unit 7 labs - emergency access management virtual labs
TRANSCRIPT
Page | 1
Unit 7 – Emergency Access Management Exercise 7.1 – Review Emergency Access Management specific Configuration Objective – To understand the current and available configurations of the GRC v10.0 system
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Execute Transaction SPRO 3. Click SAP Reference IMG 4. Open Folders – Governance Risk and Compliance Access Control Maintain Configuration Settings
a. Review the following settings related to Emergency Access Management b. List which settings are set and their values
i. 6‐Superuser Management:4000‐Application type ii. 6‐Superuser Management:4001‐Default Firefighter Validity Period (Days) iii. 6‐Superuser Management:4002‐Send Email Immediately iv. 6‐Superuser Management:4003‐Retrieve Change Log v. 6‐Superuser Management:4004‐Retrieve System log vi. 6‐Superuser Management:4005‐Retrieve Audit log vii. 6‐Superuser Management:4006‐Retrieve OS Command log viii. 6‐Superuser Management:4007‐Send Log Report Execution Notification Immediately ix. 6‐Superuser Management:4008‐Send FirefightId Login Notification x. 6‐Superuser Management:4009‐Log Report Execution Notification xi. 6‐Superuser Management:4010‐Firefighter ID role name
Page | 2
Unit 7 – Emergency Access Management Exercise 7.1 – Review Emergency Access Management specific Configuration Solution:
Page | 3
Unit 7 – Emergency Access Management Exercise 7.2 – Maintain Reason Codes
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Reason Codes under the Superuser Maintenance section 4. Click Create 5. Create a Reason Code with the following information
a. Reason Code – Emergency Access Reason Code Group xx (where xx is your Participant ID) b. Description – Reason Code Maintenance for GRC Training Course Group xx (where xx is your Participant
ID) 6. Click Add to select the System to allow the Reason Code to be used for.
a. In the Select Systems screen, select ZMGCLNT800 and click ADD arrow to move the system ID to the Selected section
b. Click OK 7. Click Save. A confirmation will appear that the data has been saved 8. Click Close. The Active Queries screen will appear. Verify the information just entered appears.
a. If the information does not appear, click Refresh at the bottom of the query
Page | 4
Unit 7 – Emergency Access Management Exercise 7.2 – Maintain Reason Codes Solution:
Page | 5
Page | 6
Page | 7
Unit 7 – Emergency Access Management Exercise 7.3 – Maintain Owners / Controllers in Central Owner Maintenance
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Access Control Owners under the Access Owners section 4. Click Create 5. Create an Owner for a Firefighter ID with the following information
a. Group Type – Owner b. Owner – ACFFIDOWNxx (where xx is your Participant ID)
i. Enter the ID and press enter or search for the ID c. Click box for Firefighter ID Owner under the Select Column d. Enter comment – FF ID Owner Central Owner Maintenance for GRC Training Course Group xx (where xx
is your Participant ID) 6. Click Save. A confirmation will appear that the data has been saved 7. Click Close. The Active Queries screen will appear. Verify the information just entered appears.
a. If the information does not appear, click Refresh at the bottom of the query 8. Repeat Steps 4‐7 to create an Owner Assignment for the Firefighter ID Controller with the following information:
a. Group Type – Owner b. Owner – ACFFIDCNTLxx (where xx is your Participant ID)
i. Enter the ID and press enter or search for the ID c. Click box for Firefighter ID Controller under the Select Column d. Enter comment – FF ID Controller Central Owner Maintenance for GRC Training Course Group xx (where
xx is your Participant ID)
Page | 8
Unit 7 – Emergency Access Management Exercise 7.3 – Maintain Owners / Controllers in Central Owner Maintenance Solution:
Page | 9
Page | 10
Page | 11
Unit 7 – Emergency Access Management Exercise 7.4 – Assign Owners to Firefighter IDs NOTE: As a prerequisite, the Firefighter IDs have already been created on the ECC System (ZMCCLNT800) and have been assigned the appropriate roles to be used in Emergency Access as well as the Firefighter ID role listed in the Maintain Configuration Settings, Parameter Group 6, Parameter ID 4010. Profile / Role and User Synchronizations have also been performed.
