GRC AC10 - Fire Fighter ID Question

Hi SAP Gurus,
Can we do configuration to send an email once a week with SAP firefighter activity reports?
Thanks
Madhu

G'Day Alessandro,
This is in response to your following comment:
in AC 10.X the functionality is given to use with dialog users. Each time you log-in the system changes the password so that the end-user doesn't know the password.
If that's the case, what is the significance of enabling user exits? I mean there is no way the end user can login directly without knowing the password, right? (Come to think of it, he/she will never know unless you give it to them.) I would also appreciate it if you can kindly explain how the user exit works from a firefighting point of view. I know it is to prevent users from logging in directly using SAP GUI. However, for this to happen they need to know the password of the FFID, right?
Regards,
Leo..

Similar Messages

  • SPM questions(Fire Fighter)

    Hello All,
    I had some questions on SPM (Fire fighter), please help me with this.
    For the Critical transactions tab in /n/virsa/vfat: why do we use it, does it show header and footer log details?
    If we do not enter critical transactions, will it still pull up critical history in FF logs?
    Second question: do we have a setting for FF log history, can we pull the history of a user which is a year old in the FF log?
    Appreciate your responses.

    Hi,
    For the Critical transactions tab in /n/virsa/vfat: why do we use it, does it show header and footer log details?
    If we do not enter critical transactions, will it still pull up critical history in FF logs?
    The critical transactions that you maintain here will help you to generate a separate report that shows who and when any of the transaction codes were executed (and when they were executed). If you don't want to separate the critical transactions, you can leave this blank.
    Do we have a setting for FF log history, can we pull the history of a user which is a year old in the FF log?
    The logs will be available until they are archived.
    /VIRSA/ZFFUSERS - Table holds the Change logs (CLOG)
    /VIRSA/ZFFTNSLOG - Transaction Log (TLOG)
    Search in SE16 with /VIRSA/ZFF* to view the list of SPM tables.
    I recommend you refer to SAP Note 1041912 - Firefighter Best Practice Archiving Strategy, which gives you the best solution to archive SPM logs.
    Hope this helps!!
    Regards,
    Raghu

  • GRC,Fire Fighter

    I'm new to GRC, fire fighter.
    Can any one please guide me with fundamentals or any docs will be helpful.
    Thanks in advance

    Hello Kobby,
    Please check following links
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/90280209-1e57-2b10-009c-d8d800f626c5
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/6050049b-5d59-2b10-e790-8db133c62931
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30e3c0f1-b9b3-2b10-d688-cbc0ce59b5f5
    And you can download the installation and configuration guide from SMP.
    Hope these would give you enough idea about FF/SPM.
    Thanks
    Davinder

  • Fire Fighter Logs details in /n/virsa/vfat

    Hi,
    When I see the Fire Fighter logs through the Tcode /n/virsa/vfat, I am just able to know what tcode was used by a particular user and at what time and date.
    Now if he has used SE38, I do not get the information of what report or program he ran in SE38. Similarly for SE16N I will not have the information of what table was used and modified.
    So is it possible to know the complete details of the activity that the user has done through the Firefighter?
    Please help.
    Regards
    Anubhav

    In the case of SE16 you can see the generated selection-screen program for that table being submitted both in STAD if you are fast enough (i.e. before the aggregation takes place) and in the security audit log (SM20N - which is actually the correct tool to rely on). They will show reports from SA38 etc as well.
    However SE16N does not generate and submit report type programs so you cannot know which table was accessed. The only little "skidmark" it will leave behind is the memory id entries of the tabname selection parameter and SQL performance traces, but GRC does not access this data and it is unreasonable to assume that the history of these memory ids has been activated on the server side.
    If worst comes to worst you will be able to find out the table though - latest with a thumb-screw or bamboo under the fingernails...
    Cheers,
    Julius

  • Fire fighter on GRC10

    Hi,
    We want to use fire fighter and provisioning of access on GRC10 itself.
    I am using ID based FF access and when trying to add role - SAP_GRAC_SPM_FFID to the user on GRC it does not get the role from the delivered roles.
    Do we need to load something? Is there a way we can activate these functions on our GRC10 environment?
    Regards, Melvin

    Hello,
    In simple terms:
    1) Firefighter IDs are created on the backend system.
    2) GRC systems need to understand which are firefighter IDs.
    3) GRAC_SPM_FFID or create any role and assign it to all firefighter IDs.
    4) Make sure this role name is maintained in the parameter to identify firefighter IDs.
    Parameter, I think, 4010.
    Enter the name of the role assigned to the firefighter ID in the target systems. This identifies to the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC box and reads this configuration to check if the user has this role assigned to them.
    Regards,
    Prasant

  • Fire fighter

    Guys,
    From my understanding the use of fire fighter is for emergency access in PRD. For that we can just create a separate ID in the SAP system with almost sap_all authorization (not sap_all) and access PRD whenever there is a need. But why do we need SAP VIRSA fire fighter or SAP GRC super user privilege management?

    Virsa Firefighter allows for tracking of who connects where, and what they do while connected. If you assign a generic SAP "super user", you lose these important tracking and auditing features... unless, of course, you create your own tracking system (for instance by activating a user exit upon login, demanding the person who logs in using the "super user" to identify him/herself and store some vital info such as time, date, IP address of the terminal used to connect and so on). Also, you'd need to turn security audit logging on.
    Firefighter gives you all of these security mechanisms in one package, one which tastes good to your auditors, too...
    Trond

  • What is FIRE FIGHTER ID

    hi folks,
    can anybody tell me what is FIRE FIGHTER ID.

    Hi,
    When a user in a production system needs help from an IT
    superuser, the application assigns a temporary ID that grants
    the superuser broad yet regulated access. The superuser simply
    logs on to the application’s main console, where a new session
    is opened under the Firefighter ID. Because the Firefighter ID is
    preassigned, the superuser never needs to wait for approval
    before solving a critical problem.
    Ideally Firefighter should be used only for superuser access. The reasoning...
    1) When the firefighter role is being used, the user cannot use his normal transactions
    2) Only one user can use a firefighter role at a time
    3) Complete log of firefighter role usage is available for review.
    Many-a-times it is suggested to use the firefighter role for performing the duties of users on holiday. However, I think it is not appropriate. Such users should be assigned normal roles for these duties for the limited period.
    Hope I had been able to help you. Please assign points.
    Rgds
    Manish

  • Changes History Report in Fire Fighter

    Hi,
    We have assigned an FF ID to an end user. By using that FF ID, the user made some changes.
    Ex: The end user has used the SU01 transaction and he has assigned SAP_ALL to his own ID and some other users via the FF ID.
    When we checked the Log Reports in FF 5.3, we are able to see only the transaction details which he has used. But we are unable to find the changes which he has done by using SU01.
    Please check and advise me how we can get that change history report in Fire Fighter.
    Thanks & Regards,
    KKRao.

    Hi Harleen,
    The Retrieve Change Log option is already set as YES. But we are unable to get the Changes History Report.
    Please advise me.
    Thanks & Regards,
    KKRao

  • Fire Fighter Report

    Hello Experts,
    I think I need some help on the Fire Fighter Reports.
    My ultimate goal is to get the list of Reason and activity used by the users during the months of January 2012 and December 2011.
    I was trying to execute the report "Reason/Activity Report" in SPM Tool Box in the transaction /n/virsa/vfat by giving the date range 01.01.2012 to 31.01.2012. I get the list but the column Reason Code is empty.
    I tried to view the table /virsa/ffreact in SE16.
    If I give input for FFKEY as 201112 (December 2011), the result is "no table entries found for the specified key". But in the FF log report I can see users logged in during that period. It's the same case for the input *201201 (January 2012).
    But if I give the input as 201202 (February 2012), I get the list.
    Can anyone tell me the reason behind this.
    Best Rgds,
    Jaravuy

    Hi Jaravuy,
    Did you try to update the log?
    /n/virsa/vfat
    -->log information (F5)
    -->update (shift+F1)
    --> Choose a period where you are sure there has been activity
    Once you do this, you can try again.
    Best regards,
    Félix

  • Change History in Fire Fighter Log Report.

    Hi Experts,
    Changes made by fire fighters were not recorded in the fire fighter log reports. I have gone through a thread in the forum where it was mentioned that the issue had been reported to SAP. Please let me know if there is any update on the issue from SAP.
    Thanks,
    Mukesh

    FF logs can be recorded when the changes are done with an FF ID. Without an FF ID no Support / IT user should be allowed.
    If you want to change the configuration it has to be done via Firefighter only. Otherwise you get the log from SM20, if it's been configured.

  • Functions and Permission in GRC AC10.0

    Hi All,
    We are creating custom functions as part of custom rule set creation in GRC AC10.0. We have defined the custom function as shown in the example table below (first table). We uploaded the custom rule set with the mass upload transaction and generated it. We noticed that the system is interpreting the values in the condition column differently than we specified in the upload files.
    Does anyone have any idea on this? How does the system evaluate the condition column?
    Below is the one example and we have number of cases like this.
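    Uploaded with values:

    Function | Transaction | Auth object | Field | Value From | Value To | Condition
    ---------|-------------|-------------|-------|------------|----------|----------
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 1          | 2        | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 5          | 6        | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 22         |          | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 50         |          | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 78         |          | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | PP         |          | AND

    Values in the system after upload:

    Function | Transaction | Auth object | Field | Value From | Value To | Condition
    ---------|-------------|-------------|-------|------------|----------|----------
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 1          | 2        | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 5          | 6        | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 22         |          | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 50         |          | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | 78         |          | OR
    ZXXXX    | SU10        | S_USER_GRP  | ACTVT | PP         |          | OR
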
    Thanks in advance for your help
    Hari

    Hi Colleen,
    Thanks for the reply.
    My doubts got clarified after referring to the notes below, but they are related to GRC 5.3.
    I hope the same logic will apply to GRC 10.0 also. Please let me know if you have any additional information.
    1330165 - Instructions on how to use Operators AND OR NOT
    1358952 - Rule Architect - logic of the NOT operator
    Cheers
    Hari

  • Fire Fighter Table Log

    Hi Gurus,
    I have to give the fire fighter log for the audit. When I look into the fire fighter log table,
    till the first step of firefighting, logging in as Fire fighter is recorded on the Fire fighter ID. But later all the activities have been encrypted:
    ylTCyMUOWnb
    ylTCyMUOWnb
    ylTCyMUOWnb
    ylTCyMUOWnb
    ylTCyMUOWnb
    Firefighter                   This is the first step as fire fighter; later the field has been encrypted.
    Please let me know.

    Hi Raghav,
    You cannot download FF logs directly from the table as they are encrypted. There are a couple of ways to download FF logs.
    1) You can download FF logs in text format from FF. Go to
    FF -> Administration -> Archive -> Delete/Download Log.
    2) If you have implemented web functionality of FF (SPM), you can download any of the logs directly from web tool.
    Regards,
    Alpesh

  • Fire Fighter is missed in the FF log sent to controllers

    Dear Experts,
    We are at SP10, and using role based Fire Fighter.
    We defined a FF role (e.g. FFrole001) and assigned this role to fire fighters.
    We are facing the following problem:
    If two fire fighters do the FF job at the same time, only one of the fire fighters' activity logs will be sent to controllers for review.
    (Please note that the activity log of both fire fighters has been captured, we can find it in /n/virsa/vfat.)
    Here are the detailed steps:
    1. The FF roles were assigned to two Fire Fighters at the same time.
    2. Both of the Fire Fighters had performed some activities in the system.
    3. The FF activity log report captured the activities performed by the two Fire Fighters.
    4. But in the attachment in the email which was sent to the FF controller, only one Fire Fighter was shown.
    Much appreciated if anyone can help on this.
    Thanks!

    Hi Tang,
    Did you check the configuration settings for both the FF IDs?
    Also, as trial and error, to isolate the issue, can you check using only the 2nd FF ID for which the log was not sent? Ensure that the 1st FF ID is not used. This way you can identify whether the issue is with the FF ID or the configuration.
    Regards,
    Raghu

  • Fire Fighter Log Issue

    Hi Gurus,
    I have an issue with Fire fighter Log Job...I have Scheduled the Job...ZFATBAK with a period One hour....
    When i tried to look at the Log in Fire Fighter tool...It has the below message...
    BACKGROUND JOB WAS NOT SCHEDULED/LOG & FILE NOT YET GENERATED.
    Please help ...

    Hi,
    Guess I'll try to help you here. Can you please check the following:
    1. FATBAK job? (Via SM37)
    2. Go to the configuration table in the FF (Logon to FF and one of the tabs--)
    Please let me know what you see.
    Thanks

  • GRC AC10 sync job error

    Hi Experts,
    I am getting error while running sync job. I searched but couldn't find a solution.
    We have two GRC AC10 clients setup, one is for fresh AC10 installation testing and another is for migration testing.
    Both clients talk to two different ECC clients. The issue is that we have set up all SPRO configurations, plug-in settings and stuff which is described in the AC10 post-installation and migration documents.
    Sync job for one client is successful, but sync job for another client is giving error -
    Error message -
    Starting authorization sync for connector IE9_600 and language EN
    Error in IE9_600; Reason Error in RFC; 'Function module "/GRCPI/GRIA_AUTH_G
    PFCG authorization sync failed with errors
    I have checked plugin settings, RFC and other settings, it seems ok as it is in another client.
    What could be the cause and solution? Any suggestions are highly appreciated.
    Thanks in advance,
    Regards,
    Sabita

    The issue is resolved, the RFC was incorrectly pointed to the wrong client.
    Regards,
    Sabita
