Usage of Firefighter

Similar Messages

• Approval process after usage of Firefighter ID

  Hello Experts,
  We are implementing SPM 5.3 and have some doubt and confusion regarding the approval process of Firefighter ID usage.
  Here in SPM we have already configured that controller will get a mail of firefighter id usage with log report as attachment, so now my question is there anyway to configure that controller can approve the usage of firefighter id by himself automatically.
  Thanks,
  With Regards,
  Soman

  Hi Soman,
      Sorry to say but there is no automated or even manual way to approve the usage of FF ID. This questions has been asked by so many people and hopefully SAP will add this to the next release. Basically, every customer will have to figure out a process for controller to review/approve the usage of FF ID.
  Regards,
  Alpesh

• Firefighter Implementation Strategy

  Hello All,
  We are implementing Firefighter in our landscape, and we want that all changes in SAP system should be done with Firefighter, but to reduce the usage of Firefighter we would be using our existing normal users for Daily Checks and monitoring without any change.
  To do this, we need role/s which can be used for executing most of the Basis transactions with DISPLAY access only.
  Appreciate if you can share such roles OR recommend whats the best strategy for implementing Firefighter.
  Regards
  Davinder

  Davinder,
  Once again, this really depends on your organisation but especially on their ability to review the logs generated.
  Most people tend to use Firefighter for just temporary elevated access in emergency scenarios. The expecation is that it is only used infrequently and therefore, the logs that are generated are reviewed in detail by the controllers.
  As I'm sure you have noticed, the tool is much more powerful than that but using it as a blanket control for all system changes means that you will be innundating your controllers with logs. This actually weakens the control as they are much more likely to miss critical activities due to the volume of data being sent to them.
  I would assess what you actually think is a critical change and design Firefighter scenarios to fit those. You can then also use that as a mechanism to remove critical access from business as usual roles citing Firefighter as a more controlled approach.
  You can tailor the scenarios to different tiers eg. Emergency and then a subset of sensitive transactions (e.g. SCC4 / SARA with delete) but it must be lead by the business requirements for what is the overall risk to the system.
  Simon

• FF user usage for utility client

  Hi All,
  Could you please let me know a Business scenario where FF ID is required for Utility client (Oil and Gas). the requirement is for business users.
  Regards,
  Praveen

  Dear Praveen,
  there is no pre-defined scenario where you have to use firefighters. Firefighter usage can be defined based on your business requirement.
  Personally I recommend to use firefighter for critical access to have critical activities logged. Others are also using firefighter to avoid SOD violations.
  There are several documents which describe EAM itself and also the process behind.
  Firefighter ID User Assignment Lifecycle
  Firefighter ID Lifecycle
  De-centralized EAM GRC 10.0
  ID-Based Firefighting vs. Role-Based Firefighting
  Hope this helps to understand the concept and usage of firefighting.
  Regards,
  Alessandro

• Role Based FireFighter with GRC 10.0 (CEA)

  Does anyone know how the Role Based functionality of FireFighter exactly works besides putting the application type parameter to Role Based in SPRO?
  The manuals explain that the FF users log in to the remote system with their own users, but how are the FF roles or roles that are enabled for Firefighting assigned to these users and how will the log file know which activity to record?

  Good question, and the answer is not pretty.
  In Role-Based Firefighter Application, the firefighter ID on the target system contains the user's regular access plus his/her firefighter access.
  Reporting turns on when the user runs a transaction in the firefighter role.
  If the transaction is in both the user's regular access and the firefighter role, reporting will turn on because the firefighter role access is in use.
  The reports only track firefighter role usage.  So if a user runs a firefighter transaction but also uses access defined in the user's regular access, the only thing recorded is the transaction.
  If your company is not completely married to the idea of using Role-Based Firefighter Application, I suggest you consider the ID-Based Firefighter Application.  In this, there are separate firefighter IDs on the target system and a firefighter gains access to them by going into GRC and completing a form showing how the firefighter ID will be used, and then the GRC system will let the firefighter into the target system using that firefighter ID.

• Firefighter Logs storage location and size in GRC AC 5.3

  Hello Gurus,
  We are working on Firefighter configuration and are totally confused with following questions, appreciate if someone can show the light here :
  Where does the Firefighter logs stored - in backend or frontend or both? Can we check the size of existing Firefighter logs.
  Is there any mechanism to find out the approximate space requirement for Firefighter usage (based on number of firefighter id and number of transactions executed per day).
  Thanks
  Davinder

  D P,
    The logs are stored in the backend SAP system. I have not seen any space requirement for FF. You can take a look at the sizing guide for AC 5.3 and you may find some useful information.
  Regards,
  Alpesh

• RE:Transaction usage report not updating.

