Emergency Access request (Fire Fighter)

Similar Messages

• Fire Fighter Roles

  Hi Gurus,
  I am in the process of designing Fire Fighter ROles for the Production process...
  Can any one please help me with the number of roles and Transactions that we use for the design process...
  How many Fire Fighter roles that we need and What are the Transactions.....?
  Thanks in advance
  Guru

  Hi Guru,
  The roles that need to be created for Firefighter ids are based on requirement from the Business process owners of the respective business modules ( example, SD, MM, PP, FICO ).
  Firefighter tool is designed to help you handle exceptional access requests appropriately.
  This tool is used to deal with emergency access requests. For example, when a Production support person needs to investigate an Urgent issue in Production system but does not have enough access. Then you need to assign the Firefighter id and the appropriate Firefighter role(s) to complete the emergency transactions.
  Virsa Firefighter for SAP enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access, and tracks and logs every activity the super-user performs using that temporary ID.
  So you need to consult your BPOs, Internal Audit team, Controllers and come up with the emergency transactions, authorizaton objects, programs, reports, tables and design the roles with appropriate naming conventions.Assign the Firefighter roles to the Firefight IDs in emergency in Production system.

• Populating Fire Fighter ID Descriptions in User Request Search Screen (FF ID)

  Thought I would share this as I just recieved the note that fixes it and I have seen a couple of questions on it as an issue for their End Users.  I applied it in our PRD environment and it worked like a charm.
  1947101 - How can the Firefighter ID/ Role description be
  maintained or updated for those FF Objects that do not have a description
  Symptom
  While creating a Firefighter ID/ Role Request, the
  Firefighter Object (ID/Role) search does not return a description or the
  description field is blank. So where can this description field be maintained?
  Environment
  Access Control 10.0
  Emergency Access Management
  Access Request Administration
  Reproducing the Issue
  Create an Access Request for Request Type: 'Emergency User
  Access'
  Search for a Firefighter ID/role
  The returned FF Objects do not have a description
  maintained. 
  Resolution
  Execute the Program GRAC_EAM_MAINTAIN_FFOBJ_DESCR in SE38.
  Manually enter the FF Object (firefighter ID/Role) which
  does not have the description mainatined.
  Manually enter the Connector ID.
  Click on Execute.
  In th next screen, manually enter the description for each
  of the affected FF Objects and click on the Save button for each of the
  objects.
  This should update the FF Object description in all the
  relevant FF Tables.
  P.S. If this program is not available in your system, please
  implement the SAP Note 1793691 or upgrade to Support Pack 11 or higher. Please
  also check the related notes here if you face any issue with this program.

  Its really helpful..Enduser will be able to distinguish among FF id with their description.
  Thanks,
  Mamoon

• Fire fighter

  Guys,
  From my understanding the use of fire fighter is for emergency access in PRD. For that we can just create separate ID in sap system with almost sap_all authorization (not sap_all) and access PRD whenever there is a need.But why we need sap VIRSA fire fighter or SAP GRC super user privilege management?.

  Virsa Firefighter allows for tracking of who connects where, and what they do while connected. If you assign a generic SAP "super user", you loose these important tracking and auditing features... unless, of course, you create your own tracking system (for instance by activating a user exit upon login, demanding the person who logs in using the "super user" to identify him/herself and store some vital info such as time, date, ip address of the terminal used to connect and so on). Also, you'd need to turn security audit logging on.
  Firefighter gives you all of these security mechanisms in one package, one which tastes good to your auditors, too...
  Trond

• What is FIRE FIGHTER ID

  hi folks,
  can anybody tell me what is FIRE FIGHTER ID.

  Hi,
  When a user in a production system needs help from an IT
  superuser, the application assigns a temporary ID that grants
  the superuser broad yet regulated access. The superuser simply
  logs on to the application’s main console, where a new session
  is opened under the Firefighter ID. Because the Firefighter ID is
  preassigned, the superuser never needs to wait for approval
  before solving a critical problem.
  Ideally Firefighter should be used only for superuser access. The reasoning...
  1) When the firefighter role is being used, the user cannot use his normal transactions
  2) Only one user can use a firefighter role at a time
  3) Complete log of firefighter role usage is available for review.
  Many-a-times it is suggested to use firefighter role for performing the duties of the users on holiday. However I think it is not appropriate. Such users should be assigned normal roles for these duties for the limited period
  Hope I had been able to help you. Please assign points.
  Rgds
  Manish

• Fire Fighter Logs details in /n/virsa/vfat

  Hi,
  When i see the Fire Fighter logs through the Tcode /n/virsa/vfat, i am just able to know what tcode was used by a particular user and at what time and date.
  Now if he has used SE38, i do not get the information of what report or program did he run in SE38. Similarly for SE16n I will not have the information of what table was used and modified.
  So is it possible to know the complete details of the activity that user has done throught the FIreFighter.
  Please help.
  Regards
  Anubhav

