SAP GRC 10.

0 – Super User Management

INTRODUCTION
Centralized Emergency Access: The purpose of Emergency Access Management is to allow users to
take responsibility for tasks outside their normal job function. This component allows temporary
access for users when assigned with solving a problem, giving them provisionally broad, but
regulated access. This temporary access is monitored and recorded in this application.

New in 10.0

Access Control 10.0 has been enhanced in the area of Emergency Access Management with the
ability to manage and utilize firefighting activities centrally from the Access Control 10.0
application. Also the log file can be distributed to controllers and owner via workflow for additional
approval.

Feature and Benefits

 Simplified management and firefighting activities.

 Reduces repetitive assignments, easing administration.
 Improves log review efficiency by capturing previously undocumented activity.
 Improves log report navigation.
 Enables documented account of the controller’s review.
 Administrators centrally manage firefighter assignments, controllers, and other master data.
 New options for group owners and controllers and improved provisioning.
 Firefighters centrally access their assignments.
 New ability for firefighters to update the activity log with unplanned firefighting tasks
 Access specific log reports from transaction report
  New workflow driven firefighter log report.
o New categorization of firefighter access signifies criticality and drives workflow
logic.

TERMINOLOGY
Firefighter: User requiring emergency access.

Firefighter ID: User ID with elevated privileges; it can only be accessed in the GRC server using
transaction GRAC_SPM.

Firefighting: The act of using a firefighterID

Owner: User responsible for a firefighterID and the assignment of controllers and firefighters.

Controller: Reviews and approves (if necessary) the log files generated by a firefighter.

Configuration:
Activating BC Sets:

BC Set= Buisness Configuration settings which contains standard data for each component and the
stnadard data is required to configure the components.

We can Use transaction SCPR20 to activate BC Sets.

Path: SPRO--> SAP Reference IMG--> Click on “Existing BC Sets"--> GRC--> General settings--> Key
attributes--> Go-to--> Activate transaction--> activate

BC sets for EAM:

GRAC_SPM_CRITICALITY_LEVEL Criticality Level

Maintain connectors and connection types:

In this Customizing activity, you define connection types, which are then used while connecting to other
systems.

Path: SPRO-->SAP Ref IMG--> GRC--> Common component settings--> Integration frame work--> Maintain
connectors and connection types

Connection types:

EP Enterprise Portal
FILE File system for legacy extraction
LDAP Ldap Connectors
LOCAL Local Data Source
SAP SAP System
SPML1 SPML1
SPML2 SPML2
WS Web service

1. Define connector and maintain connection type

2. Define Connector group and assign respective SAP system into connector group.

Maintain connection settings:

Integration scenarios:

To create access requests it is required to have the SUPMG scenario linked to the connector, which
is done via IMG in the GRC box:

Execute transaction SPRO =>Click on SAP Reference IMG

In this Customizing activity, you assign connectors to an integration scenario. The application uses
the connectors to communicate with other systems in your landscape.

Expand SAP Customizing Implementation Guide =>Governance, Risk and Compliance => Common
Component Settings => Execute Maintain Connection Settings
Use: In this Customizing activity, you assign connectors to an integration scenario. The application
uses the connectors to communicate with other systems in your landscape. For example, if you have
an ERP integration scenario, you assign the connectors of the ERP systems to the integration
scenario.
After execution, a pop-up appear prompting for Integration Scenario. We need to select the
Integration Scenario as “SUPMG”.

Below screen will appear. We then need to select the Sub Scenario SUPMG and double click on
Scenario-Connector Link.
Below screen will appear:

We then need to select the Con. Type E01 (as in this case) and double click on Scenario-Connector
Link.
Select Target Connector and double click on “Maintain file paths for Logical Connector”. Below
screen will display.

We then need to maintain the above entries.

Once above activity is completed, we need to go back in SPRO screen and execute Maintain
Configuration Settings.

Governance, Risk and Compliance => Access Control => Execute Maintain Configuration Settings
Use: In this Customizing activity, you maintain the general configuration settings and parameters
used in the access control application.

Here in the above screen, we need to select the Parm Group as “Superuser Management” and can
configure below Param Ids accordingly.

To maintain the configuration settings:

1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.
2. In the Parameter ID column, select a parameter ID for use with the parameter group. The
short description appears on the right-hand side.
3. Select a Parameter Value from the dropdown list, or enter values in the field.
4. In the Priority field, enter a number for the priority.
5. Choose Save.

