Solved: How to create a "Firefighter" type role when we do...

Former Member · ‎01-06-2011

I am just looking for advice or input on this situation.

Currently my company does not have GRC or any other type of software that will allow for automated Firefighter type access and apparently there are no plans in the near future to purchase anything.

Our current process of creating a very powerful role to sign out to users on a case by case basis for a 24 hour period is not working and is getting out of hand.

I have been tasked with coming up with a better solution and they want me to build multiple roles for emergency access based on business area. Since there are thousands of transaction codes in SAP I find this to be a rather daunting task. My question is this...would it be a really bad idea to build say a Finance emergency role with F* in s_tcode and full access? I realize that there are more Finance codes that do not start with F but I am really just looking for input.

Has anyone else faced this situation and how did you approach it?

If someone out there has done this and could provide me with sample roles, that would be great.

Any help or advice is greatly appreciated.

Thanks

Bobbi

Former Member · ‎01-07-2011

Hi

Adding S_TCODE F* isn't a good solution, as stated - creating good module based FF (SPM) roles is essential. Try assigning these to moudule based reference users which can be assigned to real (dialog) users after the appropriate approvals have been received. You may want to run a trace whilst access has been given if nervous of the additional change access given whilst supporting end users...

Cheers

David

I changed 'assign' to 'try assigning' as, on reflection I was being 'bullish'..there are lots of ways to do things.

Good luck

Edited by: David Berry on Jan 9, 2011 12:42 AM

Former Member · ‎01-06-2011

GRC fire fighter does not supply any FF roles either.

That is application specific (and the hard work). It can become easier if the access only supplies the "delta" access.

The concept behind "super user access" is nothing new and the implementations vary.

It is quite easy to implement technically if you have put a lot of thought into the design... particularly support of the implementation.

I have been looking into this for years and eventually concluded that my own implementation on site is best for the UI's if the design is rock solid in the first place.

Works for me.

Cheers,

Julius

Former Member · ‎01-06-2011

Hi Bobbi

There are couple of ways I did it in my previous customers. I am guessing you need these roles during Go-Live and Production Support

1. Create FF roles by business Process ( OTC, RTR etc) or Module wise. Get hold of the respective Functional people and ask them the nodes in SPRO Tcode what they think should be there for those FF roles. Then create those roles accordingly. Remove the Basis / Security admin tcodes and make 03 where-ever necessary.

2. Another way of doing it is you might already have global roles for different modules / business processes. So identify the roles that are best suited for the FF roles and during Go-Live/ Prod Support. Group them and may be create composite roles for those Global single roles

You might need FF roles for Transactional access and Configuration Access.

Transactional FFID: FFID with change access to business transactions of the stream/function. (Can use the create/change access roles built for end users)

Configuration FFID: FFID for any manual configu2019s to be performed directly in production and cannot/may not be transported (ex: number ranges)

There should be process for giving the FF roles and proper approval. Appropriate role owners should be identified for these roles who will give approval

Hope this helps

Former Member · ‎01-07-2011

Hi