AC 10.0 Centralized Emergency Access Customer Solution Adoption June 2011 Version 2.0
Purpose of this document This document is a detailed guide on the emergency access capability of Access Control 10.0. It explains the basic concepts about emergency access and provide details on how to configure the application. Also this document includes additional information on the types of logs available for monitoring emergency access.
Agenda Introduction Configuration Centralized Firefighting Reporting 2011 SAP AG. All rights reserved. 3
Introduction New Feature Highlights Centralized Emergency Access Overview
New Feature Highlights Centralized Emergency Access Focus Area What Does It Do? What Is the Value? Access Control Harmonization Unified Compliance Platform Streamlined User Access Management Business Role Governance Centralized Emergency Access Improved Identity Management Integration Unifies all AC capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving. Harmonizes Access Control with Risk Management & Process Control offers shared processes, data, and user interface across the GRC suite. Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on user or system selected. Provides a standardized role compliance framework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand. Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval. Improves compliant provisioning for customers already using IdM. Allows for initiation of risk analysis and remediation from IdM or enables use of IdM to provision compliant requests. Lowers TCO by eliminating redundancy in administration, configuration, setup, and end user training. An enterprise GRC platform approach allows you to have complete management of all risks and controls from a single environment Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability. Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs. Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access Provides flexibility to ensure an enterprise wide, compliant provisioning process 2011 SAP AG. All rights reserved. 5
Centralized Emergency Access Overview Access Control centralizes firefighter access and administration, enhances provisioning and introduces automation to the log review process. Solution Enhancements Administrators centrally manage firefighter assignments, controllers, and other master data. Centralized firefighters. New options for group owners and controllers and improved provisioning. New ability for firefighters to update the activity log with unplanned firefighting tasks Access specific log reports from transaction report New workflow driven firefighter log report New categorization of firefighter access signifies criticality and drives workflow logic Key Benefits Simplified management and firefighting activities Reduces repetitive assignments, easing administration Improves log review efficiency by capturing previously undocumented activity Improves log report navigation Enables documented account of the controller s review 2011 SAP AG. All rights reserved. 6
Centralized Emergency Access Overview SPM v5.3 Webdynpro SAP GUI Admin Firefighter Admin, Reporting, Logon: ERP 01 RFC ERP 01 Admin Firefighter Admin, Reporting, Logon: ERP 02 RFC ERP 02 GRC 10.0 Admin FF ID Firefighter FF Owner FF Controller Reason Code Reporting Central Admin & Reporting for ERP 01 & 02 RFC ERP 01 GRC 10.0 System Firefighter Central Logon ERP 01 & 02 RFC ERP 02 2011 SAP AG. All rights reserved. 7
Configuration Overview Architecture Prerequisites Assign an Owner to Firefighter IDs Assign a Firefighter ID to Controllers and Firefighters Create Reason Codes
Emergency Access Management Overview The purpose of Emergency Access Management is to allow users to take responsibility for tasks outside their normal job function. This component allows temporary access for users when assigned with solving a problem, giving them provisionally broad, but regulated access. This temporary access is monitored and recorded in the application. New in 10.0 Access Control 10.0 has been enhanced in the area of Emergency Access Management with the ability to manage and utilize firefighting activities centrally from the Access Control 10.0 application. Also the log file can be distributed to controllers and owner via workflow for additional approval. 2011 SAP AG. All rights reserved. 9
Emergency Access Management Terminology The following concepts have not changed since the previous release and are mentioned here for completeness: Firefighter: user requiring emergency access Firefighter ID: user ID with elevated privileges, it can only be accessed in the GRC server using transaction GRAC_SPM Firefighting: the act of using a firefighter ID Owner: user responsible for a firefighter ID and the assignment of controllers and firefighters. Controller: reviews and approves (if necessary) the log files generated by a firefighter. 2011 SAP AG. All rights reserved. 10
