GRC 10.0 - Centralized Emergency Access

Hi experts,
I have a question; let's see if someone else has faced this same concern.
We are facing an implementation of the new GRC - AC 10.0 and when configuring the component Emergency Access (former SPM) we realized that in order to assign an end user to a FF ID, the end user account must be created in the GRC AC server.
This concept changes from the last AC 5.3 version where end users only needed to be created in the SAP ERP and have the role /VIRSA/Z_VFAT_FIREFIGHTER assigned in order to access transaction code /n/VIRSA/VFAT.
So if what I am saying is correct, that means that we have to create one user in GRC for each user that we have in the SAP ERP, is that correct? And, if that is correct, that means that we need to buy as many licenses for GRC 10.0 as the ones that we have for the SAP ERP?
Thanks very much for your support
Best regards,

Hi,
Only users who shall be able to use FFIDs (EAM) need a user on the GRC box! I guess these are not all users in your SAP ERP system?!
Regards

Similar Messages

  • GRC 10: Centralized Emergency Access  - SPM Questions

    Can a Firefighter log on using the Netweaver Business Client to launch a Firefighter ID?
    Is it mandatory to use the GRC system to launch a Firefighter ID using the GRAC_SPM transaction code, or can the user log on to the local system as well?
    What about Portal-based system Firefighting functionality? Can we have Firefighter IDs on a Netweaver Java system?
    Will I be able to grant a Firefighter ID to a Firefighter User on an hourly basis?
    For initial setup, how can the initial data load of Firefighter ID Owners, Controllers and Firefighter Users be done? Are there options like load from Excel or CSV available as part of the setup toolset?
    Edited by: sarath govindarajual on Mar 16, 2011 4:53 PM

    Can a Firefighter log on using the Netweaver Business Client to launch a Firefighter ID?
    - No, GRAC_SPM is the way to go.
    Is it mandatory to use the GRC system to launch a Firefighter ID using the GRAC_SPM transaction code, or can the user log on to the local system as well?
    - Yes. However, the option would be nice to have a workaround in case GRC is down.
    What about Portal-based system Firefighting functionality? Can we have Firefighter IDs on a Netweaver Java system?
    - As far as I know only for transactional SAP systems.
    Will I be able to grant a Firefighter ID to a Firefighter User on an hourly basis?
    - Same as answered already - no.
    For initial setup, how can the initial data load of Firefighter ID Owners, Controllers and Firefighter Users be done? Are there options like load from Excel or CSV available as part of the setup toolset?
    - Same as answered already - no.

  • Integration scenario for Centralized Emergency Access and Helpdesk / CHARM

    Hi,
    Is any of you aware of a scenario doc between GRC and SOLMAN? Since Change Requests are referred in GRC, I assume there is an integrated scenario...
    Thanks in advance,
    Best regards,
    Ádá

  • GRC AC 10: Emergency Access Management, Logon button is disabled (GRAC_SPM)

    Hello Gurus,
    I have configured Emergency Access Management in GRC AC 10.
    GRC Box (SID) : GR1 client 100
    Backend ERP system : D24 client 100
    The FIREFIGHTER in GRC system : FFUSER1
    Z_SAP_GRAC_SUPERUSER_MGMTUSER
    Z_SAP_GRC_FN_BASE
    Z_SAP_GRC_NWBC
    In the Backend ERP system the FIREFIGHTER ID: ABC wants to access the FIREFIGHTER(FFUSER1)
    Hence in NWBC (Setup >Superuser Assignment>Firefighter ID) the assignment is done.
    ABC(FIREFIGHTER ID) <--->FFUSER1(FIREFIGHTER)
    Now the User login the GRC system using FFUSER1 assigned following roles
    Z_SAP_GRAC_SUPERUSER_MGMTUSER
    Z_SAP_GRC_FN_BASE
    Z_SAP_GRC_NWBC
    Z_SAP_GRAC_SPM_FFID
    and runs Transaction: GRAC_SPM
    and he is able to see that ABC is assigned .
    Now the user clicks on "Logon" and the status changes from green to "RED".
    A new SAP screen opens asking for credentials for the Backend ERP system D24 client 100
    The User enters his own Id : ABC and password and logs in.
    Runs the necessary transactions and logs out using transaction: /nex
    The session in GRC is still running and now the "LOGON button" is disabled , he comes out of that screen too.
    When the user tries to login again using FFUSER1 to do more task , the "LOGON Button" is seen disabled.
    and clicking the "unlock" button also doesn't help.
    When checked in SM04, no live session is reflected .
    How can we "enable" the LOGON button in the transaction : GRAC_SPM for the same FIREFIGHTER (FFUSER1) assigned for Firefighter ID (ABC) ??
    As it is now not possible to click "LOGON" button and the status is "RED".
    Please let me know your opinion .
    Thank You.
    Regards,
    Premjit

    Thanks to All

  • Emergency access procedure - non GRC

    Hi guys,
    Just wondering if you have a written Emergency Access Procedure (FireFighter), which is not based on GRC.
    My client has unfortunately no GRC installed at all.
    Also wondering if Solman can be utilized as currently they use it for change management..
    Thanks a lot
    Cheers
    Greg

    Greg,
    I have experience with two different non-GRC Firefighter procedures, both role-based.
    In one solution, the user submitted a Firefighter request for either the HR or the non HR Firefighter role to be assigned; the form was a custom Outlook form. A custom ABAP program monitored the assignment of these roles, logged the tcode usage of the IDs with the role assigned, sent an audit report to the user's manager which included tcode usage and if the tcodes used were in the user's regular roles or in the FF role, and the manager had to return the report to SAP security as confirmation that it had been reviewed.
    In the other solution, the request logged into the IdM solution to request firecall authority. The requester must be pre-approved to request elevated SAP access. IdM provisioned the extra access to the user's account and notified both the user's manager and SAP Security. IdM deprovisioned the extra access at the specified time in the request. SAP Security was responsible for auditing the use and documenting the tcodes used in a report sent to the user's manager and all of this was documented in an IT incident ticket.
    The second solution required a lot more manual effort from the SAP Security team, but it was not invoked often. The first solution, while much more automated, presented its own challenges, as the buffer for the tcode usage statistics frequently overflowed, and a designated resource would have to work to resolve.
    So from my experience, I would say that there is a good reason why customers choose to implement a GRC firefighter solution.
    Cheers,
    Gretchen
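
The audit report described in the first role-based solution above, sketched as an added example that is not part of the original post and not the custom ABAP program it mentions. Role names, users, tcodes and the function name are constructed for illustration; it assumes tcode usage is available as (user, tcode, timestamp) records.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (assumption): role-to-tcode mapping, regular role
# assignments, time-boxed Firefighter role assignments and tcode usage records.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "FBL1N"},
    "Z_FF_NON_HR": {"SE16", "SM30", "FB60", "SU01"},
}
REGULAR_ROLES = {"JDOE": ["Z_AP_CLERK"]}
FF_ASSIGNMENTS = [
    ("JDOE", "Z_FF_NON_HR", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 17, 0)),
]
USAGE = [
    ("JDOE", "FBL1N", datetime(2024, 3, 1, 8, 30)),  # before the FF role was assigned
    ("JDOE", "FB60", datetime(2024, 3, 1, 9, 15)),   # also in the regular role
    ("JDOE", "SE16", datetime(2024, 3, 1, 9, 20)),   # only in the FF role
    ("JDOE", "SM30", datetime(2024, 3, 1, 10, 0)),   # only in the FF role
    ("JDOE", "PA30", datetime(2024, 3, 1, 10, 5)),   # in neither role
    ("JDOE", "SE16", datetime(2024, 3, 1, 18, 0)),   # after the FF role was removed
]


def build_ff_audit_report(usage, ff_assignments, regular_roles, role_tcodes):
    """Return {(user, ff_role): {"regular": [...], "ff_only": [...], "neither": [...]}}.

    Only usage inside the Firefighter assignment window is reported. Each tcode
    is classified by whether the user's regular roles already cover it, only
    the Firefighter role covers it, or neither does (worth a reviewer's question).
    """
    report = defaultdict(lambda: {"regular": [], "ff_only": [], "neither": []})
    for user, ff_role, start, end in ff_assignments:
        regular = set()
        for role in regular_roles.get(user, []):
            regular |= role_tcodes.get(role, set())
        ff_tcodes = role_tcodes.get(ff_role, set())
        for used_by, tcode, ts in sorted(usage, key=lambda rec: rec[2]):
            if used_by != user or not (start <= ts <= end):
                continue
            if tcode in regular:
                bucket = "regular"
            elif tcode in ff_tcodes:
                bucket = "ff_only"
            else:
                bucket = "neither"
            report[(user, ff_role)][bucket].append((ts, tcode))
    return dict(report)


if __name__ == "__main__":
    for key, buckets in build_ff_audit_report(
            USAGE, FF_ASSIGNMENTS, REGULAR_ROLES, ROLE_TCODES).items():
        print(key)
        for name, entries in buckets.items():
            print("  ", name, [tcode for _, tcode in entries])
```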

  • I designer I want to create forms for web client, does each client have to purchase form central to access the data?

    I designer I want to create forms for web client, does each client have to purchase form central to access the data?

    Hi,
    In this scenario, you can share the document with the clients and provide co-author privileges.
    Co-authors can edit the form design, options, responses, and summary report (everything that you can do).
    Note:- They do not require a paid subscription to view the responses, free subscription users can become co-authors.
    Please refer to the following thread to know how to share a form with others:-How do I share a form I created with others?
    Regards,
    Nakul

  • Reason Codes not displaying when performing emergency access management(SPM

    Hello guru,
    I am experiencing a little problem when using superuser privilege management (emergency access) functionality in AC 10.0.
    My problem is that the reason codes created in the AC system via the reason code link in the workcenter do not appear as a drop-down for me when I click on the logon button in the initial screen displayed in transaction SPM_GRAC.
    Suffice to say that I do not have any reason code to pick from in the drop-down for superuser privilege management in the AC system when I log on with the firefighter user to perform SPM.
    Please help me out with your suggestions.
    Thanks

    Hello guru,
    I am experiencing a little problem when using superuser privilege management (emergency access) functionality in AC 10.0.
    My problem is that the reason codes created in the AC system via the reason code link in the workcenter do not appear as a drop-down for me when I click on the logon button in the initial screen displayed in transaction GRAC_SPM.
    Suffice to say that I do not have any reason code to pick from in the drop-down for superuser privilege management in the AC system when I log on with the firefighter user to perform SPM.
    Please help me out with your suggestions.
    Thanks

  • GRC AC Emergency Access Management (EAM) and STAD report data

    Dear Community,
    We use EAM (ID based fire fighting) and the log synchronization jobs are scheduled every half hour in order to get the fire fighter logs from the back-ends for review by the controller. Due to a technical issue the synchronization jobs were not working correctly over several days. We experienced missing session details (executed transactions, programs, changes, etc.) for many fire fighter sessions. As one of the sources of the fire fighter log is STAD on the back end and these data are only buffered 48 hours per default, I expect that I can't recover the logs and they are irreversibly lost if GRC is down or the sync jobs are not running for more than that time. That can happen over a weekend....
    I ask you:
    can you confirm my expectation?
    does it make sense to extend the STAD buffer up to e. g. 96 hours for all GRC production back ends?
    have you controls in place to check if the sync-jobs are running and the logs are synchronized correct and complete?
    I would appreciate, if you can share some thoughts with me about this.
    Thanks in advance,
    Andreas Langer

    Hi Andreas,
    - Please check the below note, for missed log entries
    1934127 - GRC10 EAM: EAM recovery program to retrieve missing log and to generate the missing workflows
    - The maximum value is 99, and it is the number of stat files that are generated. So, you can get records up to 4 days.
    - Periodic monitoring activity can be set, which is done manually. I am not aware if Process Control can take care of this monitoring.
    regards
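
One way to implement the control Andreas asks about, a check that the sync jobs ran and that no gap outlasted the back-end retention, as an added example that is not part of the thread and not SAP code. It assumes the retention behaves as a simple time window (48 hours, as stated in the question) and that job runs are available as (timestamp, succeeded) records; the sample job log and all function names are constructed.

```python
from datetime import datetime, timedelta


def assess_sync_gaps(runs, now, retention_hours=48, interval_minutes=30, tolerance=2):
    """Classify gaps between successful log-sync runs.

    runs: iterable of (timestamp, succeeded) tuples taken from a job log.
    A gap longer than interval_minutes * tolerance is reported. If the gap is
    also longer than the retention window (assumption: a plain time window),
    activity between the gap start and (gap end - retention) had already aged
    out of the back-end statistics before the next sync could read it.
    """
    retention = timedelta(hours=retention_hours)
    max_gap = timedelta(minutes=interval_minutes * tolerance)
    successes = sorted(ts for ts, ok in runs if ok)
    if not successes:
        return [{"start": None, "end": now, "open": True,
                 "status": "NO_SUCCESSFUL_SYNC", "lost_until": None}]
    findings = []
    points = successes + [now]  # the final pair is the still-open gap up to "now"
    for i in range(len(points) - 1):
        start, end = points[i], points[i + 1]
        gap = end - start
        if gap <= max_gap:
            continue
        lost = gap > retention
        findings.append({
            "start": start,
            "end": end,
            "open": i == len(points) - 2,
            "status": "LOG_LOSS" if lost else "RECOVERABLE",
            "lost_until": end - retention if lost else None,
        })
    return findings


def build_sample_runs():
    """Constructed job log: half-hourly runs, two failures around Friday noon
    and a failing job from Friday 18:30 until Monday 06:30."""
    runs = []
    t = datetime(2024, 3, 1, 8, 0)
    while t <= datetime(2024, 3, 4, 9, 0):
        short_outage = datetime(2024, 3, 1, 12, 0) <= t <= datetime(2024, 3, 1, 12, 30)
        weekend_outage = datetime(2024, 3, 1, 18, 0) < t < datetime(2024, 3, 4, 7, 0)
        runs.append((t, not (short_outage or weekend_outage)))
        t += timedelta(minutes=30)
    return runs


SAMPLE_RUNS = build_sample_runs()
NOW = datetime(2024, 3, 4, 9, 0)

if __name__ == "__main__":
    for f in assess_sync_gaps(SAMPLE_RUNS, NOW):
        print(f["status"], f["start"], "->", f["end"], "lost until", f["lost_until"])
```

Running the same job log with `retention_hours=96` shows the weekend gap becoming recoverable, which is the effect of the larger buffer discussed in the thread.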

  • GRC 10 Add on installation -Access control node missing in IMG SPRO

    Dear Experts
    We have got the GRC 10 add-on installed on our server by the Basis team and I can verify that by going to the SAINT tcode, but when I go to SPRO I cannot see an application by the name GRC. Whereas I can see GRC Process Control and GRC Risk Management, GRC Access Control is missing; following are the attached files. A quick response will be appreciated. Thanks in advance.

    Hi Luciana.,
    Thanks for your great explanation and you have answered my query all the way Thanks once again.
    But one more query please
    Regarding below,
    "The GRCPIERP is an addon basically for your system that has SAP HR installed, so you can integrate HR into GRC, to get requests for new hires, termination, etc."
    Does this mean that if I have no need of the HR trigger, or my plugin system is not an HR system, then GRCPIERP is not required at all for ARQ, EAM, ARA and BRM, not even for a single functionality?
    BR,
    Mangesh

  • Emergency Access request (Fire Fighter)

    Dear Experts,
    I am configuring SPM 10.0, I have assigned FF role to the FFID in the backend system. I have configured connectors between GRC system and ERP system.
    After running GRAC_ROLEREP_USER_SYNC I am getting below error.
    Processing for connector G10
    Error: Scenario Link is not defined in grfnconnscnlk table for G10
    User sync failed with errors
    I have checked the table and Scenario link is existing.
    Also, I am trying to assign an owner to a FFID, but I am not able to search for the FFID in the system. I have created Owners but I am not able to assign Owners to a FFID as the system is not allowing me to search.
    I appreciate your help.
    Thanks,
    Raj

    Hi Raj -
    Maybe a few things to try out to solve some of the problems you are running into:
    (1) Ensure the connector you are trying to utilize is associated with all the GRC scenarios not just the SUPMG scenario.  You can maintain that at IMG -> GRC->Common Component Settings -> Maintain Connection Settings
    (2) Assuming you can get your user synchronization running properly, just check to ensure you have the configuration parameter 4010 setup with the FF Role name you are using to assign to all your FFIDs so GRC can make the linkage
    (3) In order for someone to be set up as a FF Owner or Controller you will need to ensure they are configured with the GRC role assignments.  Under the Access Management work center check the table found at GRC Role Assignments -> Access Controls Owners.  Anyone who will be a FF owner must be associated with the FF ID Owner role
    Hope this helps a bit

  • Simple MSMP workflow for Emergency Access Management

    Hi,
    I am not able to get the EAM to work in Access Control 10. The user is able to successfully place an access request for FFid but there is an error in the workflow logs. I have not done any customization of the MSMP for GRAC_DEFAULT_PATH and other similar stages, as I am not aware of the specific values that need to be maintained.
    I want to avoid customizing as much as possible and use what SAP offers by default. The workflow steps I am looking for is : user places a request for FFid and the request is received by the FFid Owner (Manager) and approved by him, Once approved, the FFID is provisioned automatically and the user can login to tcode GRAC_SPM and use his FFid, and the Controller gets alerted about the log.

    Hi Veera,
    Did you define a condition in your initiator decision table in BRF+ to route your EAM requests to the firefighter path?
    Do you have stage called FF Owner?
    Did you create a Firefighter path in MSMP configuration with FF Owner stage in it?
    Did you maintain route mapping in your MSMP workflow configuration?
    Please share your BRF+ initiator decision table and MSMP workflow config screenshots to help you further.
    If you are new to MSMP and BRF+ config, please check this link for understanding the concept.
    MSMP - Multi Step Multi Process – GRC... | SCN
    Regards,
    Madhu.

  • GRC AC compatibility with HR Access

    Hi all,
    I would like to know if SAP GRC Access Control is theoretically compatible with HR Access.
    If so, are you aware of any concrete practical implementation ?
    Thanks for your help,
    Sophie

    Hi,
    I was referring to http://www.hraccess.com/, which is a competitor to both SAP HR and PeopleSoft.
    Thanks for your help,
    Edited by: Sophie Planchais on Oct 16, 2009 10:19 AM

  • GRC 10.0 SP 14 access request form displays unassigned roles

    Dear experts, when I open the Access Request form and I select a user, and then I click on existing assignments, I am shown a list of roles and systems assigned to this user. However, when I go to those corresponding backend systems to see if the roles are actually assigned, it turns out that they are not. I have rerun all the sync jobs and they all completed successfully. Auto provisioning works on all these systems and there are no issues in terms of the RFC. However, as indicated by the attachments, it continues to show rules that were unassigned from this user some time ago. where might these assignments be coming from?

    Hi Santosh,
    did you run the repository object sync job in full mode for this connector? This has mostly to do with outdated sync information as you can also see in the following note:
    http://service.sap.com/sap/support/notes/1667112
    Please check again.
    Regards,
    Alessandro

  • Centralized (MS Access) database

    hi,
    In my application, I am using MS Access as the database.
    Currently I am using a database at every client location. I want to make one database on one server; all clients need to update their details in that.
    Current sample code:
    String szPath;
    szPath = System.getProperty("user.dir") + File.separator + "db.mdb";
    // Build the ODBC connection string from the database path and password
    con = DriverManager.getConnection("jdbc:odbc:Driver={Microsoft Access Driver (*.mdb)};DBQ="
              + szPath + ";PWD=" + "hai");
    Note:
    All clients are connected within the network

    User845466 wrote:
    hi,
    In my application, I am using MS Access as the database.
    Currently I am using a database at every client location. I want to make one database on one server; all clients need to update their details in that.
    As noted it is possible you will have problems if you attempt multiple users.
    Or not.
    MS Access requires file level access at the OS level.
    You CANNOT do this in java.
    It means that the MS Access file must exist somewhere on a single box and all of the client boxes (ie using explorer) must be able to see that file. Again this has nothing to do with java.
    Once you have that set up then you use the file path, for example "Z:\\myAppData\\db.mdb", in the JDBC connection string.

  • Is there centralized control access for html5 notifications permissions?

    the desktop notifications permissions used by websites to control the creation of desktop notifications—for things like email and twitter—seems to have no centralized control. looking around i found the permissions manager (about:permissions) and the alert slide effect toggle in about:config but neither of these seem to have the permissions for the display of notifications.
    as far as i can tell the only place i can go to control these permissions are the individual pages themselves for which the permission was granted, under the page info > permissions tab. this would be fine but if i wanted to revoke this/these permissions globally i would need to remember and revisit all websites to which i had granted the permission.
    permissions manager seems like it was made for just such a purpose: to centrally locate global and individual permissions granted to websites. but the websites that i have granted this permission do not even show up in the list. i find this curious as in those pages "view page info" > permissions tab the same permissions that other sites have that are listed in permissions manager are listed directly above the notifications permission in the page info window.
    is there a centralized control for the notifications permission? if yes; where is it? if no; could it please be implemented?
    chrome has notification permission control in their advanced settings. easy to find. not like about:permissions.

    i should have stated in my original question: i am using firefox 27.0.1. my addons/extensions consist almost entirely of privacy and developer themed addons ie: noscript, priv3, ghostery, firebug, jsonview, and html validator.
    the exceptions button you referred to in the security tab is not for allowing collective things. that button is for listing the sites allowed/denied to install addons. i checked every page and every button in the options window before i started looking online for information about notifications. that is how i found the about:permissions page.
    the functionality of notifications i refer to is built into firefox. it is not from a addon/extension as the desktop notifications work while i am running in safe mode. so no, it is not a third party addon. if it were then the management of the permissions it is granted would be done through it. there are likely addons i could get for desktop notifications but i doubt they would be using the html5 spec notifications feature and thus not useful for my purposes.
    for reference the specific website that brought this feature to my attention and hence the management thereof was mail.google.com. on the general tab of the settings page for your inbox allows you to turn on or off desktop notifications of incoming mail as it is received. if you turn on the notifications the browser will ask you to grant or deny permission to the site for the display of notifications. a few days later i was thinking about these notifications and was curious how i would go about revoking the permission after it had been granted. i knew how to turn off the display of notifications by gmail, but that was not the same as revoking the permission. this search ultimately led me here.
    as i stated before the permissions of a site can be viewed by looking at the page info > permissions tab, accessible from the right click menu on the page. this however, as guigs2 found, seems to be the only place where the notifications permission is found. if it were also available on the about:permissions page that would satisfy my desire for a centralized control system of the notifications permission.
