Firefighter Approval Workflow

Former Member
0 Kudos

Dear board,

I am looking for possibilities to implement a FF approval workflow. What are your suggestions on how to realize such a requirement?

I haven't seen anything like that in SAP material so far. Does anybody have information that this may be incorporated in GRC Access Controls?

Kind regards and many thanks,

Richard

Accepted Solutions (0)

Answers (2)


Former Member
0 Kudos

Hi there,

many thanks for your answer. The drawback I do see is one you have already mentioned. One requirement we do have is to distinguish between activities executed as "Firefighter" and as "Normal" user.

I think of changing the validity date of the other assigned roles during the firefighter session to the past to distinguish between them. Is this feasible within the AE standard? Any other ideas you have?

Kind regards and many thanks,

Richard

Former Member
0 Kudos

You may want to try and switch the configuration option - FFROLE to Yes.

Benefits are:

FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.

FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time, a request for the FF role is submitted through AE (the request could go through a separate workflow path) and the request is approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc. An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided instead of the 24 / 7 master data set up in the original Firefighter process.

When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role based Firefighter, all activities are performed and recorded under the user's normal user ID.

The Firefighter does not need to "check out" a Firefighter ID, since the access is on their normal user ID.

The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.