Solved: Use Firefighter for OSS support access

Former Member · ‎07-18-2011

Hello experts,

We are developing a process to support OSS remote access for SAP. We would like to use Firefighter (SPM) so that we can control remote access and log all activity in the production system(s).

Could anyone advise if this approach has been used by other customers? If, so , what pros and cons can you share?

One question we have is whether SAP OSS Support has any isues with going through FF

We're on GRC AC 5.3 SP16.

Thanks,

Glen

Former Member · ‎07-22-2011

Hi Glen,

This is the good practice and there is no drabacks to use the Fire Fighter. i have implimented same concept in the one of my big client.

please following the below steps;

1. First create the Dailog id with assigned default role only, that role should have the /n/virsa/vfat t-code.

2. Next Create the one Fire Fighter id and assigned the corresponding Fire fighter roles.

3. And mapped the normail dailogid to Fire fighter id in the Virsa table with validity.

4. Finally maintained the login credentials in secure area of the service market place and communicate to SAP.

and suugest to SAP, Use the fire fighter access after login to the system with Dailog id by executing /n/virsa/vfat.

Regards,

Arjuna.

Former Member · ‎07-18-2011

Hi Glen,

SAP Support should not have any problems in going via firefighter, After all it is their own tool :). I know a few clients who use this process for SAP support and there have been no problems with it, i can not think of a dis advantage of doing so.

Regards,

Chinmaya

Former Member · ‎07-18-2011

Hi,

This is ofcourse a recommended solution by auditors. I had implemented this solution with couple of clients, and their internal and external auditors were extremely happy since even SAP OSS access is executed in a controlled environment.

Debugger, table maintenance accesses are few examples where we consider them as critical that can be controlled in an audited environment now

I don't see any disadvantages with this.

Regards,

Raghu

Former Member · ‎07-20-2011

Hi, same could be applied for other services. Just create a special FFID for SAP (e.g. FF_SAP_Support) as you will now be able to search directly for it.

Instead of giving "SAP_All", you might also remove some authoritations e.g. user maintenance.

Regards,

Andreas

simon_persin4 · ‎07-20-2011

I've also implemented this approach in numerous clients.

It satisfies audit and SAP are happy to progress with it.

The only slightly unfortunate thing is that you will need to have a generic id in the SAP system with minimal access (SPM User access only) so that you can get the SPM Id associated to it.

You can then put the SPM user credentials in the OSS message and have the SPM ID setup with whatever you want them to access.

Former Member · ‎07-22-2011

As other users have mentioned, we do not have a problem logging in to our customers systems using the Firefighter/Emergency Access product

In the GRC area, we will know how to do this, other components you may have to tell the engineer to run the FF transaction and which FFID to use. All product areas have been informed of the FF product, but not all SAP support engineers have used it.

Ramelyn Paredes

SAP Active Global Support

Former Member · ‎07-22-2011

Hi Glen,

This is the good practice and there is no drabacks to use the Fire Fighter. i have implimented same concept in the one of my big client.

please following the below steps;

1. First create the Dailog id with assigned default role only, that role should have the /n/virsa/vfat t-code.

2. Next Create the one Fire Fighter id and assigned the corresponding Fire fighter roles.

3. And mapped the normail dailogid to Fire fighter id in the Virsa table with validity.

4. Finally maintained the login credentials in secure area of the service market place and communicate to SAP.

and suugest to SAP, Use the fire fighter access after login to the system with Dailog id by executing /n/virsa/vfat.

Regards,

Arjuna.