
7/25/2019 EAM Configuration

http://slidepdf.com/reader/full/eam-configuration 1/15

EAM Configuration

Configuring EAM in GRC 10 isn't a difficult task, but there are some details you have to take into account. The document "AC 10.0 Pre-Implementation From Post-Installation to First Emergency Access" is useful, but it doesn't consider all the details. Here I'll try to give you a complete explanation about how to configure EAM successfully.

Configure Parameters

In GRC Box, execute transaction SPRO and navigate to here:

The following parameters should be set according to the table:

You might want to change some of them; the recommended values only serve as a guide for the initial configuration. Changes in the parameters table will be included in a transport request; you should release the transport to your QAS/PROD systems when you finish the EAM tests and adapt the parameters according to your requirements.


Parameter 4010: What's it for?

If you've been working with GRC 5.3, this parameter should sound weird to you. The purpose is to identify to the application that the user who is logging on to the target system is a Firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them. That means that you have to create the role that you've set in parameter 4010 in all the target systems with the exact name provided there. Usually, you copy it from the standard SAP_GRAC_SPM_FFID (it contains RFC authorizations). Only the users who have that role assigned in the target system will be available for selection in the GRC Box as Firefighter IDs.

Kindly check the notes below:

1??@66 - Firefighter ID role name for Param ID 4010

Adding connector to the SUPMG Scenario

16?B?0 - AC10.0 - Integration Scenarios to Connector link

At this point you have already created the connectors.

Now you have to link the corresponding connectors to the SUPMG scenario.

Click here

and


Required roles in the GRC Box

SAP provides standard roles that must be copied to the customer namespace. For this sample configuration you need to create at least a copy of the following roles and generate the corresponding profiles:

You can just name them as Z or use a naming convention according to your company requirements.

CAUTION: Please follow the instructions provided in the attachment of note:

Note 1??7D8D - EAM Authorization Fixes for Central Owners and Reason Codes

There are some changes you have to make to the standard roles, and there's also a complete explanation of the authorization objects. For more information, kindly refer to the Security Guide (link provided above).

Security considerations for SAP Roles:

Required users in the GRC Box:

In order to show a sample for testing, it's necessary to create (or use existing ones) three users:

FF_OWNER: This user will serve as owner for the Firefighter ID. It should be assigned to the role Z_SAP_GRAC_SUPER_USER_MGMT_OWNER.

FF_CONTROL: This is the firefighter controller. You assign Z_SAP_GRAC_SUPER_USER_MGMT_CNTLR. CAUTION: This user MUST have a valid e-mail address maintained in SU01 if you want the controller to receive notifications via e-mail.

FIREFIGHTER: This is the firefighter user, who will be able to access the target system with the Firefighter ID. You assign Z_SAP_GRAC_SUPER_USER_MGMT_USER in addition to the base roles. If you don't assign the base roles you won't see the user (FIREFIGHTER in this case) available for selection in the Firefighter IDs.

<your user>: The user who is going to perform the configurations must have at least the role Z_SAP_GRAC_SUPER_USER_MGMT_ADMIN assigned.

In addition to all the roles mentioned above, all users must have the roles Z_SAP_GRAC_NWBC and Z_SAP_GRAC_BASE assigned.

For a theoretical explanation of the users and their responsibilities, refer to https:;;help'sap'com;saphelp_grcac54;helpdata;en;5<;=4=>?@<>AA=4?>@aAeB<fe@cf4<B;frameset'htm

Required roles in the target system:

In the target system you have to make a copy of the role SAP_GRAC_SPM_FFID


and generate the profile. CAUTION: The name of this role MUST be the same as the one configured in the parameter 4010 in the GRC box. In this example: Z_SAP_GRC_SPM_FFID.

Required users in the target system:

You have to create a user (FIREFIGHTER_ID) in the target system with the corresponding required roles/profiles according to your requirements. In addition you must assign to the FIREFIGHTER_ID the role Z_SAP_GRC_SPM_FFID. This user should be of type "Service" as per note 1702439.

The following note describes an issue you'll face with this kind of users: Note 1586989 - Object Services icon not available in Firefighter ID session. I'll update this document when a specific note for GRC 10 is released regarding this issue.

Creating central Owners and controllers:

Access to the NWBC: http://<server>:<port>/nwbc/ or execute tx. NWBC in the GRC box.

Go to the "Setup" tab and:

Create entries for the Firefighter controller and owner:


Creating reason codes:

You have to create at least one reason code to be able to use the Firefighter ID later.


Associate the entry to the corresponding target system.

Synchronization jobs:

In accordance with note: 1585079

You have to execute the synchronization jobs in order to make the FF IDs available in GRC box for selection:

Please make sure that you have performed following configuration steps:

1. Integration Scenarios are configured as explained in note 15!"#

2. Please make sure the Firefighter role is assigned to Firefighter IDs in the corresponding client system and that the same role has been given as parameter value for configuration parameter 4010. Configuration parameters can be configured in the transaction code SPRO -> Governance Risk & Compliance -> Access Control -> Maintain Configuration Settings

3. Run User/Role/Profile/Auth synchronization jobs. The link to run these jobs can be found under transaction code SPRO -> Governance Risk & Compliance -> Access Control -> Synchronization Jobs.

Once you have executed the auth & repository sync job with the corresponding target connector, the FF ID will be available for selection in the GRC box.

See also Note $%%&'((


Once you are done with the above steps re-run an Incremental/Full User Sync for the Firefighter IDs with the Firefighter Role to be SYNCed into the GRC box.

Now re-launch the application via NWBC or Portal and then search for the Firefighter ID and this should be available in Firefighter ID list.

Assign Owners:

Assign Firefighter IDs to Firefighters

Here you assign the Firefighter ID to the corresponding Firefighter users (one or more)


And in the controller tab set the controller user:

Firefighter collector job:


Execute tx. GRAC_SPM_LOG_SYNC and schedule the log collection periodically as per note: 1617529

Known problems with time zones:

Note 1595462 - Logs not visible in the SPM Reports
Note 1775432 - Transaction logs are not getting captured by GRC 10.0

Known problem when connector is set to "*":

Note 1726157 - GRAC10 EAM GRAC_SPM_LOG_SYNC_UPDATE doesn't collect data

Performance problems:

Note 1750024 - GRAC - Performance of the SPM Log Sync

Other errors:

Note 1773855 - EAM10.0 Sometimes Workflows and transaction logs are missed
Note 1776070 - GRC EAM program is giving a short dump and no logs generated
Note 1731923 - EAM: Transaction Logs are not being captured while sync

E-mail configuration:

If you want the controller to receive e-mails (firefighter logon notification and firefighter session details) you have to check the following:

• Make sure your basis team has properly configured outgoing e-mails from GRC box (Tx. SCOT)

• Controller notification method was set to: Email (see above)

• SPRO parameters:

4002 Send E-mail Immediately: YES
4007 Send Log Report Execution Notification Immediately: YES
4008 Send FirefightID Logon Notification: YES
4009 Log Report Execution Notification: YES

• Controller user (FF_CONTROL) has "Comm.Method" set to "E-Mail" in SU01 and has a valid e-mail address.

• WF-BATCH User must also have an e-mail address in SU01 otherwise you'll get the following error in tx. SLG1:

According to the configuration settings guide:

You can change the parameter and use another user to send the e-mails.

After executing the GRAC_SPM_LOG_SYNC_UPDATE, please execute tx. SOST and check if the e-mails were generated (you have to access the firefighter to get the e-mails).
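The prerequisites collected so far (exact parameter 4010 role name on the Firefighter ID, user type Service, base roles for firefighters, e-mail addresses for the controller and WF-BATCH) can be checked offline against an export of users and roles before testing. The following is an added example, not SAP code or code from the original document; the `User` record, the `check_eam` function and the sample landscape are assumptions constructed for illustration, using this page's example role and user names.

```python
from dataclasses import dataclass, field

PARAM_4010 = "Z_SAP_GRC_SPM_FFID"   # role name set in parameter 4010 (this page's example)
BASE_ROLES = {"Z_SAP_GRAC_NWBC", "Z_SAP_GRAC_BASE"}
PREFIX = "Z_SAP_GRAC_SUPER_USER_MGMT_"

@dataclass
class User:                          # hypothetical record, not an SAP export format
    name: str
    system: str                      # "GRC" or "TARGET"
    user_type: str = "Dialog"
    email: str = ""
    roles: set = field(default_factory=set)

def check_eam(users, ffids, controllers, firefighters, param_4010=PARAM_4010):
    """Return sorted (user, problem) pairs for the prerequisites listed above."""
    found = {(u.system, u.name): u for u in users}
    problems = []

    def need(system, name, roles=(), email=False, user_type=None):
        u = found.get((system, name))
        if u is None:
            problems.append((name, f"missing in {system}"))
            return
        for r in sorted(set(roles) - u.roles):
            problems.append((name, f"role {r} not assigned in {system}"))
        if email and "@" not in u.email:
            problems.append((name, f"no e-mail address in {system}"))
        if user_type and u.user_type != user_type:
            problems.append((name, f"type {u.user_type}, expected {user_type}"))

    for n in ffids:          # FF ID: exact 4010 role name, user type Service
        need("TARGET", n, roles={param_4010}, user_type="Service")
    for n in controllers:    # controller: CNTLR role, base roles, e-mail in SU01
        need("GRC", n, roles=BASE_ROLES | {PREFIX + "CNTLR"}, email=True)
    for n in firefighters:   # firefighter: USER role plus the base roles
        need("GRC", n, roles=BASE_ROLES | {PREFIX + "USER"})
    need("GRC", "WF-BATCH", email=True)   # WF-BATCH needs an address as well
    return sorted(problems)

# Constructed sample landscape with typical mistakes: the FF ID carries a role whose
# name differs from parameter 4010 and is a Dialog user, the controller has no
# e-mail address, and the firefighter lacks the base roles.
SAMPLE = [
    User("FIREFIGHTER_ID", "TARGET", "Dialog", roles={"Z_SAP_GRAC_SPM_FFID"}),
    User("FF_CONTROL", "GRC", email="", roles=BASE_ROLES | {PREFIX + "CNTLR"}),
    User("FIREFIGHTER", "GRC", roles={PREFIX + "USER"}),
    User("WF-BATCH", "GRC", "System", email="wf-batch@example.invalid"),
]

if __name__ == "__main__":
    for user, problem in check_eam(SAMPLE, ["FIREFIGHTER_ID"], ["FF_CONTROL"], ["FIREFIGHTER"]):
        print(f"{user}: {problem}")
```
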

Implement Firefighter user Exit:

Although the Firefighter ID password is changed by the application each time you start the firefighter (you can check it via change documents in the target system), Firefighter IDs need to be restricted from logging in to the SAP system directly via SAP GUI. For this purpose we need to create and modify the SAP User Login Exit.

Check:

1545511 - Firefighter User Exit

1735971 - User exit to prevent direct firefighter login

Security Issue???: http://scn.sap.com/thread/3273562

Required RFC connections for EAM:

Please check: Note 1701047 - Is it mandatory to use trusted connection in the RFC destination for Firefighter Connector?

"Yes it is mandatory to make a trusted relationship so that communication can be established between the GRC system and the plug-in."

Links to more documentation:

Note 1394281 - Superuser Privilege Management Log Report Content
Note 1065048 - Firefighter Log Not sent in Email to Controller <<- for 5.3, but useful
Note 1618040 - Performance fix for SPM transaction logs for large systems
Note 1732938 - Firefighter incorrect language setting on ERP Production
Note 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User
Note 1747283 - EAM: Entries in EAM logon pad not Visible for a firefighter

NEW: Decentralized firefighting (as in GRC 5.3) is available as of SP10

As of SP10, Emergency Access decentralized firefighting features are available. Users can install and use the EAM Launchpad to perform ID-based firefighting directly on plug-in systems. This means that a Firefighter session could be started from the plug-in system itself without the need to access the GRC box. This approach was used in GRC 5.3. With GRC 10 SP10 you can choose between centralized or decentralized firefighting.

The most important advantage of decentralized firefighting is that you can continue using firefighter even when the GRC box is down. In my opinion, it's also more "user-friendly" since the firefighter doesn't have to log on to GRC box in order to start the firefighting session; he/she only needs to execute a transaction in the plug-in system. For some companies, the centralized approach is better since the user accesses a system (GRC box) and can start firefighter sessions in multiple systems.


Bottom line, the most important thing is that with SP10 you have the option to choose, and below you'll find information that'll help you to configure decentralized Firefighting.

The idea of a decentralized firefighting was submitted by &aniela orC on SAP Idea Place: Access Firefighter application locally in AC10

So, if you have a good idea, please share it with SAP customers and employees in the Idea Place and maybe it becomes a new functionality!

WARNING: THE FOLLOWING PROCEDURE ISN'T PROPERLY DOCUMENTED. I'LL ADD INFORMATION OR CHANGE THE PROCEDURE AS SOON AS NEW GUIDES ARE AVAILABLE.

Main documentation can be found in the guide attached to the note: Note 1690964 - Emergency Access Management Overview Documentation

In the GRC box a new parameter is available and must be set accordingly:

Under transaction SPRO, navigate to here:

And create a new entry for parameter 4015 which has to be set to the value "YES"

Additionally a new synchronization job is available and must be executed in order to synchronize the EAM data from GRC box to the plug-in system. Remember that configurations (firefighter assignments, controllers, owners, reason codes, etc.) are still maintained in a centralized way, i.e. in the GRC box.

In order to sync this data with the plug-in, a new job is available and can be found here:


In the connector field you have to set the corresponding plug-in connector. In order to keep your plug-in system updated with the changes you made in the GRC box, this report should be scheduled periodically; I think hourly would be fine. In addition, if you have multiple plug-in systems, you should follow the same approach as with the log sync: create individual jobs for each connector instead of a unique job with connector value "*".

Configuration in the plug-in system

In the plug-in system you'll find new activities under SPRO:

These activities are described here: 1804207 - GRC EAM 10.0: Configuration parameters introduced in SP10 for EAM


If you haven't set the parameter 1000 in the plug-in system, you'll have to do it in order to use decentralized firefighting, otherwise you'll get an error message as described here: 1800772 - Error 'No Destination specified' when using transaction /GRCPI/GRIA_EAM

Then, check the parameter as described below:

If the parameter 1000 isn't present you have to create it and set the value to an RFC destination pointing to the system itself:

Since this configuration is transported I recommend creating a new RFC destination in the DEV, QAS and PRD systems with the same name, let's say "GRC_CONNECTOR". This will allow you to transport the configuration throughout your entire landscape.

The RFC connection does not require a user. It just has to point to the correct system/instance and a specific client.

Required users

Controllers have to be created in the GRC box, as with centralized firefighting. In addition these users must exist in the plug-in system and have a valid e-mail address because login notifications are sent from the plug-in system.

With the decentralized scheme it's not necessary to create the firefighter users in the GRC box, because they'll start the firefighter transaction from the plug-in system.

E-mail considerations

Log-in notifications are sent from the plug-in system:


But, as with the decentralized approach, Log notifications are sent from GRC box

This requires a proper mail configuration (tx. SCOT) in both systems: plug-in and GRC box.

Plug-in roles


You'll have to create a new role as a copy of SAP_GRAC_SUPER_USER_MGMT_USER.

You should add the following authorization to it:

For some NW releases ACTVT=02 will also be required. Kindly check 1753459 - EAM: S_USER_GRP with ACTVT=02 required

This role is assigned to the firefighter users. Bear in mind that these users should not have access to user maintenance transactions, for example SU01. If the firefighter IDs are properly assigned to a group and you can restrict the CLASS field this is not a big issue, since even though they could change the password, they won't be able to log on because the user exit is implemented in order to prevent it.

The authorization added to the role SAP_GRAC_SUPER_USER_MGMT_USER isn't properly documented by SAP yet. There might be another way to configure it... but this was the same approach used in GRC 5.3.

In addition to this role you also have to create roles for administrator and owner. Remember that extending the validity period is a new activity available in the plug-in system and owners and administrators should have access to it.

Known problems (specific to decentralized EAM)

Note 1849289 - For Decentral EAM No Reasoncode and Activity desc captured

Specific for CUA systems:

Note 1814400 - Decentral call is opening different session in CUA

(Documentation provided by: Guido Stusinsky)

Common Issue: Logon screen appears when starting FF session

It's possible that we get a logon screen after starting the FF session. This is incorrect behavior since the user doesn't need to enter the FF ID password.

Here are some tips:

• Check the RFC connection. Perform an authorization check in SM59 to check if the RFC user is OK.

• Check that the RFC is pointing to the correct client.

• Look for dumps in ST22 in the plug-in system.

• Check if the FF ID password is productive, reset the password or check with changing the user to type "Service" if you are using "Dialog" user for FF ID.

• Have a look at the following notes:

1861981 - Things to check when error message 'Error in opening RFC destination' appears in GRAC_SPM

1777094 - EAM log on is not possible with the error: 'Error found in RFC (plug in system) and respective logonXlogons are disabled'

Note 1886332 - GRC 10.0 EAM prompts for user/password while logging

Note 1872709 - Logon popup shown when launching the EAM session