Application Development Discussions
Approaching Firefighter

Former Member
0 Kudos

Hello Experts,

We are about to implement SPM 5.2 and we are wondering how the other guys are actually making use of the tool. How do you combine all the requirements coming from audit and security, and how has the implementation of the tool affected your authorization role landscape?

Talking about support personnel access, we are thinking of cleaning the current roles of sensitive authorizations and giving broader access via roles that would be granted only to FF IDs.

Please share your experience.

Any suggestions are appreciated!

Regards,

Iliya

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello Iliya,

How does FFer help in auditing?

Basically Firefighter is designed for emergency access or to be used by Basis people, who have too much access.

The user will have to log into the system using FFer, and all activities performed by him are recorded by the hourly job of FFer.

Apart from that, you have the option, if you want, for this Log Report of activities performed by the user to be sent to the Controller of Business, either hourly or once a day depending upon the configuration of FFer.

What I do as a part of Auditing is check on a daily basis if all the Logs are generated; if anything is missing in the FF Log Report, we generate them manually.

I wish to bring to your notice that per SAP, Firefighter is designed for Emergency use only. If used for more than 40-50 Firefighter IDs, performance is severely affected. It hardly matters whether you use those FF IDs or not.

Hence, before using it for your support team, consult SAP on whether FFer will work for more than 50 FF IDs.

I know this because FFer was implemented the same way by Rio Tinto, so I did some custom development for them, which enabled them to use 1000 FF IDs.

Regards,

Surpreet

10 REPLIES

Former Member
0 Kudos

Iliya,

Not too sure what you may be looking for, but addressing the statement of FF IDs and what sounds like roles with critical transactions, I can tell you what we do with FF roles.

First of all, we have critical roles defined for our end users and include these with their normal access; these are defined in our security controls and are monitored and approved by the users' respective managers.

We use FF IDs exclusively for our developers who need to support production applications; the developers would have access to specific roles that allow the application functions; any access from these FF IDs is logged by FF and emailed to security for review; the activity by these user IDs is reviewed by their respective managers, who are required to approve the activity; the FF access also requires the user to create or use an existing "change request" to define the need for the FF access; this process works well for us in identifying who is obtaining access beyond their normal authorizations and is acceptable to our external auditors.

For the end users that require "critical transaction access", roles are defined as part of their everyday needs; these roles are reviewed annually by the respective managers to determine if the user still requires these roles; we do not use FF IDs for users outside of IT.

Jerry Synoga

Ryerson, Inc.

0 Kudos

Thank you Jerry, this is useful to know.

Our situation is a bit different though. In an environment with more than 400 support users and tens of thousands of business users, we are aiming at implementing Firefighter only for the support users as a start.

This means all types of support users (developers, administrators, authorization administrators, business support consultants, etc.).

Since you are using FF for the developers, I need to ask you a question, as I'm uncertain about this.

To my knowledge, FF can't log actions that are done with a program run from SA38, and also can't log what is done in debugging mode, or what is changed in the tables via SM30?

Your feedback is appreciated!

Thanx,

Iliya

0 Kudos

Iliya,

We are similar (except for the numbers) in that when I said we use FF for the developers, this includes our developers, business analysts and others that may make up the IT area. This would be similar to what you indicated for your "support staff". The transactions we provide for them do not include BASIS or SECURITY level transactions (we do not provide SAP_ALL or SAP_NEW). This way, even with FF IDs, the support staff is still restricted from BASIS and SECURITY maintained transactions.

I reviewed some of our past logs to identify the use of transactions SM30 and SA38. We have not had anyone use SA38 but I did find FF users that used SE38.

The transactions did show up in the Transaction Usage Report as well as the Log Activity Report. However, in the Log Activity Report, SM30 did not show activity when requesting the "detail report" but did show up in the summary report. This may be due to the fact that either SM30 is not "logging detail activity" or there were no "changes" related to the SM30 activity. This I am not too knowledgeable of and am just offering an opinion at this time.

SE38 did show up on the Log Activity both in the summary and detail reports. The only information that showed was the "report name", which for most of the reports showed "RSABAPPROGRAM".

Like I mentioned, all of our FF user activity is reviewed by their respective managers, who mainly review the transactions they were executing and why.

If this is what you are trying to obtain, the information that is available may be sufficient, provided you have the proper reviews and okays to use the FF IDs. However, if there is a minimum of managers to review the actions of 400 FF users, this could be an issue.

Hope some of this makes sense and provides some information.

Jerry Synoga

Ryerson, Inc.

0 Kudos

Hi Jerry,

I really appreciated reading through your experience with Firefighter.

I have a couple of questions regarding this product. Is it now owned by SAP, and is there an additional cost for purchase? Also, did it take long for you to implement? Did you do it on your own or do you require a consultant?

We are currently in the process of setting up new security for the HCM module, which will migrate ALL Psoft HR and Time and Labour into SAP.

There is a mandate to audit the security which is currently in SAP against that which is coming from PSOFT and the security that IS being set up there.

The next item is exactly what you referred to: a tool that will alert us when security is updated in production and who is getting what (of course management will review this). I see that Firefighter does this for us?

Any information is helpful!

Regards,

Maria - BASIS

0 Kudos

In response to Maria:

SAP owns the Fire Fighter product along with Access Enforcer, Compliance Calibrator and Role Expert.

They are all part of the GRC SUPPORT TOOLS.

There is an additional charge for these, although I do not get involved with that; you can discuss that with your SAP rep.

We did have some initial help with contractors but eventually did the next install on our own; BASIS installed the product and I customized it and provide the administration support.

Contact me offline if you wish to discuss further, as that would be more appropriate for a general discussion on my experience.

Jerry Synoga

Ryerson, Inc.

630-758-2021

0 Kudos

Thank you Surpreet,

this is very useful to know. Honestly, that is something that might be a problem with our implementation, because in our R/3 system we have a lot of consultants per each area and we need to ensure everybody has access to an available FF ID at any given moment. So you are saying that even if the FF IDs are not used simultaneously, we still might experience performance issues with FF sessions?

Another thing that might be useful to the audience is that FF does not work as expected for non-R/3 systems. Our initial plan was to install it for various applications (CRM, SRM, BW, APO), but apparently it is not working for those. Even for CRM, where we have change documents, it is not reporting essential actions like creation of a sales order, while you can access this via change documents from the transaction.

Regards,

Iliya

0 Kudos

Hello Iliya,

There are two types of user in FFer:

1. Firefighter IDs

2. Firefighters

FF IDs are used by Firefighters; you can assign one FF ID to as many Firefighters as you wish to.

At a time, only one Firefighter can use a given FF ID. It doesn't matter how many FF IDs are used at the same time; that will not affect performance.

Performance is affected by the number of FF IDs in the owner table.

However, this performance issue will be resolved by SAP. A decision was taken that the custom code done by me for Rio Tinto will be included in one of the support packs. Not sure which one.

So my request is that you create a message with SAP under component GRC, stating that you wish to use 100-200 FF IDs and asking which support pack will support that.

Thanks and Regards,

Surpreet

0 Kudos

Hello Surpreet,

Thank you very much for this. I will do that!

Best regards,

Iliya

Former Member
0 Kudos

Hi

Has anyone got an example of a Policy Document on the correct use of Firefighter via GRC?

Many Thanks

R