Emergency Access Management Firefighter Application Types ID Based Firefighter: The firefighter ID created in the remote system will be assigned to the user in the GRC system, either manually or via an access request. The firefighter accesses their assigned firefighter ID in the GRC server using the SAP GUI and transaction GRAC_SPM. The firefighter ID for all remote systems assigned to the firefighter will be accessed from this transaction. Role Based Firefighter: The firefighter roles created in the remote system will be assigned to the user in the GRC server. The firefighter directly logs into the remote system using their user ID and performs activities which are provided in the user s role and firefighter role assigned to the user. This is configured in IMG using parameter 4000 (Application Type) Only one application type can be configured at a given time. 2011 SAP AG. All rights reserved. 11
Architecture GRC Server Package The main application run in the GRC server. It is possible to maintain the user assignments for all systems using NWBC or the Portal. Provisioning of the emergency access can also be done via access requests (workflow) The web interface facilitates the following: Firefighter ID/Role Owner Maintenance Firefighter ID/Role Controller Maintenance Reason Code Maintenance (system specific) Firefighter ID/Role assignment to Firefighter, Owner, Controller Firefighter access is done centrally using the GRC server. Firefighters will log on to the GUI backend and execute transaction GRAC_SPM. Firefighter IDs for emergency access for all systems assigned to the user will displayed. 2011 SAP AG. All rights reserved. 12
Architecture Remote Component: Plug-in There is a component called plug-in which is installed in the remote system Emergency Access Management accesses the plug-in using RFC Plug-In ECC 6.0 Plug-In GRC System R/3 Plug-In Other ABAP 2011 SAP AG. All rights reserved. 13
Prerequisites Adding connector to SUPMG scenario To create access requests it is required to have the SUPMG scenario linked to the connector, this is done via IMG: 2011 SAP AG. All rights reserved. 14
Prerequisites Creating users and assigning roles Please create users and roles as needed. Remember to synchronize again the users with program GRAC_ROLEREP_USER_SYNC via SE38. These roles are provided as examples and customer roles need to be created based on their authorizations. In the AC system Firefighter user Firefighter controller Firefighter owner Role SAP_GRAC_SUPER_USER_MGMT_USER SAP_GRAC_SUPER_USER_MGMT_CNTLR SAP_GRAC_SUPER_USER_MGMT_OWNER In the target system Role Firefighter ID SAP_GRAC_SPM_FFID (configured in parameter 4010) Reminder: end users will require also the roles based on SAP_GRC_FN_BASE and SAP_GRC_FN_BUSINESS_USER 2011 SAP AG. All rights reserved. 15
Configuring a firefighter ID Step Summary The following steps are required to configure a firefighter ID Maintain Access Control Owners Assign an Owner to a Firefighter ID Assign a Firefighter ID to Controllers and Firefighters Create the Reason Codes After this steps are followed the firefighter is ready to start a firefighter session from the GRC server 2011 SAP AG. All rights reserved. 16
Superuser Assignment and Maintenance Accessing using the NWBC User assignments for all systems are done via NWBC or a Portal Provisioning for Firefighter IDs and roles is possible using access requests 2011 SAP AG. All rights reserved. 17
Access Control Owners Maintenance There are 4 types of owners that can be maintained for emergency access. ID based Application Firefighter ID Owner Firefighter ID Controller Role Based Application Firefighter Role Owner Firefighter Role Controller 2011 SAP AG. All rights reserved. 18
Assign an Owner to Firefighter IDs Step 1 Go to Setup Superuser Assignment Owners 2011 SAP AG. All rights reserved. 19
Assign an Owner to Firefighter IDs Step 2 The screen below shows the list of all existing owner assignments All (new/change) operations relating to a Firefighter owner can be done from this screen 2011 SAP AG. All rights reserved. 20
Assign an Owner to Firefighter IDs Step 3 Click on Assign and a new screen will show up Select an owner and if needed multiple Firefighter IDs, when you are done click Save Note: you must run the Sync User job after creating the FF ID role in the backend systems by running program GRAC_ROLEREP_USER_SYNC, and assign the respective FF ID Role. 2011 SAP AG. All rights reserved. 21
Assign an Owner to Firefighter IDs Owner Assignment Ready New assignments will be shown in the Firefighter Owner list The list can be filtered by owner, system, or any other column in the list. 2011 SAP AG. All rights reserved. 22
