
Day14-Day15

Published by Teamlease Edtech Ltd (Amita Chitroda), 2021-08-17 08:34:44

Description: Day14-Day15


BRM Role Methodology via Condition Groups
https://blogs.sap.com/2015/02/18/brm-role-methodology-via-condition-groups/

BRM Role Approval via Condition Groups
https://blogs.sap.com/2014/12/05/brm-default-approvers-via-condition-groups/
(In Approval, we need to maintain the user in NWBC -> Access Management -> Role Owner)













Parameters for Role

Default Roles



Workflow Parameter for Role







Emergency Access Management
• EAM allows users to take responsibility for tasks outside of their normal job function.
• The log file can be distributed to controllers and owners via workflow.

Firefighter Application Types
• ID Based Firefighter Application
• Role Based Firefighter Application
Only one application type can be configured at a given time.
• Reason codes must be maintained in order to access the firefighter.
• An owner and a controller must be assigned to the FFID; only then will it appear in the request.
• Tables: GRACRLCONN, GRACROLE, GRACUSERROLE, GRACUSERCONN & GRACFFUSER





1000: maintain the plugin connector ID, the same as created in the GRC box (Plugin --- GRC).
1001: the connector ID of the GRC system; it should exist in SM59 of the plugin system (the same name as created in the GRC box will be created in the plugin system as well).

• SAP_GRAC_FN_BUSINESS_USER required for FF_USERS to get pop out in NWBC

Role Based Firefighter
https://wiki.scn.sap.com/wiki/display/GRC/Steps+to+configure+Role-Based+Firefighter+application
• No Firefighter ID is required
• The role is declared as a Firefighter role
• Parameter 4010 does not need to be maintained
• When a user ID is assigned a firefighter role, it becomes difficult for auditors to differentiate between tasks performed by the user as part of his/her daily work and elevated tasks.
• While creating the role through BRM, we need to enable the role for firefighter in its properties.

Monitoring Emergency Access
Report types include:
• Consolidated Log Report
• Invalid Superuser Report
• Firefighter Log Summary
• Reason code and activity record
• SOD conflict report for Firefighter ID



Program name: GRAC_SPM_LOG_SYNC_UPDATE, TRANSACTION: GRAC_SPM_LOG_SYNC

Firefighter Log Analysis https://wiki.scn.sap.com/wiki/display/GRC/How+does+the+Firefighter+application+fetch+the+Change+Log+data

Synchronization jobs
• Firefighter Log Synchronization: FireFighter Log Synch (GRAC_SPM_LOG_SYNC_UPDATE)
• Firefighter workflow Synch
• EAM Master Data Synch (GRAC_SPM_SYNC) (Decentralized firefighter: we need to schedule this job)

How to Extract FF log Summary report using tables
https://blogs.sap.com/2015/01/12/how-to-extract-ff-log-summary-report-using-tables-in-grc-10/

Overall workflow: MSMP instance ids -> External key -> FFLog_id -> Action_id -> FF logs

A few notable points:
• For every MSMP instance ID there is only one external key generated, but for every external key there may be one or more FFLog_id, leading to an equivalent number of Action_id and logs.
• There can be more than one controller maintained for a particular flavor of firefighter (unique combination of firefighter ID and connector).
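The lookup chain above, walked over a few rows, as an added example that is not taken from the slides or the linked blog. All field names and sample values are constructed placeholders rather than real GRC table columns, and reporting FF log IDs that have no action record is an assumption added for review purposes.

```python
from collections import defaultdict

# Constructed sample data; names and values are hypothetical, not GRC table columns.
INSTANCES = [("MSMP-001", "EXT-A"), ("MSMP-002", "EXT-B")]   # (MSMP instance id, external key)
FF_LOGS = [("EXT-A", "LOG-1", "FF_FIN_01", "CONN_PRD"),      # (external key, FF log id,
           ("EXT-A", "LOG-2", "FF_FIN_01", "CONN_PRD"),      #  firefighter id, connector)
           ("EXT-B", "LOG-3", "FF_BASIS_01", "CONN_PRD")]
ACTIONS = [("LOG-1", "ACT-1", "SE38"), ("LOG-2", "ACT-2", "SM30")]  # (FF log id, action id, activity)
CONTROLLERS = [("FF_FIN_01", "CONN_PRD", "CTRL_A"),          # several controllers per
               ("FF_FIN_01", "CONN_PRD", "CTRL_B"),          # (firefighter id, connector)
               ("FF_BASIS_01", "CONN_PRD", "CTRL_C")]


def build_summary(instances, ff_logs, actions, controllers):
    """Walk instance id -> external key -> FF log id -> action id -> log entry."""
    key_of = {}
    for instance_id, ext_key in instances:
        # Enforce the rule that one instance id has exactly one external key.
        if key_of.setdefault(instance_id, ext_key) != ext_key:
            raise ValueError(f"{instance_id} maps to more than one external key")
    logs_by_key = defaultdict(list)              # one external key -> one or more FF log ids
    for ext_key, fflog_id, ffid, connector in ff_logs:
        logs_by_key[ext_key].append((fflog_id, ffid, connector))
    action_of = {log_id: (act_id, activity) for log_id, act_id, activity in actions}
    ctrl_of = defaultdict(list)
    for ffid, connector, controller in controllers:
        ctrl_of[(ffid, connector)].append(controller)

    summary, unresolved = [], []
    for instance_id, ext_key in key_of.items():
        for fflog_id, ffid, connector in logs_by_key.get(ext_key, []):
            action = action_of.get(fflog_id)
            if action is None:
                unresolved.append(fflog_id)      # FF log id with no action record
                continue
            summary.append({"instance_id": instance_id, "fflog_id": fflog_id,
                            "ffid": ffid, "connector": connector,
                            "action_id": action[0], "activity": action[1],
                            "controllers": ctrl_of[(ffid, connector)]})
    return summary, unresolved


if __name__ == "__main__":
    rows, missing = build_summary(INSTANCES, FF_LOGS, ACTIONS, CONTROLLERS)
    for row in rows:
        print(row)
    print("FF log ids without an action record:", missing)
```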













Business Scenario for FF ID
• When a contractor joins a company and needs to complete some standard tasks, FFID access is required.
• A person who is usually not responsible for this has to release an urgent purchase order, because the person responsible is not available.
• FF is mainly for our developers, who are restricted to Display activity in the SAP production system.
• We have also used it to provide external auditors the access they may need during their audit review.
• The ABAPers need it for debugging.
• The ABAPers do not have SE38 in PRD.
• Support users require an FFID.
• Client access is required for the user.

CREATING REQUEST FOR EAM
• SPRO -> Governance Risk & Compliance -> Access Control -> User Provisioning -> Define Request Type
• Create a new request and assign action as: Super user Assignment
Reference Blog: https://blogs.sap.com/2015/01/24/eam-requesting-emergency-access-via-access-request-workflow-in-sap-grc-step-by-step/

