SAP GRC EAM – resolving conflicts between Emergency Readiness & Compliance
SHARE facebook



By: Krypt Team - December 6th, 2019

Authored by: Vijendra Kargudri


When users have excess access within an SAP system, they can damage the system’s security and break compliance. This can happen due to intentional/accidental misuse, and/or unexplained software conflicts. In such a scenario a developer can investigate the breakdown after obtaining emergency access to the production system.

The grant to access is through a standard process called SAP Emergency Access Management (SAP EAM). SAP GRC access control & process control are automated tools to manage an internal security model, monitor potential risks, and remediate compliance issues.

However, giving the developer access to the production system compromises the system in terms of both – compliance & security. Attending to such an issue requires placing SAP EAM within the purview of your Governance, Risk and Compliance (GRC) programs, known as SAP GRC EAM.

SAP GRC EAM – what is it?

To understand the potential risks of SAP EAM in the context of GRC, at the outset it is necessary to get a basic sense of how EAM works. SAP EAM is a set of features, mostly involving SAP Access Controls, that enables end-users to resolve an emergency situation. SAP EAM is designed to assign emergency access through a controlled and auditable process. For instance, SAP EAM logs all the activities the user undertakes while assigned the temporary ID. Several workflows and functions flow from the role assignment and tracking process.

SAP GRC EAM Tcode – its importance

SAP “firefighter” session has two basic modes of assigning emergency access –

  1. Firefighter ID or FFID is by user ID. This approach exposes the system to greater risk as FFIDs link with specific roles, each assigned to its own tcode. If a user wants to misuse the role (i.e. commit fraud), then he/she can execute tcode from his/her own user ID and then from the FFID. Only stringent monitoring would help catch this person.
  2. Firefighter Role or FFRole is by a user’s assigned role using the user id. In contrast, creating an FFRole with the same tcode creates a scenario where every action taken by the user will appear with their user ID. This makes it easier to detect misuse of emergency credentials.

SAP GRC Firefighter Workflow

It is necessary to establish a workflow for assigning Firefighter credentials. Someone has to serve as an EAM Owner in the IT organization. This person, who should be a trusted individual, receives EAM requests. In a typical workflow, the EAM Owner is the first of two approvers of the EAM request. If he/she rejects the EAM request, then it is the end of the workflow. However, if the EAM owner approves the request, it should flow to a security approver, who can also approve/reject the request.

SAP GRC Firefighter Log Report

The SAP GRC Firefighter Controller log is created by SAP EAM, existing inside SAP Access Controls. The log contains information on EAM requests and approvals as well as Firefighter sessions. It consists of separate logs for transactions (STAD), changes, debug & replace activities, OS commands, and a security audit log.

Challenges using SAP’s built-in EAM Functions

Use of native SAP EAM is challenge ridden as:

  • the Firefighter assignment workflow is manual, which is inefficient
  • end-users have to make decisions, usually without all the information they need
  • it’s time-consuming – to conduct log analysis to detect potential security issues
  • security risks may escape detection if not monitored diligently
  • the process may inadvertently create violations of Segregation of Duties (SoD) controls, required for compliance with regulations like Sarbanes Oxley (SOX).

In general, organizations comply with SOX SoD requirements by reducing access to production systems. And, this conflicts with emergency access requirements. While using the manual SAP EAM process means the user having the Firefighter role needs to contact security and get his/her role removed after completing the required task. This creates a burden on security personnel and a high likelihood of never even occurring— thereby making temporary access permanently open and prone to misuse.

 SAP GRC EAM – the value of automating

SAP GRC EAM automation offers the following values to an organization’s system –

  • balances emergency access needs with security & compliance policies
  • automated process eliminates manual security workflows for issuing emergency access credentials
  • frees security personnel from a time-consuming obligation
  • possible to grant access that stays within SoD controls
  • the solution automatically logs & tracks every activity undertaken by the user during an SAP firecall session
  • generates an easily accessible audit trail and detailed documentation after the emergency session

KRYPT is a preferred SAP Partner and has assisted in the success of global businesses through the implementation of SAP GTS, TM, IBP & EWM.

If you wish to know more about our products/services, please request a DEMO or do contact us.

Follow us on:


Image Credit: Pixabay

Subscribe to Our Blog