  In the case of SE16 you can see the generated selection-screen program for that table being submitted both in STAD if you are fast enough (i.e. before the aggregation takes place) and in the security audit log (SM20N - which is actually the correct tool to rely on). They will show reports from SA38 etc as well.
  However SE16N does not generate and submit report type programs so you cannot know which table was accessed. The only little "skidmark" it will leave behind is the memory id entries of the tabname selection parameter and SQL performance traces, but GRC does not access this data and it is unreasonable to assume that the history of these memory ids has been activated on the server side.
  If worst comes worse you will be able to find out the table though - latest with a thumb-screw or bamboo under the finder nails... 
  Cheers,
  Julius

• Fire Fighter Mail Notification

  Hi Gurus,
  I have an issue with fire fighter....if i am not wrong...When i add a firefighter id to a user id ...it should send a mail...Fore Fighter controller and owner with a link to approve and then they approve the access...then it will send the user access to the user.The above process is not happening with the fire fighter we using..
  The fire fighter owner and controller are just getting the logs...Please let me know how to config the initial mail notification.
  Thanks in advance
  Guru

  Hello Guru,
  When a user probably a Security Administrator assigns Firefighter ID to a Firefighter User there is no such provision of automated e-mail notification in Access Controls 5.2 - Firefighter SP level 5 with Patch 1. Which is at the moment latest available on SAP service market place.
  But you can take it another way. If you have an Honour of using Access Enforcer then you can create a dedicated workflow for Firefighter ID assignment. Where you can define different stages and approvers for all scenarios. Also this way you can intimate the requestor and approver about the status.
  In role expert, you can automate the default Virsa Firefighter, Owner, Administrator and controller roles for users.
  Still there is no such automated functionality which can let you automatically add users to Virsa Firefighter configuration tables and send an e-mail.
  What you can do is, after the approval of the firefighterID assignment your security guy can manually add users to these considered tables and finish the AE workflow notifying all the approvers and requestor.
  I hope i touched the whole scenario.
  If you still have doubts, let me know.
  Thanks & Regards,
  Amol Bharti

• Fire fighter on GRC10

  Hi,
  We want to use fire fighter and provisioning of access on GRC10 itself.
  I am using ID based FF access and when trying to add role - SAP_GRAC_SPM_FFID to the user on GRC it does not get the role from the delivered roles.
  Do we need to load something? Is there a way we can activate these functions on our GRC10 environment?
  Regards, Melvin

  Hello,
  Like in simple term
  1) Firefighter id are created on backend system.
  2)GRC Systems need to understand whihc are fighterids
  3)GRAC_SPM_FFID or create any role and assign all firefigher ids.
  4)Make sure this role name is maintained in parameter to identify firefightids.
  Parammeter i think 4010..
  Enter the name of the role assigned to the firefighter ID in the target systems. This is identifies to the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them.
  Regards,
  Prasant

• Emergency access procedure - non GRC

  Hi guys,
  Just wondering if you have a written Emergency Access Procedure (FireFighter), which is not based on GRC.
  My client has unfortunately no GRC installed at all.
  Also wondering if Solman can be utilized as currently they use it for change management..
  Thanks a lot
  Cheers
  Greg

  Greg,
  I have experience with two different non-GRC Firefighter procedures, both role-based.
  In one solution, the user submitted a Firefighter request for either the HR or the non HR Firefighter role to be assigned; the form was a custom Outlook form. A custom ABAP program monitored the assignment of these roles, logged the tcode usage of the IDs with the role assigned, sent an audit report to the user's manager which included tcode usage and if the tcodes used were in the user's regular roles or in the FF role, and the manager had to return the report to SAP security as confirmation that it had been reviewed.
  In the other solution, the request logged into the IdM solution to request firecall authority. The requester must be pre-approved to request elevated SAP access. IdM provisioned the extra access to the users account and notifiedboth the user's manager and SAP Security. IdM deprovisioned the extra access at the specified time in the request. SAP Security was responsible for auditing the use and documenting the tcodes used in a report sent to the user's manager and all of this was documented in an IT incident ticket.
  The second solution required a lot more manual effort from the SAP Security team, butit was not invoked often. The first solution, while much more automated, presented its own challenges, as the buffer for the tcode usage statistics  frequently overflowed, and a designated resource would have to work to resolve.
  So from my experience, I would say that there is a good reason why customers choose to implement a GRC firefighter solution.
  Cheers,
  Gretchen

• Fire Fighter in Virsa

  Can someone please describe me how fire fighter works
  Thanks

  The only actions that are recorded are those of the firefighter ID. The firefighter ID does not record any other actions for any other users.
  A good example of what a fire fighter ID could be used for is Basis access. There are additonal tasks that a Basis person is allowed to perform in a non-Production system versus a Production system (as I am sure you are aware). There are times though that he/she may need elevated access to perform a critical task. At that point the firefighter ID is accessed and their actions recorded.
  As far as the type of access that you would assign, keeping with the same Basis person example, take a look at what you have defined for your Basis person(s) in your Production environment. Compare that access to what he/she has in QA (and/or Dev). The delta identified is the elevated access that may be required as baseline authorization for the firefighter ID. Of course this is only an example and you would have to tailor it to suite your requirements.
  Documents emailed.