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Owners under the Superuser Assignment section 4. Click Assign 5. Assign an Owner for Firefighter IDs with the following information
a. Owner ID – ACFFIDOWNxx (where xx is your Participant ID) i. Enter the ID and press enter or search for the ID
b. Click Add. This will open a line in the Firefighter ID section. c. Click Search. Search for Firefighter IDs with FFIDxx* (where XX is your Participant ID) d. Click Go e. Click Add All button (double arrow) to move the 5 Firefighter IDs to the Selected section f. Click OK
6. Add Comments to each ID – Training ID 7. Click Save. A confirmation will appear that the data has been saved 8. Click Close. The Active Queries screen will appear. Verify the information just entered appears.
a. If the information does not appear, click Refresh at the bottom of the query
Page | 12
Unit 7 – Emergency Access Management Exercise 7.4 – Assign Owners to Firefighter IDs Solution:
Page | 13
Page | 14
Page | 15
Page | 16
Unit 7 – Emergency Access Management Exercise 7.5 – Assign Controllers to Firefighter IDs NOTE: As a prerequisite, the Firefighter IDs have already been created on the ECC System (ZMCCLNT800) and have been assigned the appropriate roles to be used in Emergency Access as well as the Firefighter ID role listed in the Maintain Configuration Settings, Parameter Group 6, Parameter ID 4010. Profile / Role and User Synchronizations have also been performed.
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Controllers under the Superuser Maintenance section 4. Click Assign 5. Assign a Controller for Firefighter IDs with the following information
a. Controller ID – ACFFIDCNTLxx (where xx is your Participant ID) b. Click Add c. Search for Firefighter IDs that match FFIDxx* (where xx is your Participant ID) d. Hold the Ctrl key and click each ID desired (FFIDxx01 – FFIDxx05). Click Add arrow (single arrow) to
move to the Selected section e. Click OK
6. Select Notification by Workflow for each ID added 7. Add Comments to each ID – Training ID 8. Click Save. A confirmation will appear that the data has been saved 9. Click Close. The Active Queries screen will appear. Verify the information just entered appears.
a. If the information does not appear, click Refresh at the bottom of the query
Page | 17
Unit 7 – Emergency Access Management Exercise 7.5 – Assign Controllers to Firefighter IDs Solution:
Page | 18
Page | 19
Page | 20
Page | 21
Unit 7 – Emergency Access Management Exercise 7.6 – Assign Firefighter Users to Firefighter IDs NOTE: There are 2 ways to assign Firefighter Users to Firefighter IDs. You can assign a Firefighter to a Firefighter ID (Firefighter IDs quick link) or a Firefighter ID to a Firefighter (Firefighters quick link). This exercise will cover both scenarios.
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACTRNGxx (where xx is your Participant ID) 2. Go to workcenter Setup 3. Click Firefighter IDs under the Superuser Assignment section 4. Click Assign 5. Assign a Firefighter to a Firefighter ID with the following information
a. Firefighter ID – FFIDxx01 (where xx is your Participant ID) i. Enter the ID and press enter or search for the ID
b. Criticality – Medium 6. Click Add 7. Enter Firefighter User ID
a. Enter the ID and press enter or search for the ID 8. Click the Controller tab. Review the information. 9. Click Save. A confirmation will appear that the data has been saved 10. Click Close. The Active Queries screen will appear. Verify the information just entered appears.
a. If the information does not appear, click Refresh at the bottom of the query 11. Click X in upper right corner to close the query window. 12. Click Firefighters under the Superuser Maintenance section 13. Select your FF User Training ID in the query 14. Click Open to add additional Firefighter IDs to this Firefighter
a. Click Add
Page | 22
b. Click Search in Firefighter ID field c. Search for available Firefighter IDs like FFIDxx* (where xx is your Participant ID)
i. Note: The Firefighter ID that has already been assigned will appear in the Selected section d. Select the remaining 4 Firefighter IDs shown in the Available section and click the Add arrows to move to
the Selected section. e. Click OK
15. For each of the Firefighter IDs just entered, you will need to search for an Owner and select from that screen to populate the Owner field.
