Emergency Access request (Fire Fighter)
Dear Experts,
I am configuring SPM 10.0, I have assigned FF role to the FFID in the backend system. I have configured connectors between GRC system and ERP system.
After running GRAC_ROLEREP_USER_SYNC I am getting the error below.
Processing for connector G10
Error: Scenario Link is not defined in grfnconnscnlk table for G10
User sync failed with errors
I have checked the table and the scenario link exists.
Also, I am trying to assign an owner to a FFID, but I am not able to search for the FFID in the system. I have created owners but I am not able to assign owners to a FFID as the system is not allowing me to search.
I appreciate your help.
Thanks,
Raj
Hi Raj -
Maybe a few things to try out to solve some of the problems you are running into:
(1) Ensure the connector you are trying to utilize is associated with all the GRC scenarios, not just the SUPMG scenario. You can maintain that at IMG -> GRC -> Common Component Settings -> Maintain Connection Settings
(2) Assuming you can get your user synchronization running properly, just check to ensure you have the configuration parameter 4010 set up with the FF role name you are using to assign to all your FFIDs so GRC can make the linkage
(3) In order for someone to be set up as a FF Owner or Controller you will need to ensure they are configured with the GRC role assignments. Under the Access Management Work Center check the table found at GRC Role Assignments -> Access Control Owners. Anyone who will be a FF owner must be associated with the FF ID Owner role
Hope this helps a bit
Similar Messages
-
Hi Gurus,
I am in the process of designing Fire Fighter roles for the Production process...
Can anyone please help me with the number of roles and transactions that we use for the design process...
How many Fire Fighter roles do we need and what are the transactions?
Thanks in advance
Guru
Hi Guru,
The roles that need to be created for Firefighter ids are based on requirement from the Business process owners of the respective business modules ( example, SD, MM, PP, FICO ).
Firefighter tool is designed to help you handle exceptional access requests appropriately.
This tool is used to deal with emergency access requests. For example, when a Production support person needs to investigate an Urgent issue in Production system but does not have enough access. Then you need to assign the Firefighter id and the appropriate Firefighter role(s) to complete the emergency transactions.
Virsa Firefighter for SAP enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access, and tracks and logs every activity the super-user performs using that temporary ID.
So you need to consult your BPOs, Internal Audit team and Controllers, come up with the emergency transactions, authorization objects, programs, reports and tables, and design the roles with appropriate naming conventions. Assign the Firefighter roles to the Firefighter IDs in the Production system for emergencies. -
Populating Fire Fighter ID Descriptions in User Request Search Screen (FF ID)
Thought I would share this as I just received the note that fixes it and I have seen a couple of questions on it as an issue for End Users. I applied it in our PRD environment and it worked like a charm.
1947101 - How can the Firefighter ID/Role description be maintained or updated for those FF Objects that do not have a description
Symptom
While creating a Firefighter ID/Role Request, the Firefighter Object (ID/Role) search does not return a description or the description field is blank. So where can this description field be maintained?
Environment
Access Control 10.0
Emergency Access Management
Access Request Administration
Reproducing the Issue
Create an Access Request for Request Type: 'Emergency User Access'
Search for a Firefighter ID/role
The returned FF Objects do not have a description maintained.
Resolution
Execute the Program GRAC_EAM_MAINTAIN_FFOBJ_DESCR in SE38.
Manually enter the FF Object (firefighter ID/Role) which does not have the description maintained.
Manually enter the Connector ID.
Click on Execute.
In the next screen, manually enter the description for each of the affected FF Objects and click on the Save button for each of the objects.
This should update the FF Object description in all the relevant FF tables.
P.S. If this program is not available in your system, please implement SAP Note 1793691 or upgrade to Support Pack 11 or higher. Please also check the related notes here if you face any issue with this program.
It's really helpful. End users will be able to distinguish among FF IDs by their description.
Thanks,
Mamoon -
Guys,
From my understanding the use of fire fighter is for emergency access in PRD. For that we can just create a separate ID in the SAP system with almost SAP_ALL authorization (not SAP_ALL) and access PRD whenever there is a need. But why do we need SAP Virsa Firefighter or SAP GRC Superuser Privilege Management?
Virsa Firefighter allows tracking of who connects where, and what they do while connected. If you assign a generic SAP "super user", you lose these important tracking and auditing features... unless, of course, you create your own tracking system (for instance by activating a user exit upon login, demanding that the person who logs in using the "super user" identify him/herself, and storing some vital info such as time, date, IP address of the terminal used to connect and so on). Also, you'd need to turn security audit logging on.
Firefighter gives you all of these security mechanisms in one package, one which tastes good to your auditors, too...
Trond -
hi folks,
can anybody tell me what a FIRE FIGHTER ID is?
Hi,
When a user in a production system needs help from an IT superuser, the application assigns a temporary ID that grants the superuser broad yet regulated access. The superuser simply logs on to the application's main console, where a new session is opened under the Firefighter ID. Because the Firefighter ID is preassigned, the superuser never needs to wait for approval before solving a critical problem.
Ideally Firefighter should be used only for superuser access. The reasoning...
1) When the firefighter role is being used, the user cannot use his normal transactions
2) Only one user can use a firefighter role at a time
3) Complete log of firefighter role usage is available for review.
Many-a-times it is suggested to use firefighter role for performing the duties of the users on holiday. However I think it is not appropriate. Such users should be assigned normal roles for these duties for the limited period
Hope I have been able to help you. Please assign points.
Rgds
Manish -
Fire Fighter Logs details in /n/virsa/vfat
Hi,
When I see the Fire Fighter logs through the tcode /n/virsa/vfat, I am just able to know what tcode was used by a particular user and at what time and date.
Now if he has used SE38, I do not get the information on which report or program he ran in SE38. Similarly for SE16N I will not have the information on which table was used and modified.
So is it possible to know the complete details of the activity that the user has done through the Firefighter?
Please help.
Regards
Anubhav
In the case of SE16 you can see the generated selection-screen program for that table being submitted, both in STAD if you are fast enough (i.e. before the aggregation takes place) and in the security audit log (SM20N, which is actually the correct tool to rely on). They will show reports from SA38 etc. as well.
However SE16N does not generate and submit report-type programs, so you cannot know which table was accessed. The only little "skidmark" it will leave behind is the memory ID entries of the tabname selection parameter and SQL performance traces, but GRC does not access this data and it is unreasonable to assume that the history of these memory IDs has been activated on the server side.
If worst comes to worst you will be able to find out the table though, at the latest with a thumb-screw or bamboo under the fingernails...
Cheers,
Julius -
Fire Fighter Mail Notification
Hi Gurus,
I have an issue with fire fighter... if I am not wrong, when I add a firefighter ID to a user ID it should send a mail to the Fire Fighter controller and owner with a link to approve, and then they approve the access, and then it will send the user access to the user. The above process is not happening with the fire fighter we are using.
The fire fighter owner and controller are just getting the logs. Please let me know how to configure the initial mail notification.
Thanks in advance
Guru
Hello Guru,
When a user probably a Security Administrator assigns Firefighter ID to a Firefighter User there is no such provision of automated e-mail notification in Access Controls 5.2 - Firefighter SP level 5 with Patch 1. Which is at the moment latest available on SAP service market place.
But you can take it another way. If you have an Honour of using Access Enforcer then you can create a dedicated workflow for Firefighter ID assignment. Where you can define different stages and approvers for all scenarios. Also this way you can intimate the requestor and approver about the status.
In role expert, you can automate the default Virsa Firefighter, Owner, Administrator and controller roles for users.
Still there is no such automated functionality which can let you automatically add users to Virsa Firefighter configuration tables and send an e-mail.
What you can do is, after the approval of the firefighterID assignment your security guy can manually add users to these considered tables and finish the AE workflow notifying all the approvers and requestor.
I hope i touched the whole scenario.
If you still have doubts, let me know.
Thanks & Regards,
Amol Bharti -
Hi,
We want to use fire fighter and provisioning of access on GRC10 itself.
I am using ID based FF access and when trying to add role - SAP_GRAC_SPM_FFID to the user on GRC it does not get the role from the delivered roles.
Do we need to load something? Is there a way we can activate these functions on our GRC10 environment?
Regards, Melvin
Hello,
In simple terms:
1) Firefighter IDs are created on the backend system.
2) The GRC system needs to understand which are the firefighter IDs.
3) Use GRAC_SPM_FFID or create any role and assign it to all firefighter IDs.
4) Make sure this role name is maintained in the parameter to identify firefighter IDs.
The parameter, I think, is 4010.
Enter the name of the role assigned to the firefighter ID in the target systems. This identifies to the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC box and reads this configuration to check if the user has this role assigned to them.
Regards,
Prasant -
Emergency access procedure - non GRC
Hi guys,
Just wondering if you have a written Emergency Access Procedure (FireFighter), which is not based on GRC.
My client has unfortunately no GRC installed at all.
Also wondering if Solman can be utilized as currently they use it for change management..
Thanks a lot
Cheers
Greg
Greg,
I have experience with two different non-GRC Firefighter procedures, both role-based.
In one solution, the user submitted a Firefighter request for either the HR or the non HR Firefighter role to be assigned; the form was a custom Outlook form. A custom ABAP program monitored the assignment of these roles, logged the tcode usage of the IDs with the role assigned, sent an audit report to the user's manager which included tcode usage and if the tcodes used were in the user's regular roles or in the FF role, and the manager had to return the report to SAP security as confirmation that it had been reviewed.
In the other solution, the requester logged into the IdM solution to request firecall authority. The requester must be pre-approved to request elevated SAP access. IdM provisioned the extra access to the user's account and notified both the user's manager and SAP Security. IdM deprovisioned the extra access at the specified time in the request. SAP Security was responsible for auditing the use and documenting the tcodes used in a report sent to the user's manager, and all of this was documented in an IT incident ticket.
The second solution required a lot more manual effort from the SAP Security team, but it was not invoked often. The first solution, while much more automated, presented its own challenges, as the buffer for the tcode usage statistics frequently overflowed, and a designated resource would have to work to resolve it.
So from my experience, I would say that there is a good reason why customers choose to implement a GRC firefighter solution.
Cheers,
Gretchen -
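The audit step in the first non-GRC procedure above (log which transactions the user started while the firefighter role was assigned, and mark each one as coming from a regular role or from the firefighter role) can be reconstructed from role assignments and a transaction-usage log. The following is an added example, not code from the thread or from any SAP product; the role names (Z_FF_HR, Z_FF_NON_HR, Z_SD_DISPLAY), the users and the log lines are constructed, and in a real system the inputs would come from AGR_USERS / AGR_TCODES and from STAD or the security audit log (SM20). It also flags the case a manual procedure tends to miss: a firefighter transaction started after the role's validity period ended.

```python
"""Audit report for a role-based (non-GRC) firefighter procedure.

Added example, not code from the original thread. All role names, users
and log records below are constructed; real inputs would be read from
AGR_USERS / AGR_TCODES and from STAD or the security audit log (SM20).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed names for the two firefighter roles mentioned in the post (HR / non-HR).
FF_ROLES = {"Z_FF_HR", "Z_FF_NON_HR"}

# Constructed role -> transaction mapping (would be read from AGR_TCODES).
ROLE_TCODES = {
    "Z_SD_DISPLAY": {"VA03", "VL03N"},
    "Z_FF_NON_HR": {"SE38", "SE16", "SM37", "VA02"},
    "Z_FF_HR": {"PA20", "PA30"},
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_from: datetime
    valid_to: datetime


@dataclass(frozen=True)
class Usage:
    user: str
    tcode: str
    at: datetime


def parse_usage(line: str) -> Usage:
    """Parse one constructed STAD-like record: 'YYYY-MM-DD HH:MM USER TCODE'."""
    date, time, user, tcode = line.split()
    return Usage(user, tcode, datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"))


def roles_active(assignments, user, at):
    """Roles assigned to `user` whose validity period covers the instant `at`."""
    return {a.role for a in assignments
            if a.user == user and a.valid_from <= at <= a.valid_to}


def classify(assignments, usage):
    """Say where the authority for a transaction start came from.

    'regular'               : a non-firefighter role the user holds anyway
    'firefighter'           : only a firefighter role valid at that moment grants it
    'NOT IN ASSIGNED ROLES' : no assigned role explains it (e.g. the FF role had
                              already expired); this is the finding to follow up
    A transaction-level log cannot tell which table SE16/SE16N was used on;
    that needs STAD or SM20, as discussed elsewhere in the thread.
    """
    active = roles_active(assignments, usage.user, usage.at)
    granting = {r for r in active if usage.tcode in ROLE_TCODES.get(r, ())}
    if granting - FF_ROLES:
        return "regular"
    if granting & FF_ROLES:
        return "firefighter"
    return "NOT IN ASSIGNED ROLES"


def audit(assignments, usages):
    """Return {user: [(timestamp, tcode, classification), ...]} for every user
    who holds or held a firefighter role; everyone else is out of scope."""
    ff_users = {a.user for a in assignments if a.role in FF_ROLES}
    report = {u: [] for u in sorted(ff_users)}
    for u in sorted(usages, key=lambda x: x.at):
        if u.user in ff_users:
            report[u.user].append(
                (u.at.strftime("%Y-%m-%d %H:%M"), u.tcode, classify(assignments, u)))
    return report


def summary(report):
    """Per-user counts of each classification, for the manager's sign-off."""
    return {user: dict(Counter(c for _, _, c in rows)) for user, rows in report.items()}


def sample_assignments():
    """Constructed assignments: ALICE holds Z_FF_NON_HR for one working day only."""
    forever = datetime(9999, 12, 31)
    return [
        Assignment("ALICE", "Z_SD_DISPLAY", datetime(2024, 1, 1), forever),
        Assignment("ALICE", "Z_FF_NON_HR", datetime(2024, 3, 5, 8), datetime(2024, 3, 5, 18)),
        Assignment("BOB", "Z_SD_DISPLAY", datetime(2024, 1, 1), forever),
    ]


# Constructed usage log; the 19:30 SM37 start is after ALICE's FF role expired.
SAMPLE_LOG = """\
2024-03-05 09:10 ALICE VA03
2024-03-05 10:05 ALICE SE16
2024-03-05 10:20 ALICE SE38
2024-03-05 19:30 ALICE SM37
2024-03-05 11:00 BOB VA03
2024-03-05 11:30 ALICE VA02
"""


def build_report():
    usages = [parse_usage(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return audit(sample_assignments(), usages)


if __name__ == "__main__":
    rep = build_report()
    for user, rows in rep.items():
        print(f"Firefighter usage report for {user}: {summary(rep)[user]}")
        for when, tcode, cls in rows:
            print(f"  {when}  {tcode:<6} {cls}")
```

The precedence in classify is deliberate: a transaction that the user's regular roles already allow is reported as regular even while the firefighter role is active, so the manager only has to justify the starts that genuinely needed the elevated role, and anything that no assigned role explains is surfaced rather than silently counted as firefighter use.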
Can someone please describe me how fire fighter works
Thanks
The only actions that are recorded are those of the firefighter ID. The firefighter ID does not record any other actions for any other users.
A good example of what a fire fighter ID could be used for is Basis access. There are additional tasks that a Basis person is allowed to perform in a non-Production system versus a Production system (as I am sure you are aware). There are times though that he/she may need elevated access to perform a critical task. At that point the firefighter ID is accessed and their actions recorded.
As far as the type of access that you would assign, keeping with the same Basis person example, take a look at what you have defined for your Basis person(s) in your Production environment. Compare that access to what he/she has in QA (and/or Dev). The delta identified is the elevated access that may be required as baseline authorization for the firefighter ID. Of course this is only an example and you would have to tailor it to suit your requirements.
Documents emailed. -
Fire fighter security table download
Dear Experts,
After downloading the Fire fighter security table (/n/virsa/vfat -> Utilities -> Download), it can be opened in Excel and all the passwords can be seen. This is a potential risk in security and authorization. Kindly suggest whether there is any note or correction to get the data downloaded in encrypted form.
Or any other suggestions welcome please.
Thanks and Regards,
Shiju
Hello Shiju,
Just wanted to ask you what role (s) does the user have, who is downloading and changing the passwords. Are they standard SAP provided or are they custom?
Role "/VIRSA/VFAT_ROLE_ADMINISTRATOR" has access to "Export" the list and role "/VIRSA/Z_VFAT_ADMINISTRATOR" has access to "change" the password.
Also, in case you do not want the export function to be available to any user, you may choose not to use these SAP default roles for Firefighter but create your own roles and assign them to the users, where you can define the table maintenance for the "/VIRSA/ZVIRFFPWD" table so that it is not available to anyone, to restrict this.
Regards,
Hersh. -
Hello
On our SharePoint Foundation 2013 server approving Access Requests fails with "request approval failed" after pressing the approve button. The user is site administrator, site collection administrator and site owner.
In the ulsviewer we see the following error:
System.NotSupportedException: No data is available for encoding 1033. at System.Text.Encoding.GetEncodingRare(Int32 codepage) at System.Text.Encoding.GetEncoding(Int32 codepage) at Microsoft.SharePoint.Email.SPMailMessageHelper.GetSocialNotificationMailMessage(SPWeb
web, String senderAddress, String senderName, Boolean useSenderAddressAsFromAddress, String recipientAddress, CultureInfo recipientCulture, String subject, String sidebarHtml, String descriptionHtml, String customMessageHtml, List`1 embeddedAttachments)
at Microsoft.SharePoint.SPSharingEmailHelper.SendAccessRequestsEmail(SPCachedItemEventProperties eventProperties, SPUser sender, String message, SPUser recipient, String recipientEmailAddress, String strSubject, String body) at Microsoft.SharePoint.SPSharingEmailHelper.SendRequestorNotification(SPCachedItemEventProperties
eventProperties, String objRequestedTitle, SPUser reqByUser, SPUser reqForUser, String message, Boolean isMessageUpdate, Int32 status) at Microsoft.SharePoint.SPAccessRequestsOperationHandler.HandleStatusChangingToApprove(SPCachedItemEventProperties
properties, Int32 reqByUserId, Int32 reqForUserId, Int32 newStatus, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs) at Microsoft.SharePoint.SPAccessRequestsOperationHandler.HandleRequestStatusChanging(SPCachedItemEventProperties
properties, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs) at Microsoft.SharePoint.SPAccessRequestsOperationHandler.ItemUpdating(SPCachedItemEventProperties properties, SPUserCollection users, SPGroupCollection
groups, IEnumerable`1 roleDefs) at Microsoft.SharePoint.SPAccessRequests.UpdateItem(Int32 newStatus, SPUser reqFor, String convStr, String permType, Int32 permissionLevel, Boolean extendInvitation, String anonLinkType, SPList accReqList,
SPListItem item, SPUserCollection users, SPGroupCollection groups, IEnumerable`1 roleDefs) at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatusCore(Int32 newStatus, SPUser reqFor, String convStr, String permType, Int32 newPermissionLevel,
Boolean extendInvitation, String anonLinkType, SPList accReqList, SPListItem request) at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatus(Int32 itemId, Int32 newStatus, SPUser reqForUser, String convStr, String permType, Int32
permissionLevel, Boolean extendInvitation, String anonLinkType, SPWeb web) at Microsoft.SharePoint.SPAccessRequests.ChangeRequestStatus(Int32 itemId, Int32 newStatus, String convStr, String permType, Int32 permissionLevel)
at Microsoft.SharePoint.ServerStub.SPAccessRequestsServerStub.ChangeRequestStatus_MethodProxy(XmlNodeList xmlargs, ProxyContext proxyContext) at Microsoft.SharePoint.ServerStub.SPAccessRequestsServerStub.InvokeStaticMethod(String methodName,
XmlNodeList xmlargs, ProxyContext proxyContext, Boolean& isVoid) at Microsoft.SharePoint.Client.ServerStub.InvokeStaticMethodWithMonitoredScope(String methodName, XmlNodeList args, ProxyContext proxyContext, Boolean& isVoid)
at Microsoft.SharePoint.Client.ClientMethodsProcessor.InvokeStaticMethod(String typeId, String methodName, XmlNodeList xmlargs, Boolean& isVoid) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStaticMethod(XmlElement
xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessOne(XmlElement xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.ProcessStatements(XmlNode xe) at Microsoft.SharePoint.Client.ClientMethodsProcessor.Process() 449c7b9c-6cec-f09a-9792-3d76c4d7e351
The server is running on an English Windows 2012 Server and also the English version of SharePoint Foundation 2013 with the June 2013 CU.
We see exactly the same error when add users to a group with the option "Send an email invitation" enabled.
Any ideas what could cause this problems?
Regards,
Reinhard
Hi Reinhard,
According to your error message, it says that no data is available after encoding the social notification mail message. It should be caused by the E-Mail encoding setting.
For troubleshooting your issue, please check the character set of your E-Mail Settings:
Verify that the user account that is performing this procedure is a member of the Farm Administrators group.
On the Central Administration Home page, click System Settings.
On the System Settings page, in the E-Mail and Text Messages(SMS) section, click Configure outgoing e-mail settings.
On the Outgoing E-Mail Settings page, make sure the Character set setting is 65001 (Unicode UTF-8).
Best Regards,
Eric
Eric Tao
TechNet Community Support -
User Management - How to submit Additional Access Request on behalf of employee
User Management - how can we configure "Access Requests" so that Managers can submit Additional Access Requests, or Initial Access Requests on behalf of employee?
Have looked at "Manage Proxies" but this seems to allow access to everything - not ideal
Please assist with knowledge and/or experience
Many Thanks
Me
Additional Access Request Registration Process is complete
Giving access to User Management to users is not an option.
What I would like is the scenario below - is this achievable?
When employee goes to iProcurement > Preferences > Access Requests > Request Access | they can submit an access request on behalf of themselves.
Would like an option where a manager, navigates to same UI as above, has option to choose a subordinate, and request additional access on their behalf
The table UMX_REG_REQUESTS has columns REQUESTED_FOR_USER_ID & REQUESTED_BY_USER_ID - so it seems they don't have to be same person (manager can submit request on behalf of an employee)
Can this be achieved through UI for "Access Requests"? -
HOW TO CONFIGURE MANAGER or APPROVER USER IN ACCESS REQUEST MANAGEMENT TO APPROVE OR REJECT REQUEST
hi sap gurus,
i configured grc 10 system successfully. I created one user: GR_AR_APP001 and assign following roles:
SAP_GRAC_ACCESS_APPROVER
SAP_GRAC_ACCESS_REQUEST_ADMIN
SAP_GRC_FN_BASE
SAP_GRC_FN_BUSINESS_USER
and I maintained GR_AR_APP001 in access control owners as "POINT OF CONTACT", "SECURITY LEAD" and "WORKFLOW ADMINISTRATOR"
but when i am creating access request for new user and defining MANAGER under user details tab as GR_AR_APP001.
the user GR_AR_APP001 is not receiving any request for APPROVE or REJECT in his WORK INBOX.
can u please guide me how to configure APPROVER or MANAGER to approve or reject request.
I will be very much thankful if you guide me successfully.
Hi Colleen,
thanks a lot for your time.
PIC1: I created one user: GR_AR_APP001
and assigned all the GRC ROLES.
PIC2: I assigned owner type to GR_AR_APP001 user : POINT OF CONTACT, SECURITY LEAD and WORKFLOW ADMINISTRATOR in NWBC ACCESS CONTROL OWNERS
PIC3: I created one EUP 980 (copied from default EUP)
PIC4: I maintained default manager as GR_AR_APP001 user in 980 EUP
PIC5: I selected SAP_GRAC_ACCESS_REQUEST process id
PIC6: I created one agent id as ZGRAC_MANAGER11 in which I added approver user id: GR_AR_APP001
PIC7: I saved agent id
PIC8: I added agent id as ZGRAC_MANAGER11 in stage5 in manager stage.
PIC9: I saved
PIC10: I maintained EUP 980 (in which I configured manager as GR_AR_APP001 user) in stage 5 task settings
PIC11: Maintain Route Mapping, I clicked on next
PIC12 and PIC13: I saved and activated.
After this process I created one request for new account and selected the manager as GR_AR_APP001 and one request is created with request no 9000000030.
now I logged into system by user GR_AR_APP001 and checked, there is no request under his work inbox.
please guide me at least one procedure, how to receive request in approver work inbox so that I can learn other procedures to configure approver as per our organization requirement.
thanks for your support Colleen. -
I am site collection administrator and have configured the outgoing email in Central administration but "Access Request and invitations" link is missing, pl advice any additional configurations for this link to show up
I was though able to configure access requests by going to Site Settings->Users and permission and on the ribbon selected "Access Request Settings"
What is the difference in either of the approaches?
Thanks
Abhishek
Hi there,
I noticed this post, and didn't really find an appropriate solution to your issue. I noticed the same issue when dealing with Access Requests. First of all, to make sure that the Request feature is enabled, you need to access
Site Settings -> Site Permissions -> Access Request Settings -> Make sure the
'Allow access requests' option is enabled.
The Allow access screen just allows you to enable the feature and also to specify a email address that notifications are sent to. Whereas the 'Access Requests and Invitations' section provides a screen to manage Access Requests and request history.
I noticed then that the Access Requests and Invitations link under 'Users and Permissions' didn't actually appear until someone actually requested to join the site. It seems that this is needed to display the screen. Once actioned once, the option stays there.
Hope it helps