SAP Access Controls: Emergency Access Management (EAM)

Emergency Access Management (EAM) in SAP Access Control allows for the definition, management, and monitoring of emergency access. It enables users to take on tasks outside their normal roles by granting temporary access to a super user or “firefighter” ID.

To effectively regulate and control the provisioning of broad authorizations while ensuring compliance, the following structured process is implemented:

  • A designated firefighter owner is responsible for managing specialized super users, who are monitored by a firefighter controller. The firefighter owner must approve access to specific firefighter IDs in all cases.
  • The SAP Access Control system facilitates the transfer of activity logs from the firefighter to the controller for comprehensive monitoring and review. Detailed records of actions performed during emergency access sessions are consistently documented in the target system.

Furthermore, SAP Access Control provides emergency access to the back-end applications of SAP ABAP target systems and the SAP HANA database through the SAP GUI interface. Additionally, it offers emergency access to web-based SAP ABAP applications via the Web GUI interface. This method ensures accountability and compliance within the organization.

Application Scenarios of EAM

There are two application types for EAM: ID-based and Role-based, but only one can be used at a time.

  1. ID-based EAM Application

A Firefighter ID is a service user with elevated privileges in a target system, created and assigned by administrators with a specific role to distinguish it from other service users. SAP Access Control identifies a Firefighter ID based on this role.

Users can be assigned Firefighter IDs either manually or through an access request. Firefighters can access the assigned Firefighter IDs within specified validity dates in two ways:

  • In the SAP Access Control system using the ABAP GUI and transaction GRAC_EAM (Centralized Firefighting).
  • In the target back-end system using the ABAP GUI and transaction /GRCPI/GRIA_EAM (Decentralized Firefighting).

Change history of the activities performed during a Firefighter session will be logged under the Firefighter ID.

  2. Role-based EAM Application

Firefighter roles are roles in a target system with elevated privileges. Firefighter roles are assigned to the user in the SAP Access Control system, and the user can use them within the validity dates. A firefighter logs on to the target system as usual, using their own user ID, and performs activities. If the user executes a transaction that is part of the firefighter role, the system treats this as a firefighter session. Change history of the activities performed during a Firefighter session will be logged under the user’s own ID.

In both ID-based and role-based EAM scenarios, firefighter owners and controllers for firefighter IDs/roles in the SAP Access Control system are maintained by the administrators. Firefighters usually request access to firefighter IDs/roles for certain validity dates through access requests, with a subsequent approval process.
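The following is an added example, not SAP code, that models the control points described for the two scenarios: owner approval in all cases, validity dates, a reason code for ID-based sessions, and which ID the change history is attributed to. All user, firefighter ID, role and transaction names in it are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Assignment:
    """A firefighter assignment as maintained in SAP Access Control (simplified model)."""
    user: str                 # the firefighter's own user ID
    target: str               # firefighter ID (ID-based) or firefighter role (role-based)
    scenario: str             # "id" or "role"
    valid_from: date
    valid_to: date
    owner_approved: bool = False
    role_tcodes: frozenset = frozenset()   # transactions in the firefighter role (role-based only)

@dataclass
class LogEntry:
    logged_under: str         # ID the change history is recorded under
    user: str                 # person who actually performed the activity
    tcode: str
    reason_code: Optional[str]

def session_violations(a: Assignment, today: date, reason_code: Optional[str] = None) -> list:
    """Return the control violations that block a firefighter session (empty list = allowed)."""
    problems = []
    if not a.owner_approved:
        problems.append("owner approval missing")
    if not (a.valid_from <= today <= a.valid_to):
        problems.append("outside validity dates")
    if a.scenario == "id" and not reason_code:
        problems.append("reason code missing")
    return problems

def record_activity(a: Assignment, tcode: str, reason_code: Optional[str] = None) -> Optional[LogEntry]:
    """Attribute an activity the way EAM does: under the firefighter ID in the ID-based scenario;
    under the user's own ID in the role-based scenario, and only when the transaction belongs
    to the firefighter role. Any other transaction is ordinary work, not a firefighter session."""
    if a.scenario == "id":
        return LogEntry(a.target, a.user, tcode, reason_code)
    if tcode in a.role_tcodes:
        return LogEntry(a.user, a.user, tcode, reason_code)
    return None

def controller_review(entries: list) -> dict:
    """Group logged activities by the ID they were recorded under, as a controller sees them
    in the firefighter log review."""
    queue: dict = {}
    for e in entries:
        if e is not None:
            queue.setdefault(e.logged_under, []).append((e.user, e.tcode, e.reason_code))
    return queue
```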

The Firefighter ID-based EAM scenario can be run through either centralized or decentralized firefighting, as explained below:

Centralized Firefighting Overview

Emergency Access Management provides a centralized console in the SAP Access Control system. A firefighter user can log on to different systems for firefighting from the centralized console and does not have to log on to each individual client system to perform firefighting.

The centralized logon pad allows you to:

  • View all firefighter IDs assigned to the user.
  • Log on to all target systems using assigned firefighter IDs.

Decentralized Firefighting Overview

Decentralized firefighting allows users to use the Emergency Access Management launchpad directly on target systems to perform firefighting activities. It is useful if the SAP Access Control System is not available for centralized firefighting.

Decentralized firefighting allows you to use and administer the following functions on the target back-end system:

  • EAM launchpad that shows firefighter IDs for the current target system.
  • Validity periods for expired firefighter assignments can be extended.

Prerequisites for using Emergency Access Management

  1. Create users as needed in the target systems, referring to the lists below. Synchronize the users with a GRC Repository Sync (transaction GRAC_REP_OBJ_SYNC).
  2. Create Firefighter role in target system, import it to SAP Access Control system and mark it for firefighting in Business Role Management component in case of role-based firefighting scenario.
  3. Assign owners to firefighter IDs/roles in SAP Access Control.
  4. Assign controllers to firefighter IDs/roles in SAP Access Control.
  5. Create reason codes for ID-based scenario in SAP Access Control.

Prerequisite users in the SAP Access Control System

  • Firefighter user (for centralized firefighting).
  • Firefighter controller.
  • Firefighter owner.

Prerequisite Users in the Target System

  • Firefighter ID with elevated privileges (for ID-based scenario).
  • Firefighter user (for decentralized firefighting).
  • Firefighter controller / owner (for validity date extension and receiving login notifications in case of decentralized firefighting).

Firefighter controllers review the Firefighter logs through an access request workflow called Firefighter log review. SAP Access Control also enables Emergency Access Management for web-based applications of ABAP systems. Web-based firefighting is an ID-based scenario, and these Firefighter IDs are accessible only through the centralized scenario. It does not support decentralized firefighting, and detailed logging of these activities is unavailable.

To conclude, EAM is a crucial access control module that safeguards critical system accesses, ensuring the elevated access is controlled and audited.