GRC 10: Centralized Emergency Access - SPM Questions

Can a Firefighter log on using the NetWeaver Business Client to launch a Firefighter ID?
Is it mandatory to use the GRC system to launch a Firefighter ID using the GRAC_SPM transaction code, or can the user log on to the local system as well?
What about Portal-based system Firefighting functionality? Can we have Firefighter IDs on a NetWeaver Java system?
Will I be able to grant a Firefighter ID to a Firefighter User on an hourly basis?
For initial setup, how can the initial data load of Firefighter Ids Owners, Controllers and Firefighter Users be done? Are there options like load from Excel or CSV available as part of the setup toolset?
Edited by: sarath govindarajual on Mar 16, 2011 4:53 PM

Can a Firefighter log on using the NetWeaver Business Client to launch a Firefighter ID?
- No, GRAC_SPM is the way to go.
Is it mandatory to use the GRC system to launch a Firefighter ID using the GRAC_SPM transaction code, or can the user log on to the local system as well?
- Yes. However, it would be nice to have a workaround option in case GRC is down.
What about Portal-based system Firefighting functionality? Can we have Firefighter IDs on a NetWeaver Java system?
- As far as I know only for transactional SAP systems.
Will I be able to grant a Firefighter ID to a Firefighter User on an hourly basis?
- Same as answered already - no.
For initial setup, how can the initial data load of Firefighter Ids Owners, Controllers and Firefighter Users be done? Are there options like load from Excel or CSV available as part of the setup toolset?
- Same as answered already - no.

Similar Messages

  • GRC 10.0 - Centralized Emergency Access

    Hi experts,
    I have a question; let's see if someone else has faced this same concern.
    We are facing an implementation of the new GRC - AC 10.0 and when configuring the component Emergency Access (former SPM) we realized that in order to assign an end user to a FF ID, the end user account must be created in the GRC AC server.
    This concept changes from the last AC 5.3 version, where end users only needed to be created in the SAP ERP and have the role /VIRSA/Z_VFAT_FIREFIGHTER assigned in order to access transaction code /n/VIRSA/VFAT.
    So if what I am saying is correct, that means that we have to create one user in GRC for each user that we have in the SAP ERP, is that correct? And, if that is correct, does that mean that we need to buy as many licenses for GRC 10.0 as the ones that we have for the SAP ERP?
    Thanks very much for your support
    Best regards,

    Hi,
    Only users who shall be able to use FFIDs (EAM) need a user on the GRC box! I guess these are not all users in your SAP ERP system?!
    Regards

  • GRC AC 10: Emergency Access Management, Logon button is disabled (GRAC_SPM)

    Hello Gurus,
    I have configured Emergency Access Management in GRC AC 10.
    GRC Box (SID) : GR1 client 100
    Backend ERP system : D24 client 100
    The FIREFIGHTER in GRC system : FFUSER1
    Z_SAP_GRAC_SUPERUSER_MGMTUSER
    Z_SAP_GRC_FN_BASE
    Z_SAP_GRC_NWBC
    In the Backend ERP system the FIREFIGHTER ID: ABC wants to access the FIREFIGHTER(FFUSER1)
    Hence in NWBC (Setup >Superuser Assignment>Firefighter ID) the assignment is done.
    ABC(FIREFIGHTER ID) <--->FFUSER1(FIREFIGHTER)
    Now the user logs in to the GRC system using FFUSER1, assigned the following roles
    Z_SAP_GRAC_SUPERUSER_MGMTUSER
    Z_SAP_GRC_FN_BASE
    Z_SAP_GRC_NWBC
    Z_SAP_GRAC_SPM_FFID
    and runs Transaction: GRAC_SPM
    and he is able to see that ABC is assigned.
    Now the user clicks on "Logon" and the status changes from green to "RED".
    A new SAP screen opens asking for credentials for Backend ERP system D24 client 100
    The User enters his own Id : ABC and password and logs in.
    Runs the necessary transactions and logs out using transaction: /nex
    The session in GRC is still running and now the "LOGON button" is disabled; he comes out of that screen too.
    When the user tries to log in again using FFUSER1 to do more tasks, the "LOGON Button" is seen disabled.
    and clicking the "unlock" button also doesn't help.
    When checked in SM04, no live session is reflected.
    How can we "enable" the LOGON button in the transaction : GRAC_SPM for the same FIREFIGHTER (FFUSER1) assigned for Firefighter ID (ABC)?
    As it is now not possible to click the "LOGON" button and the status is "RED".
    Please let me know your opinion.
    Thank You.
    Regards,
    Premjit

    Thanks to All

  • Integration scenario for Centralized Emergency Access and Helpdesk / CHARM

    Hi,
    Is any of you aware of a scenario doc between GRC and SOLMAN? Since Change Requests are referred in GRC, I assume there is an integrated scenario...
    Thanks in advance,
    Best regards,
    Ádá

  • Reason Codes not displaying when performing emergency access management(SPM

    Hello guru,
    I am experiencing a little problem when using superuser privilege management (emergency access) functionality in AC 10.0.
    My problem is that the reason codes created in the AC system via the reason code link in the workcenter do not appear as a drop-down for me when I click on the logon button in the initial screen displayed in transaction SPM_GRAC.
    Suffice to say that I do not have any reason code to pick from in the drop-down for superuser privilege management in the AC system when I log on with the firefighter user to perform SPM.
    Please help me out with your suggestions.
    Thanks

    Hello guru,
    I am experiencing a little problem when using superuser privilege management (emergency access) functionality in AC 10.0.
    My problem is that the reason codes created in the AC system via the reason code link in the workcenter do not appear as a drop-down for me when I click on the logon button in the initial screen displayed in transaction GRAC_SPM.
    Suffice to say that I do not have any reason code to pick from in the drop-down for superuser privilege management in the AC system when I log on with the firefighter user to perform SPM.
    Please help me out with your suggestions.
    Thanks

  • Emergency access procedure - non GRC

    Hi guys,
    Just wondering if you have a written Emergency Access Procedure (FireFighter), which is not based on GRC.
    My client has unfortunately no GRC installed at all.
    Also wondering if Solman can be utilized, as currently they use it for change management.
    Thanks a lot
    Cheers
    Greg

    Greg,
    I have experience with two different non-GRC Firefighter procedures, both role-based.
    In one solution, the user submitted a Firefighter request for either the HR or the non HR Firefighter role to be assigned; the form was a custom Outlook form. A custom ABAP program monitored the assignment of these roles, logged the tcode usage of the IDs with the role assigned, sent an audit report to the user's manager which included tcode usage and if the tcodes used were in the user's regular roles or in the FF role, and the manager had to return the report to SAP security as confirmation that it had been reviewed.
    In the other solution, the request logged into the IdM solution to request firecall authority. The requester must be pre-approved to request elevated SAP access. IdM provisioned the extra access to the user's account and notified both the user's manager and SAP Security. IdM deprovisioned the extra access at the specified time in the request. SAP Security was responsible for auditing the use and documenting the tcodes used in a report sent to the user's manager and all of this was documented in an IT incident ticket.
    The second solution required a lot more manual effort from the SAP Security team, but it was not invoked often. The first solution, while much more automated, presented its own challenges, as the buffer for the tcode usage statistics frequently overflowed, and a designated resource would have to work to resolve.
    So from my experience, I would say that there is a good reason why customers choose to implement a GRC firefighter solution.
    Cheers,
    Gretchen

  • GRC 10.0 Upgrade & Functionality - 4 Questions

    Hi Forum,
    We are currently evaluating upgrading to GRC 10.0 from 5.3 and also start using SPM. Currently, we only use RAR. Can you guys help me with following 4 questions?
    1. We have a number of different firefighter roles used by different teams and approved by different approvers. Can we have separate requester and approver lists for different firefighter accounts in GRC 10.0 SPM?
    2. Do we have to implement GRC 10.0 Portals for SPM approval workflow?
    3. We have license for all GRC modules. Does this also include Continuous Transaction Monitoring with Oversight or is a separate license required for this?
    4. Does GRC 10.0 support automatic archiving of AC-RAR SoD reports? - When I start a weekly background job, can it be automatically archived into an archive folder of my designation?
    Thanks so much for your input.
    Joerg

    hi Joerg
    1.Yes, you can have different approvers per firefighter ID and have the requestors assigned to different ones as well.
    2.You do not need to install portal but you will need to facilitate some access to the front end components through activating the NWBC Netweaver Business client or using a web browser to view the internet facing services in SICF.
    3. I don't believe that your GRC license automatically entitles you to the Oversight product suite as they are still separately marketed, however the GRC Process Controls and Risk Management modules can be included if you have a full enterprise GRC license from SAP.
    4. You could certainly manage to archive the reports using standard SAP ABAP functionality (SARA). However, if you mean the standard Batch Risk Analysis, then I think you'll find that the offline content is overwritten with the latest and only the summary data is retained in the historical data tables for trend analysis. From an audit perspective, historical detailed data is not particularly useful since they are more interested in current exposure. Auto archiving of the SPM logs is available as standard.
    Regards,
    Simon

  • I designer I want to create forms for web client, does each client have to purchase form central to access the data?

    I designer I want to create forms for web client, does each client have to purchase form central to access the data?

    Hi,
    In this scenario, you can share the document with the clients and provide co-author privileges.
    Co-authors can edit the form design, options, responses, and summary report (everything that you can do).
    Note: They do not require a paid subscription to view the responses; free subscription users can become co-authors.
    Please refer to the following thread to know how to share a form with others: How do I share a form I created with others?
    Regards,
    Nakul

  • GRC AC Emergency Access Management (EAM) and STAD report data

    Dear Community,
    We use EAM (ID-based firefighting) and the log synchronization jobs are scheduled every half hour in order to get the firefighter logs from the back ends for review by the controller. Due to a technical issue the synchronization jobs are not working correctly over several days. We experienced missing session details (executed transactions, programs, changes, etc.) for many firefighter sessions. As one of the sources of the firefighter log is STAD on the back end and these data are only buffered 48 hours by default, I expect that I can't recover the logs and they are irreversibly lost if GRC is down or the sync jobs are not running for more than that time. That can happen over a weekend...
    I ask you:
    Can you confirm my expectation?
    Does it make sense to extend the STAD buffer up to e.g. 96 hours for all GRC production back ends?
    Have you controls in place to check if the sync jobs are running and the logs are synchronized correctly and completely?
    I would appreciate, if you can share some thoughts with me about this.
    Thanks in advance,
    Andreas Langer

    Hi Andreas,
    - Please check the below note for missed log entries:
    1934127 - GRC10 EAM: EAM recovery program to retrieve missing log and to generate the missing workflows
    - The maximum value is 99, and it is the number of stat files that are generated. So, you can get records up to 4 days.
    - Periodic monitoring activity can be set, which is done manually. I am not aware if Process Control can take care of this monitoring.
    regards
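
A sketch of the kind of control asked about in the question above, added here as an example and not taken from the thread or from SAP. It checks which firefighter sessions were captured before their data aged out of the buffer, and how stale the last successful sync is. The record layout, function names, health thresholds and sample data are assumptions, and it assumes one successful sync picks up everything still buffered.

```python
from datetime import datetime, timedelta

# Figures quoted in the thread above, used here as assumptions: STAD data is
# buffered 48 hours by default and the log sync job runs every half hour.
STAD_RETENTION = timedelta(hours=48)
SYNC_INTERVAL = timedelta(minutes=30)


def capture_status(start, end, captured_at, retention=STAD_RETENTION):
    """How much of a session's activity is still buffered at captured_at."""
    if captured_at <= start + retention:
        return "complete"
    if captured_at <= end + retention:
        return "partial"  # the earliest activity has already aged out
    return "lost"


def review_sessions(sessions, runs, now, retention=STAD_RETENTION):
    """Return {ffid: (status, pending)} per firefighter session.

    pending is True when no successful sync has finished since the session
    ended; status is then the best case if a sync succeeded right now.
    """
    good = sorted(t for t, ok in runs if ok and t <= now)
    result = {}
    for ffid, start, end in sessions:
        first_sync = next((t for t in good if t >= end), None)
        status = capture_status(start, end, first_sync or now, retention)
        result[ffid] = (status, first_sync is None)
    return result


def sync_health(runs, now, retention=STAD_RETENTION, interval=SYNC_INTERVAL):
    """Rate the age of the last successful sync (thresholds are assumptions)."""
    good = [t for t, ok in runs if ok and t <= now]
    if not good:
        return "critical"
    gap = now - max(good)
    if gap <= 2 * interval:
        return "ok"
    return "late" if gap <= retention / 2 else "critical"


def ts(day, hhmm):
    return datetime.strptime(f"2024-01-{day:02d} {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample data: sync fails from Friday evening to Monday morning.
RUNS = [(ts(5, "17:30"), True), (ts(5, "18:00"), True), (ts(5, "18:30"), False),
        (ts(6, "12:00"), False), (ts(7, "12:00"), False), (ts(8, "09:00"), True)]
SESSIONS = [("FF_A", ts(5, "17:00"), ts(5, "17:20")),
            ("FF_B", ts(5, "19:00"), ts(5, "20:00")),
            ("FF_C", ts(6, "08:30"), ts(6, "10:00")),
            ("FF_D", ts(7, "22:00"), ts(7, "23:00")),
            ("FF_E", ts(8, "09:30"), ts(8, "09:45"))]

if __name__ == "__main__":
    now = ts(8, "10:00")
    print("sync health:", sync_health(RUNS, now))
    for hours in (48, 96):
        print(f"retention {hours}h:")
        for ffid, (status, pending) in review_sessions(
                SESSIONS, RUNS, now, timedelta(hours=hours)).items():
            print(f"  {ffid}: {status}{' (not yet synced)' if pending else ''}")
```

With the constructed weekend outage, the Friday-evening session is lost and the Saturday one is partial at 48 hours, while both are fully captured at 96 hours.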

  • Emergency Access Management & SPM 5.3 - add default text!

    Hi, is there a way to initialize the text fields, which pop up when you logon as a firefighter, with default values (such as Enter Ticket Number here: #)?
    Would be interesting for 5.3 as well as 10.0.
    Thank you

    Hi Andreas,
    There is no such possibility. You can only configure the reason codes, but I don't think there is any way to configure predefined texts as such. Since this is ABAP, you might find a user exit that might allow you to write your own custom code. I have never explored the option.
    Regards,
    Chinmaya

  • Emergency Access request (Fire Fighter)

    Dear Experts,
    I am configuring SPM 10.0, I have assigned FF role to the FFID in the backend system. I have configured connectors between GRC system and ERP system.
    After running GRAC_ROLEREP_USER_SYNC I am getting below error.
    Processing for connector G10
    Error: Scenario Link is not defined in grfnconnscnlk table for G10
    User sync failed with errors
    I have checked the table and Scenario link is existing.
    Also, I am trying to assign an owner to a FFID, but I am not able to search for the FFID in the system. I have created Owners but I am not able to assign Owners to a FFID as the system is not allowing me to search.
    I appreciate your help.
    Thanks,
    Raj

    Hi Raj -
    Maybe a few things to try out to solve some of the problems you are running into:
    (1) Ensure the connector you are trying to utilize is associated with all the GRC scenarios, not just the SUPMG scenario. You can maintain that at IMG -> GRC -> Common Component Settings -> Maintain Connection Settings
    (2) Assuming you can get your user synchronization running properly, just check to ensure you have the configuration parameter 4010 set up with the FF Role name you are using to assign to all your FFIDs so GRC can make the linkage
    (3) In order for someone to be set up as a FF Owner or controller you will need to ensure they are configured with the GRC role assignments. Under the Access Management work center check the table found at GRC Role Assignments -> Access Controls Owners. Anyone who will be a FF owner must be associated with the FF ID Owner role
    Hope this helps a bit

  • GRC 10.1 Simplified Access Request and Remediation View Issues

    Hi Everyone,
    We recently upgraded our GRC 10.0 environment to 10.1, SP 5 and are having the following issues. Has anyone else experienced them?
    In the simplified access request form, it keeps telling me to enter a "valid user ID", even though the ID is valid and works fine in the normal access request screen. I also tried to search and then select the ID in this field, with the same error.
    In the SoD Remediation view, I keep getting "No Data Found", even though in the detail view, there are risks for the same request:
    I've checked the following things:
    I've used IE 8, IE 9, Firefox, Chrome, and the NWBC to see if any of these fix the issue
    I double checked the 10.1 “upgrade guide” to make sure Gateway configurations are correct
    It looks like we are on the latest support packs:
    Any help on this would be greatly appreciated!
    Thanks,
    Brett

    Hi Brett,
    For Remediation issue you can check the below thread.
    http://scn.sap.com/thread/3574790
    Regards,
    Neeraj

  • Class Access & Package Question - Please Help

    Hi,
    I have a question regarding how to access a class in an abnormal directory structure.
    Here's the type of directory structures:
    -Documenter
      -com
        -xyz
          -business
    -AppBase
      -com
        -xyz
          -util
    I have a class called Hash that is in the util directory and I want to access it from a class in the business directory. How can I do that? Any help would be appreciated.

    Thanks, I should have mentioned that WebApp is the same parent directory for the Documenter & AppBase directories:
    -c:\WebApp
      -Documenter
        -com
          -xyz
            -business
    -c:\WebApp
      -AppBase
        -com
          -xyz
            -util
    Can I still just make sure that the classpath contains the above directories? Thanks in advance.

  • Non Central Advanced Adapter Engine Question

    Hi All,
    I have a question on non-central adv adapter engine. We have a proposal of installing a non central AAE for demographic reasons. Central PI instance is in North America. New AAE is going to be installed in Europe.
    Now the question is: if we run ICO based scenarios in the non central AAE, would they run without any impact if the central instance is unavailable due to connectivity issues?
    Please provide us some insight into this or any other relevant issues.
    Thanks
    Ven

    Hi Ven,
    >>>Now the question is: if we run ICO based scenarios in the non central AAE, would they run without any impact if the central instance is unavailable due to connectivity issues?
    All ICO based scenarios running on Decentral Adapter Engines (DAE) will definitely run successfully even if the central instance (Integration Engine) is unavailable due to connectivity issues.
    Please take a look at the following links:
    http://help.sap.com/saphelp_nwpi71/helpdata/en/46/69f88453070ea1e10000000a155369/content.htm
    http://help.sap.com/saphelp_nwpi71/helpdata/en/8f/d906d01f77fa40a4c84683c3f8326f/frameset.htm
    Regards, Gaurav

  • GRC 5.3 Restrict access in RunRiskAnalysis

    Hi All,
    We are using GRC 5.3 and are looking to restrict access to variant deletion in the RunRiskAnalysis section. The variants are our primary way to run reports for different systems and hence we do not want these to be deleted (accidentally or otherwise). We have created a custom role in UME with actions RunRiskAnalysis and ViewInformer only.
    Please let me know if you have any pointers or suggestions
    Thanks in advance
    Vijaya

    Per my knowledge this is not possible.
    GRC created permissions for every different action item in RAR. You can create a message with SAP GRC to check if they have created any permission for variants. (I doubt it.)
    If not, please request one from SAP.
    Also please check the security guide of GRC; it will contain all the permissions delivered in AC 5.3.
    regards,
    Surpreet
