Populating Fire Fighter ID Descriptions in User Request Search Screen (FF ID)

Similar Messages

• Run User analysis excluding fire fighter roles

  Compliance Calibrator
  I am trying to run user risk analysis from CC. We have fire fighter already implemented and user mostly have fire fighter roles.
  Every time I run risk analysis, I get conflicts even though some of the transactions are only in fire fighters.
  Let me know if there is way to exclude fire fighter roles from user analysis.
  Or any other method that may work.
  Thanks

  Dear Bindu,
  You can exclude these roles from getting into analysis everytime by Defining these roles as critical in the Rule Architect--> Critical Roles TAB and then setting up the option "Ignore Critical Roles & Profiles " in Config-->Risk Analysis TAB to YES, which would ignore these roles to be taken up during Risk analysis.
  Regards,
  Hersh.

• Fire Fighter Roles

  Hi Gurus,
  I am in the process of designing Fire Fighter ROles for the Production process...
  Can any one please help me with the number of roles and Transactions that we use for the design process...
  How many Fire Fighter roles that we need and What are the Transactions.....?
  Thanks in advance
  Guru

  Hi Guru,
  The roles that need to be created for Firefighter ids are based on requirement from the Business process owners of the respective business modules ( example, SD, MM, PP, FICO ).
  Firefighter tool is designed to help you handle exceptional access requests appropriately.
  This tool is used to deal with emergency access requests. For example, when a Production support person needs to investigate an Urgent issue in Production system but does not have enough access. Then you need to assign the Firefighter id and the appropriate Firefighter role(s) to complete the emergency transactions.
  Virsa Firefighter for SAP enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access, and tracks and logs every activity the super-user performs using that temporary ID.
  So you need to consult your BPOs, Internal Audit team, Controllers and come up with the emergency transactions, authorizaton objects, programs, reports, tables and design the roles with appropriate naming conventions.Assign the Firefighter roles to the Firefight IDs in emergency in Production system.

• Can we control user request w.r.t Memory and CPU utilization in Oracle 10g

  Dear All,
  We are having Production with Oracle 10.2.0.4 (5 Node RAC, 32Gb RAM each) running on RHEL5.2 with 12000 Users. We have some schema say FIN, HRMS, SALES, REPORT and many dedicated users for those schemas. We need to control the user request against these schema with respect to Memory (or CPU utilization)
  Suppose users using FIN schema can use Maximum 40 % of Total Memory, HRMS schema can use Max 20%, SALES can use Max 20% and REPORT can use Max 20%.
  Is it possible to create any Service in Server side to handle this type of scenareo or any existing service which can be customised to fullfil this?
  Please suggest me.......
  Thanks,
  Tusar
  Edited by: gohappy on Jan 27, 2011 5:59 AM
  Edited by: gohappy on Jan 27, 2011 6:00 AM

  JDBC 'applications' quite often don't use persistent connections, and often do not exit gracefully by calling 'exit' or 'disconnect'.
  This means the session will continue to exist.
  It also means, if you don't establish any form of connection pooling and/or dead connection detection, you can throw whatever amount of memory in the server, and you will continue to report
  'Now problems is coming'. Apart from crippled English, the general lesson any DBA should know is how these 'applications' operate, and, contrary to some, you can never ever fight problems caused by applications,
  by throwing memory and cpu at the problem.
  When I read your text, I also assume the application is not using PrepareStatement calls and not using bindvariables, this is why your 'application' is burning the CPU.
  Find those 'application developers', sue them, or better still : Beat them with a whip, and have them fix their 'crapplication'.
  Paraphrasing William Jefferson Clinton: It's the application, stupid!
  Sybrand Bakker
  Senior Oracle DBA

• How to prevent error message for material description in MDG material detail screen, when user click on check action

  Dear Experts,
  I have a requirement for making material description as non mandetory in change request view of mdg material screen.
  I have done that using field usage in get data method of feeder classes, but still message is displaying.
  This message 'Material description is mandatory is displaying with check action only, but not with save or submit after i anhance field property as not mandetory.
  How to prevent error message for material description in MDG material detail screen, when user click on check action.
  Thanks
  Sukumar

  Hello Sukumar
  In IMG activity "Configure Properties of Change Request Step", you can completely deactivate the reuse area checks (but will then loose all other checks of the backend business logic as well).
  You can also set the error severity of the checks from Error to Warning (per CR type, not per check).
  Or you provide a default value for the material description, e.g. by implementing the BAdI USMD_RULE_SERVICE.
  Regards, Ingo Bruß

• What is FIRE FIGHTER ID

  hi folks,
  can anybody tell me what is FIRE FIGHTER ID.

