Run User analysis excluding fire fighter roles

Similar Messages

• Fire Fighter Roles

  Hi Gurus,
  I am in the process of designing Fire Fighter ROles for the Production process...
  Can any one please help me with the number of roles and Transactions that we use for the design process...
  How many Fire Fighter roles that we need and What are the Transactions.....?
  Thanks in advance
  Guru

  Hi Guru,
  The roles that need to be created for Firefighter ids are based on requirement from the Business process owners of the respective business modules ( example, SD, MM, PP, FICO ).
  Firefighter tool is designed to help you handle exceptional access requests appropriately.
  This tool is used to deal with emergency access requests. For example, when a Production support person needs to investigate an Urgent issue in Production system but does not have enough access. Then you need to assign the Firefighter id and the appropriate Firefighter role(s) to complete the emergency transactions.
  Virsa Firefighter for SAP enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. The application assigns a temporary ID that grants the super-user broad yet regulated access, and tracks and logs every activity the super-user performs using that temporary ID.
  So you need to consult your BPOs, Internal Audit team, Controllers and come up with the emergency transactions, authorizaton objects, programs, reports, tables and design the roles with appropriate naming conventions.Assign the Firefighter roles to the Firefight IDs in emergency in Production system.

• Virsa Config Logic?: Include Role/Prof mitigating contls in User Analysis

  Hello All, 
  After changing configurations option "26 Include Role/Prof mitigating contls in User analysis(YES/NO)" to YES from NO, I noticed that the mitigation seems to be overextending itself into other roles. Example:
  User with RoleA, RoleB and RoleC has potential conflicts. It turns out that RoleC is not a real problem but RoleA and RoleB are. So, I mitigate one rule against RoleC.
  With the configuration option 26 set to YES, I would expect that The mitigation control would apply only against RoleC and SoD issues against RoleA and RoleB should still be a problem; however, RoleA and RoleB are now also mitigated. Therefore, this means that roles which I had not intended to be mitigated are mitigated.
  How should the logic within Virsa be understood?
  Thanks, Dylan

  Adding details to this subject, here is a test scenario for which anyone can try:
  Build RoleA only with S_TABU_DIS and change/display access to P000 to PZZZ table groups.
  Build RoleB with transactions PC00_M10_CDTC and PC00_M99_CURSET
  Build RoleC also with transactions PC00_M10_CDTC and PC00_M99_CURSET
  Create a dummy user with all three roles assigned and run the SOD report against the user and risk H00600501.
  Afterward create a mitigation for that risk and RoleC combination only.
  Re-run the report. If possible, please also list your Virsa version and support pack level. The customer system I'm on is 4.0 and SP 04.
  Many thanks for any help in this regard. The mitigations configuration option is a really important option under the circumstances and I would like to use it but cannot at the moment considering the results.

• User Analysis at Permission Level - Detail Report (RAR SP12)

  Hello All,
  I have having question regarding the User Level Analysis at Permission level report. Currently, we are on GRC Access control 5.3 SP12.
  Per my understanding when you execute the User level analysis at Action level, you get SOD conflict reports based on T-code level and not on authorization / permission level. But, if you execute the user level analysis at permission level then SOD report is based on the authorization / permission object level.
  But now, when I execute the user level analysis at PERMISSION LEVEL in the Informer tab, in the report I am only able to see "Transaction Code Check at Transaction Start" name in the Permission Object Column and "Transaction Code" name in the Field column.
  Look forward to hear from you all.
  Thanks in advance,
  Regards,
  Angelica

  Hi Angelica,
  This behaviour is ok for those risks in which you have not enabled any Object/Field value. It will pick S_TCODE Object and show you the risk.
  This is useful because -
  1. If you have risks defiend at Tcode level - you can still catch them while running risk analysis at permission level.
  2. If you have Object Values defined in risk and you are running permission level analysis it will show risk only if Object Values meet. In that case permission level risk anlysis will not show risk if there is no actual risk.
  3. Running risk analysis at Action level can show false positives when risk is defined ta Object level. So, it is always better to r
  un alanysis at permission level, it will bring all actual risks skipping false positives.
  4. You can run only one level risk analysis in CUP and ERM and permission level covers all risks.
  If you have risk defined at Object Level and the role/user is not fulfilling all values, it should not show in permission level. In your case, if it is showing only "Transaction code check at start"  and the risk is defined at Object Level, then sure it is a bug.
  Regards,
  Sabita

• What is FIRE FIGHTER ID

  hi folks,
  can anybody tell me what is FIRE FIGHTER ID.