  Hi All,
  I am on 5.2 SP9 and I am facing an issue wherein the transaction usage report is not getting updated by the lateast report. To illustrate, I created a role with transaction PFCG and assigned it to a user. Now, when the user executes the PFCG, the report should be updated and it should show that this user also executed PFCG today, which isn't the case.
  Would like to know if anyone has a clue how to resolve the same. As in, did i miss out on anything which needs to configured/done before running this report.
  Thanks a tonne in advance.
  Regards,
  Hersh.

  Hello Joy,
  Thanks for your reply but the transaction usage reports I am mentioning here are actuallyu the transaction usage reports for "Role Expert" not for "FireFighter".
  Regards,
  Hersh.

• GRC 10 EAM - Unable to assign Firefighter roles to owners

  Greetings SAP gurus,
  I am currently on a new GRC 10 installation and having issues with the Emergency Access Management (EAM) component previously known as FireFighter or SPM.  Note: We are trying to implement the Firefighter ''Role-Based" Approach.
  Issue: We are unable to assign EAM roles to owners within NWBC. Click on 'Assign owners to Firefigher ID's and provision Firefighter ID's to firefighters' via the Access Management Tab within NWBC, option Superuser Assignment. Click on Assign.  We are able to find the owners, but when I search for roles to assign, I get the error, 'No records found for the search criteria entered''.
  We are on SP7.
  Items completed:
  1) All post installation tasks were completed correctly, i.e. BC sets activated, connector groups created and working.
  2) EAM roles created on target system and imported via BRM.
  3) EAM role properties edited for "Firefighting' usage in BRM, role owners defined, functional areas defined, business process and sub process areas defined.
  4) Access control owners (i.e. role owners and controllers) defined.
  5) The ID being used for configuration is currently assigned all GRC_NWBC roles available.
  6) The connector groups are working fine and we are using for the Access risk Analysis component which is working fine.
  7) The post EAM configuration steps has been completed.
  Has anyone else experienced a similar issue?  I look forward to your responses.
  Rgds,
  Prevlin Moodley

  Hello Prevlin,
  Are you using a FF role owner for the assignment. This might be helpful:
  [Note 1289579 - Firefighter Owner additional authorization for Role based FF|https://service.sap.com/sap/support/notes/1289579]
  Cheers,
  Diego.

• Firefighter log report does not show programs executed under SA38/SE38

  We are on version 400_700 of Compliance Calibrator.  When executing the log report, the report name only shows "RFC".  We are testing SA38 & SE38.  I expected the report to display the program name.  Is there something set up wrong or are my expectations too high?  Thanks!

  Hi Vikki,
  I dont think you can see the programs executed under SA38/SE38.
  The functionality of Virsa Firefighter allows you to see the following log reports:
  Firefight log summary
  Reason/Activity report
  Firefight Transaction usage report
  Invalid Firefight ids/Owners/Control
  Log Report
  SOD conflicts in Firefighter
  Hope this helps.
  Thanks,
  Kiran Kandepalli.

• Problem in Transaction Usage report in Virsa toolbox in virsa FF

  We have recently installed virsa firefighter.
  When we run Transaction Usage report in Virsa toolbox,selection by " Transaction",it gives all the transaction run in the particular client till date and not just the tcode for which we want the report.
  For can be the reason for such a result?

  Hi,
  This may be possible if the trace is activated in the TA ST01. But it is not advisable to keep this trace for a prolonged period as it has an adverse effect in the system performance.
  For a smaller user base, u can enable the security log in TA SM19, The report can be pulled from TA SM20.
  Hope this helps.
  Regards,
  Varadharajan M

• Best Practices - Enforcing the review of  Firefighter Logs/Reports

  Hi,
  I am looking for some best practices as it pertains to the review of Firefighter Usage Logs.  How are companies these days reviewing, documenting, and enforcing that system generated FF logs/reports are indeed being reviewed and monitored?  Anything you can share is greatly appreciated.
  I have seached the GRC forum, Firefighter Post, and reviewed the recently released "Super User Access" article, but have only found information on the tool's functionality and technical specs.
  Regards,
  Edited by: jmsreyes on Jul 20, 2009 6:38 PM

  Hi,
    There is no standard or best practices in enforcing the review of FF logs and reports. Every client/company plan their own strategy around this.
  One of my client used to ask every controller to print out and file the printed paper with their signature on it. They were required to keep this for a year or so. Another client asked them to print it to pdf and save it to a secure location which will mean they have reviewed this log. If there is any issue, it will be the responsibility of the particular FF controller.
  Regards,
  Alpesh

• How do you generate Historical Firefighter Logs?

