If firefighter is invalid user:

Check FF user has authorization to ACTVT 03, and User Group * in S_USER_GRP Object(sap_grc_fn_base)
If you don’t maintain actvt 3 , u cant perform logon and actvt 5 ,you cant perform additional activity.
Make sure the role name maintained parameter 4010 is assigned to the FF ID in target system.
Make sure EAM master data synch job is running.
You need to check the parameters 1000 (The Plug-in Connector) & 1001 (The GRC Connector) in the Plug-in system.
Make sure your RFC user has all the required authorizations. RFC user has SAP_ALL profile

(Decentralized firefighting allows you to use the Emergency Access

Management (EAM) Launchpad directly on the plug-in systems to perform
firefighting activities in case the GRC system is not available.
The most important advantage of decentralized firefighting is that you can continue using firefighter even when the GRC Box is down. In my opinion, it’s also more “user-friendly” since the
firefighter doesn’t have to log on to GRC Box in order to start the firefighting session, he/she only needs to execute a transaction in the plugin system. For some companies, the centralized
approach is better since the user access to a system (GRC Box) and can start firefighter sessions in multiple systems.)

As per GRC Administrator …assign owner types to users in grc system under access control owners.
Frequency of usage (firefighter access) is tracked by reason code.
To view usage by system, select the reason code, then click Open.
Note: if you are unable excute the required tcodes in target system in case of eam…check the service id/ firefighter id (in backend system/arget system) is assigned with profile
sap_all or not …if not then assign …now you can excute

Check the user is locked or not

This tables contain entries:
GRACUSERCONN
GRACRLCONN
GRACACTRULE
This tables does not contain entries:
GRACUSERACTVL
GRACUSERPRMVL
ARA AT USERLEVEL IS NO VIOLATIONS:
seems that your rule set is not working properly. Can you please check if the functions are maintained for the correct system or connector group?

Reports:

RSUSR000 Currently Active Users(Active users are the total number of users in the system.
Interactive users are the users logged on by sap logon.
RFC users are the users logged on by rfc, )

RSUSR002 Users by Complex Selection Criteria

RSUSR002_ADDRESS Users by address data

RSUSR003 Check the Passwords of Users SAP* and DDIC in All Clients

RSUSR004 Restrict User Values to the Following Simple Profiles and Auth. Ob

RSUSR005 List of Users With Critical Authorizations

RSUSR006 Locked Users and Users with Incorrect Logons

RSUSR007 Display Users with Incomplete Address Data

RSUSR008 Critical Combinations of Authorizations at Transaction Start

RSUSR008_009_NEW List of Users With Critical Authorizations

RSUSR009 List of Users With Critical Authorizations

RSUSR010 Transactions for User, with Profile or Authorization

RSUSR011 Lists of transactions after selection by user, profile or obj.

RSUSR012 Search authorizations, profiles and users with specified object va

RSUSR020 Profiles by Complex Selection Criteria

RSUSR030 Authorizations by Complex Selection Criteria

RSUSR040 Authorization Objects by Complex Selection Criteria

RSUSR050 Comparisons

RSUSR060 Where-used lists

RSUSR060OBJ Where-Used List for Authorization Object in Programs and Transacti

RSUSR061 Enter Authorization Fields

RSUSR070 Roles by Complex Selection Criteria

RSUSR080 Users by License Data

RSUSR100 Change Documents for Users

RSUSR101 Change Documents for Profiles

RSUSR102 Change Documents for Authorizations

RSUSR200 List of Users According to Logon Date and Password Change ..vimp

RSUSR300 Set External Security Name for All Users

RSUSR301 Fill non-checking transactions with auth.object S TCODE

RSUSR302 Delete authorization check on object S TCODE from table TSTCA

RSUSR304 Reload Table TSTCA From Table TSTCA_C

RSUSR400 Test Environment Authorization Checks (SAP Systems Only)

RSUSR401 Report to give all SAPCPIC users profile S_A.CPIC

RSUSR402 Download user data for CA manager from Secude

RSUSR403 Assign Profile S_A.CPIC to User SAPCPIC in Current Client

RSUSR404 Conversion Program for Authorizations of Basis Development Environ

RSUSR405 Reset all user buffers in all clients (uncritical)

RSUSR406 Automatically Generate Profile SAP_ALL

RSUSR406_OLD Automatically Generate Profile SAP_ALL

RSUSR408 XPRA: Conversion of USOBX-OKFLAG, USOBX-MODIFIED for upgrade tool

RSUSR409 Transfer all translated titles to generated transaction codes

RSUSR421 Clean-up report: TSTC-CINFO if no check in TSTCA

RSUSR500 User Administration: Compare Users in Central System

RSUSR500D Report RSUSR500D

RSUSR998 Call Reporting Tree Info System

RSUSREXT Enter Correct SNC Names in Table View VUSREXTID (from SAP R/3 4.5)

RSUSREXTID Enter Correct SNC Names in Table View VUSREXTID (from SAP R/3 4.5)

RSUSRLOG Log Display for Central User Administration

RSUSRSCUC CUA: Synchronization of the Company Addresses

RSUSRSUIM User Information System

RSUSR_S_USER_SAS Activate Authorization Object S_USER_SAS

RSUSR_S_USER_SAS_01 Complete Authorization Data for S_USER_SAS in Roles

RSUSR_S_USER_SAS_02 Convert Authorization Defaults

RSUSR_SYSINFO_PROFILE Report cross-system information/profile

RSUSR_SYSINFO_ROLE Report cross-system information/role

RSUSR_SYSINFO_ZBV Report cross-system information/CUM

Here`re the tables :

User/Security tables

DEVACCESS Table of development users including dev access key

USR02 Logon data

USR04 User master authorization (one row per user)

UST04 User profiles (multiple rows per user)

USR10 Authorisation profiles (i.e. &_SAP_ALL)

UST10C Composit profiles (i.e. profile has sub profile)

USR11 Text for authorisation profiles

USR12 Authorisation values

USR13 Short text for authorisation

USR40 Tabl for illegal passwords

OBJT Authorisation objetc table .

