Firefighter Configuration

Hi Experts,
For Firefighter configuration, do we need to define all the parameters with a YES or NO value, or can we leave out the ones which we don't require? E.g. "Assign FF Roles Instead of FF IDs" - we don't need this, so do we still need to make an entry for this parameter with value NO?
What if we define both the parameters "Send Log Report Execution Notification" and "Send Log Report Execution Notification Immediately"?
FF reads the CDHDR table for the changes; how can we find out which changes would be covered in that - I mean, will RFC connection creation, deletion and change be recorded?
Thanks
Davinder

Hello Davinder,
For the particular parameter you mentioned in this post, "Assign FF Roles Instead of FF IDs", the default value is NO.
By default the table logging is ON for most of the tables but not all. For those tables for which table logging is not ON the data will not be captured in STAD and thus will not be fetched by firefighter.
You can contact your basis admin to check if table logging is ON for a particular table or not. If the operation you performed did not get captured in STAD then the table logging for that table might not be active.
Regarding the 2 parameters "Send Log Report Execution Notification" and "Send Log Report Execution Notification Immediately" you can refer to the information available in the configuration guide of AC5.3. Here is what these are all about:
1. Send Log Report Execution Notification - This parameter specifies whether log reports that contain information about Firefighter activity are emailed to controllers. If you set this to YES, then the report will be sent to controller otherwise if you set this one to NO then the report will not be sent at all.
2. Send Log Report Execution Notification Immediately - This option specifies whether the log reports are sent to the controllers as soon as the background job (/VIRSA/ZVFATBAK) is executed or at a predefined date and time. To send log report email notifications to the controller inboxes as soon as the /VIRSA/ZVFATBAK job runs, set this parameter to Yes. If you plan to receive the job at regular intervals, schedule the job /VIRSA/ZVFAT_LOG_REPORT at regular intervals, and set this parameter to No.
Regards,
Varun

Similar Messages

  • Firefighter Configuration - FF Owner should not change the configuration

    Hello Experts,
    We have requirement to restrict Firefighter configuration changes only to Firefighter Administrators.
    1. Restricting Firefighters to make any changes in Firefighter Configuration -- SAP Note 1101665 Superuser Security Role Modifies Tables - Successfully Achieved.
    2. Restricting Firefighter ID Owners (having /VIRSA/Z_VFAT_ID_OWNER) to make any changes in Firefighter Configuration --> Need your inputs on how to achieve this.
    We want that Firefighter ID Owners can only assign the FFID to Firefighters and assign a new controller only, but no following should be allowed to Firefighter Owners -->
    a. Creating a new owner for a FFID.
    b. Changing Firefighter configuration.
    c. Creating or changing Reason Codes.
    And which role should be assigned to Firefighter ID Controller?
    Looking forward to hear from your experiences.
    Thanks & Regards
    Davinderpal Singh

    Thanks Alpesh and Simon for your valuable inputs.
    My observations are, if you assign Firefighter Owner and Controller role only, then user is not able to make any configuration change, Reason Code change, etc, etc - behaviour is as expected.
    And in our case, this problem is coming as FF owners/controllers have been assigned few other roles/profiles which seems to override the authorisations of FF owner role and allow changes in FF configuration.
    Now searching through each of these roles/profiles for extra set of authorisation objects is a huge security job.
    And we don't have much experience in Security - so as per your experiences what should be the best way to restrict FF owners to not make any change in FF configurations, without removing existing roles/profiles ( as we don't know what all would be removed if we remove all of these roles).
    Is it possible to specify a condition/check so that if a user has been assigned FF owner role, in spite of whatever extra permission he has - he should not be able to make configuration changes - please bear with me if I am expecting too much over here.
    Which authorisation objects controls FF configurations changes?
    Best Regards
    Davinderpal Singh

  • Firefighter Logs storage location and size in GRC AC 5.3

    Hello Gurus,
    We are working on Firefighter configuration and are totally confused with following questions, appreciate if someone can show the light here :
    Where does the Firefighter logs stored - in backend or frontend or both? Can we check the size of existing Firefighter logs.
    Is there any mechanism to find out the approximate space requirement for Firefighter usage (based on number of firefighter id and number of transactions executed per day).
    Thanks
    Davinder

    D P,
      The logs are stored in the backend SAP system. I have not seen any space requirement for FF. You can take a look at the sizing guide for AC 5.3 and you may find some useful information.
    Regards,
    Alpesh

  • In FireFighter ID after logged in, can Reason and OR Activity screen be mand

    Hello All,
    for Tcode = /VIRSA/VFAT - Firefighter
        Please help, someone with SAP FireFighter ids experience.
    Once a user logged in as a FireFighter in the Compliance Calibrator, screen pop up asking to enter Reason and Activity need to be performed before a User can take any action or can go any further.
    My question is that, is there any way under FireFighter configuration or so that, the Reason / Activity field can be mandatory?
    Because in our environment most of the users are not entering Reason or Activity they are performing
    please if you know the answer, let me know ASAP.
    Thanks in advance!!!
    Syd.

    Hi Syd,
    I've verified further and find that you can implement text field restrictions in /VIRSA/ZVFAT ABAP program. Check for the below lines:
    data : desc(128), desc1(128), comment(255).
    **Reason And Activity
    data : it_reason like /virsa/reason occurs 0 with header line,
           it_activity like /virsa/activity occurs 0 with header line,
           it_thead like thead,
           it_thead1 like thead,
           it_line like tline occurs 0 with header line,
           it_line1 like tline occurs 0 with header line.
    data : rcode like /virsa/zffrcd-rcode.
    data: t_path1 type string.
    Your ABAPer is the best person to implement this restriction
    Regards,
    Raghu

  • How do I lock GRC Production system to prevent any configuration changes.

    1. For GRC AC SPM: Does SCC4 client lock setting prevent FireFighter configuration lock too ?
    2. Is there a role or list of actions which would allow someone to make configuration changes in the Java modules (CUP, ERM & RAR)

    You can make your life easy with a test system and try it.
    Designing controls for something which has not been tested by you, yet someone called Julius made claims about it on the internet, is not a correct approach. Sorry, just being honest.
    But if you do want to go about it the hard way, then use SE11 to display the delivery classes of the tables and SOBJ to check the views for permitted "current settings" flags. If views have not been used, then you need to check the code which updates the tables directly, but if I remember correctly these are maintenance views.
    Cheers,
    Julius

  • Fire Fighter Mail Notification

    Hi Gurus,
    I have an issue with fire fighter... If I am not wrong, when I add a firefighter id to a user id, it should send a mail to the Fire Fighter controller and owner with a link to approve, and then they approve the access, then it will send the user access to the user. The above process is not happening with the fire fighter we are using.
    The fire fighter owner and controller are just getting the logs...Please let me know how to config the initial mail notification.
    Thanks in advance
    Guru

    Hello Guru,
    When a user probably a Security Administrator assigns Firefighter ID to a Firefighter User there is no such provision of automated e-mail notification in Access Controls 5.2 - Firefighter SP level 5 with Patch 1. Which is at the moment latest available on SAP service market place.
    But you can take it another way. If you have an Honour of using Access Enforcer then you can create a dedicated workflow for Firefighter ID assignment. Where you can define different stages and approvers for all scenarios. Also this way you can intimate the requestor and approver about the status.
    In role expert, you can automate the default Virsa Firefighter, Owner, Administrator and controller roles for users.
    Still there is no such automated functionality which can let you automatically add users to Virsa Firefighter configuration tables and send an e-mail.
    What you can do is, after the approval of the firefighterID assignment your security guy can manually add users to these considered tables and finish the AE workflow notifying all the approvers and requestor.
    I hope i touched the whole scenario.
    If you still have doubts, let me know.
    Thanks & Regards,
    Amol Bharti

  • Will FireFighter send a report to the Controller if no activity was done?

    We have our FF system set up to send out a log report each night to the Controllers.  If someone logs into their FFID and then immediately exits back out without doing anything, will the nightly email job (pgm /virsa/zvfat_log_report) report this FF session?
    We are on GRC 5.3 SP13.
    Thanks.

    Hi Bob,
    Firefighter will have 3 types of logs:
    1. Session
    2. Transaction
    3. Change data.
    The answer for your question is a big Yes.
    The FF session (Login/Logout) report will be still sent even though user hasn't performed any thing. However, if user executes any transactions, it will be captured by the transaction log.
    Change data is when any changes made to the configuration.
    Hope this clarifies.
    Regards,
    Raghu

  • Runtime Error Firefighter log in GRC 10.0

    When logging into the AC system with a firefighter user the system generates the following runtime error:
    Runtime Errors         OBJECTS_OBJREF_NOT_ASSIGNED_NO
    Except.                CX_SY_REF_IS_INITIAL
    ABAP Program           CL_GRAC_AD_ACCESS_MGMT========CP
    Error analysis
         An exception occurred that is explained in detail below.
         The exception, which is assigned to class 'CX_SY_REF_IS_INITIAL', was not
          caught in
         procedure "RESET_USR_PWD" "(METHOD)", nor was it propagated by a RAISING
          clause.
         Since the caller of the procedure could not have anticipated that the
         exception would occur, the current program is terminated.
         The reason for the exception is:
         You attempted to use a 'NULL' object reference (points to 'nothing')
         access a component.
         An object reference must point to an object (an instance of a class)
         before it can be used to access components.
         Either the reference was never set or it was set to 'NULL' using the
         CLEAR statement.
    This problem should be solved with SAP Note 1591209 or with SP5. We are currently on SP5 and are using:
    GRCPINV - V1000_800 (SAP-10305INGRCPINW) & GRCFND_A - V1000 (SAPK-V1005INGRCFNDA).
    In these software packages the error messages should be resolved, but unfortunately the error remains.
    I have checked the (RFC) users / RFC connection and repository synch. already.
    Does anyone know what more needs to be done here?
    Us
    Thanx in advance.

    Simon,
    Thanx for the quick reply!
    All the configuration has been done according to the manuals and using same functionality/method as in vs. 5.3.
    I configured the following elements:
    - RFC users with the correct RFC role from the new security guide.
    - RFC connections from AC system to back end and back end to AC system. Used the earlier created GRC RFC users with creating the RFC connections.
    - Configured and tested (with success) the SMTP settings in the AC system.
    - Created the Controller (and also owner) user in the AC system and configured the user master data with an email address.
    - Connected the controller / owner to the firefighter and firefighter ID with Tx NWBC.
    - Configuration settings for the SUPMG module have been done with Tx SPRO.
    - Walked through all the settings in SPRO concerning 'connectors' and checked and confirmed that the connector is pointing at the back end system.
    Did I forget anything?

  • GRC 10 EAM - Unable to assign Firefighter roles to owners

    Greetings SAP gurus,
    I am currently on a new GRC 10 installation and having issues with the Emergency Access Management (EAM) component previously known as FireFighter or SPM.  Note: We are trying to implement the Firefighter "Role-Based" Approach.
    Issue: We are unable to assign EAM roles to owners within NWBC. Click on 'Assign owners to Firefighter ID's and provision Firefighter ID's to firefighters' via the Access Management Tab within NWBC, option Superuser Assignment. Click on Assign.  We are able to find the owners, but when I search for roles to assign, I get the error, 'No records found for the search criteria entered'.
    We are on SP7.
    Items completed:
    1) All post installation tasks were completed correctly, i.e. BC sets activated, connector groups created and working.
    2) EAM roles created on target system and imported via BRM.
    3) EAM role properties edited for "Firefighting" usage in BRM, role owners defined, functional areas defined, business process and sub process areas defined.
    4) Access control owners (i.e. role owners and controllers) defined.
    5) The ID being used for configuration is currently assigned all GRC_NWBC roles available.
    6) The connector groups are working fine and we are using for the Access risk Analysis component which is working fine.
    7) The post EAM configuration steps has been completed.
    Has anyone else experienced a similar issue?  I look forward to your responses.
    Rgds,
    Prevlin Moodley

    Hello Prevlin,
    Are you using a FF role owner for the assignment. This might be helpful:
    Note 1289579 - Firefighter Owner additional authorization for Role based FF: https://service.sap.com/sap/support/notes/1289579
    Cheers,
    Diego.

  • Role Based FireFighter

    Greetings All,
    We are doing SAP GRC Access Control implementation in our company. We have Modulewise Master Roles working as firefighter Roles. In emergency we assign it to a user for 24 hours. Now when we are implementing FireFighter we want to keep existing Role Model but use the functionality of FF. Has anyone gone through this scenario? Do let me know the steps we need to configure the existing model with new FF Model and AE.
    Thanks in advance,
    Regards,
    Sabita Das

    Try Firefighter roles instead of Firefighter users.
    FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.
    FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time a request for the FF role through AE (the request could go through a separate workflow path) and the request will be approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc... An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided instead of the 24/7 master data set-up in the original Firefighter process.
    When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role-based Firefighter, all activities are performed and recorded under the user's normal user ID.
    The Firefighter does not need to "check-out" a Firefighter ID the access is on their normal user ID.
    The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.

  • Firefighter doesnt start

    Hi guys,
    I need your help regarding firefighter aka SPM 5.3.
    I have just finished configuring the firefighter but the firefighter user doesn't pop up. When I try to log into the firefighter user with my assigned firefighter ID and enter a reason code and possible activities and press "choose" nothing happens.
    The role that is assigned to my user is /VIRSA/Z_VFAT_FIREFIGHTER and I removed the RFC destination according to note 1143955.
    The configuration of SPM 5.3 looks like this:
    Send Firefighter Login Notification Immediately    YES
    Assign FF Roles Instead of FF IDs                  NO
    Remote Function Call                               M03
    Any help for solving this issue is greatly appreciated.
    Thanx,
    Max

    I solved this problem by myself ... the firefighter user was defined as a system user and I changed it to Dialogue user !
    CU
    Max

  • Firefighter - assign FF roles Instead of FF IDs

    Hi all, I'm trying to configure SAP FF using Roles instead of FF IDs.
    A problem occurs while defining Firefighters:
    "You are not defined as Owner for the Firefighter Role"
    The problem is that the user is already defined as the owner of the role i'm trying to assign.
    Any help is accepted.
    Regards...

    When I use the report view log as FF admin user I don't see anything in the spool (sp01)
    attached example spool
    FireFightID  Date        Time      Server Name    Transaction Code  Program/Report
    -?-          19.06.2008  14:57:03  MTESAP_PRD_01                    SAPMSYST
    -?-          19.06.2008  14:57:09  MTESAP_PRD_01                    Login_Pw
    could you help me, please?
    Regards
    Sara

  • Firefighter IDs Not Populating in GRC 10

    We're having an issue getting the firefighter IDs to populate in GRC 10.
    We have:
    1) Configured the integration scenario 'SUPMG' in GRC system (SPRO - Governance, Risk and Compliance - Common Component Settings - Integration Framework - Maintain Connection Settings)
    2) Added 'SAP' connection type, 'CL_GRAC_AD_SUPER_USER_RFC' class/interface under 'Scenario-Connection Type Link' for integration scenario 'SUPMG'
    2) Configured the 'Target Connectors' under the 'SUPMG' scenario
    3) Verified that the superuser firefighter role 'SAP_GRAC_SPM_FFID' is configured under parameter 4010 (SPRO - Governance, Risk and Compliance - Access Control - Maintain Configuration Settings)
    4) Verified that the superuser firefighter role exists in the target system and that full authorizations have been added and generated for 'S_RFC' authorization object
    5) Created a firefighter ID in the target system, setting the user type = 'Service' and assigning the superuser firefighter role to the user ID
    6) Executed the 'GRAC_AUTH_SYNC', 'GRAC_REP_OBJ_SYNC', 'GRAC_ROLEREP_USER_SYNC' and 'GRAC_ROLEREP_ROLE_SYNC' for target system
    I've read that the 'SAP_GRAC_SPM_FFID' (or custom variation) role needs to exist in both the GRC and target system.  It currently exists in the target system but not in the GRC system.  Is this step necessary?
    Other than that, we can't figure out why the firefighter IDs would not be populating in GRC?!?
    Any insight would be appreciated.  Thanks!

    Hi Parag,
    Please check this blog post which gives you clear idea about all the details required for your EAM configuration.
    http://scn.sap.com/community/grc/blog/2014/01/16/de-centralized-eam-grc-100
    Regards,
    Madhu.

  • How to create a "Firefighter" type role when we do not have GRC

    I am just looking for advice or input on this situation.
    Currently my company does not have GRC or any other type of software that will allow for automated Firefighter type access and apparently there are no plans in the near future to purchase anything.
    Our current process of creating a very powerful role to sign out to users on a case by case basis for a 24 hour period is not working and is getting out of hand.
    I have been tasked with coming up with a better solution and they want me to build multiple roles for emergency access based on business area. Since there are thousands of transaction codes in SAP I find this to be a rather daunting task. My question is this...would it be a really bad idea to build say a Finance emergency role with F* in s_tcode and full access? I realize that there are more Finance codes that do not start with F but I am really just looking for input.
    Has anyone else faced this situation and how did you approach it?
    If someone out there has done this and could provide me with sample roles, that would be great.
    Any help or advice is greatly appreciated.
    Thanks
    Bobbi

    Hi Bobbi
    There are couple of ways I did it in my previous customers. I am guessing you need these roles during Go-Live and Production Support
    1. Create FF roles by business Process ( OTC, RTR etc) or Module wise. Get hold of the respective Functional people and ask them the nodes in SPRO Tcode what they think should be there for those FF roles. Then create those roles accordingly. Remove the Basis / Security admin tcodes and make 03 where-ever necessary.
    2. Another way of doing it is you might already have global roles for different modules / business processes. So identify the roles that are best suited for the FF roles and during Go-Live/ Prod Support. Group them and may be create composite roles for those Global single roles
    You might need FF roles for Transactional access and Configuration Access.
    Transactional FFID: FFID with change access to business transactions of the stream/function. (Can use the create/change access roles built for end users)
    Configuration FFID: FFID for any manual config's to be performed directly in production and cannot/may not be transported (ex: number ranges)
    There should be process for giving the FF roles and proper approval. Appropriate role owners should be identified for these roles who will give approval
    Hope this helps
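
The wildcard question raised in this thread (F* in S_TCODE) can be checked before the role is built. The following is an added example, not code from the thread: it expands S_TCODE-style patterns against a transaction list and reports conflicting functions and required codes the pattern misses. The transaction sample, function labels and conflict rules are constructed assumptions; a real review would load the system's own transaction list and the organisation's rule set.

```python
import re

# Constructed sample catalogue: transaction code -> business function label.
# The labels are assumptions made for this example.
TCODES = {
    "FB01": "post_document",
    "FB60": "post_vendor_invoice",
    "F110": "payment_run",
    "F-53": "post_outgoing_payment",
    "FK01": "maintain_vendor",
    "FK02": "maintain_vendor",
    "FS00": "maintain_gl_account",
    "FBL1N": "display_vendor_items",
    "OB52": "open_close_posting_periods",
    "XK01": "maintain_vendor",
    "ME21N": "create_purchase_order",
}

# Constructed segregation-of-duties rules: function pairs that one role
# should not grant together.
SOD_RULES = [
    ("maintain_vendor", "payment_run"),
    ("maintain_vendor", "post_vendor_invoice"),
    ("post_vendor_invoice", "payment_run"),
]


def _matches(pattern, tcode):
    """Match one S_TCODE-style value: '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, tcode) is not None


def expand(patterns, catalogue=TCODES):
    """Return every catalogue transaction the role's patterns would grant."""
    return sorted(t for t in catalogue if any(_matches(p, t) for p in patterns))


def conflicts(patterns, catalogue=TCODES, rules=SOD_RULES):
    """Return the rules whose two functions are both granted by the patterns."""
    granted = {catalogue[t] for t in expand(patterns, catalogue)}
    return [rule for rule in rules if rule[0] in granted and rule[1] in granted]


def uncovered(patterns, required, catalogue=TCODES):
    """Return required transactions the patterns do not grant."""
    granted = set(expand(patterns, catalogue))
    return sorted(t for t in required if t not in granted)


def review(patterns, required):
    """Summarise one candidate role definition."""
    return {
        "granted": expand(patterns),
        "conflicts": conflicts(patterns),
        "uncovered": uncovered(patterns, required),
    }


if __name__ == "__main__":
    # Transactions the finance emergency role is actually meant to cover
    # (constructed requirement list).
    needed = ["FB60", "FBL1N", "OB52"]
    for name, patterns in (
        ("wildcard role", ["F*"]),
        ("explicit role", ["FB60", "FBL1N", "OB52"]),
    ):
        print(name, review(patterns, needed))
```
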

  • Logs of FireFighter user dont sync

    Hi experts,
    I need to obtain the logs of emergency users from the backend system. For this reason, I execute the program GRAC_SPM_LOG_SYNC in SE38.
    The program runs with error: "LOAD_PROGRAM_NOT FOUND"
    Thanks and regards.
    Claudio

    Hi Claudio,
    The reports available for log collection and log notifications are:
    (1) GRAC_SPM_LOG_SYNC_UPDATE: This Report is used for log collection and if the configuration parameter 4007 in SPRO is set to YES, then this will send the log notifications also.
    (2) GRAC_SPM_LOG_UPDATE: This Report is internally called in GRAC_SPM_LOG_SYNC_UPDATE to collect logs for Firefighter IDs when application type (configuration parameter 4000) is 1.
    (3) GRAC_SPM_LOG_UPDATE_ROLE: This Report is internally called in GRAC_SPM_LOG_SYNC_UPDATE to collect logs for Firefighter Roles when application type (configuration parameter 4000) is 2.
    (4) GRAC_SPM_WORKFLOW_SYNC: When the configuration parameter 4007 is set to No i.e. the log notifications are not sent immediately when the logs are updated, then this report is used to let the notifications scheduled at specific time whenever required.
    Note: GRAC_SPM_LOG_SYNC report is an old report and should not be used for log collection.
    Regards,
    Madhu.
