GRC AC 10 Step by Step Notes

The document outlines the configuration steps for GRC AC 10.0, including client activation, service activation, and the creation of connectors and groups. It details post-installation steps, including the activation of modules and client data copying, as well as various settings and mappings required for proper functionality. Additionally, it covers workflow configuration, synchronization jobs, and the generation of SOD rules for risk analysis, emphasizing the importance of maintaining connection and configuration settings throughout the process.

Uploaded by

tandelankit
GRC AC 10.0 Configuration Steps:
Client activation

SICF services activation

BC sets activation

Create connectors

Create subsequent connectors

Define groups

Assign connector to connector type

Assign connector to connector groups

Maintain connection settings

Schedule background jobs

Maintain configuration settings (parameter maintenance)

Maintain connector settings

Maintain mapping for actions and connector groups

Timeout parameters settings using t-code SMICM

Perform automatic workflow customizing

Configure RFC destination

Configure 4 components of GRC AC 10.0

MSMP workflow creation (full cycle of user provisioning)

BRF+(Business Rule Framework plus) creation


Post installation steps:
If you install the GRCFND_A add-on in your system, you get the Access Control (AC), Process Control (PC) and Risk Management (RM) modules.

If you want, you can select the Access Control (AC) module only.

Note: the t-code for installing add-ons in your system is SAINT

You need to activate AC in your system; if you want, you can add all 3 (AC, PC, RM)

The default clients in your system are 000, 001 and 066.

Now create 2 clients for our practice: 100 and 200

Client 100 is the front-end system, meaning the GRC AC system, and client 200 is the back-end system

Copy all data from client 000 to 100 as well as 000 to 200.

Note: within the same system there is no need to install plug-ins. If the client is in some other system, we need to install plug-ins in that system. The plug-in name is GRCPINW (needs to be installed)

If it is an HR system, install one more plug-in: GRCPIERP

Client Activation
Go to t-code SPRO

To activate GRCFND_A for Access Components

Click on SAP reference IMG

Expand Governance, Risk and Compliance


Expand General settings and click on Activate Applications in Client

In that screen you can see the number of active applications in the client.

If there are none, or you need to add one more, click on the New Entries button

You can select GRC-AC from the drop-down menu as shown below

Check the check box Active

Note: if you also want GRC-PC and GRC-RM activated, you can select them here

Then click on save button

The system prompts with a box to create a customizing request


Click on create button

Give short description

Click on save button

Then the transport request is created.

Click on the tick (checkmark) button.

ICF services activation


Go to t-code SICF

Select Hierarchy type as Service using option


Click on execute

Now select virtual host as DEFAULT_HOST as shown below

Scroll down. You can see default_host and SAPconnect

Now we need to activate it: right-click on default_host and select Activate virtual host

Note: for SAPconnect, if any domain is used, we can select this option too

Activate BC sets
Go to t-code SCPR20

Select *GRC* BC sets

You can see 3 BC sets as shown below

Select them one after another and click on the tick (checkmark) button


Now click on Activate button as shown below

You need to create a customizing request. If you want a new request, click on the create button

Otherwise use the same request

Select the radio button option Do not overwrite default values

Select the radio button option Expert mode

You need to repeat the same process for the other 2 BC sets

Now search for *GRAC* BC sets.

GRAC_ACCESS_REQUEST_APPL_MAPPING

GRAC_ACCESS_REQUEST_EUP

GRAC_ACCESS_REQUEST_PRIORITY
GRAC_ACCESS_REQUEST_REQ_TYPE

GRAC_RA_RULESET_COMMON

GRAC_RA_RULESET_JDE

GRAC_RA_RULESET_ORACLE

GRAC_RA_RULESET_PSOFT

GRAC_RA_RULESET_SAP_APO

GRAC_RA_RULESET_SAP_BASIS

GRAC_RA_RULESET_SAP_CRM

GRAC_RA_RULESET_SAP_ECCS

GRAC_RA_RULESET_SAP_HR

GRAC_RA_RULESET_SAP_NHR

GRAC_RA_RULESET_SAP_R3

GRAC_RA_RULESET_SAP_SRM

GRAC_ROLE_MGMT_LANDSCAPE

GRAC_ROLE_MGMT_METHODOLOGY

GRAC_ROLE_MGMT_PRE_REQ_TYPE

GRAC_ROLE_MGMT_ROLE_STATUS

GRAC_ROLE_MGMT_SENTIVITY

GRAC_SPM_CRITICALITY_LEVEL

You will get above BC sets

In that,

First 4 related to AEM BC sets

Next 12 related to ARA BC sets

Next 4 related to BRM BC sets


Last 1 related to SPM BC sets

Based on requirement select and activate

We need to activate one after another.

Create connectors
Here source is client 100

Target is client 200

We need to create RFC connections

For that create one user in client 200 with user ID RFC_USR

User type: system user (wrong, see the note below)

Profiles: sap_new and sap_all

Go to T-code SPRO

Expand Governance, risk and compliance

Expand common component settings

Expand integration framework

Click on create connectors


You will get below screen

Click on create button

Enter RFC Destination ex: GRCCLNT200

Enter connection type as 3


Enter Description1 and description2 and description3

Now select the Logon & Security tab

Enter language as EN

Enter client 200

Enter User

Now click on Connection Test and then on Remote Logon

If you click on Connection Test you can see the below screen

If you click on Remote Logon you can see the below screen

Connection test and remote logon are working successfully.

Note: during user creation we selected user type system user. But a system user cannot be used with RFC here, so we need to choose user type service user
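A review check for the RFC user set up above, written as an added example (not part of the original notes): it looks at the user stored in each RFC destination and reports broad profiles and user types that allow dialog logon. The input records, the second destination and its user and profile names are constructed for illustration.

```python
from dataclasses import dataclass

# SAP user types: A = Dialog, B = System, C = Communication,
# S = Service, L = Reference. Dialog and Service users can log on
# interactively, so a destination with stored credentials for such a
# user also gives a GUI session through "Remote Logon".
INTERACTIVE_TYPES = {"A", "S"}
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


@dataclass(frozen=True)
class RfcDestination:
    name: str           # RFC destination / connector name
    target_client: str  # client entered on the Logon & Security tab
    user: str           # user stored in the destination


@dataclass(frozen=True)
class User:
    user_id: str
    client: str
    user_type: str      # one of A, B, C, S, L
    profiles: frozenset


# Constructed sample data. The first pair mirrors the setup in these
# notes; the second pair is a hypothetical restricted setup.
DESTINATIONS = [
    RfcDestination("GRCCLNT200", "200", "RFC_USR"),
    RfcDestination("GRCCLNT300", "300", "RFC_GRC"),
]
USERS = [
    User("RFC_USR", "200", "S", frozenset({"sap_all", "sap_new"})),
    User("RFC_GRC", "300", "B", frozenset({"Z_GRC_RFC"})),
]


def review_rfc_users(destinations, users):
    """Return (destination, user, finding) tuples for risky RFC users."""
    index = {(u.client, u.user_id): u for u in users}
    findings = []
    for dest in destinations:
        user = index.get((dest.target_client, dest.user))
        if user is None:
            findings.append((dest.name, dest.user, "user not found in target client"))
            continue
        broad = sorted(BROAD_PROFILES & {p.upper() for p in user.profiles})
        if broad:
            findings.append((dest.name, user.user_id,
                             "broad profiles: " + ", ".join(broad)))
        if user.user_type in INTERACTIVE_TYPES:
            findings.append((dest.name, user.user_id,
                             f"user type {user.user_type} allows dialog logon"))
    return findings


if __name__ == "__main__":
    for finding in review_rfc_users(DESTINATIONS, USERS):
        print(*finding, sep=" | ")
```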

Now go to SPRO T-code

Expand Governance, risk and compliance

Expand common component settings

Expand integration framework

Click on maintain connectors and connection types

You will get below screen, in that select SAP system as shown below

Now double click on Define connectors from left side.

Now click on New Entries

Select Target connector as grcclnt200 shown below

Note: logical port and target connector should be the same.

Select max. no. BCG as 3

Click on save button

Create customize request

Now select target connector grcclnt200 and double click on define subsequent connector from left side.

Select connection type SAP

Click on save button

Note: if you have 10 clients, repeat the above process for each client to be supported.

Define Groups

Assign connector to connector type

Assign connector to connector groups


Go to t-code SPRO

Expand Governance, risk and compliance

Expand common component settings

Expand integration framework


Click on maintain connectors and connection types

Select connection type as SAP

Double click on define connectors from left side

Select target connector as grcclnt200 and double click on subsequent connector folder

Select the connection type SAP

Double click on define connector groups you will get below screen

In that select the existing connector group SAP_R3_LG

Now double click on Assign connector group to group type

Now logical group should be selected under connector group type

Note: here we selected logical group from the list because it is within the same system. If it is some other system, cross system group should be selected

Click on save button


Now select the logical group and double click on Assign connectors to connector group

Select target connector as grcclnt200 and connector type as SAP

Click on save button

Create transport request if required.

Maintain connection settings


Go to t-code SPRO

Expand Governance, risk and compliance

Expand common component settings

Expand integration framework

Click on maintain connection settings

You can see one popup

If you click on work area browse, you can see 4 integration scenarios.

AUTH for ARA means RAR

PROV for ARM means CUP

ROLMG for BRM means ERM

SUPMG for SPM means ERM

Now select AUTH and click on the tick (checkmark) button.

Now double click on scenario connection type link from left side.

Select SAP row

Click on save button


Now double click on scenario-connector link

Select target connector and connector type row and click on save.

Click on save button

Create customizing request

Note: Do the same process for the remaining 3 scenarios

PROV for ARM means CUP

ROLMG for BRM means ERM

SUPMG for SPM means ERM

The common configuration settings related to AC are now completed.


Now we have to do GRC access control configuration settings

Go to t-code SPRO

Expand Governance, risk and compliance

Expand Access Control

Click on maintain connector settings

Click on new entries

Select target connector grcclnt200

Select application type 001 SAP

Environment should be selected as production

Based on requirement select path ID and PSS check

Here PSS means Password Self Services

Click on save button

Create transport request


Maintain mapping for action for connection groups
Go to t-code SPRO

Expand Governance, risk and compliance

Expand Access Control

Click on maintain mapping for action for connection groups

Click on new entries; you will get the below screen.

Select the already existing connection group SAP_R3_LG

Check the check box active

Select application type as 001 SAP

Select the connection group row and double click on assign default connector to connector group from left side

Check all the check boxes as in the below screen

Here 4 check boxes means application type 001, 002, 003 and 004

Click on save button

Select connector group as SAP_R3_LG

Maintain plug-in settings


Go to t-code SPRO

Expand Governance, risk and compliance

Expand Access Control

Click on maintain plug-in settings

If you have done plug-ins in different systems

Perform workflow related activities


Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand General settings


Expand workflow

Click on perform automatic workflow configuration

You will get below screen with red marks

Expand maintain runtime environment.

Then you will get below screen with red marks

Select Configuration RFC destination

Automatic/manual

Click on generate button.

Click on yes.

If you have done the above activity, in SU01 you can see that the WF-BATCH user is automatically created

Select logon data tab and give password

Click on save button

Again click on generate button

Now click on execute button

Give password

Normally you would see the green button. But here it shows red only, because the user has no roles.

So, we need to assign roles to the WF-BATCH user

Now go to SU01, select the roles tab and assign the SAP_BC_BMT_WFM_SERV_USER role.

And assign profiles sap_new and sap_all.

Click on execute button now

You can see the green color

Now select maintain workflow system administrator

Click on generate button

You can see the green color

Now select document generation/form integration

Click on generate button

You can see the green color.

Now select background job for missed deadlines

Click on the execute button; it is scheduled as a background job

Now select background job for condition evaluation

Click on the execute button; you can see the green color.

Now select scheduled background job for event queue

Click on generate button

Now select scheduled background job for clearing report

Click on generate button. You can see the green color.

Now expand maintain definition environment

Select maintain prefix numbers

Click on change button

Click on create

Enter profile number 999

Click on save

Now click on local object

Click on the tick (checkmark) button

Go back and refresh

Now select check entries for HR control tables.

Go to t-code SA38

Execute RHSOBJCH

Click on execute

Select all

Click on the execute button

Now go back and click on execute. Then you can see the green button.

Note : in the same way expand classify tasks as general

And expand guided procedures

Click on generate button then you can see green color.

Perform task-specific customizing


Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand General settings

Expand workflow

Click on perform task-specific customizing

You can see below screen with folders from left side

Expand GRC folder. You can see subfolders as shown below


Note: if there are no subfolders under the GRC folder you need to execute one report

Go to t-code SA38

Enter RS_APPL_REFRESH

Click on execute

Now go back and see the GRC folder. Now you can see the subfolders under GRC folder.

Now click on Assign Agents

Select TS76300011 as shown below

Now click on Attribute


You can see the below screen. Select option general task

Click on transfer button

Note: repeat the above process for all Assign Agents entries


Now go back to the GRC folder screen

Now click on Activate event as shown below

You can see the below screen

Now expand WS 76300001 you can see the below screen

Click on detail view

Check the check box Event linkage activated

And select Do not change linkage from the dropdown menu as shown below

Click on save button

Create customizing request

Go back and repeat the above process for the remaining WS XXXXXXX.

Important steps,

If for the GRC folder we have no TS (Assign agents) and WS (Activate event),

then we need to do the below process

Go to t-code SWE2

You can see the below screen


Select one object type CL_GRAC_ACCESS_APPROVAL_WF and double click on it.

You can see the below screen


In the same screen, check the check box linkage activated and select Do not change linkage as shown in the below screen

Click on save button

Now go back to the GRC folder screen and do the same process (Assign agent and Activate event) to activate.

Important steps,

Go to t-code PFTC

Select task type as standard task as shown below


Select task as ex: 7630918 (these numbers belong to TS, which we handled in the previous step, Assign agents)

Click on change button

In that screen go to the menu bar and select Additional data > Agent assignment > Maintain

Display role (name) should be selected

If a popup box is displayed, click on no

Note: do the same as above for event linkage

Next step,

Now go to t-code SWDD

You will get below screen


Select the workflow area under the information area

For that, enter *GRAC* in browse

You will get list of GRAC as shown below

Select any one of the GRAC workflows

Ex: GRAC_AR selected; the screen looks like below


Now click on Activate button

You can see the graphical model on right side for that workflow.

Background job synchronization


Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand Access control

Expand synchronization jobs

Click on Authorization synch

You will get below screen


Select connector as grcclnt200

If you want to run it directly, click on the execute button

Otherwise go to the menu bar and select Program > Execute in Background

Then you will get one popup window as shown below

Don’t select anything, just click on the tick (checkmark) button


Now click on immediate button

Now click on save button in same screen

Next step,

Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand Access control


Expand synchronization jobs

Click on Repository object synch

you will get below screen

Select the connector grcclnt200

If the repository object synch is run for the first time, select the option Full sync mode as shown below

If you want to run it directly, click on the execute button

Otherwise go to the menu bar and select Program > Execute in Background

Then you will get one popup window as shown below

Don’t select anything, just click on the tick (checkmark) button

Now click on immediate button


Now click on save button in same screen

Next step,

Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand Access control

Expand synchronization jobs

Click on Action usage synch

You will get the below screen; select connector grcclnt200

If you want to run it directly, click on the execute button

Otherwise go to the menu bar and select Program > Execute in Background

Then you will get one popup window as shown below

Don’t select anything, just click on the tick (checkmark) button

Now click on immediate button


Now click on save button in same screen

Next step,

Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand Access control

Expand synchronization jobs

Click on Role usage synch

If you want to run it directly, click on the execute button

Otherwise go to the menu bar and select Program > Execute in Background

Then you will get one popup window as shown below

Don’t select anything, just click on the tick (checkmark) button

Now click on immediate button


Now click on save button in same screen

Configuration of four components


ARA configuration

Maintain configuration settings (setting parameters for risk analysis)

Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand Access Control

Click on maintain configuration settings

You will get below screen


Set the parameters for risk analysis from parameter ID 1022 to 1053 as shown below

Note: Risk analysis is of 2 types: online risk analysis and offline risk analysis

What is the difference between them?

Online risk analysis: goes directly to the back-end system every time a risk analysis is run

Offline risk analysis: the risk analysis data is stored in either the database (D) or a file (F)

Whenever a risk analysis is run, data is fetched from D or F only, based on the configuration parameters.

Next step,

Generate SOD rules

Go to T-code SPRO

Expand Governance, Risk and Compliance

Expand Access Control

Expand Access Risk analysis

Expand SOD rules

Click on Generate SOD rules

You will get the below screen; put * in the Risk ID field.

Now click on execute button

Otherwise go to the menu bar and select Program > Execute in Background

Then you will get one popup window as shown below

Don’t select anything, just click on the tick (checkmark) button

Now click on immediate button


Now click on save button in same screen

Note: whenever we activate the BC set GRAC_RA_RULESET_COMMON in t-code SCPR20, we automatically get some .txt files in the back-end system.

Files are :

business process.txt

function action.txt

function business process.txt

function permission.txt

functions.txt

risk disc.txt

risk rule set relationship.txt

risk.txt

rule set.txt

Next step,

Batch risk analysis for offline risk analysis

Go to T-code SPRO

Expand Governance, Risk and Compliance

Expand Access Risk Analysis

Expand Batch Risk Analysis

Click on Execute Batch risk analysis


Under system selection enter as below

Job name: Risk Analysis Batch mode. New run

System: grcclnt200

Batch processing mode: Full

Rule set: GLOBAL

Select under object selection

Check the check box User Analysis

Check the check box Technical Role


Select under risk analysis type

Check the check box Permission/critical action/critical permission level

Check the check box critical role/profile level

Now go to the menu bar and select Program > Execute in Background (offline)

Or click on execute button (online)

If offline, click on immediate button

Save in same screen.

IMP NOTE: After execution of the above step, the risk analysis report is generated and stored in the file (F) location which we specified in parameter 1052 (risk analysis spool): D:\spool\

Next Step,
To see these Reports

Go to NWBC in client 100

Click on /nwbc

Select Access Management tab

And click on user level under Access Risk Analysis as shown below

You will get below screen

Select the system as shown below and click on ok button

Select the user as shown below and click on ok button

Select the required fields and click on Run in foreground button


Now you can see the Result page as shown below screen

You can select summary report from dropdown menu based on requirement as shown below

Next Step,
Mitigation ID creation. For that we need to do the following steps:

Step1: Create Mitigation owner and controller

Step2: Define Organization structure

Step3: Define Access control owner (mitigation controller, owner)

Step4: Assign controller, owner to the organization hierarchy

Step5: Creating mitigation ID’s and Assigning controller approver

Step6: Parameter settings for mitigation control

Step1: Create Mitigation owner and controller

Create Mitigation owner and controller in GRC system (in client 100)

Ex: MGT_CON and MGT_OWN

Go to SU01 and create them with the roles

SAP_GRAC_CONTROL_MONITOR

SAP_GRAC_CONTROL_OWNER

Step2: Define Organization structure

Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand Shared master data settings

Click on create root organization hierarchy

You will get below screen


Select organization view as standard hierarchy

Under details

Enter Root Org unit : GRC USA

Child Org Unit: GRC California

Click on execute button

Next step,

Where can we see this org structure?


Go to t-code NWBC

Click on setup tab

Under organization click on organizations

You can see the Hierarchy as shown below screen

Step3: Define Access control owner (mitigation controller, owner)

Go to t-code NWBC

Select setup tab


Click on access control owners under access owners

You will get below screen

Then click on create button


You will get below screen

Now under group type select option owner

Under group details select the user ID which we created earlier, i.e. controller user ID: MGT_CON

Under owner type, check the check box mitigation monitors

Repeat the above process for MGT_OWN and check the check box mitigation approver

Click on save button

Step4: Assign controller, owner to the organization hierarchy

Go to t-code NWBC

Select Master Data

Under organizations click on Organizations


Select Organization Hierarchy

Select the org structure ex: GRC California

Click on Open button

In next screen select owners tab


Click on Add row button

Select owner, controller user IDs as shown below and click on ok button

Click on save button

Step5: Creating mitigation ID’s and Assigning controller approver

Go to t-code NWBC

Select setup tab

Click on mitigating controls under mitigation controls


You will get below screen

Then click on create button

Then in the next screen select the general tab and fill the required fields based on requirement as shown below, and enter notes (write something related to the process)

Now select the access risks tab and click on the Add row button

Select the Risk ID and enter the Rule ID (enter * in this field) as shown below

Now select the owners tab

Select the controller as monitor

Select the owner as approver


Click on save button
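The "Generate SOD rules" step and the Rule ID * entry in Step5 are easier to follow with a small model. The following is an added example, not SAP code and not from the original notes: it expands risks into action-level rules, runs a user-level risk analysis, and applies mitigation assignments. The rule set, IDs, users, control IDs, the rule numbering and the validity date on an assignment are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from itertools import product

# Constructed sample rule set (IDs are placeholders, not delivered content).
# A function groups actions (t-codes); a risk is a conflicting function pair.
FUNCTIONS = {
    "ZF01": {"FK01", "FK02"},   # maintain vendor master
    "ZF02": {"F-53", "F110"},   # process vendor payments
    "ZF03": {"ME21N"},          # create purchase order
}
RISKS = {
    "ZR01": ("ZF01", "ZF02"),
    "ZR02": ("ZF03", "ZF02"),
}

# Constructed users with the actions their roles grant.
USERS = {
    "JSMITH": {"FK01", "F-53", "SU53"},
    "AKHAN": {"FK02", "F110", "ME21N"},
    "MLEE": {"FK01"},
}


@dataclass(frozen=True)
class Mitigation:
    control_id: str
    user: str
    risk_id: str
    rule_pattern: str   # "*" covers every rule of the risk
    valid_to: date      # assumption: assignments carry an end date


MITIGATIONS = [
    Mitigation("ZMC_VEND01", "AKHAN", "ZR01", "*", date(2030, 12, 31)),
    Mitigation("ZMC_VEND01", "JSMITH", "ZR01", "*", date(2020, 1, 1)),  # expired
]


def generate_rules(risks, functions):
    """Expand each risk into one rule per conflicting action combination."""
    rules = {}
    for risk_id in sorted(risks):
        action_lists = [sorted(functions[f]) for f in risks[risk_id]]
        number = 0
        for combo in product(*action_lists):
            if len(set(combo)) < len(combo):
                continue  # the same action on both sides is not a conflict
            number += 1
            rules[(risk_id, f"{number:03d}")] = frozenset(combo)
    return rules


def analyze_user(actions, rules):
    """Return (risk_id, rule_id) for every rule the user's actions satisfy."""
    return [key for key in sorted(rules) if rules[key] <= actions]


def is_mitigated(user, risk_id, rule_id, mitigations, today):
    return any(
        m.user == user and m.risk_id == risk_id
        and fnmatchcase(rule_id, m.rule_pattern) and m.valid_to >= today
        for m in mitigations
    )


def risk_report(users, rules, mitigations, today):
    """Split each user's violations into open and mitigated."""
    report = {}
    for user in sorted(users):
        open_items, mitigated = [], []
        for risk_id, rule_id in analyze_user(users[user], rules):
            hit = is_mitigated(user, risk_id, rule_id, mitigations, today)
            (mitigated if hit else open_items).append((risk_id, rule_id))
        report[user] = {"open": open_items, "mitigated": mitigated}
    return report


if __name__ == "__main__":
    all_rules = generate_rules(RISKS, FUNCTIONS)
    for user, result in risk_report(USERS, all_rules, MITIGATIONS, date.today()).items():
        print(user, result)
```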

Step6: Parameter settings for mitigation control

Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand Access control

Click on Maintain Configuration settings

Then you will get below screen


You need to set the parameters from 1011 to 1013 as shown in the below screen

Click on save button


Related topics:

Mitigation logs

Where to assign mitigation control IDs to a user

How to mitigate the risk

Mass mitigation process

Mass user risk analysis

Simulation process.
Next Topic:

EAM (SPM)- Emergency Access Management:


The purpose of EAM is to allow users to take responsibility for tasks outside their normal job function.

This component allows temporary access for users when they are assigned to solve a problem, giving them provisionally broad but regulated access.

Temporary access is monitored and recorded in the application.

Advantages of GRC 10.0 EAM:

EAM gives the ability to manage and utilize firefighting activities centrally from the Access Control 10.0 application.

The log files can be distributed to the controllers and owners via workflow for additional approval.

Difference between 5.3 and 10.0 EAM:


GRC AC 5.3

This access is obtained through SPM1

The firefighter can access the FFID through t-code /n/virsa/vfat

The firefighter needs to log in to the same system in which FFID access is assigned to the firefighter user.

Firefighter logs can be read from the same system

Firefighter owner, controller and firefighter should exist in the same system

No need to assign any other common role to the FFID except the required emergency access role

GRC AC 10.0

Here access is obtained through EAM

Here it can be accessed through t-code GRAC_SPM

Here the user needs to log in through the central system (GRC) and is remotely logged in to the back-end system through RFC or connectors

Logs can be maintained or read from the central system (GRC)

Firefighter owner and controller should exist in the central system, and the firefighter needs to exist in both systems (GRC + back end)

We need to assign a common role, which we define in the configuration parameter for EAM, 4010

Ex: SAP_GRAC_SPM_FFID (ROLE)

If you assign this role, the user can act as FF user.

Pre-requisites
Create users and assign required access roles

Create basis FFID and assign below the roles

Login to GRC system (client 200)

Execute T-code SU01

Enter user ID FFID_BC

User type should be service type

Select roles tab

Assign already created emergency access role Z:BC_clientadm

T-code in that role SCCL,SCC4,SCC8,SCC9,SCC5

Authorization object S_RFC

And assign which we configured role in the parameter 4010 (ex:SAP_GRAC_SPM_FFID)

CREATE FIRE FIGHTER CONTROLLER

Login GRC system with client 100

Enter user ID as FFC_BC

User type : dialog

Select role tab enter role SAP_GRAC_SUPER_USER_MGMT_CNTLR.

CREATE FIRE FIGHTER OWNER

Login GRC system with client 100


Enter user ID FFO_BC

User type: dialog

Role: SAP_GRAC_SUPER_USER_MGMT_OWNER

CREATE FIREFIGHTER USER

Login GRC system with client 100 and backend system client 200 (login user ID sap*)

Go to t-code SU01

User ID: FF_USER

User type: dialog

Role: SAP_GRAC_SUPER_MGMT_USER

STEP1:
Go to t-code SPRO

Expand Governance, Risk and Compliance

Expand Access Control

Expand synchronization jobs

Click on Repository object synch

you will get below screen


Select the connector grcclnt200

If the repository object synch is run for the first time, select the option Full sync mode as shown below

If you want to run it directly, click on the execute button

Otherwise go to the menu bar and select Program > Execute in Background

Then you will get one popup window as shown below

Don’t select anything, just click on the tick (checkmark) button

Now click on immediate button


Now click on save button in same screen

OR
Go to SA38

Execute a program GRAC_ROLEREP_USER_SYNC

STEP2:
Go to t-code NWBC

Select Setup tab

Under Access owners, select Access Control owners


You will get below screen, in that click on create button.

Select the radio option owner, under Group type


Select the owner user ID FFC_BC, under group details as shown below

Now under owner type, check the check box Fire Fighter ID controller

Click on save button

Next step,

Again go to t-code NWBC

Select setup tab

Select access control owner

Click on create

Select radio option owner

Select owner user ID FFO_BC


Click on Save button

STEP3:
Go to t-code NWBC

Select setup tab

Select owners, under super user assignment


You will get below screen, in that click on assign button

Select FFO_BC row

Click on OK button

Click on ADD button

Select Fire fighter ID FFID_BC row

Click on right arrow to move to right side

Click on OK button

Click on save button, then you will get screen like below

STEP4:
Go to t-code NWBC

Select setup tab

Click on Fire fighter IDs, under super user assignment

Click on Assign button

Select FFID_BC row

Click on OK button

Click on ADD button (select Fire fighter tab)

A popup window opens; in that select firefighter FF_USER

Click on save.

Next, select Controller tab

Click on ADD button

Select fire fighter user ID row

Select FFC_BC

Write in notification log display

Click on save button, you can see the screen like below.

STEP5:
Go to t-code NWBC

Select setup tab

Click on Reason codes as shown below.


You will get below screen, in that click on create button.

Then you will get below screen

In that, enter Reason code Ex: client open

Enter Description

Then click on ADD button as shown below


Then you will get one popup window, and then select system grcclnt200.

Click on the right arrow button to move it to the right side

Click on ok button

Click on save button. Then you can see the screen like below.

STEP6:
Log in to client 100 with user ID FF_USER

Execute the t-code GRAC_SPM

Click on button in column logon using FFID

You will get one popup window

Select Reason codes from Drop down which we defined in NWBC

Enter T-codes in Reason codes box

Enter description in below box


Click on continue button

Now you will be in client 200

You can do any activities here based on requirement

This means you got emergency access to do some activities.


LOG REPORTS:
Note: Log on with the controller or owner user IDs

Reporting

1. Report types
2. Log collection
3. Log retrieval

Report types: The reports can be accessed using NWBC or the portal and are located under reports and analytics

1) Consolidated log reports:

This report provides information based on the following logs from the remote system.

Transaction log:

Capture transaction execution from transaction STAD.


Change log:

Capture change log from change document objects (tables CDPOS and CDHDR)

System log:

Capture debug and replace information from transaction SM21


Security audit log:

Capture security audit log from transaction SM20


OS command log:

Captures changes to OS commands from transaction SM49


2) Invalid super user report:

This report gives the details of all users (FIREFIGHTER, CONTROLLER, OWNER and FIREFIGHTER ID) who are expired, locked or deleted. In the case of role-based firefighter, it gives the details of whether the role has been generated or not.

3) Fire fighter log summary:

It provides details of the sessions in which the firefighter logged into the remote system using the FFID, for the ID-based FF application.

4) Reason code and activity report:

This report provides the details of the reason and activity used by the firefighter.

5) SOD conflict report for fire fighter ID:

Covers the case when the firefighter logs in to the remote system using the FFID and performs certain transactions which violate access risk rules.

LOG COLLECTION:
The details of the transactions executed by the firefighter lie in the remote system in CDHDR, CDPOS, STAD, SM19, SM49 and the debug and replace information.

The data from the remote system can be fetched using the log collector, which can be executed as a foreground or background job.

LOG COLLECTION FOREGROUND JOB:

Go to t-code NWBC

Select the report and analytics

Click on consolidated log report under Emergency access management report

You can see the consolidated log report screen.

In that, select the report name from the dropdown menu (transaction log, change log, audit log etc.)

Select system as grcclnt200

Select firefighter ex: FF_USER

Click on update fire fighter log button

You can see firefighter log updated successfully message.


Then click on update firefighter log button

Log collection background job:

The background job for log collection can be scheduled from SM36, and it can be scheduled on a periodic basis. The status of the background job can be checked from transaction SM37.

The program name for the background job is GRAC_SPM_LOG_SYNC_UPDATE.


Consolidated log report: (transaction log)

Go to t-code NWBC

Select Report and analytics

Click on consolidated log reports under Emergency access management Reports.

Select report name as transaction log

Select system as grcclnt200

Select firefighter ex: FF_USER

Click on Run in Foreground button

You can see the list in below result screen

Consolidated log report: (change log)

Now select change log from the dropdown menu list instead of transaction log

Repeat the same process as above.

For the remaining logs, follow the same process.
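What a controller checks in the transaction log can be expressed as a small script. This is an added example, not part of the original notes and not an SAP report: it compares the t-codes a firefighter executed with the t-codes entered at FFID logon and with the t-codes of the emergency access role listed earlier for FFID_BC. The session records and the semicolon-separated export layout are constructed for illustration.

```python
import csv
import io
import re

# T-codes of the emergency access role assigned to FFID_BC in these notes.
FFID_ROLE_TCODES = {"SCCL", "SCC4", "SCC8", "SCC9", "SCC5"}

# Constructed sessions: what the firefighter entered at FFID logon.
SESSIONS = {
    "S1": {"firefighter": "FF_USER", "ffid": "FFID_BC",
           "reason": "client open", "declared": "scc4"},
    "S2": {"firefighter": "FF_USER", "ffid": "FFID_BC",
           "reason": "client open", "declared": "SCCL, SCC9"},
    "S3": {"firefighter": "FF_USER", "ffid": "FFID_BC",
           "reason": "client open", "declared": "SCC4"},
}

# Constructed transaction log export (layout is an assumption).
LOG_EXPORT = """session;timestamp;ffid;system;tcode
S1;2024-05-02 10:14:03;FFID_BC;GRCCLNT200;SCC4
S1;2024-05-02 10:16:41;FFID_BC;GRCCLNT200;SCC5
S1;2024-05-02 10:19:12;FFID_BC;GRCCLNT200;SU01
S2;2024-05-03 08:02:55;FFID_BC;GRCCLNT200;SCCL
S2;2024-05-03 08:30:10;FFID_BC;GRCCLNT200;SCC9
"""


def parse_declared(text):
    """Split the free-text t-code box into a set of upper-case t-codes."""
    return {t.upper() for t in re.split(r"[,\s]+", text.strip()) if t}


def review_sessions(sessions, log_export, role_tcodes):
    """Return (session, tcode, finding) tuples that need controller follow-up."""
    executed = {sid: [] for sid in sessions}
    for row in csv.DictReader(io.StringIO(log_export), delimiter=";"):
        executed.setdefault(row["session"], []).append(row["tcode"].upper())

    findings = []
    for sid in sorted(executed):
        session = sessions.get(sid)
        if session is None:
            findings.append((sid, "-", "log entries without a recorded session"))
            continue
        if not executed[sid]:
            # Either nothing was done or the log collector has not run yet.
            findings.append((sid, "-", "no log entries collected"))
            continue
        declared = parse_declared(session["declared"])
        for tcode in dict.fromkeys(executed[sid]):  # de-duplicate, keep order
            if tcode not in role_tcodes:
                findings.append((sid, tcode, "outside FFID role"))
            elif tcode not in declared:
                findings.append((sid, tcode, "not declared at logon"))
    return findings


if __name__ == "__main__":
    for finding in review_sessions(SESSIONS, LOG_EXPORT, FFID_ROLE_TCODES):
        print(*finding, sep=" | ")
```

A t-code outside the FFID role points to the role or the FFID's assignments having changed since setup; a session with no entries is a prompt to check the log collection job before signing off.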

Invalid super user Report:

Go to NWBC

Select report and analytics tab

Click on invalid super user report

Select system: grcclnt200

Select firefighter : FF_USER

Select owner: FFO_BC

Select firefighter ID: FFID_BC

Select controller : FFC_BC

Click on Run in foreground button

You can see the result in the below screen: FFO_BC locked


Firefighter log summary report:

Go to t-code NWBC

Select report and analytics

Click on firefighter log summary report

Select required fields

Click on run in foreground button.

Reason codes and activity reports:

Go to t-code NWBC

Select Reports and Analytics

Select Reason codes and activity report

Under emergency access management report

Select required fields

Click on run in foreground button

You can see the result in below screen.
