AC 10.

0 Pre-Implementation From Post-Installation to First Emergency Access

Customer Solution Adoption April 11th 2011

Version 1.0

Purpose of this document

This document allows implementation consultants and administrators to setup the required functionality for running an emergency access (firefighter) session after the post-installation has been finished. This is by no means a comprehensive guide for setting up the Emergency Access Management component, rather it allows testing the application is working properly by setting up a basic test case.

Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

2011 SAP AG. All rights reserved.

Agenda

Requirements
o Adding connector to SUPMG scenario o Creating users and assigning roles o Verifying time zones

Configuration
o o o o Maintaining AC owners Assigning owners to firefighter IDs Assigning firefighter IDs and controllers to firefighters Creating reasons codes

Starting an emergency access session Managing Logs

o Running log collection o Viewing the firefighter reports

2011 SAP AG. All rights reserved.

Requirements
Adding connector to SUPGM scenario Creating users and assigning roles

Adding connector to SUPMG scenario

To create access requests it is required to have the SUPMG scenario linked to the connector, this is done via IMG:

2011 SAP AG. All rights reserved.

Creating users and assigning roles

Please create users and roles as needed. Remember to synchronize again the repository (program GRAC_REPOSITORY_OBJECT_SYNC ). These roles are provided as examples and customer roles need to be created based on their authorizations.

In the AC system Firefighter user Firefighter controller Firefighter owner In the target system Firefighter ID

Role SAP_GRAC_SUPER_USER_MGMT_USER SAP_GRAC_SUPER_USER_MGMT_CNTLR SAP_GRAC_SUPER_USER_MGMT_OWNER Role SAP_GRAC_SPM_FFID

In the AC system the Firefighter ID role is configured in Param ID 4010 (Firefighter ID role name) Reminder: end users will require also the roles based on SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER
2011 SAP AG. All rights reserved. 7

Verifying time zones

For logs to be properly captured the time zones in the connected ERP systems need to be configured to match the operating system and also the AC server time zone. This is done in IMG under SAP NetWeaver General Settings Time Zones Maintain System Settings

2011 SAP AG. All rights reserved.

Configuration
Maintaining AC owners Assigning owners to firefighter IDs Assigning firefighter IDs and controllers to firefighters Creating reasons codes

Maintaining AC owners
Go to NWBC Access Management GRC Role Assignments Access Control Owners and maintain the controllers and owners as shown below:

After this is done it is possible to assign those to FireFighter IDs.

2011 SAP AG. All rights reserved.

10

Assigning owners to firefighter IDs

In Access Management go to Superuser Assignment and click on Owners. Here owners are assigned to firefighter IDs.

2011 SAP AG. All rights reserved.

11

Assigning firefighter IDs and controllers to firefighters

Now you need to assign firefighter IDs and controllers to users. This is done by going to Superuser Assignment Firefighter IDs

Note: Multiple firefighter users and controllers can be assigned to a multiple firefighter ID.
2011 SAP AG. All rights reserved. 12

Creating reasons codes

The reason codes available for firefighter users are maintained under Superuser Maintenance Reason Codes

2011 SAP AG. All rights reserved.

13

Starting Emergency Access

Starting a firefighter session

Login to the AC system using the firefighter user and launch transaction GRAC_SPM You will be able to connect to the target system using the firefighter IDs previously assigned

2011 SAP AG. All rights reserved.

15

Managing Logs
Running Log Collection Viewing the firefighter reports

Running log collection

Foreground mode
The foreground job for log collection can be executed from the Update Firefighter Log Button which can be found in the following path:
Reports And Analytics Super User Management Reports Consolidated Log Report

2011 SAP AG. All rights reserved.

17

Running log collection

Background mode
The Background Job for Log Collection can be scheduled periodically from SM36 using program GRAC_SPM_LOG_SYNC_UPDATE.

2011 SAP AG. All rights reserved.

18

Viewing the firefighter reports

The reports can be filtered by using different criteria as shown below.

2011 SAP AG. All rights reserved.

19