GRC 10.1 - Significance of EAM Configuration Parameters

Purpose

This document is to explain the details and significance of configuration parameters used in Governance Risk and Complaince - Emergency Access Management 10.0. 

Overview

The configuration parameters have impact on the behavior of the application. With each configuration, the application flow changes. So the proper combination of the configurations is required so that the application runs smoothly.

Available Configuration Parameters

Go to SPRO->Governance, Risk and Compliance->Access Control->Maintain Configuration Settings 

EAM related configuration starts with 4000. Till now the configurations till 4015 is available.

Explanation of Configuration Parameters

Following is the explanation for each configuration parameter:

(1) 4000 (Application Type): It specifies whether the user is using ID based or Role based application. If the parameter value is 1 then Firefighter will be assigned Firefighter ID otherwise if the value is 2 then Role based application is set.

(2) 4001 (Default Firefighter Validity Period (Days)): When you provide valid from and valid to dates as you assign a Firefighter Role or Firefighter ID to a Firefighter, these dates will be applied to the assignment, overriding the Default Firefighter Validity Period setting. Initially the Firefighter ID or Role assigned is from the current date. When you omit the “to date” and you have not set Default Firefighter Validity Period, the assignment will be active until 12/31/9999. When you omit the to date and you have set a Default Firefighter Validity Period, then the assignment you are assigning will remain active until the current date, plus the number of days you specified for the Default Firefighter Validity Period.

(3) 4002 (Send Email immediately): If the Send Email Immediately is set to Yes, the Firefighter Login Notification is sent to the Controller immediately as the firefighter login.

(4) 4003 (Retrieve Change Log): The Change Log information for Firefighter ID is captured from the SAP Change Log that is stored in the CDHDR/CDPOS tables. The Retrieve Change Log parameter specifies whether you to capture Change log information. The parameter value can be set to YES, or NO. If this parameter is set to YES, then only the Change Log information (including document number, old value, new value etc.) are captured when Firefighter log sync program is executed.

(5) 4004 (Retrieve System log): The System log information is captured from SM21. If the parameter is set to YES then only the System Log information is captured for Firefighter ID in GRC Box.

(6) 4005 (Retrieve Audit log): The Audit log information is captured from SM20. If the parameter is set to YES then only the Audit Log information is captured for Firefighter ID in GRC Box.

(7) 4006 (Retrieve OS Command log): The Changes in SM49 is captured in OS Command log. If the parameter is set to YES then only the OS command changes are captured for Firefighter ID in GRC Box.

(8) 4007 (Send Log Report Execution Notification Immediately): If the Send Log Report Execution Notification Immediately is set to Yes, the Firefighter Log Report Notification is sent to the Controller immediately as the logs are updated in GRC Box. If the Send Log Report Execution Notification Immediately is set to No, the Firefighter Log Report Notification is sent depending on the frequency (Hourly/ Daily / Weekly) of the corresponding background job. Then the separate background Job for Report GRAC_SPM_WORKFLOW_SYNC needs to be scheduled.

(9) 4008 (Send FirefightId Login Notification): The Send FirefightID Login Notification option specifies whether to send Login Notification emails to Controllers with information about when a Firefighter session was started and by whom. If this parameter is set to NO then no Login notification will be sent even if parameter 4002 is set to YES. Also the Login notification always sent as an Email, for this no workflow is initiated. If this parameter is set to YES then controllers for the Firefighter ID in question will receive an Email.

(10) 4009 (Log Report Execution Notification): The Log Report Execution Notification parameter specifies whether Log Report notifications that contain information about Firefighter activity should be sent to the Controllers. If this parameter is set to NO then no log notification in form of email or workflow will be generated even if parameter 4007 is set to YES.

(11) 4010 (Firefighter ID role name): There are many users in a system. To distinguish Firefighter ID from a normal user this Role is has to be assigned in the plug-in system. If the Application type is 2 i.e. Role based application is used, then there is no need to set this parameter.

(12) 4012 (Default users for forwarding the Audit Log workflow): This parameter is introduced in SP06. In case of EAM log notification workflow the controller can forward the workitem to any user. This user can submit the SPM/EAM Audit review. It should not be possible to forward to any user but only to other controller. So a customizing is provided for it whether the workitem could be forwarded to controllers only or to all users.

(13) 4013 (Firefighter ID owner can submit request for Firefighter ID owned): The Parameter is introduced in SP08.This parameter is used in Access request to allow or disallow the owner to submit the request for Firefighter ID owned by him.

(14) 4014 (Firefighter ID controller can submit request for Firefighter ID controlled): The Parameter is introduced in SP08.This parameter is used in Access request to allow or disallow the controller to submit the request for Firefighter ID for which he is the controller.

(15) 4015 (Enable Decentralized Firefighting): This parameter is introduced in SP10. In SP10 De-centralized version of EAM is provided. So this customizing entry will be used whether to use De-centralized version or not. If this parameter is set to YES then the Firefighter can use logon pad available in plug-in system directly. The Firefighter IDs available for that system will be available there for Firefighter to Login. 

Related Content

Related Documents 

https://service.sap.com/instguides - > SAP BusinessObjects Governance, Risk and Compliance (GRC) -> Access Control -> Release 10.0 -> Maintaining Configuration Settings Guide - SAP AC 10.0

Related Notes

SAP Note:1632953 - EAM Audit review workflow could be forwarded to other users

SAP Note: 1668255 - Firefighter ID role name for Param ID: 4010

SAP Note: 1768556 - Customizing changes for Decentralize Firefighting

SAP Note: 1659219  - UAM: FFID owner & controller can create own request for FFID