Basis/Security Consultant: Hardware/Software requirement analysis • Software Installation •

NetWeaver Environment Validation

GRC AC Tool Consultant • Integration of all 4 tools • Risk Recognition, Remediation,

Mitigation • Rule Building and their Maintenance • Configuration of workflows • Configuration
of Role Attributes • Configuration of Role Generation Methodology • Configuration of Naming
Conventions • Report Generation

Grcac12.0:

SAP is now applying its strategy to move towards mobile devices to the GRC. Therefore it has implemented a large portion of the relevant GRC functions on a
Fiori Launchpad. These now appear as tiles (on that Launchpad) and offer a unified entry point for all GRC Fiori Apps. Also, each user is able to personalise
their own Launchpad and can add, remove or sort apps via drag and drop.

By moving to a Fiori Launchpad, GRC 12.0 offers increased productivity and higher transparency, because users have faster acc ess to relevant information.
Some apps already have KPIs on their tile, e.g. the 'Control Status' or the 'Issue Status'. This means that by just looking at the Launchpad the user will get
significant information right away. Instead of having to pull information out of the system, GRC 12.0 is now pushing the most important numbers to the user.
 . Improved user experience
Perhaps the biggest benefit of SAP GRC 12.0 is an improved user experience, which has been significantly improved from
GRC 10.1.
This is partly because SAP has now included GRC in its broader strategy of moving towards mobile devices. So, you can now
access the functionality and features of 12.0 through Fiori Launchpad, which at a stroke increases the accessibility of the s uite
to users across your organisation and ensures people can do what they need to do while away from the office. This promises
to greatly speed up working practices, particularly as managers - wherever they are - can now immediately review and
approve time-sensitive access requests.
And, along with enhanced access capability, the interface itself is now simpler, cleaner and more intuitive. Modules appear as
tiles, and you can personalise your own Launchpad and use drag and drop to add, remove and sort apps.
Overall, the improved UX of SAP 12.0 will increase productivity and provide greater transparency - as all users now have
faster and easier access to relevant information.
2. Easier user adoption
Although SAP GRC 12.0 is very much new and improved, functionality will be familiar to any user of SAP GRC 10.1 –
making it easy to adapt to and understand. Although things may look different, it is designed to enable an easy transition, so
there will be no vast manual to read, or endless rounds of classroom training to sit through.
At most, what is needed are brief release notes with simple step-by-step instructions introducing users to the key changes. In
short, users can hit the ground running with 12.0 - meaning no costly bill for training or ongoing technical support.
3. Enhanced integration
Cloud applications are now supported via Cloud Identity Access Governance (Cloud IAG) in SAP 12.0. This an important
milestone for the increasing number of SAP customers adopting SAP Cloud solutions such as Ariba, Fieldglass and Concur.
Now that Access Control 12.0 integrates with Cloud IAG, the Risk Analysis and User Provisioning processes can be catered
for across SAP On-Premise and Cloud applications natively. There is also end-to-end integration with SAP SuccessFactors, as
well as access analysis for the following:

 SAP Fiori Apps in SAP S/4HANA on-premise

 Emergency Access Management for SAP HANA database

 SAP Identity Management for centralised provisioning and business role management

 SAP SuccessFactors Employee Central Payroll

With more SAP customers looking to move to SAP S/4 HANA, it’s worth noting that
SAP has also introduced a new risk ruleset library for SAP Access Control for S/4. S/4 HANA has changed the authorisation
model making transactions either obsolete or providing less detail, so this feature will provide some comfort for those
migrating.
4. Better process optimisation
The move to SAP GRC 12.0 has included significant attention to some of the more resource heavy data synchronisation jobs.
These have been re-developed to focus on improved performance and so includes more filters, inherent job splitting and
improved control over the volume of data to be synchronised. The User Access Review data generation, repository sync and
LDAP syncs in particular have been improved through this upgrade. In addition, a mass role methodology update means you
can now re-apply the methodology for multiple roles at a time, and there is simplified Firefighter owner/controller
maintenance.
5. Improvements to SAP Risk Management and SAP Process Control
With SAP GRC 12.0, more features are now available for Risk Assessment Workflow, Automated Aggregation improvements
and Activity Validation Workflow. And with SAP Process Control, users can now trigger ad-hoc business rules for
Continuous Control Monitoring Subprocess Design Assessment workflow.
Having 3 years of Professional experience in SAP R/3 support.

Support users in determination and resolving authorization related issues.

Willingness to learn and adapt to changing and challenging situation.

Ability to interact with all levels of the user community and project team.

Damu anna:

All these owners, monitors, controllers etc are to be created as end users in GRC Server.

To find the owner (Role content owner) and approver (assignment approver) from the table through SE16
provide

the table name GRACROLE and Execute.

https://www.youtube.com/watch?v=BMSjdbZy-
qc&list=PLpnQrZBJqekENg11DyQTFjEHmMdy6AhcZ(traditional yoga)