Assign a Firefighter ID to Controllers and Firefighters Step 1 Go to Setup Superuser Assignment Firefighter IDs 2011 SAP AG. All rights reserved. 24
Assign a Firefighter ID to Controllers and Firefighters Step 2 The screen below shows the list of all existing firefighter ID assignments The firefighter ID is assigned to a firefighter who can perform the activities in the backend system. Multiple firefighters can be assigned to a single firefighter ID. Controllers are also assigned to the firefighter ID for tracking and auditing the firefighter 2011 SAP AG. All rights reserved. 25
Assign a Firefighter ID to Controllers and Firefighters Step 3 Click on Assign and a new screen will show up Select an owner and if needed multiple Firefighters and Controllers, when you are done click Save 2011 SAP AG. All rights reserved. 26
Create Reason Codes Step 1 Go to Setup Superuser Maintenance Reason Codes 2011 SAP AG. All rights reserved. 28
Create Reason Codes Step 2 The screen below shows the list of all existing Reason Codes Whenever a firefighter starts a firefighter session the reason code needs to be specified and maintained. A Reason Code can be created and assigned multiple remote systems. This reduces the amount of duplicated administration across systems 2011 SAP AG. All rights reserved. 29
Create Reason Codes Step 3 Click on Create and a new screen will show up Maintain the reason code and systems and when you are done click Save 2011 SAP AG. All rights reserved. 30
Reason Code Global Usage Frequency of usage is tracked by reason code, by system. In the Reason Code list, you will see the total usage of the reason code across all systems to which it is assigned. Usage can be reset for each system or across all systems and helps to determine the usefulness of the term 2011 SAP AG. All rights reserved. 31
Reason Code Usage by System To see usage by system, select the Reason Code on the main list, then click Open 2011 SAP AG. All rights reserved. 32
Centralized Firefighting Overview Running a firefighter session
Centralized Firefighting Overview Access Control 10.0 provides a centralized logon pad for accessing the firefighter IDs in all connected backend systems. The centralized logon pad allows: Displaying all firefighter ID assigned to the user Logging in to all connected backend systems Sending messages to other firefighters who are using a specific firefighter ID Unlocking a firefighter session not closed properly 2011 SAP AG. All rights reserved. 34
Centralized Firefighting Step Summary The following steps are required to use centralized firefighting: The firefighter logons to central GRC system Execute transaction GRAC_SPM, a screen will open up which will display all firefighter IDs which are assigned to the current firefighter in various systems Click Logon to log into any of the systems assigned Select a Reason Code Enter a description Enter a list of the actions to be performed Click on Execute The Firefighter can now do firefighting activities on the connected backend system. When finished you need to close the session. 2011 SAP AG. All rights reserved. 35
Centralized Firefighting Other Activities These are some optional steps that can be executed from the centralized logon pad: Firefighter can click the Additional Activity button any time to enter more information. If additional actions were done in the remote system that were not listed during logon, these actions can now be updated using this functionality. If firefighter ID is in use by another firefighter then notification can be sent to other firefighter by clicking Message button. The Unlock button can be used to unlock the firefighter ID in the event it is locked 2011 SAP AG. All rights reserved. 36
Centralized Firefighting Step 1 Logon to the central AC system (here GF2) with the firefighter ID. Execute transaction GRAC_SPM 2011 SAP AG. All rights reserved. 37
Centralized Firefighting Step 2 Click Logon to log into any of the systems assigned Select a Reason Code, enter a description and also the actions to be performed 2011 SAP AG. All rights reserved. 38
Centralized Firefighting Step 3 You are now in the remote system (here GI7) using the firefighter ID selected 2011 SAP AG. All rights reserved. 39
Centralized Firefighting While a Firefighter Session is Running While a firefighter session is open the status of the firefighter ID will turn to red A firefighter can click Additional Activity any time to enter more information. If a firefighter ID is in use by another firefighter, then notification can be sent to the other firefighter by clicking Message Unlock can be used to unlock the firefighter ID in the event it is locked 2011 SAP AG. All rights reserved. 40
Reporting Report Types Log Collection Log Retrieval