Below is the brief detail for the Param Ids for Super user Management:

Superuser Management 4000 Application type

You use this parameter to set the firefighting configuration:

Choose 1 for ID-based firefighting.
Choose 2 for Role-based firefighting.

Superuser Management 4001 Default Firefighter Validity Period (Days)

Set the default validity period (in days) of firefighter ID assignments to a firefighter.

Note: This is only the default period. You can override the validity period for each assignment as
needed in the front-end.

Superuser Management 4002 Send E-mail Immediately

The application sends e-mail notifications to the controller.

Set the value to YES to send the e-mail notifications immediately.
Set the value to NO and the application sends notifications only when the user chooses the Update
Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.
The Update Firefighter Log button is available on the Consolidated Log Report under Superuser
Management Reports.

Superuser Management 4003 Retrieve Change Log

If set to YES then the application fetches the Change Log when the user chooses the Update
Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.
The Update Firefighter Log button is available on the Consolidated Log Report under Superuser
Management Reports.
Note: Plug-in system must have the O/S time and R/3 time zone matched for the logs to be properly
collected. This is because STAD stores the logs in O/S files.

Superuser Management 4004 Retrieve System Log

If set to YES then the application fetches the System Log (debug changes) when the user chooses the
Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.
The Update Firefighter Log button is available on the Consolidated Log Report under Superuser
Management Reports.

Superuser Management 4005 Retrieve Audit Log

If set to YES then the application fetches the audit (security) logs when the user chooses the Update
Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.
The Update Firefighter Log button is available on the Consolidated Log Report under Superuser
Management Reports.
Note: You can activate Audit Logs using the transaction SM19.

Superuser Management 4006 Retrieve O/S Command Log

If set to YES then the application fetches the O/S Command Log when the user chooses the Update
Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The O/S
Command Log tracks information when O/S commands (SM49) are created, changed, or executed.
The Update Firefighter Log button is available on the Consolidated Log Report under Superuser
Management Reports.

Superuser Management 4007 Send Log Report Execution Notification Immediately

The application can send log reports controllers. The application sends the notifications as e-mails or
workflow items based on the configuration of the controllers.
Set the value to YES and the application sends notifications when the user chooses the Update
Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE.
The Update Firefighter Log button is available on the Consolidated Log Report under Superuser
Management Reports.
Set the value to NO and the application only collects the logs when the user chooses the Update
Firefighter Log button or runs the GRAC_SPM_LOG_SYNC_UPDATE program. The application
sends the e-mail notifications when the G
RAC_SPM_WORKFLOW_SYNC program is run.

After configuring we need to go back to SPRO IMG and select Maintain Criticality Levels for
Superuser Management

In this Customizing activity, you can specify the criticality level for the access control application.

To maintain the criticality levels:

1. Choose the New Entries pushbutton, and then enter a number between 1 and 99 to define the
criticality level.
2. In the Short Description column, enter a user-defined description.
3. Save the entry.
At this point of time, configuration part has been completed. Now we need to maintain the Owner
and Controller for the FF Ids.

Firstly we need to create the Owner and Controller in the GRC box and FireFighter Ids in the R/3
box.
Here in this case Z_OWNER is Owner with the role assignment
SAP_GRAC_SUPER_USER_MGMT_OWNER.

Z_CNTLR is Controller with the role assignment SAP_GRAC_SUPER_USER_MGMT_CNTLR.

Z_FF_01 is the FireFighter with role assignment SAP_GRAC_SUPER_USER_MGMT_USER,

SAP_GRC_FN_BASE, SAP_GRC_FN_BUSINESS_USER.

ZECC_F_ID_01 is the FireFighter Id which we have created in R/3 Box.

Refer below screenshots for the above mentioned users.

Execute t-code NWBC in GRC box and then click on SAP_GRC_NWBC. You will be redirected to
the portal as below screen:
Now click over Access Management and select Access Control Owners. Click create for FireFighter
Owner.

Select FF Owner which you have created in the GRC box and click on OK.
Put your comments if any under FF Id Owner.
We then need to select the Owners under Super User Assignment.

We then need to click on Assign in order to assign the Owner to the FF Id.
Select the Owner.
Find the FF Id which we have created in the R/3 box.
Put your comments and save it.