  Hi,
  When a user in a production system needs help from an IT
  superuser, the application assigns a temporary ID that grants
  the superuser broad yet regulated access. The superuser simply
  logs on to the application’s main console, where a new session
  is opened under the Firefighter ID. Because the Firefighter ID is
  preassigned, the superuser never needs to wait for approval
  before solving a critical problem.
  Ideally Firefighter should be used only for superuser access. The reasoning...
  1) When the firefighter role is being used, the user cannot use his normal transactions
  2) Only one user can use a firefighter role at a time
  3) Complete log of firefighter role usage is available for review.
  Many-a-times it is suggested to use firefighter role for performing the duties of the users on holiday. However I think it is not appropriate. Such users should be assigned normal roles for these duties for the limited period
  Hope I had been able to help you. Please assign points.
  Rgds
  Manish

• Changes History Report in Fire Fighter

  Hi,
  We have assigned FF ID to end user. By using that FF ID,user did some changes.
  Ex: End user has used SU01 transaction and he has assigned SAP_ALL to his own id and some other users via FF ID.
  When we checked the Log Reports in FF 5.3, we are able to the see only transaction details which he has used. But we are unable to find the changes which he has done by using SU01.
  Please check and advice me how me can get that change history report in Fire Fighter.
  Thanks & Regards,
  KKRao.

  Hi Harleen,
  Retrieve Change Log option is already set as YES. But we are unable to get Changes History Report.
  Please advice to me.
  Thanks & Regards,
  KKRao

• Fire Fighter Report

  Hello Experts,
  I think I need some help on the Fire Fighter Reports.
  My ultimate goal is to get the list of Reason and activity used by the users during the months of January2012 and December2011.
  I was trying to execute the report "Reason/Activity Report" in SPM Tool Box in the transaction /n/virsa/vfat by giving the date range 01.01.2012 to 31.01.2012, i get the list but the column Reason Code is empty.
  I tried to view the table /virsa/ffreact in SE16.
  If i give input for FFKEY as 201112(December 2011), the result is "no table entries found for the specified key". But in the FF log report i can see users logged in during that period. Its the same case for the input *201201(January 2012).
  But if i give the input as 201202(February 2012), i get the list.
  Can anyone tell me the reason behind this.
  Best Rgds,
  Jaravuy

  Hi Jaravuy,
  Did you try to update the log?
  /n/virsa/vfat
  -->log information (F5)
  -->update (shift+F1)
  --> Choose a period where you are sure there has been activity
  Once you do this, you can try again.
  Best regards,
                 Félix

• Change History in Fire Fighter Log Report.

  Hi Experts,
  Changes made by fire fighters were not recorded in the fire fighter log reports.I have gone thru a thread in the forum,there was mentioned that the issue had been reported to the SAP.Please let me know, if there is any update on the issue from SAP.
  Thanks,
  Mukesh

  FF Logs can be recorded when the changes done with FF id. Without FF id no Support / IT user should be allowed.
  If you want to change the configuration it has to be done via FireFigher only. Otherwise you get the log from SM20, if its been configured.

• Fire Fighter Logs details in /n/virsa/vfat

  Hi,
  When i see the Fire Fighter logs through the Tcode /n/virsa/vfat, i am just able to know what tcode was used by a particular user and at what time and date.
  Now if he has used SE38, i do not get the information of what report or program did he run in SE38. Similarly for SE16n I will not have the information of what table was used and modified.
  So is it possible to know the complete details of the activity that user has done throught the FIreFighter.
  Please help.
  Regards
  Anubhav

  In the case of SE16 you can see the generated selection-screen program for that table being submitted both in STAD if you are fast enough (i.e. before the aggregation takes place) and in the security audit log (SM20N - which is actually the correct tool to rely on). They will show reports from SA38 etc as well.
  However SE16N does not generate and submit report type programs so you cannot know which table was accessed. The only little "skidmark" it will leave behind is the memory id entries of the tabname selection parameter and SQL performance traces, but GRC does not access this data and it is unreasonable to assume that the history of these memory ids has been activated on the server side.
  If worst comes worse you will be able to find out the table though - latest with a thumb-screw or bamboo under the finder nails... 
  Cheers,
  Julius

• Ending a Session of a Fire Fighter ID

  Hi,
  One of my user has used the fire fighter yesterday and logged off.
  Now if he logs in to fire fighter using /n/virsa/vfat, the fire fighter id still shows that its being used by the same user ID.
  I have checked SM04 to end the users session.
  I can see the user ID logged in, but i cannot see the Fire Fighter ID in SM04.
  I clicked on the user ID and then clicked on the sessions, to find the transactions to end. But the transaction /n/virsa/vfat is not there.
  Then i tried in AL08 and it shows that the fire fighter ID is still active.
  And also there are not logs in SM12 for both user ID's
  But how can i end the fire fighter ID's session now.
  Best Rgds,
  jaravuy
  Edited by: jaravuy on Feb 17, 2012 3:09 PM