• Fire fighter security table download

  Dear Experts,
  After downloading the Fire fighter Security table(/n/virsa/vfat -> Utilities -> Download) this can be opened in excel and see all the passwords. This is a potential risk in Security and authorization. Kindly suggest me is there any note or corrections to get the data downloaded as encrypted itself ?
  Or any other suggestions welcome please.
  Thanks and Regards,
  Shiju

  Hello Shiju,
  Just wanted to ask you what role (s) does the user have, who is downloading and changing the passwords. Are they standard SAP provided or are they custom?
  Role "/VIRSA/VFAT_ROLE_ADMINISTRATOR" has access to "Export" the list and role "/VIRSA/Z_VFAT_ADMINISTRATOR" has access to "change" the password.
  Also, in case you do not want the export function to be available to any user, you may chosse not to use these SAP default roles for Firefighter but create your own roles and assign them to the users, where you can define the table maintenence for "/VIRSA/ZVIRFFPWD" table, not to be available to anyone to restrict this.
  Regards,
  Hersh.

• Approving the access request gives error in Sharepoint Foundation 2013 / Email notification codepage problem

  Hello
  On our SharePoint Foundation 2013 server approving Access Requests fails with "request approval failed" after pressing the approve button. The user is site administrator, site collection administrator and site owner.
  In the ulsviewer we see the following error:
  System.NotSupportedException: No data is available for encoding 1033.     at System.Text.Encoding.GetEncodingRare(Int32 codepage)     at System.Text.Encoding.GetEncoding(Int32 codepage)     at Microsoft.SharePoint.Email.SPMailMessageHelper.GetSocialNotificationMailMessage(SPWeb
  web, String senderAddress, String senderName, Boolean useSenderAddressAsFromAddress, String recipientAddress, CultureInfo recipientCulture, String subject, String sidebarHtml, String descriptionHtml, String customMessageHtml, List`1 embeddedAttachments)    
  at Microsoft.SharePoint.SPSharingEmailHelper.SendAccessRequestsEmail(SPCachedItemEventProperties eventProperties, SPUser sender, String message, SPUser recipient, String recipientEmailAddress, String strSubject, String body)     at Microsoft.SharePoint.SPSharingEmailHelper.SendRequestorNotification(SPCachedItemEventProperties
  eventProperties, String objRequestedTitle, SPUser reqByUser, SPUser reqForUser, String message, Boolean isMessageUpdate, Int32 status)     at Microsoft.SharePoint.SPAccessRequestsOperationHandler.HandleStatusChangingToApprove(SPCachedItemEventProperties
  properties, Int32 reqByUserId, Int32 reqForUserId, Int32 newStatus, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)     at Microsoft.SharePoint.SPAccessRequestsOperationHandler.HandleRequestStatusChanging(SPCachedItemEventProperties
  properties, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)     at Microsoft.SharePoint.SPAccessRequestsOperationHandler.ItemUpdating(SPCachedItemEventProperties properties, SPUserCollection users, SPGroupCollection
  groups, IEnumerable`1 roleDefs)     at Microsoft.SharePoint.SPAccessRequests.UpdateItem(Int32 newStatus, SPUser reqFor, String convStr, String permType, Int32 permissionLevel, Boolean extendInvitation, String anonLinkType, SPList accReqList,
  SPListItem item, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs)     at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatusCore(Int32 newStatus, SPUser reqFor, String convStr, String permType, Int32 newPermissionLevel,
  Boolean extendInvitation, String anonLinkType, SPList accReqList, SPListItem request)     at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatus(Int32 itemId, Int32 newStatus, SPUser reqForUser, String convStr, String permType, Int32
  permissionLevel, Boolean extendInvitation, String anonLinkType, SPWeb web)     at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatus(Int32 itemId, Int32 newStatus, String convStr, String permType, Int32 permissionLevel)    
  at Microsoft.SharePoint.ServerStub.SPAccessRequestsServerStub.ChangeRequestStatus_MethodProxy(XmlNodeList xmlargs, ProxyContext proxyContext)     at Microsoft.SharePoint.ServerStub.SPAccessRequestsServerStub.InvokeStaticMethod(String methodName,
  XmlNodeList xmlargs, ProxyContext proxyContext, Boolean& isVoid)     at Microsoft.SharePoint.Client.ServerStub.InvokeStaticMethodWithMonitoredScope(String methodName, XmlNodeList args, ProxyContext proxyContext, Boolean& isVoid)    
  at Microsoft.SharePoint.Client.ClientMethodsProcessor.InvokeStaticMethod(String typeId, String methodName, XmlNodeList xmlargs, Boolean& isVoid)     at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStaticMethod(XmlElement
  xe)     at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessOne(XmlElement xe)     at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStatements(XmlNode xe)     at Microsoft.SharePoint.Client.ClientMethodsProcessor.Process() 449c7b9c-6cec-f09a-9792-3d76c4d7e351
  The server is running on an English Windows 2012 Server and also the English version of SharePoint Foundation 2013 with the June 2013 CU.
  We see exactly the same error when add users to a group with the option "Send an email invitation" enabled.
  Any ideas what could cause this problems?
  Regards,
  Reinhard

