
Role-based EAM / assignment of firefighter role

Hello,

I am currently implementing the role-based approach for GRC 10.0 EAM (SP9).

During implementation some questions were raised regarding the firefighter role assignment.

1) assignment of FF role via access request (with request type Superuser Access) works, but requires approval which shouldn't be the case in an EAM scenario:

as the user should be able to FF on his own responsibility, once he was maintained as a user who is allowed to FF, just like the ID-based approach

(workaround >> auto approval process for this request ?) another point is the de-provisioning of this role, when the activities are finished..

2) in the firefighter assignment screen I was able to assign FF roles to users via access requests, but also manually, so I am wondering how the manual assignment works, as the user doesn't have the FF role assigned in the backend.

>> Does this mean that the user in the backend needs the FF role assigned permanently (via SU01)

3) However the logs work for both assignments, but I see a problem when some T-codes, which are assigned to the user in the FF role and also in his regular access roles, are executed. I assume the FF log will record these entries, but this makes it very difficult to review the FF access.

awaiting your feedback..

regards

Johannes

Former Member
replied

Hello Johannes,

Please find the answers for each question below:

1) assignment of FF role via access request (with request type Superuser Access) works, but requires approval which shouldn't be the case in an EAM scenario:

as the user should be able to FF on his own responsibility, once he was maintained as a user who is allowed to FF, just like the ID-based approach

(workaround >> auto approval process for this request ?) another point is the de-provisioning of this role, when the activities are finished..

Ans: By default in both ID and Role based scenarios there is an approval process. The FF role assignment to firefighter should be approved by Owner. But if you want you can customize this for auto approval. Also at a later point of time you can create a request for De-provisioning also.

2) in the firefighter assignment screen I was able to assign FF roles to users via access requests, but also manually, so I am wondering how the manual assignment works, as the user doesn't have the FF role assigned in the backend.

>> Does this mean that the user in the backend needs the FF role assigned permanently (via SU01)

Ans: Whenever an FF Role is assigned to a firefighter it is stored in a GRC table. If you manually assign the role then this assignment will not be available in the GRC box and it could not be tracked. Also when the user is assigned an FF Role it is automatically assigned in the backend, no need to go and again assign it, and similarly at the time of de-provisioning the role is deleted from the user.

3) However the logs work for both assignments, but I see a problem when some T-codes, which are assigned to the user in the FF role and also in his regular access roles, are executed. I assume the FF log will record these entries, but this makes it very difficult to review the FF access.

Ans: If the firefighter has a normal role and a firefighter role then only the activities pertaining to the Firefighter Role will be captured. In case the same Tcode is there in the FF Role and the normal role then that Tcode will be captured pertaining to the FF Role. Similarly if the same tcode is there in two FF roles and the firefighter is assigned these roles then these tcodes will appear twice in the report with two roles.

Hope it answered all your queries.

Thanks & Regards,

Chandani
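
A reviewer-side triage of the overlap raised in question 3 and its answer, as an added example that is not part of the original thread and not SAP GRC code. It assumes the role-to-T-code mappings and FF log rows have already been exported; the role names, T-code sets, user ID and row layout below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; role names, T-code sets and log rows are illustrative only.
REGULAR_ROLES = {"Z_AP_CLERK": {"FB60", "FBL1N"}}
FF_ROLES = {"Z_FF_FI": {"FB60", "FB08", "SE16"},
            "Z_FF_BASIS": {"SE16", "SM30"}}
USER_ROLES = {"JDOE": ["Z_AP_CLERK", "Z_FF_FI", "Z_FF_BASIS"]}

# One row per (user, tcode, FF role), so a T-code present in two FF roles
# shows up twice, as the answer describes.
FF_LOG = [
    ("JDOE", "FB60", "Z_FF_FI"),
    ("JDOE", "SE16", "Z_FF_FI"),
    ("JDOE", "SE16", "Z_FF_BASIS"),
    ("JDOE", "SM30", "Z_FF_BASIS"),
]


def triage_ff_log(log, user_roles, regular_roles):
    """Collapse duplicate rows and flag T-codes the user also holds in regular roles."""
    grouped = defaultdict(set)
    for user, tcode, ff_role in log:
        grouped[(user, tcode)].add(ff_role)

    findings = []
    for (user, tcode), roles in sorted(grouped.items()):
        overlap = sorted(
            r for r in user_roles.get(user, [])
            if tcode in regular_roles.get(r, set())
        )
        findings.append({
            "user": user,
            "tcode": tcode,
            "ff_roles": sorted(roles),
            "duplicate_rows": len(roles) > 1,
            "also_in_regular_roles": overlap,
        })
    return findings


def role_design_overlaps(user_roles, regular_roles, ff_roles):
    """Per user, T-codes granted by both a regular role and an FF role."""
    result = {}
    for user, roles in user_roles.items():
        regular = set().union(*(regular_roles.get(r, set()) for r in roles))
        ff = set().union(*(ff_roles.get(r, set()) for r in roles))
        result[user] = sorted(regular & ff)
    return result
```

Entries with a non-empty `also_in_regular_roles` are the ones a log reviewer cannot attribute to firefighting from the T-code alone, and `role_design_overlaps` lists the same overlaps before any log exists so the role design can be cleaned up.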