  Hi,
  When a user in a production system needs help from an IT
  superuser, the application assigns a temporary ID that grants
  the superuser broad yet regulated access. The superuser simply
  logs on to the application’s main console, where a new session
  is opened under the Firefighter ID. Because the Firefighter ID is
  preassigned, the superuser never needs to wait for approval
  before solving a critical problem.
  Ideally Firefighter should be used only for superuser access. The reasoning...
  1) When the firefighter role is being used, the user cannot use his normal transactions
  2) Only one user can use a firefighter role at a time
  3) Complete log of firefighter role usage is available for review.
  Many-a-times it is suggested to use firefighter role for performing the duties of the users on holiday. However I think it is not appropriate. Such users should be assigned normal roles for these duties for the limited period
  Hope I had been able to help you. Please assign points.
  Rgds
  Manish

• Running Risk Analysis

  Hi Folks,
     I have installed CC 5.2 and ruleset to ECC are uploaded. Now, when i want to run risk analysis for User/Role from Informer. I dont see any user id from Backend system in User/Role option. I have checked everything,
  SLD is working ine
  JCo connectors are fine.
  RFC destination defined.
  Can someone help me in identifying problem?
  Thanks in acticipation.
  Regards,
  Priyank.

  Hi Priyanka,
  If you have successfully installed Virsa CC5.2 and uploaded Objects ans Rules, the plz follow the following procedure:
  1) Go to Configuration Tab->Background Job
  2)Click on "Schedule Analysis"
  3) In first Pane i.e. Sync Mode select Full Sync
  4)Select *User/Role/Profile Synchronization
  5)Select the system for put ***
  6)Dont select any other thing.
  7)click on Schedule
  8)Give a Valid name to this report.
  9)Click on Immediate
  Please check whether this report is successfully completed under Configuration Tab->Background Job->Search
  click on search
  If completed successfully, then  go to step 1 as above.
  This time select  All Check Boxes  under Batch Risk Analysis Pane and then select  Management Report check box in the last pane.
  Then schedule the job. After that only you'll be able to see the results in Informer Tab
  Reward  Points if it is useful
  Regards,
  Faisal

• Fire Fighter Logs details in /n/virsa/vfat

  Hi,
  When i see the Fire Fighter logs through the Tcode /n/virsa/vfat, i am just able to know what tcode was used by a particular user and at what time and date.
  Now if he has used SE38, i do not get the information of what report or program did he run in SE38. Similarly for SE16n I will not have the information of what table was used and modified.
  So is it possible to know the complete details of the activity that user has done throught the FIreFighter.
  Please help.
  Regards
  Anubhav

  In the case of SE16 you can see the generated selection-screen program for that table being submitted both in STAD if you are fast enough (i.e. before the aggregation takes place) and in the security audit log (SM20N - which is actually the correct tool to rely on). They will show reports from SA38 etc as well.
  However SE16N does not generate and submit report type programs so you cannot know which table was accessed. The only little "skidmark" it will leave behind is the memory id entries of the tabname selection parameter and SQL performance traces, but GRC does not access this data and it is unreasonable to assume that the history of these memory ids has been activated on the server side.
  If worst comes worse you will be able to find out the table though - latest with a thumb-screw or bamboo under the finder nails... 
  Cheers,
  Julius

• Mitigated Risks Still Show up on User Analysis - RAR

  Not sure if you have ever seen this - I'm perplexed. We recently upgraded to AC-RAR 5.3_14.0. When I mitigate a risk for a user for the first time or extend an existing mitigation into the future, the risks will still show up on the next user level risk analysis. I am sure I use correct risk ID (no copy - paste issues). It is as if I never mitigated to begin with. Thanks for any ideas.
  Joerg

