Configure Emergency Access

  • 8/11/2019 Configure Emergency Access

    Configure Emergency Access (EAM) in GRC10

    Hello!

    Configuring EAM in GRC 10 isn't a difficult task, but there are some details you have to take into account. The document "AC 10.0 Pre-Implementation From Post-Installation to First Emergency Access" is useful, but it doesn't consider all the details. Here I'll try to give you a complete explanation about how to configure EAM successfully.

    Configure Parameters:

    In GRC Box, execute transaction SPRO and navigate to here:

    The following parameters should be set according to the table:

    Parameter                                                   Recommended value (for initial configuration)
    4000  Application type                                      1
    4001  Default Firefighter Validity Period (Days)            30
    4002  Send Email Immediately                                YES
    4003  Retrieve Change Log                                   YES
    4004  Retrieve System log                                   YES
    4005  Retrieve Audit log                                    YES
    4006  Retrieve OS Command log                               YES
    4007  Send Log Report Execution Notification Immediately    YES
    4008  Send FirefightId Login Notification                   YES
    4009  Log Report Execution Notification                     YES
    4010  Firefighter ID role name                              Choose a role name, for example Z_SAP_GRC_SPM_FFID

    For a complete description of the above parameters, please refer to the guide:

    https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Maintaining Configuration Settings Guide - SAP AC 10.0

    You might want to change some of them; the recommended values only serve as a guide for the initial configuration.

    Changes in the parameters table will be included in a transport request. You should release the transport to your QA/PROD systems when you finish the EAM tests and adapt the parameters according to your requirements.

    Parameter 4010: What's it for?

    If you've been working with GRC 5.3, this parameter should sound weird to you.

    The purpose is to identify to the application that the user who is logging on to the target system is a Firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them.

    That means that you have to create the role that you've set in parameter 4010 in all the target systems with the exact name provided there. Usually, you copy it from the standard SAP_GRC_SPM_FFID (it contains RFC authorizations).

    Only the users who have that role assigned in the target system will be available for selection in the GRC Box as Firefighter IDs.

    Kindly check note: 1668255 - Firefighter ID role name for Param ID 4010

    For more information regarding default roles provided by SAP, please refer to the Security Guide available here:

    https://service.sap.com/instguides -> SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Security Guide - SAP Access Control 10.0

    Adding connector to the SUPMG Scenario:

    Please check: Note 1562760 - AC10.0 - Intergration Scenarios to Connector link

    At this point you have already created the connectors.

    Now you have to link the corresponding connectors to the SUPMG scenario:

    SAP provides standard roles that must be copied to the customer namespace. For this sample configuration you need to create at least a copy of the following roles and generate the corresponding profiles:

    Role                               Description
    SAP_GRAC_SUPER_USER_MGMT_OWNER     Emergency Access management owner
    SAP_GRAC_SUPER_USER_MGMT_CNTLR     Emergency Access management controller
    SAP_GRAC_SUPER_USER_MGMT_USER      Emergency Access management firefighter
    SAP_GRAC_SUPER_USER_MGMT_ADMIN     Emergency Access management administrator
    SAP_GRAC_BASE                      Gives basic authorizations required for all AC users. You must assign this role to all AC users.
    SAP_GRAC_NWBC                      Gives the authorizations to launch NWBC. You must assign this role to all AC users.

    You can just name them as Z_ or use a naming convention according to your company requirements.

    CAUTION: Please follow the instructions provided in the attachment of note:

    Note 1663949 - EAM Authorization Fixes for Central Owners and Reason Codes

    There are some changes you have to make to the standard roles, and there's also a complete explanation of the authorization objects.

    For more information, kindly refer to the Security Guide (link provided above).

    Security considerations for EAM Roles:

    To show a sample for testing, it's necessary to create three users (or use existing ones):

    FF_OWNER: This user will serve as owner for the firefighter ID. It should be assigned to the role Z_SAP_GRAC_SUPER_USER_MGMT_OWNER.

    FF_CONTROL: This is the firefighter controller. You assign Z_SAP_GRAC_SUPER_USER_MGMT_CNTLR.

    CAUTION: This user MUST have a valid e-mail address maintained in SU01 if you want the controller to receive notifications via e-mail.

    FIREFIGHTER: This is the firefighter user, who will be able to access the target system with the Firefighter ID. You assign Z_SAP_GRAC_SUPER_USER_MGMT_USER in addition to the base roles. If you don't assign the base roles you won't see the user (FIREFIGHTER in this case) available for selection in the Firefighter IDs.

    : The user who is going to perform the configurations must have at least the role Z_SAP_GRAC_SUPER_USER_MGMT_ADMIN assigned.

    In addition to all the roles mentioned above, all users must have the roles Z_SAP_GRAC_NWBC and Z_SAP_GRAC_BASE assigned.

    For a theoretical explanation of the users and their responsibilities, refer to https://help.sap.com/saphelp_grcac10/helpdata/en/16/404938695540b398a5e76fe8cfb067/frameset.htm

    Required roles in the target system:

    In the target system you have to make a copy of the role SAP_GRAC_SPM_FFID and generate the profile.

    CAUTION: The name of this role MUST be the same as configured in parameter 4010 in the GRC Box. In this example: Z_SAP_GRC_SPM_FFID.

    Required users in the target system:

    You have to create a user (FIREFIGHTER_ID) in the target system with the roles/profiles required according to your requirements. In addition, you must assign the role Z_SAP_GRC_SPM_FFID to FIREFIGHTER_ID.

    This user should be of type: Service as per note 1702439

    The following note describes an issue you'll face with this kind of user: Note 1586989 - Object Services icon not available in Firefighter ID session

    I'll update this document when a specific note for GRC 10 is released regarding this issue.

    Take into account this important note for service users: 1945098 - Service users are not considered in decentralized firefighter

    Creating central Owners and controllers:

    Access to the NWBC: http:// :/nwbc/ or execute Tcode NWBC in the GRC Box.

    Go to the Setup tab and:

    Create entries for the Firefighter controller and owner:

    Creating reason codes:

    You have to create at least one reason code to be able to use the firefighter ID later.

    Assign Firefighter IDs to Firefighters

    Here you assign the Firefighter ID to the corresponding Firefighter users (one or more).

    And in the controller tab set the controller user:

    Mass upload of assignments: In case you need to perform an initial load or a mass maintenance, you can use one of the programs provided for migration as described here: 1744929 - Mass Upload of Assignments for EAM

    Firefighter collector Job:

    Execute tx. GRAC_SPM_LOG_SYNC and schedule the log collection periodically as per note: 1617529

    Known problems with time zones:

    Note 1595462 - Logs not visible in the SPM Reports

    Note 1775432 - Transaction logs are not getting captured by GRC 10.0

    Known problem when connector is set to *:

    Note 1726157 - GRAC10 EAM GRAC_SPM_LOG_SYNC_UPDATE doesn't collect data

    Performance problems:

    Note 1750024 - GRAC - Performance of the SPM Log Sync

    You'll find many notes in SAP Marketplace related to performance issues.

    Other errors:

    Note 1773855 - EAM10.0 Sometimes Workflows and transaction logs are missed

    Note 1776070 - GRC EAM program is giving a short dump and no logs generated

    Note 1731923 - EAM:Transaction Logs are not being captured while sync

    Have you lost EAM logs?

    If you lost some EAM logs and the data is still available in the plug-in system you can schedule a time-based special sync:

    1934127 - GRC10 EAM: EAM recovery program to retrieve missing log and to generate the missing workflows

    E-mail configuration (Centralized Firefighter):

    If you want the controller to receive e-mails (firefighter log on notification and firefighter session details), you have to check the following:

    Make sure your Basis team has properly configured outgoing e-mails from the GRC Box (tx. SCOT).

    Controller notification method was set to: Email (see above).

    SPRO parameters:

    4002  Send E-mail Immediately                               YES
    4007  Send Log Report Execution Notification Immediately    YES
    4008  Send FirefightID Logon Notification                   YES
    4009  Log Report Execution Notification                     YES

    Controller user (FF_CONTROL) has "Comm. Method" set to E-Mail in SU01 and has a valid e-mail address.

    WF-BATCH user must also have an e-mail address in SU01; otherwise you'll get the following error in tx. SLG1:

    According to the configuration settings guide:

    You can change the parameter and use another user to send the e-mails.

    After executing the GRAC_SPM_LOG_SYNC_UPDATE, please execute tx. SOST and check if the e-mails were generated (you have to access the firefighter to get the e-mails).
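
    The parameter table, the role and user requirements for the target systems, and the e-mail checklist above can be verified together before the first test. The following Python check is an added example, not code from the original document or from SAP; it reads a constructed, hypothetical export format (plain dictionaries) and calls no SAP interface.

```python
# Added example: offline consistency check for the EAM settings in this guide.
# Input is a hypothetical export format (plain dicts); no SAP system is contacted.

# Parameters the guide recommends setting to YES (IDs/names from its table).
RECOMMENDED_YES = {
    "4002": "Send Email Immediately",
    "4003": "Retrieve Change Log",
    "4004": "Retrieve System log",
    "4005": "Retrieve Audit log",
    "4006": "Retrieve OS Command log",
    "4007": "Send Log Report Execution Notification Immediately",
    "4008": "Send FirefightId Login Notification",
    "4009": "Log Report Execution Notification",
}


def audit_eam(params, grc_users, targets, controllers):
    """Return a sorted list of findings; an empty list means consistent."""
    findings = []

    for pid, name in RECOMMENDED_YES.items():
        if params.get(pid, "").upper() != "YES":
            findings.append(f"param {pid} ({name}) is not YES")

    ffid_role = params.get("4010", "")
    if not ffid_role:
        findings.append("param 4010 (Firefighter ID role name) is empty")

    # Notification prerequisites: controllers and WF-BATCH need an e-mail
    # address maintained in SU01 on the GRC Box.
    for user in list(controllers) + ["WF-BATCH"]:
        if not grc_users.get(user, {}).get("email"):
            findings.append(f"GRC user {user} has no e-mail address")

    for connector, system in targets.items():
        # The role must exist in each target under the exact 4010 name.
        if ffid_role and ffid_role not in system["roles"]:
            findings.append(f"{connector}: role {ffid_role} does not exist")
        for user, info in system["ffids"].items():
            if ffid_role and ffid_role not in info["roles"]:
                findings.append(f"{connector}/{user}: missing role {ffid_role}")
            if info["type"] != "Service":
                findings.append(
                    f"{connector}/{user}: user type {info['type']}, expected Service")
    return sorted(findings)


# Constructed sample: parameter 4006 was switched off, the controller has no
# e-mail address, and ERP_002 uses a differently named role copy together
# with a Dialog-type firefighter ID.
SAMPLE_PARAMS = {"4000": "1", "4001": "30", "4002": "YES", "4003": "YES",
                 "4004": "YES", "4005": "YES", "4006": "NO", "4007": "YES",
                 "4008": "YES", "4009": "YES", "4010": "Z_SAP_GRC_SPM_FFID"}
SAMPLE_GRC_USERS = {"FF_CONTROL": {"email": ""},
                    "WF-BATCH": {"email": "wf-batch@example.com"}}
SAMPLE_TARGETS = {
    "ERP_001": {"roles": ["Z_SAP_GRC_SPM_FFID"],
                "ffids": {"FIREFIGHTER_ID": {"type": "Service",
                                             "roles": ["Z_SAP_GRC_SPM_FFID"]}}},
    "ERP_002": {"roles": ["Z_GRC_SPM_FFID"],
                "ffids": {"FIREFIGHTER_ID": {"type": "Dialog",
                                             "roles": ["Z_GRC_SPM_FFID"]}}},
}

if __name__ == "__main__":
    for finding in audit_eam(SAMPLE_PARAMS, SAMPLE_GRC_USERS,
                             SAMPLE_TARGETS, ["FF_CONTROL"]):
        print(finding)
```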

    Implement Firefighter user Exit:

    Although the Firefighter ID password is changed by the application each time you start the firefighter (you can check it via change documents in the target system), Firefighter IDs need to be restricted from logging in to the SAP system directly via SAP GUI. For this purpose we need to create and modify the SAP User Login Exit.

    Check

    1545511 - Firefighter User Exit

    1735971 - User exit to prevent direct firefighter login

    Security Issue???: http://scn.sap.com/thread/3273562

    If the user exit is properly implemented, you'll get the following message when trying to log on directly with a Firefighter ID (or any user assigned to the role configured in parameter 1090 in the plug-in system!!!):

    Required RFC connections for EAM:

    Please check: Note 1701047 - Is it mandatory to use trusted connection in the RFC destination for Firefighter Connector?

    "Yes it is mandatory to make a trusted relationship so that communication can be established between the GRC system and the plug-in."

    This topic has been discussed here (see comments below). The note is for Centralized FF, and the truth is that it works anyway with a non-trusted connection. In the decentralized model the connector is used to retrieve logs, so it doesn't need to be trusted.

    Links to more documentation:

    Note 1394281 - Superuser Privilege Management Log Report Content

    Note 1065048 - Firefighter Log Not sent in Email to Controller

    Additionally, a new synchronization job is available and must be executed in order to synchronize the EAM data from the GRC Box to the plug-in system. Remember that configurations (firefighter assignments, controllers, owners, reason codes, etc.) are still maintained in a centralized way, i.e. in the GRC Box.

    In order to sync this data with the plug-in, a new job is available and can be found here:

    In the connector field you have to set the corresponding plug-in connector. In order to keep your plug-in system updated with the changes you made in the GRC Box, this report should be scheduled periodically; I think hourly would be fine. In addition, if you have multiple plug-in systems, you should follow the same approach as with the log sync: create individual jobs for each connector instead of a unique job with connector value *.

    The RFC connection does not require a user. It just has to point to the correct system/instance and a specific client.

    Required users

    Controllers have to be created in the GRC Box, just as with centralized firefighting. In addition, these users must exist in the plug-in system and have a valid e-mail address, because login notifications are sent from the plug-in system.

    With the decentralized scheme it's not necessary to create the firefighter users in the GRC Box, because they'll start the firefighter transaction from the plug-in system.

    E-mail considerations (Decentralized model)

    Log-in notifications are sent from the plug-in system (the e-mail is sent with the Firefighter user, so remember to properly configure it in SU01):

    But, as with the Centralized approach, Log notifications are sent from GRC Box

    This requires a proper mail configuration (tx. SCOT) in both systems: plug-in and GRC Box.

    General Note for problems with e-mail in decentralized EAM:

    1877706 - Login and Log Report Notifications are not being sent to the firefighter controller in case of decentralized firefighting

    Plug-in roles

    You'll have to create a new role as a copy of SAP_GRAC_SUPER_USER_MGMT_USER.

    You should add the following authorization to it:

    For some NW releases ACTVT=02 will also be required. Kindly check 1753459 - EAM:S_USER_GRP with ACTVT=02 required

    This role is assigned to the firefighter users. Bear in mind that these users should not have access to user maintenance transactions, for example SU01. If the firefighter IDs are properly assigned to a group and you can restrict the CLASS field, this is not a big issue: although they could change the password, they won't be able to access the system, because the user exit is implemented in order to prevent it.

    This extra authorization was documented by SAP in November 2013 in the note:

    1944417 - In decentralized firefighting firefighter is not able to perform firefighter logon

    Previous versions of this post contain this solution as unofficial, but now it has become official.

    "..The firefighter is not having the authorization to change the password. In centralized firefighting the password is changed by RFC user, but in decentralized version as there is not RFC connection, the password is changed by firefighter. The functionality works as in EAM5.3...."

    In addition to this role you also have to create roles for administrator and owner. Remember that extending the validity period is a new activity available in the plug-in system, and owners and administrators should have access to it.

    Known Problems (specific to decentralized EAM)

    Note 1849289 - For Decentral EAM No Reasoncode and Activity desc captured

    General recommendations and errors are included in note: 2029368 - EAM Synchronization Jobs Not Completing Resulted in Data Loss

    It could be due to an authorization issue with the RFC user. The usual one is related to object S_TOOLS_EX as described in 1916172 - User Action Usage Sync Error - User ID showing as -- ? --. Anyway, you can trace the RFC user via ST01 in the back-end while performing a log sync and check if you have some authorization issue.

    Clock skew: check the system time in the GRC Box and compare it with the plug-in system. You can do it by checking System -> Status at "the same time" in both systems. A clock skew of 1-2 minutes can cause severe problems in the log collection. Time zones do not need to be the same; requiring that wouldn't make sense, because then having the GRC Box on a server in India and the ECC in Argentina would be impossible. Even here in South America we usually work with servers in Chile, Brazil and Argentina, and these countries sometimes do not use the same time zone. So using different time zones has to be a possibility, but you have to be very careful with clock skews, and if you have differences ask your server admins to check it and use an NTP server to keep all systems synched.
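
    The distinction made above between a time-zone difference (harmless) and clock skew (harmful) can be checked by normalising both readings to UTC before comparing them. This Python check is an added example, not part of the original document; the connector names, UTC offsets, readings and the 60-second limit are constructed assumptions.

```python
# Added example: separate time-zone offset from clock skew between systems.
from datetime import datetime, timedelta, timezone
from statistics import median

# Assumption: alert well below the 1-2 minutes the text warns about.
MAX_SKEW_SECONDS = 60


def to_utc(local_time, utc_offset_hours):
    """Parse a local 'YYYY-MM-DD HH:MM:SS' reading and normalise it to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    parsed = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
    return parsed.replace(tzinfo=tz).astimezone(timezone.utc)


def clock_skew_seconds(readings):
    """Median skew (plug-in minus GRC Box) over paired readings.

    Each reading is (grc_local, grc_offset, plugin_local, plugin_offset),
    noted from System -> Status in both systems at the same moment. The
    median damps the jitter of reading two screens by hand.
    """
    deltas = [
        (to_utc(p_time, p_off) - to_utc(g_time, g_off)).total_seconds()
        for g_time, g_off, p_time, p_off in readings
    ]
    return median(deltas)


def check_connectors(samples, limit=MAX_SKEW_SECONDS):
    """Map connector -> (skew_seconds, ok) for every plug-in system."""
    result = {}
    for connector, readings in samples.items():
        skew = clock_skew_seconds(readings)
        result[connector] = (skew, abs(skew) <= limit)
    return result


# Constructed readings: GRC Box at UTC+5:30. ERP_001 runs at UTC-3 with a
# healthy clock; ERP_002 shares the GRC Box's zone but is ~2 minutes behind.
SAMPLES = {
    "ERP_001": [
        ("2024-01-15 18:30:00", 5.5, "2024-01-15 10:00:04", -3),
        ("2024-01-15 18:31:00", 5.5, "2024-01-15 10:01:02", -3),
        ("2024-01-15 18:32:00", 5.5, "2024-01-15 10:02:03", -3),
    ],
    "ERP_002": [
        ("2024-01-15 18:30:00", 5.5, "2024-01-15 18:28:01", 5.5),
        ("2024-01-15 18:31:00", 5.5, "2024-01-15 18:29:03", 5.5),
        ("2024-01-15 18:32:00", 5.5, "2024-01-15 18:30:02", 5.5),
    ],
}

if __name__ == "__main__":
    for name, (skew, ok) in check_connectors(SAMPLES).items():
        print(f"{name}: skew {skew:+.0f}s -> {'OK' if ok else 'CHECK NTP'}")
```

    ERP_001 shows 8.5 hours of wall-clock difference but only seconds of skew, while ERP_002 looks aligned by time zone yet exceeds the limit.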

    Check that you have data in transactions STAD and ST03N in the plug-in system for the FF ID whose logs you're trying to get. If necessary, check with your Basis team whether the statistics are being collected properly. Try executing an action usage sync and check in table GRACACTUSAGE whether you have data for the FF ID.

    Remember to schedule the job hourly as per SAP recommendation, and not to run it just when you want to get the logs. This will probably cause loss of data.

    Check transaction SLG1 in the GRC Box in order to know the result of the collection. Sometimes you get the exact cause there, for example "RFC Timeout", "RFC error", etc.

    Check for dumps in the plug-in system (transaction ST22) and look for dumps created by the RFC user. TIME_OUT or memory-related dumps are usual for large systems.

    SAP has released many enhancements and corrections related to log collection. Just to name one of them that isn't included in the latest SP: 1962440 - GRC EAM - Change Log Collection Performance Enhancement. You'll find others in the marketplace, and SAP will probably release more. Make sure you have all the corrections applied.

    A last resort when you have problems with log collection (due to performance) would be to create an index on the CDHDR table, if the dumps in the back-end are related to queries on such tables and indicate that. The official note is 1741151 - GRC 10.0 Indexing on CDHDR table in case of time out issue due to huge data. Creating an index on such a table is something that you have to discuss with your DBA, Basis and Development teams. You have to be very careful with that, and you should ask SAP whether this is recommended for your scenario and whether there is no chance to improve the queries in the code. The table stores change documents and can also be reduced via archiving, which should also be an option to discuss before creating an index.

    SAP released a note recently indicating that mass activities cannot be performed by Firefighters: 1378276 - Mass Transaction support through Firefighter product

    Common Issue III: Firefighter sessions remain open

    SAP considers that such an issue isn't specific to EAM: 1290018 - Firefighter ID is locked in Superuser Privilege Management

    Co-existence of firefighting models

    Both models could be used. The decentralized firefighter configuration doesn't block the centralized firefighter approach. Since you can start only one firefighter session at a time, you cannot use both at the same time, and this is automatically controlled by the application.

    Administration functions

    The administration functions are maintained in the GRC Box. Decentralized firefighting adds a couple of tasks in the plug-in system, such as logging notification customizations and the possibility to extend the validity date of firefighters if the GRC Box is down. You'll find a nice illustration in the guide attached to the note mentioned earlier (1690964).

    Access to decentralized FF

    Some standard roles do not include the correct SPM transaction. In order to start decentralized FF, the Firefighter user has to type /n/GRCPI/GRIA_EAM in the transaction bar. If you use other tcodes you might see an empty table, and if you don't use /n you'll receive a message stating something like it's impossible to execute this function.

    GRC 10.1 - What's new for EAM??

    In GRC 10.1 a new option is included in order to set the Firefighter ID Role (parameter 4010) in a system-independent manner.

    SPRO documentation:

    "This allows you the flexibility of specifying different firefighter ID roles per plug-in system.

    For example, you can specify the following:

    For Target Connector ERP_001, the firefighter ID role is Z_SAP_FF01.

    For Target Connector ERP_002, the firefighter ID role is Z_SAP_FF02.

    If you choose to not use this option, the application uses the role name specified in the configuration parameter Firefighter ID Role Name 4010 for all systems including plug-in systems"