  I can see the user ID logged in, but i cannot see the Fire Fighter ID in SM04.
  Then i tried in AL08 and it shows that the fire fighter ID is still active.
  SM04 will show the list of users in the application server you are logged in. Check the application server in AL08 where the user is logged in. Then in SM51 you change your application server. Then in SM04 you will find the FF user. Here you need to kick off this user.
  Regards,
  Arpan Paik

• Fire Fighter Mail Notification

  Hi Gurus,
  I have an issue with fire fighter....if i am not wrong...When i add a firefighter id to a user id ...it should send a mail...Fore Fighter controller and owner with a link to approve and then they approve the access...then it will send the user access to the user.The above process is not happening with the fire fighter we using..
  The fire fighter owner and controller are just getting the logs...Please let me know how to config the initial mail notification.
  Thanks in advance
  Guru

  Hello Guru,
  When a user probably a Security Administrator assigns Firefighter ID to a Firefighter User there is no such provision of automated e-mail notification in Access Controls 5.2 - Firefighter SP level 5 with Patch 1. Which is at the moment latest available on SAP service market place.
  But you can take it another way. If you have an Honour of using Access Enforcer then you can create a dedicated workflow for Firefighter ID assignment. Where you can define different stages and approvers for all scenarios. Also this way you can intimate the requestor and approver about the status.
  In role expert, you can automate the default Virsa Firefighter, Owner, Administrator and controller roles for users.
  Still there is no such automated functionality which can let you automatically add users to Virsa Firefighter configuration tables and send an e-mail.
  What you can do is, after the approval of the firefighterID assignment your security guy can manually add users to these considered tables and finish the AE workflow notifying all the approvers and requestor.
  I hope i touched the whole scenario.
  If you still have doubts, let me know.
  Thanks & Regards,
  Amol Bharti

• Fire fighter on GRC10

  Hi,
  We want to use fire fighter and provisioning of access on GRC10 itself.
  I am using ID based FF access and when trying to add role - SAP_GRAC_SPM_FFID to the user on GRC it does not get the role from the delivered roles.
  Do we need to load something? Is there a way we can activate these functions on our GRC10 environment?
  Regards, Melvin

  Hello,
  Like in simple term
  1) Firefighter id are created on backend system.
  2)GRC Systems need to understand whihc are fighterids
  3)GRAC_SPM_FFID or create any role and assign all firefigher ids.
  4)Make sure this role name is maintained in parameter to identify firefightids.
  Parammeter i think 4010..
  Enter the name of the role assigned to the firefighter ID in the target systems. This is identifies to the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them.
  Regards,
  Prasant

• Fire fighter

  Guys,
  From my understanding the use of fire fighter is for emergency access in PRD. For that we can just create separate ID in sap system with almost sap_all authorization (not sap_all) and access PRD whenever there is a need.But why we need sap VIRSA fire fighter or SAP GRC super user privilege management?.

  Virsa Firefighter allows for tracking of who connects where, and what they do while connected. If you assign a generic SAP "super user", you loose these important tracking and auditing features... unless, of course, you create your own tracking system (for instance by activating a user exit upon login, demanding the person who logs in using the "super user" to identify him/herself and store some vital info such as time, date, ip address of the terminal used to connect and so on). Also, you'd need to turn security audit logging on.
  Firefighter gives you all of these security mechanisms in one package, one which tastes good to your auditors, too...
  Trond

• SPM questions(Fire Fighter)

  Hello All,
  I had some questions on SPM(Fire fighter),please help me with this..
  For Critical transactions tab in /n/virsa/vfat--why we used it for,does it show header and footer log details..
  if we do not enter critical transactions will it still pull up critical history in FF logs.
  Second question-->Do we have setting of FF log history,can we pull the history of the user which is year old in FF log?
  Appreciate your responses.

  Hi,
  For Critical transactions tab in /n/virsa/vfat--why we used it for,does it show header and footer log details..
  if we do not enter critical transactions will it still pull up critical history in FF logs.
  The critical transactions that you maintain here will help you to generate a separate report that shows who and when any of the transaction codes were executed (and when they were executed). If you don't want to seperate the critical transactions, you can leave this blank.
  Do we have setting of FF log history,can we pull the history of the user which is year old in FF log?
  The logs will be available until they are archived.
  /VIRSA/ZFFUSERS - Table holds the Change logs (CLOG)
  /VIRSA/ZFFTNSLOG - Transaction Log (TLOG)
  Search in SE16, with /VIRSA/ZFF* to view the list of SPM tables.
  I recommend you to refer SAP Note 1041912 - Firefighter Best Practice Archiving Strategy that gives you the best solution to archive SPM logs.
  Hope this helps!!
  Regards,
  Raghu