For creating controllers, we need to follow the similar process as we did for OWNER.

Make sure to check the correct boxes for controllers as in below screenshot.
Now for Controller Assignment, we need to click on Controllers as in below screenshot.
Add FireFighter to the controller
As of now, we have assigned controllers to the FF Id.

Now for FireFighter mapping, we need to click on FireFighters under superuser maintenance.

We then need to populate the FF Ids and map it with the Fire Fighter.

FF Assignment has been completed now.

CREATE REASON CODES

Whenever a firefighter starts a firefighter session the reason code needs to be specified and
maintained. A Reason Code can be created and assigned multiple remote systems. This reduces the
amount of duplicated administration across systems.
Frequency of usage is tracked by reason code, by system. In the Reason Code list, you will see the
total usage of the reason code across all systems to which it is assigned.

HOW TO ACCESS FIREFIGHTER ID

Logging into GRC box.

Use Tcode GRAC_SPM to login to SPM.

Maintain Reason Code
It will take you to R/3 system with FFID logon

Moreover the status will change to Red.

While a firefighter session is open the status of the firefighter ID will turn to red
A firefighter can click Additional Activity any time to enter more information.
If a firefighter ID is in use by another firefighter, then notification can be sent to the other firefighter
by clicking Message.
Unlock can be used to unlock the firefighter ID in the event it is locked.

REPORTING
The reports can be accessed using the NWBC or the Portal and are located under
Reports and Analytics Superuser Management Reports

Consolidated Log Report: This report provides information based on the following logs from the
remote system.

Transaction Log: Captures transaction execution from transaction STAD

Change Log: Captures change log from change document objects (tables CDPOS and CDHDR)
System Log: Captures Debug & Replace information from transaction SM21.
Security Audit Log: Captures Security Audit Log from transaction SM20
OS Command Log: Captures changes to OS commands from transaction SM49.
Invalid Superuser Report: This Report gives the details of all the users (firefighter, controller, owner,
firefighter ID) who are Expired, Locked or Deleted. In the case of Role Based Firefighter, it gives
the details of whether the role has been generated or not.
Firefighter Log Summary: Provides details of the session the firefighter logged into the remote
system using the FFID for the ID based FF Application.
Reason Code and Activity Report: This Report provides the details of information of Reason and
Activity used by the firefighter.
SOD Conflict Report for Firefighter ID: When the firefighter logs in to the remote system using the
FFID in to the remote system and performs certain transactions which violates access risk rules.

Log Collection Overview: The details of the transaction executed by the firefighter lies in the remote
system in the CDHDR, CDPOS, STAD, SM19, SM49, and debug & replace information. The data
from the remote system can be fetched using the Log Collector which can be executed as a
foreground or background job.

Foreground Job: The foreground Job for Log Collection can be executed from the Update firefighter
log button which can be found in the Consolidated Log Report

Background Job: The Background Job for log collection can be scheduled from SM36which can be
scheduled on a periodic basis. The status of the background job can be checked from the SM37
transaction.

The program name for the background job is: GRAC_SPM_LOG_SYNC_UPDATE

Consolidated Log Report Transaction Log: The consolidated log report allows filtering criteria like
System, Firefighter, FFID, Reason Code, Transaction, Date or Owner.

System Log: The System Log can also be found in the consolidated Log Report by choosing the
Report type as System Log.

Audit Log: The Audit Log is also contained in the consolidated Log Report as Report type as Audit
Log. This audit function will show the details of the user(s) subject to auditing.
The user(s) to be audited are configured/selected in transaction SM19.
OS Command Log: An OS Command Log can be retrieved from the consolidated Log Report by
selecting the Report type as OS Command.
This logs tracks the changes which the user makes in SM49 for OS Command.

Invalid SuperuserReport: The Invalid Superuser Log is launched by the according link from the
Super User Management Reports area.
This Log is used to analyze the users who are expired, locked or deleted.

