, either manually or via an access request. The firefighter accesses their assigned firefighter ID in the GRC server using the SAP GUI and transaction GRAC_SPM. The firefighter IDs for all remote systems assigned to the firefighter are accessed from this transaction.

Role Based Firefighter: The firefighter roles created in the remote system are assigned to the user in the GRC server. The firefighter logs directly into the remote system using their own user ID and performs the activities provided by the user's own role and by the firefighter role assigned to the user.

The application type is configured in the IMG using parameter 4000 (Application Type). Only one application type can be configured at a given time.

Page 12: SAP GRC Access Control Document

Architecture: GRC Server Package

The main application runs in the GRC server. The user assignments for all systems can be maintained using NWBC or the Portal. Provisioning of emergency access can also be done via access requests (workflow).

The web interface facilitates the following:
• Firefighter ID/Role Owner Maintenance
• Firefighter ID/Role Controller Maintenance
• Reason Code Maintenance (system specific)
• Firefighter ID/Role assignment to Firefighter, Owner, Controller

Firefighter access is done centrally using the GRC server. Firefighters log on to the GRC backend via the GUI and execute transaction GRAC_SPM; the firefighter IDs for emergency access in all systems assigned to the user are displayed there.

Page 13: SAP GRC Access Control Document

Architecture: Remote Component: Plug-in

There is a component called the plug-in which is installed in the remote system. Emergency Access Management accesses the plug-in using RFC.

Diagram (image not reproduced in the transcript): the GRC System connects via RFC to a Plug-In installed in each remote system, shown for ECC 6.0, other ABAP systems and R/3.

Page 14: SAP GRC Access Control Document

Prerequisites: Adding the connector to the SUPMG scenario

To create access requests, the SUPMG scenario must be linked to the connector. This is done via the IMG.

Page 15: SAP GRC Access Control Document

Prerequisites: Creating users and assigning roles

Create users and roles as needed. Remember to synchronize the users again with program GRAC_ROLEREP_USER_SYNC via SE38. The roles below are provided as examples; customer roles need to be created based on the customer's own authorizations.

In the AC system:
• Firefighter user: SAP_GRAC_SUPER_USER_MGMT_USER
• Firefighter controller: SAP_GRAC_SUPER_USER_MGMT_CNTLR
• Firefighter owner: SAP_GRAC_SUPER_USER_MGMT_OWNER

In the target system:
• Firefighter ID: SAP_GRAC_SPM_FFID (configured in parameter 4010)

Reminder: end users will also require the roles based on SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER.

Page 16: SAP GRC Access Control Document

Configuring a firefighter ID: Step Summary

The following steps are required to configure a firefighter ID:
• Maintain Access Control Owners
• Assign an Owner to a Firefighter ID
• Assign a Firefighter ID to Controllers and Firefighters
• Create the Reason Codes

After these steps are followed, the firefighter is ready to start a firefighter session from the GRC server.

Page 17: SAP GRC Access Control Document

Superuser Assignment and Maintenance: Accessing using the NWBC

User assignments for all systems are done via NWBC or a Portal.

Provisioning for Firefighter IDs and roles is possible using access requests.

Page 18: SAP GRC Access Control Document

Access Control Owners: Maintenance

There are 4 types of owners that can be maintained for emergency access.

ID based Application:
• Firefighter ID Owner
• Firefighter ID Controller

Role Based Application:
• Firefighter Role Owner
• Firefighter Role Controller

Page 19: SAP GRC Access Control Document

Assign an Owner to Firefighter IDs: Step 1

Go to Setup > Superuser Assignment > Owners.

Page 20: SAP GRC Access Control Document

Assign an Owner to Firefighter IDs: Step 2

The screen below shows the list of all existing owner assignments.

All (new/change) operations relating to a Firefighter owner can be done from this screen.

Page 21: SAP GRC Access Control Document

Assign an Owner to Firefighter IDs: Step 3

Click on Assign and a new screen will show up.

Select an owner and, if needed, multiple Firefighter IDs; when you are done, click Save.

Note: after creating the FF ID role in the backend systems you must run the Sync User job (program GRAC_ROLEREP_USER_SYNC) and assign the respective FF ID Role.

Page 22: SAP GRC Access Control Document

Assign an Owner to Firefighter IDs: Owner Assignment Ready

New assignments will be shown in the Firefighter Owner list.

The list can be filtered by owner, system, or any other column in the list.

Page 23: SAP GRC Access Control Document

Assign a Firefighter ID to Controllers and Firefighters: Step 1

Go to Setup > Superuser Assignment > Firefighter IDs.

Page 24: SAP GRC Access Control Document

Assign a Firefighter ID to Controllers and Firefighters: Step 2

The screen below shows the list of all existing firefighter ID assignments.

The firefighter ID is assigned to a firefighter who can perform the activities in the backend system. Multiple firefighters can be assigned to a single firefighter ID. Controllers are also assigned to the firefighter ID for tracking and auditing the firefighter.

Page 25: SAP GRC Access Control Document

Assign a Firefighter ID to Controllers and Firefighters: Step 3

Click on Assign and a new screen will show up.

Select an owner and, if needed, multiple Firefighters and Controllers; when you are done, click Save.

Page 26: SAP GRC Access Control Document

Create Reason Codes: Step 1

Go to Setup > Superuser Maintenance > Reason Codes.

Page 27: SAP GRC Access Control Document

Create Reason Codes: Step 2

The screen below shows the list of all existing Reason Codes.

Whenever a firefighter starts a firefighter session, a reason code needs to be specified, so the reason codes must be maintained. A Reason Code can be created once and assigned to multiple remote systems. This reduces the amount of duplicated administration across systems.

Page 28: SAP GRC Access Control Document

Create Reason Codes: Step 3

Click on Create and a new screen will show up.

Maintain the reason code and the systems and, when you are done, click Save.

Page 29: SAP GRC Access Control Document

Reason Code: Global Usage

Frequency of usage is tracked by reason code, by system. In the Reason Code list, you will see the total usage of the reason code across all systems to which it is assigned.

Usage can be reset for each system or across all systems, and helps to determine the usefulness of the term.

Page 30: SAP GRC Access Control Document

Reason Code: Usage by System

To see usage by system, select the Reason Code on the main list, then click Open.

Page 31: SAP GRC Access Control Document

Centralized Firefighting
• Overview
• Running a firefighter session

Page 32: SAP GRC Access Control Document

Centralized Firefighting: Overview

Access Control 10.0 provides a centralized logon pad for accessing the firefighter IDs in all connected backend systems.

The centralized logon pad allows:
• Displaying all firefighter IDs assigned to the user
• Logging in to all connected backend systems
• Sending messages to other firefighters who are using a specific firefighter ID
• Unlocking a firefighter session that was not closed properly

Page 33: SAP GRC Access Control Document

Centralized Firefighting: Step Summary

The following steps are required to use centralized firefighting:
• The firefighter logs on to the central GRC system.
• Execute transaction GRAC_SPM; a screen opens which displays all firefighter IDs assigned to the current firefighter in the various systems.
• Click Logon to log into any of the systems assigned.
• Select a Reason Code.
• Enter a description.
• Enter a list of the actions to be performed.
• Click on Execute.

The firefighter can now do firefighting activities on the connected backend system. When finished, the session must be closed.

Page 34: SAP GRC Access Control Document

Centralized Firefighting: Other Activities

These are some optional steps that can be executed from the centralized logon pad:
• The firefighter can click the Additional Activity button at any time to enter more information. If additional actions were done in the remote system that were not listed during logon, these actions can now be recorded using this functionality.
• If the firefighter ID is in use by another firefighter, a notification can be sent to the other firefighter by clicking the Message button.
• The Unlock button can be used to unlock the firefighter ID in the event it is locked.

Page 35: SAP GRC Access Control Document

Centralized Firefighting: Step 1

Log on to the central AC system (here GF2) with the firefighter ID. Execute transaction GRAC_SPM.

Page 36: SAP GRC Access Control Document

Centralized Firefighting: Step 2

Click Logon to log into any of the systems assigned.

Select a Reason Code, enter a description and also the actions to be performed.

Page 37: SAP GRC Access Control Document

Centralized Firefighting: Step 3

You are now in the remote system (here GI7) using the firefighter ID selected.

Page 38: SAP GRC Access Control Document

Centralized Firefighting: While a Firefighter Session is Running

While a firefighter session is open, the status of the firefighter ID turns red.

A firefighter can click Additional Activity at any time to enter more information.

If a firefighter ID is in use by another firefighter, a notification can be sent to the other firefighter by clicking Message.

Unlock can be used to unlock the firefighter ID in the event it is locked.

Page 39: SAP GRC Access Control Document

Reporting
• Report Types
• Log Collection
• Log Retrieval

Page 40: SAP GRC Access Control Document

Reporting: Report Types

The reports can be accessed using the NWBC or the Portal and are located under Reports and Analytics > Superuser Management Reports.

Page 41: SAP GRC Access Control Document

Reporting: Report Types

Consolidated Log Report: This report provides information based on the following logs from the remote system:
• Transaction Log: Captures transaction execution from transaction STAD.
• Change Log: Captures the change log from change document objects (tables CDPOS and CDHDR).
• System Log: Captures Debug & Replace information from transaction SM21.
• Security Audit Log: Captures the Security Audit Log from transaction SM20.
• OS Command Log: Captures changes to OS commands from transaction SM49.

Invalid Superuser Report: This report gives the details of all the users (firefighter, controller, owner, firefighter ID) who are either Expired, Locked or Deleted. In the case of a Role Based Firefighter, it gives the details of whether the role has been generated or not.

Page 42: SAP GRC Access Control Document

Reporting: Report Types

Firefighter Log Summary: Provides details of the sessions in which the firefighter logged into the remote system using the FFID, for the ID based FF Application.

Reason Code and Activity Report: This report provides the details of the Reason and Activity used by the firefighter.

SOD Conflict Report for Firefighter ID: Reports the cases where the firefighter logs in to the remote system using the FFID and performs transactions which violate access risk rules.

Page 43: SAP GRC Access Control Document

Log Collection: Overview

The details of the transactions executed by the firefighter lie in the remote system: in CDHDR, CDPOS, STAD, SM19, SM49, and the debug & replace information.

The data from the remote system can be fetched using the Log Collector, which can be executed as a foreground or background job.

Page 44: SAP GRC Access Control Document

Log Collection: Foreground Job

The foreground job for Log Collection can be executed from the Update firefighter log button, which can be found in the Consolidated Log Report.

Page 45: SAP GRC Access Control Document

Log Collection: Background Job

The background job for log collection can be scheduled from SM36 on a periodic basis. The status of the background job can be checked from transaction SM37.

The program name for the background job is GRAC_SPM_LOG_SYNC_UPDATE.

Page 46: SAP GRC Access Control Document

Consolidated Log Report: Overview

The consolidated log report is a new report which enables the user to segment the various logs collected or view them all in one combined report.

Page 47: SAP GRC Access Control Document

Consolidated Log Report: Transaction Log

The consolidated log report allows filtering criteria like System, Firefighter, FFID, Reason Code, Transaction, Date or Owner.

Page 48: SAP GRC Access Control Document

Consolidated Log Report: Change Log

The Change Log can be retrieved from the Consolidated Log Report by selecting the Report type Change Log.

Page 49: SAP GRC Access Control Document

Consolidated Log Report: System Log

The System Log can also be found in the Consolidated Log Report by choosing the Report type System Log.

Page 50: SAP GRC Access Control Document

Consolidated Log Report: Audit Log

The Audit Log is also contained in the Consolidated Log Report, as Report type Audit Log. This audit function shows the details of the user(s) subject to auditing.

The user(s) to be audited are configured/selected in transaction SM19.

Page 51: SAP GRC Access Control Document

Consolidated Log Report: OS Command Log

An OS Command Log can be retrieved from the Consolidated Log Report by selecting the Report type OS Command.

This log tracks the changes which the user makes in SM49 for OS commands.
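What a controller actually compares during log review is the session data entered at GRAC_SPM logon (reason code, declared actions, any Additional Activity entries) against the transaction log the Log Collector pulls from the remote system and the Consolidated Log Report presents. The Python below is an added illustration, not SAP code and not part of the original deck; it assumes simplified record layouts and constructed sample data for remote system GI7, and flags the three things a controller should look at first: transactions the firefighter never declared, sessions that were not closed, and FFID activity outside any recorded session.

```python
"""Controller review aid for centralized firefighting logs (constructed example,
not SAP code). Record layouts and sample data below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set


@dataclass
class FirefighterSession:
    """One GRAC_SPM logon: who used which FFID on which system, and why."""
    ffid: str
    firefighter: str
    system: str
    reason_code: str
    start: datetime
    end: Optional[datetime]        # None: session never closed (would need Unlock)
    planned_actions: Set[str]      # actions listed at logon
    additional_activity: Set[str] = field(default_factory=set)  # Additional Activity


@dataclass
class TransactionLogEntry:        # one STAD-derived record from the remote system
    system: str
    user: str                      # the FFID as seen by the remote system
    tcode: str
    timestamp: datetime


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample data: two sessions on remote system GI7 and the records
# the Log Collector would have pulled for it.
SESSIONS = [
    FirefighterSession("FF_FI_01", "JDOE", "GI7", "RC_MONTH_END",
                       ts("2011-06-01 09:00"), ts("2011-06-01 10:00"),
                       {"FB01", "FBL3N"}, {"SE16"}),
    FirefighterSession("FF_BASIS_01", "ASMITH", "GI7", "RC_TRANSPORT",
                       ts("2011-06-01 11:00"), None, {"STMS"}),
]
TLOG = [
    TransactionLogEntry("GI7", "FF_FI_01", "FB01", ts("2011-06-01 09:10")),
    TransactionLogEntry("GI7", "FF_FI_01", "SE16", ts("2011-06-01 09:30")),
    TransactionLogEntry("GI7", "FF_FI_01", "SU01", ts("2011-06-01 09:45")),
    TransactionLogEntry("GI7", "FF_BASIS_01", "STMS", ts("2011-06-01 11:05")),
    TransactionLogEntry("GI7", "FF_BASIS_01", "SE38", ts("2011-06-01 11:20")),
    TransactionLogEntry("GI7", "FF_FI_01", "FB01", ts("2011-06-01 14:00")),
]


def in_session(entry: TransactionLogEntry, session: FirefighterSession) -> bool:
    """True if the record was produced by this session's FFID while it was open."""
    if entry.system != session.system or entry.user != session.ffid:
        return False
    if entry.timestamp < session.start:
        return False
    return session.end is None or entry.timestamp <= session.end


def consolidate(sessions: List[FirefighterSession], tlog: List[TransactionLogEntry]):
    """One review row per session, in the spirit of a Consolidated Log Report line."""
    rows = []
    for s in sessions:
        executed = sorted({e.tcode for e in tlog if in_session(e, s)})
        declared = s.planned_actions | s.additional_activity
        rows.append({
            "ffid": s.ffid, "firefighter": s.firefighter, "system": s.system,
            "reason_code": s.reason_code, "executed": executed,
            "undeclared": sorted(set(executed) - declared),  # review these first
            "closed": s.end is not None,
        })
    return rows


def orphan_entries(sessions: List[FirefighterSession], tlog: List[TransactionLogEntry]):
    """FFID activity not covered by any recorded session, hence by no reason code."""
    ffids = {s.ffid for s in sessions}
    return [e for e in tlog
            if e.user in ffids and not any(in_session(e, s) for s in sessions)]


if __name__ == "__main__":
    print(consolidate(SESSIONS, TLOG), orphan_entries(SESSIONS, TLOG))
```

In the sample data, SU01 and SE38 show up as undeclared, the FF_BASIS_01 session is reported as not closed, and the 14:00 FB01 record falls outside every session.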

Page 52: SAP GRC Access Control Document

Invalid Superuser Report

The Invalid Superuser Log is launched from the corresponding link in the Super User Management Reports area.

This log is used to analyze the users who are expired, locked or deleted.

Page 53: SAP GRC Access Control Document

Firefighter Log Summary Report

The Firefighter Log Summary Report can be found in the screen shown below.

The details of the FFID logged-in sessions are captured in this log report.

Page 54: SAP GRC Access Control Document

Reason Code and Activity Report

Reason code and activity can be retrieved from the link in the portal for Reason Code and Activity.

This report gives the details of the Reason Code and Activity used when the FFID logs in to the remote system.

Page 55: SAP GRC Access Control Document

Thank You!

Contact information:

Luis Bustamante

Customer Solution Adoption (GRC)

[email protected]