16. Add Comments to each ID – Training ID 17. Adjust the Valid To date for the FFIDxx03, FFIDxx04, and FFIDxx05 to 12/31/9999 18. Click Save. A confirmation will appear that the data has been saved 19. Click Close. The Active Queries screen will appear. Verify the information just entered appears.
a. If the information does not appear, click Refresh at the bottom of the query
Page | 23
Unit 7 – Emergency Access Management Exercise 7.6 – Assign Firefighter Users to Firefighter IDs Solution:
Page | 24
Page | 25
Page | 26
Page | 27
Page | 28
Page | 29
Unit 7 – Emergency Access Management Exercise 7.7 – Execute a Firefight Session New Feature: Firefight sessions are executed from the GRC 10.0 ABAP client instead of each individual system
1. Logon to ABAP client for GRC V10.0 (ZMC) with user ID ACFFIGHTERxx (where xx is your Participant ID) 2. Execute Transaction GRAC_SPM or select from the SAP Easy Menu 3. Click Logon for FFIDxx01 (where XX is your Participant ID) 4. Select Reason Code and Enter additional data about Firefighter session execution
a. Reason Codes – Select the Reason Code you created previously b. Enter additional Comments for Reason Code – Execute Firefight Session for GRC Training Course Group
xx (where XX is your Participant ID) c. Enter the actions you anticipate to perform – OB52; PFCG; d. Click Green Check to confirm
5. A new SAP session will open. Check to see that the correct system and ID have been logged into. 6. Execute the following transactions (please do not make any changes to the data that appears)
a. OB52 b. PFCG c. SU01D
7. After executing the last transaction, enter /nex to exit from the Firefight Session or use navigation arrows to log off.
8. On the Superuser Privilege Management screen, click Additional Activity. a. Enter comments as to the additional activity that was executed that was not anticipated.
i. After entering Session, it was required to execute SU01D Group xx (where xx is your Participant ID)
b. Click Green Check to confirm 9. Log off ZMC ABAP client.
Page | 30
Unit 7 – Emergency Access Management Exercise 7.7 – Execute a Firefight Session Solution:
Page | 31
Page | 32
Page | 33
Page | 34
Page | 35
Page | 36
Page | 37
Page | 38
Page | 39
Page | 40
Unit 7 – Emergency Access Management Exercise 7.8 – Review Log Report from Firefight Session
1. Logon to NWBC client for GRC V10.0 (ZMC) with user ID ACFFIDOWNxx (where xx is your Participant ID) 2. Go to workcenter Reports and Analytics 3. Click Consolidated Log Report under Superuser Management Reports section 4. Click Update Firefighter Log 5. When finished, a confirmation will appear that the Firefighter log updated successfully 6. Search for the log report for the session just completed above with the following information:
a. System – ZMGCLNT800 b. Owner – ACFFIDOWNxx (where xx is your Participant ID)
7. Click Run in Foreground 8. Review the data that appears. Scroll to the left to see more data. 9. Click on Session Details at the end of the column to see a different version of the Log Reports
Page | 41
Unit 7 – Emergency Access Management Exercise 7.8 – Review Log Report from Firefight Session Solution:
Page | 42
Page | 43
Page | 44
Page | 45
Page | 46
Page | 47
Firefighter ID Owner Firefighter ID Owners are responsible for maintaining firefighter IDs and their assignments to firefighters Firefighter Role Owner Firefighter Role Owners are responsible for maintaining firefighter roles and their assignments to firefighters Risk Owner Risk Owners are assigned to risks and are commonly responsible for approving changes to risk definitions and violations of the risk. Risk Owners may also receive conflicting and critical action alerts. Role Owner Role owners are responsible for approving either role content or user‐role assignment or both Mitigation Monitors Mitigation Monitors are assigned to controls to monitor activity and may receive control monitor alerts. Mitigation Approvers Mitigation Approvers are assigned to controls and are responsible for approving changes to the control definition and assignments when workflow is enabled. Firefighter ID Controller Firefighter ID Controllers are responsible for reviewing the log report generated during firefighter ID usage. Firefighter Role Controller Firefighter Role Controllers are responsible for reviewing the log report generated during firefighter role usage. Point of Contact Point of Contact is an approver for a specific Functional Area. Functional Area is an attribute used to categorize users and roles. Security Lead Security Lead is a group or individual that can provide secondary approval for access requests and reviews Workflow Administrator Workflow administrator is responsible for reassignment of workflows due to an incorrect approver, error condition, or escalation.