The SAP GRC Emergency Access Management (EAM) log level has been the subject of a lot of questions and debate. In this post I have summarised the current available logs together with their purpose and a description of what is captured.
There are five key logs available in EAM:
Transaction Log - This is the equivalent of the STAD data and a log entry will appear whenever a transaction is called by the Firefighter ID.
Change Log - This is based upon the data held in tables CDHDR and CDPOS for business change documents. All changes logged by those tables will be captured alongside the nature of the change. This includes the field and values updated. However, this does not include a number of system administration functions if not covered by the business change header tables. Therefore, it is not guaranteed to capture each and every change made in the system.
OS Command Log - This captures operating system commands executed from within SAP systems (via transaction SM49).
System Log - This reads from the SAP Application to show debug and replace entries from transaction SM21.
Audit Log - This reads entries from the SM20 system audit log assuming that this is configured correctly in SM19.
The present solution does not read the DB Table log but there is a planned enhancement to include this.
Turnkey Consulting is helping to make the world a safer place to do business by specialising its expertise across Integrated Risk Management, Identity and Access Management, and Cyber and Application Security. We provide business consulting, technology implementation and managed services to help customers safeguard their application environments - protecting critical ERPs (such as SAP, Oracle and MS Dynamics) and wider enterprise systems.