FireFighter Log Synch:

In this Customizing activity, you can get the logs of firefighter activities from the back-end system
and store them in the GRAC repository. The synchronization gets data for firefighter activities from
the time the activity was last executed to the current time.
The activity performs the log synchronization in the background and does not display any screens.
The cursor spins to indicate the application is performing the task. Once the cursor stops spinning,
the task is done.
The following tables are updated:

GRACAUDITLOG
GRACCHANGELOG
GRACOSCMDLOG
GRACSYSTEMLOG
GRACFFLOG

This log is only updated during FireFighter Log synch if you have maintained the Send Log Report
Execution Notification Immediately parameter as Yes, or else it is updated during Firefighter
Workflow Synch. You maintain this in the Customizing activity Maintain Configuration Settings,
parameter ID 4007.

GRACROLEFFLOG
This log is updated for role based applications. You can set whether an application is Role or User
based in the Customizing activity. This log is updated for role based applications. You can set
whether an application is Role or User based by using the Customizing activity Maintain
Configuration Settings, parameter ID 4000 - Application Type.
FireFighter Workflow Synch:

In this Customizing activity, you can generate requests for the FFID log and send the workflow to
controller. The activity updates the GRACFFLOG and GRACROLEFFLOG tables , triggers the
firefighter workflow, and creates firefighter work items.
FIREFIGHTER APPLICATION TYPES

ID Based Firefighter:

The firefighterID created in the remote system will be assigned to the user in the GRC system, either
manually or via an access request. The firefighter accesses their assigned firefighterID in the GRC
server using the SAP GUI and transaction GRAC_SPM. The firefighterID for all remote systems
assigned to the firefighter will be accessed from this transaction.

In this scenario:
Each Firefighter ID has its own User Master Record with roles assigned to it.
An SAP End-user (Firefighter) executes a transaction code (/n/virsa/vfat in AC 5.3) and checks out
an ID. Multiple users can check-out each Firefighter ID but only one user can have it checked out at
any time.
A reason and the expected activity must be documented prior to gaining firefighter access.
Relevant changes in SAP are captured in the change history under the Firefighter ID, not the user’s
normal ID.

ID-Based Firefighter usage is available in all versions of Superuser Privilege Management (formerly
Firefighter). It is used widely by customers for granting emergency and elevated access.

Role Based Firefighter:

The firefighter roles created in the remote system will be assigned to the user in the GRC server. The
firefighter directly logs into the remote system using their user ID and performs activities which are
provided in the user’s role and firefighter role assigned to the user.

In this scenario:
Each Firefighter Role is assigned through Superuser Privilege Management to an SAP end-user.
End-users do not check out a separate ID.
Transaction and change history is logged with the user’s own ID.
The end-user is not aware when they are utilizing emergency / firefighter access.

Firefighter role-based usage:

It is available in versions 5.2 and above of Superuser Privilege Management (formerly Firefighter)
Was created for customers that did not want users to have access with two IDs.

When role-based firefighter is chosen, the Superuser Privilege Management screen will display the
following configuration:
In order for this configuration to be displayed, the configuration parameter Assign FF Roles Instead
of FF IDs must be set to YES as shown below.

Steps:

Step 1: Create Firefighter Role:

Role should be created using transaction PFCG with specific security for performing the task
assigned to the Firefighter role. Preferred practice is to assign specific security and not to assign
access similar to ‘SAP_ALL’.
The role(s) should not be assigned to any user via transaction SU01 or PFCG and should only be
assigned as Firefighter level access.

Step 2: Assign Firefighter Owner:

Assign an Owner to the Firefighter Role.

Owners can assign Firefighting roles to Firefighters.
Owners cannot assign Firefighter Roles to themselves. Same as above, think they need to have
config option turned on to prevent this.

Step 3: Assign Firefighter Controller:

Assign a Controller to the Firefighter Role. Controllers are responsible for reviewing the log report,
and can receive e-mail notification of firefighter role use.
Firefighter Role Controllers can also be Firefighter Role Owners.
Step 4: Assign Firefighter:
Assign a Firefighter (existing SAP user ID) to the Firefighter Role. Firefighters can access the roles
assigned to them within the validity dates indicated in the Firefighters table, and as defined by
Firefighter Owners.

Additional Points:

1. One ffid can be assigned to multiple fire fighters but they cannot use at a time.
2. In out EAm, Additional activity is one extra tab added to maintain extra activities.
3. We can send a message to existing ff if we would like to use the same ffid.
4. We can also unlock the ffid which is being used by another ff.
5. FF owner can assign ffids which are owneed by him/her to fire fighters and controllers.
6. Decentralized fire figthing concept is also available in GRC 10 from Support pack 10
onwards.