  Hi,
  Are you doing User Level mitigation or Role level mitigation? If it is role level mitigation, you need to check 3 places-
  1. RAR>Configuration>Additional Option> Include Role/Profile Mitigating Controls in User Analysis> YES
  2. RAR>Configuration>Default Values> Exclude Mitigated Risks> YES
  3. CUP>Configuration>Risk Analysis--> Consider Mitigation Controls --Checked.
  If you are doing user level mitigation, check for points 2 & 3.
  Regards,
  Sabita

• Fire Fighter Mail Notification

  Hi Gurus,
  I have an issue with fire fighter....if i am not wrong...When i add a firefighter id to a user id ...it should send a mail...Fore Fighter controller and owner with a link to approve and then they approve the access...then it will send the user access to the user.The above process is not happening with the fire fighter we using..
  The fire fighter owner and controller are just getting the logs...Please let me know how to config the initial mail notification.
  Thanks in advance
  Guru

  Hello Guru,
  When a user probably a Security Administrator assigns Firefighter ID to a Firefighter User there is no such provision of automated e-mail notification in Access Controls 5.2 - Firefighter SP level 5 with Patch 1. Which is at the moment latest available on SAP service market place.
  But you can take it another way. If you have an Honour of using Access Enforcer then you can create a dedicated workflow for Firefighter ID assignment. Where you can define different stages and approvers for all scenarios. Also this way you can intimate the requestor and approver about the status.
  In role expert, you can automate the default Virsa Firefighter, Owner, Administrator and controller roles for users.
  Still there is no such automated functionality which can let you automatically add users to Virsa Firefighter configuration tables and send an e-mail.
  What you can do is, after the approval of the firefighterID assignment your security guy can manually add users to these considered tables and finish the AE workflow notifying all the approvers and requestor.
  I hope i touched the whole scenario.
  If you still have doubts, let me know.
  Thanks & Regards,
  Amol Bharti

• Fire fighter on GRC10

  Hi,
  We want to use fire fighter and provisioning of access on GRC10 itself.
  I am using ID based FF access and when trying to add role - SAP_GRAC_SPM_FFID to the user on GRC it does not get the role from the delivered roles.
  Do we need to load something? Is there a way we can activate these functions on our GRC10 environment?
  Regards, Melvin

  Hello,
  Like in simple term
  1) Firefighter id are created on backend system.
  2)GRC Systems need to understand whihc are fighterids
  3)GRAC_SPM_FFID or create any role and assign all firefigher ids.
  4)Make sure this role name is maintained in parameter to identify firefightids.
  Parammeter i think 4010..
  Enter the name of the role assigned to the firefighter ID in the target systems. This is identifies to the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC Box and reads this configuration to check if the user has this role assigned to them.
  Regards,
  Prasant

• Fire fighter security table download

  Dear Experts,
  After downloading the Fire fighter Security table(/n/virsa/vfat -> Utilities -> Download) this can be opened in excel and see all the passwords. This is a potential risk in Security and authorization. Kindly suggest me is there any note or corrections to get the data downloaded as encrypted itself ?
  Or any other suggestions welcome please.
  Thanks and Regards,
  Shiju

  Hello Shiju,
  Just wanted to ask you what role (s) does the user have, who is downloading and changing the passwords. Are they standard SAP provided or are they custom?
  Role "/VIRSA/VFAT_ROLE_ADMINISTRATOR" has access to "Export" the list and role "/VIRSA/Z_VFAT_ADMINISTRATOR" has access to "change" the password.
  Also, in case you do not want the export function to be available to any user, you may chosse not to use these SAP default roles for Firefighter but create your own roles and assign them to the users, where you can define the table maintenence for "/VIRSA/ZVIRFFPWD" table, not to be available to anyone to restrict this.
  Regards,
  Hersh.

• User analysis at Action level and Permission level

  Hi Gurus,
  I am totally confused by the way our CC is working while using it for User Analysis. I understand that during Risk Analysis for a user with Report Type "Action Level" will give the conflicts at the transaction level for the user and with Report Type "Permission Level" will give the conflicts at the Object level for the user. Also the permission level report includes the results of the action level report as well and hence Permission level report is more detailed & reliable.
  But now when I run the analysis report for a particular user both at Action & Permission level...the user is not getting any conflicts at Action level but it is showing conflicts at the Permission level. For another user the vice versa is happening. Could anyone help me in understanding the above 2 scenarios?
  Regards,
  Lakshmi.

