cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

EAM: In SP09 for centralized access can FFID/User login to plug in system in case GRC 10 is down ?

Go to solution
Former Member

on ‎12-09-2012 6:18 PM

0 Kudos

Hello Gurus,

Got couple of questions:

1. I have SP09 implemented in my GRC 10 system, i have a question, can FFID/User login to plugin system to directly in case GRC 10 is down ?

    I know we can login to pugin directly in case of SP10 but how abt SP09 ?

2. Where can i find the latest release dates of SP from SAP and what changes are made in that SP, for GRC 10 ?

Regards,

Rajesh Nanda.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎12-10-2012 1:17 AM
0 Kudos

Hi Rajesh

1) If you have implemented the user exit and the corresponding configurations in the back-end system:

1735971 - User exit to prevent direct firefighter login

1545511 - Firefighter User Exit

you can remove the role that identifies the FF users from them: parameter 4010 in GRC Box <-> Parameter 1090 in the plugin system (you've probably made a copy of the standard role SAP_GRAC_SPM_FFID) and then the user will be able to login directly.

If the user exit hasn't been implemented then the firefighter is like any normal user and is able to login directly.

Bear in mind that each time a FF ID is used the password is changed by the application, so, you will have to reset the password.

Of course, you won't get any log in GRC, so you might want to activate a trace to the user for example in such cases.


I don't like this kind of check based on a role assigned to the user :http://scn.sap.com/thread/3273562

2) Interesting. Actually you'll find some notes related to de-centralized FF for example:

Note 1752942 - EAM Decentalization Changes - Interface Note 3

As per my understanding they're still working on this and is still not available for use, but it'll be soon (???)

If you access here: http://service.sap.com/swdc and navigate to

SAP Solutions for Governance, Risk, and Compliance" SAP GRC Access Control" SAP GRC ACCESS CONTROL" SAP ACCESS CONTROL 10.0" Entry by Component" GRC ABAP Components

SAP GRC SHARED COMPONENTS 10.0

and click here for example:

GRCFND_A V1000: Support Package 0010

you'll get all the notes included in SP10 for the GRC ABAP component. You might want to check also SP10 details for GRCPINW/GRCPIERP.

Hope it helps.

Cheers,

Diego.

Show replies
Show replies
Former Member
‎12-10-2012 7:48 AM
0 Kudos

Hi Diego,

If i am understanding correctly. The FF ids will be created and users will directly login to system with those users itself.

For e.g: A is the user in system FP1 and B is the FF id in system FP1.

So if user A needs FF access he will be given the password for user id B and he will login to system with user B ?

If this is the case then how will we monitor the activities done by FF id?

It would be better to use old method of assignment till SP10 is implemented. 

Regards,

Rajesh

Former Member
‎12-10-2012 7:35 PM
0 Kudos

Hi Rajesh,

Yes, I meant that. But this is only a "emergency" procedure in case GRC Box doesn't work. As I mentioned, you have trace the user activities by other methods in such case.

What do you mean by"better to use old method of assignment"? can you explain that?

What's is the change in SP10 that you mentioned "I know we can login to pugin directly in case of SP10 but how about SP09"??

Cheers,

Diego.

Former Member
‎12-12-2012 10:00 AM
0 Kudos

Hi Diego,

I mean to say by old method is:

1. to use tcode /n/virsa/vfat and assign the users FF id manually and do it the way we do in GRC 5.3 and track the activities of FF ids.

2. I just got reply from SAP that in case GRC  is down the user can login to remote system if  FF  assignment is already done for that user. This feature is being introduced in SP10.

I think we will go for method 1 as everything will be jammed if GRC 10 is down till SP09.

Once we implement SP10 we will think of moving to Decentralized approach.

Till SP10 FF will be waste fofr us.

Rajesh

Former Member
‎12-12-2012 7:16 PM
0 Kudos

Hi Rajesh,

Do you have more information on point 2? Is it like an mixed method between centralized an decentralized?

Cheers,
Diego.

Former Member
‎12-13-2012 5:42 AM
0 Kudos

Hi Diego,

Yes with SP10 there is hybrid approach for using FF.

Here are highlights:

1. You can login to plugin system directly with different tcode - /GRCPI/GRAC_EAM(i think this is the tcode)

2. You can extend the validity date in plug in system

3. You can maintain controller,owner etc in plug in system and then sync with GRC 10 system.

4. However, all reporting and assignment has to take place in Central GRC 10 system.

So even in case of decentralized approach you get benefits of central GRC 10 system and i believe decentralized approach is more work for us.

Rajesh

Former Member
‎12-13-2012 12:55 PM
0 Kudos

Hi Rajesh

It's good to know that, but you mean that you can work with both methods at the same time?

and are you sure that SP10 implements decentralized GRC completely? as I've seen in the notes the mentioned "advance corrections".

Cheers,

Diego.

Former Member
‎12-14-2012 4:50 AM
0 Kudos

Hi Diego,

Go through the note - 1690964

Go through this and we can talk.

Rajesh

Former Member
‎12-15-2012 1:22 AM
0 Kudos

Very helpful. Thanks!!

Answers (0)

Ask a Question