Firefighter on BW

Hi,
Can Firefighter be installed on a BW box? Are there any limitations to this?
Thank you,
Erin

Dear Erin,
Prerequisites for VIRSA Fire Fighter:
• SAP WAS (Web Application Server) 6.40 SP9 or above with J2EE stack (ABAP stack is optional)
• Java Runtime Environment = JRE version 1.4.02_09 or above
• Optimum Memory Settings so that no out of memory condition is encountered during installation.
• SAP database must exist.
• UME must be installed and configured.
• SAP IGS (Internet Graphics Server) ver. 640 and above.
SAP GRC Access Control consists of the core Java module as well as one or more RTAs that allow it to communicate to the target application. Where real time isn’t feasible or desired, an offline file extraction (EXT) can be used. One centralized rule set within the GRC repository allows the application to analyze access and authorization risks across the enterprise, for a wide range of enterprise software systems and essential business processes.
These are some of the SAP NetWeaver components and services used by SAP GRC Access Control:
• SAP user-management engine component (UME) – Contains user and authorization information for Java applications running on the Java application server of SAP NetWeaver. User data (user accounts, authorization, and access data and permissions) for SAP GRC Access Control comes from the SAP user-management engine, and user access to SAP GRC Access Control is controlled by the user-management engine.
• SAP NetWeaver Business Intelligence (SAP NetWeaver BI) component – Optionally provides additional reporting functionality that goes beyond the extensive list of built-in reports (ideal for complex custom reporting and analysis)
• SAP NetWeaver Exchange Infrastructure (SAP NetWeaver XI) component – Optionally provides the Web services infrastructure for applications that could utilize the Web services exposed by SAP NetWeaver
SAP GRC Access Control uses SAP NetWeaver XI to call Web services of other applications. For example, a customer’s custom and legacy applications may expose Web services to provide user and authorization information that needs to be analyzed for SoD violations.
Regards,
Naveen.

Similar Messages

  • Will FireFighter send a report to the Controller if no activity was done?

    We have our FF system set up to send out a log report each night to the Controllers.  If someone logs into their FFID and then immediately exits back out without doing anything, will the nightly email job (pgm /virsa/zvfat_log_report) report this FF session?
    We are on GRC 5.3 SP13.
    Thanks.

    Hi Bob,
    Firefighter will have 3 types of logs:
    1. Session
    2. Transaction
    3. Change data.
    The answer for your question is a big Yes.
    The FF session (Login/Logout) report will still be sent even though the user hasn't performed anything. However, if the user executes any transactions, it will be captured by the transaction log.
    Change data is when any changes made to the configuration.
    Hope this clarifies.
    Regards,
    Raghu

  • Is there a way to mass update or replace the SPM Firefighter IDs table?

    We are upgrading from GRC 5.2 to 5.3.  In 5.3 FF/SPM has added an Owners field to the FF ID table (/virsa/zffusers), which is apparently a required field because I keep getting a "Invalid Firefighter ID Owner" error when I try to look at the table.
    Is there a way to mass update, or perhaps import/replace, this table?  I am having problems trying to update this table thru the FF table screen.  When I go to save my changes, it will return the above error because not all of the FFID records have an assignment in this new Owners field.  We have over 160 FFIDs, so I can't change all of the records at the same time.  I can only get about 20 per screen and it will return that error again when I try to page forward.
    Thanks.

    Hi Bob,
    that is perfectly possible - did it a few times already.
    Export the table from within Firefighter, download the owners table (sorry, need to look up the name tomorrow - but you can't miss it), then add the owners through an Excel vlookup. Then re-import the table in Firefighter, and you're set.
    I'm at home right now - if you have difficulties getting this done shoot me a message tomorrow and I'll send you more details.
    Frank.

  • Runtime Error Firefighter log in GRC 10.0

    When logging into the AC system with a firefighter user the system generates the following runtime error:
    Runtime Errors         OBJECTS_OBJREF_NOT_ASSIGNED_NO
    Except.                CX_SY_REF_IS_INITIAL
    ABAP Program           CL_GRAC_AD_ACCESS_MGMT========CP
    Error analysis
         An exception occurred that is explained in detail below.
         The exception, which is assigned to class 'CX_SY_REF_IS_INITIAL', was not
          caught in
         procedure "RESET_USR_PWD" "(METHOD)", nor was it propagated by a RAISING
          clause.
         Since the caller of the procedure could not have anticipated that the
         exception would occur, the current program is terminated.
         The reason for the exception is:
         You attempted to use a 'NULL' object reference (points to 'nothing')
         access a component.
         An object reference must point to an object (an instance of a class)
         before it can be used to access components.
         Either the reference was never set or it was set to 'NULL' using the
         CLEAR statement.
    This problem should be solved with SAP Note 1591209 or with SP5. We are currently on SP5 and are using:
    GRCPINV - V1000_800 (SAP-10305INGRCPINW) & GRCFND_A - V1000 (SAPK-V1005INGRCFNDA).
    In these software packages the error messages should be resolved, but unfortunately the error remains.
    I have checked the (RFC) users / RFC connection and repository synch. already.
    Does anyone know what more needs to be done here?
    Us
    Thanx in advance.

    Simon,
    Thanx for the quick reply!
    All the configuration has been done according to the manuals and using same functionality/method as in vs. 5.3.
    I configured the following elements:
    - RFC users with the correct RFC role from the new security guide.
    - RFC connections from AC system to back end and back end to AC system. Used the earlier created GRC RFC users when creating the RFC connections.
    - Configured and tested (with success) the SMTP settings in the AC system.
    - Created the Controller (and also owner) user in the AC system and configured the user master data with an email address.
    - Connected the controller / owner to the firefighter and firefighter ID with Tx NWBC.
    - Configuration settings for the SUPMG module have been done with Tx SPRO.
    - Walked through all the settings in SPRO concerning 'connectors' and checked and confirmed that the connector is pointing at the back end system.
    Did I forget anything?

  • Role Based FireFighter with GRC 10.0 (CEA)

    Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
    The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?

    Good question, and the answer is not pretty.
    In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
    Reporting turns on when the user runs a transaction in the firefighter role.
    If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
    The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
    If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

  • Firefighter Logs storage location and size in GRC AC 5.3

    Hello Gurus,
    We are working on Firefighter configuration and are totally confused with following questions, appreciate if someone can show the light here :
    Where are the Firefighter logs stored - in backend or frontend or both? Can we check the size of existing Firefighter logs?
    Is there any mechanism to find out the approximate space requirement for Firefighter usage (based on number of firefighter id and number of transactions executed per day).
    Thanks
    Davinder

    D P,
      The logs are stored in the backend SAP system. I have not seen any space requirement for FF. You can take a look at the sizing guide for AC 5.3 and you may find some useful information.
    Regards,
    Alpesh

  • GRC10 Firefighter - Role-based & ID-based

    GRC Gurus,
    I am looking for a solution or at least theoretical discussion about a scenario in which GRC 10 system is connected to more than 1 target system and in one system I want to use FFID-based option whereas in other system it is FF-Role based. For example, in a system where all the users are logging in through SAP GUI, it will be better to have FFID-based firefighter whereas in system where most of the users are logging in through portal it will be better to have role-based firefighter. Under GRC 5.3 it was pretty simple as RTAs were independent in each separate system but in GRC10 since type of firefighter is controlled by single parameter, what will be a way to implement such hybrid approach?
    Regards,
    Shivraj

    Thanks Anji,
    Thanks for the response, I am aware of the 4000 situation, I was just wondering if someone has figured out any workaround for this. Because otherwise, it is a step backward for new version as under 5.3, systems could have been on different setups whereas under GRC10 that is not possible.
    Regards,
    Shivraj Singh

  • GRC 10 EAM - Unable to assign Firefighter roles to owners

    Greetings SAP gurus,
    I am currently on a new GRC 10 installation and having issues with the Emergency Access Management (EAM) component previously known as FireFighter or SPM.  Note: We are trying to implement the Firefighter "Role-Based" Approach.
    Issue: We are unable to assign EAM roles to owners within NWBC. Click on 'Assign owners to Firefighter ID's and provision Firefighter ID's to firefighters' via the Access Management Tab within NWBC, option Superuser Assignment. Click on Assign.  We are able to find the owners, but when I search for roles to assign, I get the error, 'No records found for the search criteria entered'.
    We are on SP7.
    Items completed:
    1) All post installation tasks were completed correctly, i.e. BC sets activated, connector groups created and working.
    2) EAM roles created on target system and imported via BRM.
    3) EAM role properties edited for 'Firefighting' usage in BRM, role owners defined, functional areas defined, business process and sub process areas defined.
    4) Access control owners (i.e. role owners and controllers) defined.
    5) The ID being used for configuration is currently assigned all GRC_NWBC roles available.
    6) The connector groups are working fine and we are using for the Access risk Analysis component which is working fine.
    7) The post EAM configuration steps has been completed.
    Has anyone else experienced a similar issue?  I look forward to your responses.
    Rgds,
    Prevlin Moodley

    Hello Prevlin,
    Are you using a FF role owner for the assignment. This might be helpful:
    Note 1289579 - Firefighter Owner additional authorization for Role based FF (https://service.sap.com/sap/support/notes/1289579)
    Cheers,
    Diego.

  • Role Based FireFighter

    Greetings All,
    We are doing SAP GRC Access Control implementation in our company. We have Modulewise Master Roles working as firefighter Roles. In emergency we assign it to a user for 24 hours. Now when we are implementing FireFighter we want to keep existing Role Model but use the functionality of FF. Has anyone gone through this scenario? Do let me know the steps we need to configure the existing model with new FF Model and AE.
    Thanks in advance,
    Regards,
    Sabita Das

    Try Firefighter roles instead of Firefighter users.
    FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.
    FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time a request for the FF role through AE (the request could go through a separate workflow path) and the request will be approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc... An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided instead of the 24/7 master data set-up in the original Firefighter process.
    When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role-based Firefighter, all activities are performed and recorded under the user's normal user ID.
    The Firefighter does not need to "check-out" a Firefighter ID the access is on their normal user ID.
    The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.
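The split-identity risk described in the answer above (one half of an SoD conflict on the user's own ID, the other half on a Firefighter ID) can be checked by attributing Firefighter ID activity back to the person who held the ID at that time. This is an added example, not part of the original thread or of any SAP tool; the log layouts, user names, Firefighter ID and the single SoD rule are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed SoD rule: risk name -> (tcodes of side A, tcodes of side B).
SOD_RULES = {
    "P001 maintain vendor / post payment": ({"FK01", "FK02"}, {"F-53", "F110"}),
}

# Constructed Firefighter session log: (FFID, real user, login, logout).
FF_SESSIONS = [
    ("FF_FIN_01", "JSMITH", "2024-03-04 09:00", "2024-03-04 09:40"),
    ("FF_FIN_01", "AKHAN", "2024-03-04 13:00", "2024-03-04 13:20"),
]

# Constructed transaction log: (logon ID seen by the audit trail, tcode, time).
TX_LOG = [
    ("JSMITH", "FK01", "2024-03-04 08:30"),
    ("FF_FIN_01", "F-53", "2024-03-04 09:15"),
    ("FF_FIN_01", "FK02", "2024-03-04 13:05"),
    ("AKHAN", "FB03", "2024-03-04 13:30"),
    ("FF_FIN_01", "F-53", "2024-03-04 18:00"),  # no session covers this
]


def _ts(text):
    return datetime.strptime(text, FMT)


def resolve_person(logon_id, when, sessions):
    """Return (person, identity used) for a logon ID at a point in time."""
    if logon_id not in {s[0] for s in sessions}:
        return logon_id, "own ID"
    for ffid, user, start, end in sessions:
        if ffid == logon_id and _ts(start) <= when <= _ts(end):
            return user, ffid
    return None, logon_id  # FFID activity that no session explains


def cross_id_sod(tx_log, sessions, rules):
    """Find SoD rule hits per person across own ID and Firefighter IDs.

    Returns (findings, unattributed). Each finding is
    (person, risk, split) where split is True when no single logon ID
    performed both sides, i.e. a per-ID analysis would miss it.
    """
    per_person, unattributed = {}, []
    for logon_id, tcode, stamp in tx_log:
        person, identity = resolve_person(logon_id, _ts(stamp), sessions)
        if person is None:
            unattributed.append((logon_id, tcode, stamp))
            continue
        per_person.setdefault(person, []).append((tcode, identity))

    findings = []
    for person in sorted(per_person):
        acts = per_person[person]
        for risk, (side_a, side_b) in rules.items():
            ids_a = {ident for tcode, ident in acts if tcode in side_a}
            ids_b = {ident for tcode, ident in acts if tcode in side_b}
            if ids_a and ids_b:
                findings.append((person, risk, ids_a.isdisjoint(ids_b)))
    return findings, unattributed


if __name__ == "__main__":
    hits, orphans = cross_id_sod(TX_LOG, FF_SESSIONS, SOD_RULES)
    for person, risk, split in hits:
        where = "split across identities" if split else "within one identity"
        print(f"{person}: {risk} ({where})")
    for row in orphans:
        print("FFID activity outside any session:", row)
```

Firefighter ID activity that falls outside every recorded session is returned separately, since it cannot be attributed to a person and warrants its own review.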

  • Role based Firefighter approach in AC 10

    I am in the process of implementing "role based" FF (ID based approach not implemented as users are not comfortable to login to GRC system to execute the tcodes).  I have a query about it.
    If we maintain the role based FF logins, and we run risk report, still all the conflicts are found associated with that FF ids as they have the conflicting role assigned to them in SU01.  So is it ok to live with these conflicts found related to FF ids?  What will be the case during audit, will they accept that these risks occurring for the FF can be ignored?

    Hello,
    I think the best approach is to mitigate the risk as Alexander describes here:
    Why Role based Firefighter
    Cheers,
    Diego.

  • GRC 10 Role based firefighter multiple users

    Hi All
    We are using GRC AC 10 SP12 and have Role based EAM implemented. We are looking at a way to prevent the same user from being assigned multiple firefighters or a way for approver to know that another Firefighter ID is already assigned to this user?
    Thanks in advance
    Regards
    Vijaya

    Hi Vijaya,
    You can train approvers to click on the existing assignment button (in Access Request) to know the roles already assigned.
    And if in your environment, FF roles have a distinguished naming convention then it can easily be identified by role owners.
    Thanks,
    mamoon

  • Firefighter Configuration

    Hi Experts,
    For Firefighter configuration, do we need to define all the parameters with YES or NO value OR can we leave the ones which we don't require, e.g. "Assign FF Roles Instead of FF IDs" - we don't need this, so do we still need to make an entry for this parameter with value NO?
    What if we define both the parameters "Send Log Report Execution Notification" and "Send Log Report Execution Notification Immediately"?
    FF reads CDHDR table for the changes, how can we find out which changes would be covered in that - I mean will the RFC connection creation, deletion and change be recorded?
    Thanks
    Davinder

    Hello Davinder,
      For the particular parameter you mentioned in this post "Assign FF Roles Instead of FF IDs" the default value is NO.
    By default the table logging is ON for most of the tables but not all. For those tables for which table logging is not ON the data will not be captured in STAD and thus will not be fetched by firefighter.
    You can contact your basis admin to check if table logging is ON for a particular table or not. If the operation you performed did not get captured in STAD then the table logging for that table might not be active.
    Regarding the 2 parameters "Send Log Report Execution Notification" and "Send Log Report Execution Notification Immediately" you can refer to the information available in the configuration guide of AC5.3. Here is what these are all about:
    1. Send Log Report Execution Notification - This parameter specifies whether log reports that contain information about Firefighter activity are emailed to controllers. If you set this to YES, then the report will be sent to controller otherwise if you set this one to NO then the report will not be sent at all.
    2. Send Log Report Execution Notification Immediately - This option specifies whether the log reports are sent to the controllers as soon as the background job (/VIRSA/ZVFATBAK) is executed or at a predefined date and time. To send log report email notifications to the controller inboxes as soon as the /VIRSA/ZVFATBAK job runs, set this parameter to Yes. If you plan to receive the job at regular intervals, schedule the job /VIRSA/ZVFAT_LOG_REPORT at regular intervals, and set this parameter to No.
    Regards,
    Varun

  • Firefighter doesnt start

    Hi guys,
    I need your help regarding firefighter aka SPM 5.3.
    I have just finished configuring the firefighter but the firefighter user doesn't pop up. When I try to log into the firefighter user with my assigned firefighter ID and enter a reason code and possible activities and press "choose" nothing happens.
    The role that is assigned to my user is /VIRSA/Z_VFAT_FIREFIGHTER and I removed the RFC destination according to note 1143955.
    The configuration of SPM 5.3 looks like this:
    Send Firefighter Login Notification Immediately     YES
    Assign FF Roles Instead of FF IDs                     NO
    Remote Function Call                                                     M03
    Any help for solving this issue is greatly appreciated.
    Thanx,
    Max

    I solved this problem by myself ... the firefighter user was defined as a system user and I changed it to Dialogue user !
    CU
    Max

  • Firefighter - assign FF roles Instead of FF IDs

    Hi all, I'm trying to configure SAP FF using Roles instead of FF IDs.
    A problem occurs while defining Firefighters:
    "You are not defined as Owner for the Firefighter Role"
    The problem is that the user is already defined as the owner of the role i'm trying to assign.
    Any help is accepted.
    Regards...

    When I use the report view log as FF admin user I don't see nothing in the spool (sp01)
    attached example spool
    FireFightID  Date        Time      Server Name    Transaction Code  Program/Report
    -?-          19.06.2008  14:57:03  MTESAP_PRD_01                    SAPMSYST
    -?-          19.06.2008  14:57:09  MTESAP_PRD_01                    Login_Pw
    could you help me, please?
    Regards
    Sara

  • Firefighter IDs Not Populating in GRC 10

    We're having an issue getting the firefighter IDs to populate in GRC 10.
    We have:
    1) Configured the integration scenario 'SUPMG' in GRC system (SPRO - Governance, Risk and Compliance - Common Component Settings - Integration Framework - Maintain Connection Settings)
    2) Added 'SAP' connection type, 'CL_GRAC_AD_SUPER_USER_RFC' class/interface under 'Scenario-Connection Type Link' for integration scenario 'SUPMG'
    2) Configured the 'Target Connectors' under the 'SUPMG' scenario
    3) Verified that the superuser firefighter role 'SAP_GRAC_SPM_FFID' is configured under parameter 4010 (SPRO - Governance, Risk and Compliance - Access Control - Maintain Configuration Settings)
    4) Verified that the superuser firefighter role exists in the target system and that full authorizations have been added and generated for 'S_RFC' authorization object
    5) Created a firefighter ID in the target system, setting the user type = 'Service' and assigning the superuser firefighter role to the user ID
    6) Executed the 'GRAC_AUTH_SYNC', 'GRAC_REP_OBJ_SYNC', 'GRAC_ROLEREP_USER_SYNC' and 'GRAC_ROLEREP_ROLE_SYNC' for target system
    I've read that the 'SAP_GRAC_SPM_FFID' (or custom variation) role needs to exist in both the GRC and target system.  It currently exists in the target system but not in the GRC system.  Is this step necessary?
    Other than that, we can't figure out why the firefighter IDs would not be populating in GRC?!?
    Any insight would be appreciated.  Thanks!

    Hi Parag,
    Please check this blog post which gives you clear idea about all the details required for your EAM configuration.
    http://scn.sap.com/community/grc/blog/2014/01/16/de-centralized-eam-grc-100
    Regards,
    Madhu.

  • How to create a "Firefighter" type role when we do not have GRC

    I am just looking for advice or input on this situation.
    Currently my company does not have GRC or any other type of software that will allow for automated Firefighter type access and apparently there are no plans in the near future to purchase anything.
    Our current process of creating a very powerful role to sign out to users on a case by case basis for a 24 hour period is not working and is getting out of hand.
    I have been tasked with coming up with a better solution and they want me to build multiple roles for emergency access based on business area. Since there are thousands of transaction codes in SAP I find this to be a rather daunting task. My question is this...would it be a really bad idea to build say a Finance emergency role with F* in s_tcode and full access? I realize that there are more Finance codes that do not start with F but I am really just looking for input.
    Has anyone else faced this situation and how did you approach it?
    If someone out there has done this and could provide me with sample roles, that would be great.
    Any help or advice is greatly appreciated.
    Thanks
    Bobbi

    Hi Bobbi
    There are couple of ways I did it in my previous customers. I am guessing you need these roles during Go-Live and Production Support
    1. Create FF roles by business Process ( OTC, RTR etc) or Module wise. Get hold of the respective Functional people and ask them the nodes in SPRO Tcode what they think should be there for those FF roles. Then create those roles accordingly. Remove the Basis / Security admin tcodes and make 03 where-ever necessary.
    2. Another way of doing it is you might already have global roles for different modules / business processes. So identify the roles that are best suited for the FF roles and during Go-Live/ Prod Support. Group them and may be create composite roles for those Global single roles
    You might need FF roles for Transactional access and Configuration Access.
    Transactional FFID: FFID with change access to business transactions of the stream/function. (Can use the create/change access roles built for end users)
    Configuration FFID: FFID for any manual config's to be performed directly in production and cannot/may not be transported (ex: number ranges)
    There should be process for giving the FF roles and proper approval. Appropriate role owners should be identified for these roles who will give approval
    Hope this helps
