cancel
Showing results for 
Search instead for 
Did you mean: 

which is the best way to build Firefighter roles for functional teams

Former Member
0 Kudos

Dear All

pls let me know how to approach a fresh role design for Firefighter access to functional teams.

i don't want to copy SAP_ALL profile or NEW into my role,just want to know the exact set of critical tcodes which needs to be made available in the firefighter roles.

regards

Naveen

Accepted Solutions (1)

Accepted Solutions (1)

sdipanjan
Active Contributor
0 Kudos

Hi,

Very good question !!! and the answer is: You should only need to add those tcodes which are applicable for the functional Team.

Regards,

Dipanjan

Answers (6)

Answers (6)

Former Member
0 Kudos

thank you all for the response.. think that they is going to be lot of disucssions with the functional teams.. i hope they know what they want

Former Member
0 Kudos

Moved to the GRC forum as the question is FireFighter specific.

Former Member
0 Kudos

Hi Naveen,

Yes. I agree with Alex. The requirement should come form the Functional teams. They are the right people to identify the critical tcodes for which access should be restricted thru elevated access.

Regards,

Raghu

Former Member
0 Kudos

Hi,

in PRD box, some access are restricted and should be allowed only via Firefighter.

e.g. PFCG , SM30, SE16 ... so on

you only need to create firefighter roles for this purpose

same goes for functional side also

don't create roles like one for all FI/CO tcode, one for all MM tcodes......

discuss with you business security team leads.......

or check all action level rules for any functional area in RAR rule set.... that will give you pretty good idea which tcodes are critical and conflicting, so you can create roles accordingly.

so basically we allow conflicting tcode in any firefighter role.

regards,

Surpreet

Former Member
0 Kudos

Hi Surpreet,

I don't agree with your statement. FF IDs are not an alternative to your SODs. In such case, you will end up with creating 1000's of FF IDs in your system. Rather, it is the business decision to create specific FF IDs with critical authorizations which impact the system/functional setup. Normally the customization/IMG settings.

Also, the FFIDs will be created for a specific risk such as table maintenance, number range maintenance etc.,

Regards,

Raghu

Former Member
0 Kudos

>

> pls let me know how to approach a fresh role design for Firefighter access to functional teams.

>

Before asking on a forum, speak to your func teams and ask them what they need.

Former Member
0 Kudos

Hi Naveen,

Providing wide access thru FFIDs is not at all recommended and if you copy SAP_ALL, SAP_NEW profiles into a role, it gives more access and will not serve the purpose of creating FFIDs.

My suggestion would be to idenify the functional transaction that you would like to provide thru the elevated access and create a FF role. Ensure that the tcodes that werre added in the FF role are not available thru the general roles, so that your users will have to use the FF IDs.

Hope this helps!!

Regards,

Raghu