Reporting Report Types The reports can be accessed using the NWBC or the Portal and are located under Reports and Analytics Superuser Management Reports 2011 SAP AG. All rights reserved. 42
Reporting Report Types Consolidated Log Report: This report provides information based on the following logs from the remote system: Transaction Log: Change Log: System Log: Security Audit Log: OS Command Log: Captures transaction execution from transaction STAD Captures change log from change document objects (tables CDPOS and CDHDR) Captures Debug & Replace information from transaction SM21. Captures Security Audit Log from transaction SM20 Captures changes to OS commands from transaction SM49. Invalid Superuser Report: This Report gives the details of all the users (firefighter, controller, owner, firefighter ID) who are either Expired, Locked or Deleted. In the case of Role Based Firefighter, it gives the details of whether the role has been generated or not. 2011 SAP AG. All rights reserved. 43
Reporting Report Types Firefighter Log Summary: Provides details of the session the firefighter logged into the remote system using the FFID for the ID based FF Application. Reason Code and Activity Report: This Report provides the details of information of Reason and Activity used by the firefighter. SOD Conflict Report for Firefighter ID: When the firefighter logs in to the remote system using the FFID in to the remote system and performs certain transactions which violates access risk rules. 2011 SAP AG. All rights reserved. 44
Log Collection Overview The details of the transaction executed by the firefighter lies in the remote system in in the CDHDR, CDPOS, STAD, SM19, SM49, and debug & replace information. The data from the remote system can be fetched using the Log Collector which can be executed as a foreground or background job. 2011 SAP AG. All rights reserved. 45
Log Collection Foreground Job The foreground Job for Log Collection can be executed from the Update firefighter log button which can be found in the Consolidated Log Report 2011 SAP AG. All rights reserved. 46
Log Collection Background Job The Background Job for log collection can be scheduled from SM36 which can be scheduled on a periodic basis. The status of the background job can be checked from the SM37 transaction The program name for the background job is: GRAC_SPM_LOG_SYNC_UPDATE 2011 SAP AG. All rights reserved. 47
Consolidated Log Report Overview The consolidated log report is a new report which enables the user to segment the various logs collected or view them all in one combined report. 2011 SAP AG. All rights reserved. 48
Consolidated Log Report Transaction Log The consolidated log report allows filtering criteria like System, Firefighter, FFID, Reason Code, Transaction, Date or Owner. 2011 SAP AG. All rights reserved. 49
Consolidated Log Report Change Log The Change Log can be retrieved from the consolidated Log Report by selecting the Report type as Change Log 2011 SAP AG. All rights reserved. 50
Consolidated Log Report System Log The System Log can also be found in the consolidated Log Report by choosing the Report type as System Log 2011 SAP AG. All rights reserved. 51
Consolidated Log Report Audit Log The Audit Log is also contained in the consolidated Log Report as Report type as Audit Log. This audit function will show the details of the user(s) subject to auditing The user(s) to be audited are configured/selected in transaction SM19 2011 SAP AG. All rights reserved. 52
Consolidated Log Report OS Command Log An OS Command Log can be retrieved from the consolidated Log Report by selecting the Report type as OS Command This logs tracks the changes which the user makes in SM49 for OS Command 2011 SAP AG. All rights reserved. 53
Invalid Superuser Report The Invalid Superuser Log is launched by the according link from the Super User Management Reports area This Log is used to analyze the users who are expired, locked or deleted. 2011 SAP AG. All rights reserved. 54
Firefighter Log Summary Report Firefighter Log Summary Report can be found in the screen shown below The Details of FFID Logged in sessions are captured in this Log Report 2011 SAP AG. All rights reserved. 55
Reason Code and Activity Report Reason code and activity can be retrieved from the link in the portal for Reason Code and Activity This Report Gives the Details of the Reason Code and Activity used when FFID Logs in to the Report System 2011 SAP AG. All rights reserved. 56
Thank You! Contact information: Luis Bustamante Customer Solution Adoption (GRC) luis.bustamante@sap.com
2011 SAP AG. All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iseries, pseries, xseries, zseries, eserver, z/vm, z/os, i5/os, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, ianywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages. 2011 SAP AG. All rights reserved. 58