  Hi
  A user to be need to have a action level conflict should have that transansaction code access only ie object s-tcode =  xyz transaction code.
  Similarly for a user to be reported in permission level conflict the user should have access to
  S_tcode = xyz transaction code Plus all other authorisation objects...Or in other words if the user is missing any authorisation object it wont be reported there...
  So just check what authorisation object level check is enabled for that transaction code in the rule architect tab.. Thereafter see whether user have access to all those authorisation object with the values specified...
  Parveen

• How to find out by MDX that the current users is member of a role - Default member issue

  Hi,
  just imagine you have a dimension with a few members (A, B, C...). I defined a role which gives some users only rights to "B". On the other hand the default member for the dimension is set to "A". Now users part of the role get an error
  that the member "A" is not found. So while
  https://msdn.microsoft.com/en-us/library/ms175626.aspx says the default member setting in the role "overrides" the overall default member this is not completely true because first the general default member is selected and after that the role
  specific one.
  So the solution might be that I explicitly define the default member in all roles. This might be possible but there is one issue: you can't define a role specific default member for users part of the adminstrator role. So all admins don't have a default
  member which is quite some restriction for some users...
  So the question is how to solve that problem. An idea would be that I use some MDX to determine the default member in the dimension based on the actual user's role membership. But how to do that? Or any better idea?
  Thanks,
  Thomas Pagel

  Hi Thomas,
  According to your description, you want to have a role-specific default member for different roles. Right?
  In Analysis Services, when granting access to dimension, a connection will fail if a role restricts access to a default measure. As you mentioned, the best solution is specify a default member for each role. But for administrator role(full control),
  it can't set the default member. All tabs except General and Membership are disabled. And the system can determines the default member of current user automatically. It's not supported to get the default member in MDX either.
  However, SSAS has additive design for role security. So in this scenario, we just need to create another role for those members of administrator role and specify a default member for this role. SSAS will take that role-specific default member
  for these users. And it will not effect the administration permission for them.
  Reference:
  Default members, MDX Scripts, Security, KPIs and Perspectives
  The Additive Design of SSAS Role Security
  If you have any question, please feel free to ask.
  Best Regards,
  Simon Hou
  TechNet Community Support

• Users are not removed from role using UME API

  Hello,
  I am using this code to remove users from a batch of roles that I have.
  Everything is running OK, no exception is thrown and at the System.out I see all the actions that needs to be taken correctly. The problem is that if I'll go later to one of the roles the users are still assigned to it. Any idea what I'm doing wrong here?
  try
  IRoleFactory roles = UMFactory.getRoleFactory();
  IUserFactory users = UMFactory.getUserFactory();
  IRoleSearchFilter filter = roles.getRoleSearchFilter();
  filter.setUniqueName("<My_filter>", ISearchAttribute.LIKE_OPERATOR, false);
  ISearchResult sresult = roles.searchRoles(filter);
  if ( sresult.getState() == ISearchResult.SEARCH_RESULT_OK )
       while(sresult.hasNext())
       String id = (String)sresult.next();
       IRole role = UMFactory.getRoleFactory().getMutableRole(id);
       Iterator i = role.getUserMembers(false);
       while (i.hasNext())
                       String uid = (String)i.next();
            IUser user = users.getUser(uid);
            role.removeUserMember(user.getUniqueName());
            System.out.println("Removed user: " + user.getUniqueName() + " from role: " + role.getDisplayName());
       role.save();
       role.commit();
  catch (Exception e)
       manager.reportException(new WDNonFatalException(e), false);

  Solved it!
  It needs the FQDN User ID...

• Changes History Report in Fire Fighter

  Hi,
  We have assigned FF ID to end user. By using that FF ID,user did some changes.
  Ex: End user has used SU01 transaction and he has assigned SAP_ALL to his own id and some other users via FF ID.
  When we checked the Log Reports in FF 5.3, we are able to the see only transaction details which he has used. But we are unable to find the changes which he has done by using SU01.
  Please check and advice me how me can get that change history report in Fire Fighter.
  Thanks & Regards,
  KKRao.

  Hi Harleen,
  Retrieve Change Log option is already set as YES. But we are unable to get Changes History Report.
  Please advice to me.
  Thanks & Regards,
  KKRao