7/25/2019 EAM Configuration
http://slidepdf.com/reader/full/eam-configuration 1/15
EAM Configuration
Configuring EAM in GRC 10 isn't a difficult task, but there are some details you have to take into
account. The document "AC 10.0 Pre-Implementation From Post-Installation to First Emergency
Access" is useful, but it doesn't consider all the details. Here I'll try to give you a complete
explanation about how to configure EAM successfully.
Configure Parameters
In GRC Box, execute transaction SPRO and navigate to here
The following parameters should be set according to the table
You might want to change some of them; the recommended values only serve as a guide for the
initial configuration. Changes in the parameters table will be included in a transport request; you
should release the transport to your QA/PROD systems when you finish the EAM tests and adapt the
parameters according to your requirements.
Parameter 4010: What's for?
If you've been working with GRC 5.3, this parameter should sound weird to you. The purpose is to
identify to the application that the user who is logging on to the target system is a Firefighter ID.
The target system makes a call to the GRC Box and reads this configuration to check if the user has
this role assigned to them. That means that you have to create the role that you've set in
parameter 4010 in all the target systems with the exact name provided there. Usually, you copy it
from the standard SAP_GRC_SPM_FFID (it contains RFC authorizations). Only the users who have that
role assigned in the target system will be available for selection in the GRC Box as Firefighters IDs.
Kindly check below notes:
1??@66 - Firefighter ID role name for Param ID 4010
Adding connector to the SUPMG Scenario
16?B?0 - AC10.0 - Integration Scenarios to Connector link
At this point you have already created the connectors.
Now you have to link the corresponding connectors to the SUPMG scenario.
Click here
and
Required roles in the GRC Box
SAP provides standard roles that must be copied to the customer namespace. For this sample
configuration you need to create at least a copy of the following roles and generate the
corresponding profiles: You can just name them as Z or use a naming convention according to
your company requirements.
CAUTION: Please follow the instructions provided in the attachment of note:
Note 1??7D8D - EAM Authorization Fixes for Central Owners and Reason Codes
There are some changes you have to make to the standard roles, and there's also a complete
explanation of the authorization objects. For more information, kindly refer to the Security Guide
(link provided above).
Security considerations for EAM Roles:
Required users in the GRC Box:
In order to show a sample for testing, it's necessary to create (or use existing ones) three users:
FF_OWNER: This user will serve as owner for the firefighter ID. It should be assigned to the role
Z_SAP_GRAC_SUPER_USER_MGMT_OWNER.
FF_CONTROL: This is the firefighter controller. You assign Z_SAP_GRAC_SUPER_USER_MGMT_CNTLR.
CAUTION: This user MUST have a valid e-mail address maintained in SU01 if you want the controller
to receive notifications via e-mail.
FIREFIGHTER: This is the firefighter user, who will be able to access the target system with the
Firefighter ID. You assign Z_SAP_GRAC_SUPER_USER_MGMT_USER in addition to the base roles. If you
don't assign the base roles you won't see the user (FIREFIGHTER in this case) available for
selection in the Firefighters IDs.
<your user>: The user who is going to perform the configurations must have at least the role
Z_SAP_GRAC_SUPER_USER_MGMT_ADMIN assigned.
In addition to all the roles mentioned above, all users must have the roles Z_SAP_GRAC_NWBC and
Z_SAP_GRAC_BASE assigned.
For a theoretical explanation of the users and their responsibilities, refer
to https:;;help'sap'com;saphelp_grcac54;helpdata;en;5<;=4=>?@<>AA=4?>@aAeB<fe@cf4<B;frameset'htm
Required roles in the target system:
In the target system you have to make a copy of the role SAP_GRAC_SPM_FFID
and generate the profile.
CAUTION: The name of this role MUST be the same configured in the parameter 4010 in the GRC box.
In this example: Z_SAP_GRC_SPM_FFID.
Required users in the target system:
You have to create a user (FIREFIGHTER_ID) in the target system with the corresponding required
roles/profiles according to your requirements. In addition you must assign to the FIREFIGHTER_ID
the role Z_SAP_GRC_SPM_FFID. This user should be of type "Service" as per note 1702439.
The following note describes an issue you'll face with this kind of users: Note 1586989 - Object
Services icon not available in Firefighter ID session. I'll update this document when a specific note
for GRC 10 is released regarding this issue.
Creating central Owners and controllers:
Access to the NWBC: http://<server>:<port>/nwbc/ or execute tx. NWBC in the GRC box.
Go to the "Setup" tab and:
Create entries for the Firefighter controller and owner:
Creating reason codes:
You have to create at least one reason code to be able to use the firefighter ID later.
Associate the entry to the corresponding target system.
Synchronization Jobs:
In accordance with note: 1585079
You have to execute the synchronization jobs in order to make the FF IDs available in GRC box for
selection:
Please make sure that you have performed following configuration steps:
1. Integration Scenarios are configured as explained in note 15!"#
2. Please make sure the Firefighter role is assigned to Firefighter IDs in the corresponding
client system and that the same role has been given as parameter value for configuration
parameter 4010. Configuration parameters can be configured in the transaction code SPRO ->
Governance, Risk and Compliance -> Access Control -> Maintain Configuration Settings
3. Run User/Role/Profile/Auth synchronization jobs. The link to run these jobs can be found
under transaction code SPRO -> Governance, Risk and Compliance -> Access Control ->
Synchronization Jobs.
Once you have executed the auth & repository sync job with the corresponding target connector,
the FF ID will be available for selection in the GRC box.
See also Note $%%&'((
Once you are done with the above steps re-run an Incremental/Full User Sync for the
Firefighter IDs with the Firefighter Role to be SYNCed into the GRC box.
Now re-launch the application via NWBC or Portal and then search for the Firefighter ID
and this should be available in Firefighter ID list.
Assign Owners:
Assign Firefighter IDs to Firefighters
Here you assign the Firefighter ID to the corresponding Firefighters users (one or more)
And in the controller tab set the controller user:
Firefighter collector Job:
Execute tx. GRAC_SPM_LOG_SYNC and schedule the log collection periodically as per note: 1617529
Known problems with time zones:
Note 1595462 - Logs not visible in the SPM Reports
Note 1775432 - Transaction logs are not getting captured by GRC 10.0
Known problem when connector is set to ABC:
Note 1726157 - GRAC10 EAM GRAC_SPM_LOG_SYNC_UPDATE doesn't collect data
Performance problems:
Note 1750024 - GRAC - Performance of the SPM Log Sync
Other errors:
Note 1773855 - EAM10.0 Sometimes Workflows and transaction logs are missed
Note 1776070 - GRC EAM program is giving a short dump and no logs generated
Note 1731923 - EAM:Transaction Logs are not being captured while sync
E-mail configuration:
If you want the controller to receive e-mails (firefighter logon notification and firefighter session
details) you have to check the following:
• Make sure your basis team has properly configured outgoing e-mails from GRC box (Tx. SCOT)
• Controller notification method was set to: Email (see above)
• SPRO parameters:
  4002 Send E-mail Immediately: YES
  4007 Send Log Report Execution Notification Immediately: YES
  4008 Send FirefightID Logon Notification: YES
  4009 Log Report Execution Notification: YES
• Controller user (FF_CONTROL) has "Comm.Method" set to "E-Mail" in SU01 and has a valid
e-mail address.
• WF-BATCH user must also have an e-mail address in SU01, otherwise you'll get the
following error in tx. SLG1:
According to the configuration settings guide:
You can change the parameter and use another user to send the e-mails.
After executing the GRAC_SPM_LOG_SYNC_UPDATE, please execute tx. SOST and check if the e-mails
were generated (you have to access the firefighter to get the e-mails).
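The prerequisites listed so far (the parameter 4010 role present and assigned in the target system, Firefighter IDs of type Service, the four e-mail parameters set to YES, e-mail addresses for the controller and WF-BATCH) can be checked offline before testing. The following is an added example, not part of the original document and not SAP code; the snapshot layout, its field names and the user FF_ID_2 are assumptions, with values typed in by hand from the SPRO and SU01 screens.

```python
import re

EMAIL_PARAMS = ("4002", "4007", "4008", "4009")  # must be YES for controller e-mails
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def audit_eam(snap):
    """Return a list of findings for a hand-collected EAM configuration snapshot."""
    findings = []
    params = snap["grc_params"]
    ffid_role = params.get("4010", "")
    # Parameter 4010 must name a role that exists in the target system.
    if ffid_role not in snap["target_roles"]:
        findings.append(f"4010 role {ffid_role!r} missing in target system")
    for user in snap["target_ffids"]:
        # Only users holding the 4010 role are offered as Firefighter IDs.
        if ffid_role not in user["roles"]:
            findings.append(f"{user['name']}: 4010 role not assigned")
        # Firefighter IDs should be Service users, not Dialog.
        if user["type"] != "Service":
            findings.append(f"{user['name']}: user type {user['type']}, expected Service")
    for pid in EMAIL_PARAMS:
        if params.get(pid, "").upper() != "YES":
            findings.append(f"parameter {pid} is not YES")
    # Controller and WF-BATCH (the sender named on this page) need an address in SU01.
    for name in (snap["controller"], "WF-BATCH"):
        mail = snap["su01_email"].get(name, "")
        if not EMAIL_RE.match(mail):
            findings.append(f"{name}: no valid e-mail address in SU01")
    return findings

# Constructed sample snapshot; FF_ID_2 is a hypothetical second Firefighter ID.
SAMPLE = {
    "grc_params": {"4010": "Z_SAP_GRC_SPM_FFID", "4002": "YES", "4007": "YES",
                   "4008": "NO", "4009": "YES"},
    "target_roles": {"Z_SAP_GRC_SPM_FFID"},
    "target_ffids": [
        {"name": "FIREFIGHTER_ID", "type": "Dialog", "roles": {"Z_SAP_GRC_SPM_FFID"}},
        {"name": "FF_ID_2", "type": "Service", "roles": set()},
    ],
    "controller": "FF_CONTROL",
    "su01_email": {"FF_CONTROL": "controller@example.com"},
}

if __name__ == "__main__":
    for finding in audit_eam(SAMPLE):
        print("FINDING:", finding)
```

An empty result only means the listed prerequisites are met; SCOT routing and the sync jobs still have to be verified in the systems themselves.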
Implement Firefighter user Exit:
Although the Firefighter ID password is changed by the application each time you start the
firefighter (you can check it via change documents in the target system), Firefighter IDs need to be
restricted from logging in to the SAP system directly via SAP GUI. For this purpose we need to
create and modify the SAP User Login Exit.
Check:
1545511 - Firefighter User Exit
1735971 - User exit to prevent direct firefighter login
Security Issue???: http://scn.sap.com/thread/3273562
Required RFC connections for EAM:
Please check: Note 1701047 - Is it mandatory to use trusted connection in the RFC destination for
Firefighter Connector?
"Yes it is mandatory to make a trusted relationship so that communication can be established
between the GRC system and the plug-in."
Links to more documentation:
Note 1394281 - Superuser Privilege Management Log Report Content
Note 1065048 - Firefighter Log Not sent in Email to Controller <<- for 5.3, but useful
Note 1618040 - Performance fix for SPM transaction logs for large systems
Note 1732938 - Firefighter incorrect language setting on ERP Production
Note 1730649 - Firefighter owner can assign ANY Firefighter ID to Firefighter User
Note 1747283 - EAM: Entries in EAM logon pad not Visible for a firefighter
**NEW: Decentralized firefighting (as in GRC 5.3) is available as of SP10
As of SP10, Emergency Access decentralized firefighting features are available. Users can install
and use the EAM Launchpad to perform ID-based firefighting directly on plug-in systems. This
means that Firefighter session could be started from the plugin system itself without the need to
access the GRC box. This approach was used in GRC 5.3. With GRC 10 SP10 you can choose between
centralized or decentralized firefighting.
The most important advantage of decentralized firefighting is that you can continue using
firefighter even when the GRC box is down. In my opinion, it's also more "user-friendly" since the
firefighter doesn't have to log on to GRC box in order to start the firefighting session; he/she only
needs to execute a transaction in the plugin system. For some companies, the centralized
approach is better since the user accesses one system (GRC box) and can start firefighter sessions in
multiple systems.
Bottom line, the most important thing is that with SP10 you have the option to choose, and below
you'll find information that'll help you to configure decentralized Firefighting.
The idea of a decentralized firefighting was submitted by Daniela ork on SAP Idea Place: Access
Firefighter application locally in AC10
So, if you have a good idea, please share it with SAP customers and employees in the Idea Place and
maybe it becomes a new functionality!
WARNING: THE FOLLOWING PROCEDURE ISN'T PROPERLY DOCUMENTED. I'LL ADD
INFORMATION OR CHANGE THE PROCEDURE AS SOON AS NEW GUIDES ARE AVAILABLE.
Main documentation can be found in the guide attached to the note: Note 1690964 - Emergency
Access Management Overview Documentation
In the GRC box a new parameter is available and must be set accordingly:
Under transaction SPRO, navigate to here:
And create a new entry for parameter 4015 which has to be set to the value "YES"
Additionally a new synchronization job is available and must be executed in order to synchronize
the EAM data from GRC box to the plug-in system. Remember that configurations (firefighter
assignments, controllers, owners, reason codes, etc.) are still maintained in a centralized way, i.e. in
the GRC box.
In order to sync this data with the plug-in, a new job is available and can be found here:
In the connector field you have to set the corresponding plug-in connector. In order to keep your
plugin system updated with the changes you made in the GRC box, this report should be scheduled
periodically; I think hourly would be fine. In addition, if you have multiple plug-in systems, you
should follow the same approach as with the log sync: create individual jobs for each connector
instead of a unique job with connector value "*".
Configuration in the plug-in system
In the plug-in system you'll find new activities under SPRO:
These activities are described in here: 1804207 - GRC EAM 10.0: Configuration
parameters introduced in SP10 for EAM
If you haven't set the parameter 1000 in the plug-in system, you'll have to do it in order
to use decentralized firefighting, otherwise you'll get an error message as described
here: 1800772 - Error 'No Destination specified' when using transaction /GRCPI/GRIA_EAM
Then, check the parameter as described below:
If the parameter 1000 isn't present you have to create it and set the value to an RFC destination
pointing to the system itself:
Since this configuration is transported I recommend to create a new RFC destination in DEV, QAS
and PRD system with the same name, let's say "GRC_CONNECTOR". This will allow you to transport
the configuration throughout your entire landscape.
The RFC connection does not require a user. It just has to point to the correct system/instance and
a specific client.
Required users
Controllers have to be created in the GRC box as well as with centralized firefighting. In addition
these users must exist in the plugin system and have a valid e-mail address because login
notifications are sent from plug-in system.
With the decentralized scheme it's not necessary to create the firefighter users in the GRC box,
because they'll start firefighter transaction from the plug-in system.
E-mail considerations
Log-in notifications are sent from the plug-in system:
But, as with the decentralized approach, Log notifications are sent from GRC box
This requires a proper mail configuration (tx. SCOT) in both systems: plug-in and GRC box.
Plug-in roles
You'll have to create a new role as a copy of SAP_GRAC_SUPER_USER_MGMT_USER.
You should add the following authorization to it:
For some NW releases ACTVT=02 will be also required. Kindly check 1753459 - EAM: S_USER_GRP
with ACTVT=02 required
This role is assigned to the firefighter users. Bear in mind that these users should not have access
to user maintenance transactions, for example SU01. If the firefighter IDs are properly assigned to
a group and you can restrict the CLASS field this is not a big issue, since despite they could change
the password, they won't be able to access because the user exit is implemented in order to
prevent it.
The authorization added to the role SAP_GRAC_SUPER_USER_MGMT_USER isn't properly
documented by SAP yet. It might be another way to configure it... but this was the same approach
used in GRC 5.3.
In addition to this role you also have to create roles for administrator and owner. Remember that
extending the validity period is a new activity available in the plug-in system and owners and
administrators should have access to it.
Known Problems (specific to decentralized EAM)
Note 1849289 - For Decentral EAM No Reasoncode and Activity desc captured
Specific for CUA systems:
Note 1814400 - Decentral call is opening different session in CUA
(Documentation provided by: Guido Stusinsky)
Common Issue: Logon screen appears when starting FF session
It's possible that we get a logon screen after starting the FF session. This is an incorrect behavior
since the user doesn't need to enter the FF ID password.
Here some tips:
• Check the RFC connection. Perform an authorization check in SM59 to check if the RFC user
is OK.
• Check that the RFC is pointing to the correct client.
• Look for dumps in ST22 in the plugin system.
• Check if the FF ID password is productive, reset the password or check with changing the
user to type "Service" if you are using "Dialog" user for FF ID.
• Have a look at the following notes:
1861981 - Things to check when error message 'Error in opening RFC destination' appears in
GRAC_SPM
1777094 - EAM log on is not possible with the error: 'Error found in RFC (plug in system) and
respective logonXlogons are disabled'
Note 1886332 - GRC 10.0 EAM prompts for user/password while logging
Note 1872709 - Logon popup shown when launching the EAM session