  Hi Reinhard ,
  According to your error message, it says that no data is available after  encoding the social notification mail message. It  should be caused by the E-Mail encoding setting.
  For troubleshooting your issue, please check the character set of your E-Mail Settings:
  Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
  On the Central Administration Home page, click System Settings.
  On the System Settings page, in the E-Mail and Text Messages(SMS) section, click Configure outgoing e-mail settings.
  On the Outgoing E-Mail Settings page, make sure
  Character set setting is  65001(Unicode UTF-8).
  Best Regards,
  Eric
  Eric Tao
  TechNet Community Support

• User Management - How to submit Additional Access Request on behalf of employee

  User Management - how can we configure "Access Requests" so that Managers can submit Additional Access Requests, or Initial Access Requests on behalf of employee?
  Have looked at "Manage Proxies" but this seems to allow access to everything - not ideal
  Please assist with knowledge and/or experience
  Many Thanks
  Me

  Additional Access Request Registration Process is complete
  Giving access to User Management to users is not an option.
  What I would like is the scenario below - is this achievable?
  When employee goes to iProcurement > Preferences > Access Requests > Request Access | they can submit an access request on behalf of themselves.
  Would like an option where a manager, navigates to same UI as above, has option to choose a subordinate, and request additional access on their behalf
  The table UMX_REG_REQUESTS has columns REQUESTED_FOR_USER_ID & REQUESTED_BY_USER_ID - so it seems they don't have to be same person (manager can submit request on behalf of an employee)
  Can this be achieved through UI for "Access Requests"?

• HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST

  hi sap gurus,
  i configured grc 10 system successfully. I created one user: GR_AR_APP001 and assign following roles:
  SAP_GRAC_ACCESS_APPROVER
  SAP_GRAC_ACCESS_REQUEST_ADMIN
  SAP_GRC_FN_BASE
  SAP_GRC_FN_NUSINESS_USER
  and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
  but when i am creating access request for new user and defining MANAGER under user details tab as GR_AR_APP001.
  the user GR_AR_APP001 is not receiving any request for APPROVE or REJECT in his WORK INBOX.
  can u please guide me how to configure APPROVER or MANAGER to approve or reject request.
  I will be very much thankful if you guide me successfully.

  Hi Colleen,
  thanks a lot for your time.
  PIC1: I created one user: GR_AR_APP001
  and assigned all the GRC ROLES.
  PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
  PIC3: I created one EUP 980 (copied from default EUP)
  PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
  PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
  PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
  PIC7: I saved agent id
  PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
  PIC9: I saved
  PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
  PIC11: Maintain Route Mapping, I clicked on next
  PIC12 and PIC13: I saved and activated.
  After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
  now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
  please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
  thanks for your support Colleen.

• SharePoint 2013 - Site Settings - Users and permissions - "Access Request and invitations" link missing

  I am site collection administrator and have configured the outgoing email in Central administration but "Access Request and invitations" link  is missing, pl advice any additional configurations for this link to show up
  I was though able to configure access requests by going to Site Settings->Users and permission and on the ribbon selected "Access Request Settings"
  What is the difference in either of the approaches?
  Thanks
  Abhishek

  Hi there,
  I noticed this post, and didnt really find an appropriate solution to your issue. I noticed the same issue when dealing with Access Requests. First of all to make sure that the Request feature is enabled, you need to access 
  Site Settings -> Site Permissions -> Access Request Settings -> Make sure the
  'Allow access requests' option is enabled.
  The Allow access screen just allows you to enable the feature and also to specify a email address that notifications are sent to. Whereas the 'Access Requests and Invitations' section provides a screen to manage Access Requests and request history.
  I noticed then that the Access Requests and Invitations link under 'User and Permissions' didnt actually appear until someone actually requests to join the site. It seems that this is needed to display the screen. Once actioned once, the option stays there.
  Hope it helps