  We have implemented SAP GRC Firefighter 5.1 application and between security issues and other things, the firefighter usage logs had not been generated for each day since inception.  I understand when I click on the "Update Firefighter Log" that the "/VIRSA/ZVFATBAK" batch job is kicked off, however, this only updates entries within the current day's range.  I have tested running the batch job via SE38 and in the foreground see a screen to select another day / time for this program to run against.  However, when I provide a historical day / time I still do not receive any information for these missing day's activities.  Any suggestions, we are considering modifying the existing FF code to allow for a variant for such an event, but this seems crazy that SAP has not already considered this issue.  Any ideas would be greatly appreciated.

  We had to not only schedule the hourly background job "/VIRSA/ZVFATBAK". We also had to schedule a second "/VIRSA/ZVFATBAK" job running once every 8 hours with a variant to make it read 8hrs back. There is a problem where the hourly job does not always log everything. This second job will catch what the first job missed
  Dave Wood

• Firefighter Best Practices

  What are Firefighter best practices? In terms of logging activities, are there any transaction activities that are not logged when using Firefighter ID?

  Dear Patrick,
  <b>Track super-user activities:</b> 
  When a user in a production system needs help, the application assigns a temporary ID that grants the user privileged yet regulated access. The application tracks, monitors, and logs every activity each super user performs under the privileged user ID. Web-based reporting provides business owners and auditors with detailed multisystem usage reports across their SAP software landscape. Activity logs track input down to the field-value level and enable easy filtering, sorting, and downloading of input information.
  Virsa Firefighter application for SAP Privileged-user access control solution:
  The privileged-user access management functionality of SAP GRC Access Control is enabled by the Virsa FireFighter application for SAP.
  Reward points if this is helpful.
  Regards,
  Naveen.

• Firefighter Email notification - can it be modified?

  When Firefighter is used, an email is sent out to the controller from the email address of the user to whom the Firefighter ID has been assigned.
  I have a request from my management to insert a read receipt, or an embedded form into the email that the recipient will have to respond to, so that we have an audit log that the recipient actually read the email. 
  Have any of you had to do something like that before?
  Thanks,
  Santosh

  Santosh,
  FF mails are send via SCOT / SOST if
  1. Usage flag of controller is EMAIL
  2. email id is maintained in SU01
  the magnitude of Z program is very high (too complex), however if only function module related to email is touched then I don't see any issue
  reason being in 5.X version separate program is created for that. (pls check user guide)
  And yes you can get mails on you SAP inbox also, if you set Controller Flag Usage to WORKFLOW
  hope this help
  regards,
  Surpreet

• Firefighter sends report to incorrect controller

  In our production box, Firefighter has been setup and has been working properly for quite some time now.  Today, a few folks emailed me saying that they received reports for Firefighter usage that should actually have gone to someone else.  To figure this out, I checked the following:
  1. Checked with the firefighter user to ensure that they actually used firefighter at the time the report specified.  YES - they did.
  2. Checked with the firefighter to confirm the system and verified that the report was sent from that system specified.
  3. Checked the owner, controller and firefighter table config from within Firefighter and noted that the individuals who received the reports were not the ones associated with the firefighter IDs used
  4. Checked those Firefighter ID owners and controllers SU01 user master and found that there was no error in the email address
  At this point, I'm not sure why the wrong people are getting those reports, as everything seems to be configured as it had be, and as it should be.
  Your input is appreciated.
  Thanks,
  Santosh

  Hi Everyone,
  I checked the SU01 email address - no issues.
  Latest is someone who hasn't EVER been associated with any Firefighter ID, and currently isn't, and she got an FF report.  This person has an SAP ID, but has nothing to do with Firefighter, or Compliance Calibrator.
  Have any of you experienced such an issue?  The more I see this issue, the more I think it's probably extremely simple to solve and isn't a Firefighter issue at all ... but I have yet to find the answer.
  Thanks,
  Santosh