ID-Based Firefighting vs. Role-Based Firefighting
The purpose of Emergency Access Management is to allow users to take responsibility for tasks outside their normal job function. This component allows temporary access for users when assigned with solving a problem, giving them provisionally broad, but regulated access which is monitored and recorded in the application.
SAP GRC 10.0 provides two different types of firefighting, which can be used either centralized or decentralized. Below is a short description of both types. The type is configured in IMG using parameter 4000 (Application Type); only one type can be active at a given time.
With ID-Based Firefighting, each Firefighter ID has its own user master record with roles assigned directly to the Firefighter ID. The end-user (Firefighter) executes a transaction code and checks out an ID. Several users can be authorized to check out the same Firefighter ID, but only one user can have a given Firefighter ID checked out at any time. A reason code and the expected activity must be documented before Firefighter access is granted. Relevant changes in SAP are captured in the change history under the Firefighter ID. It is important to highlight that everything is documented under the Firefighter ID and not under the user's normal user ID.
With Role-Based Firefighting, each role that is defined as a Firefighter Role can be assigned directly to a user. This can be done through Access Request Management (ARM) if in place, or directly in SU01. To use the firefighter access, a user does not have to check out a separate ID. Transactions and change histories are logged under the user's own ID, which is an advantage compared with ID-based firefighting. The end-user is not aware of when he is using emergency / firefighter access, because he never checks out an ID and works under his own ID all the time.
Concept of ID-Based Firefighting
Concept of Role-Based Firefighting
Steps to set up ID-Based Firefighting
- Create Firefighter ID
  - Create a user account in transaction SU01 with user type S (Service) to be used as a firefighter. This can also be done in Access Request Management if in place.
  - Assign the Firefighter ID role which is defined in configuration parameter 4010 (Firefighter ID role name) to recognize the service user as a Firefighter ID.
  - Assign the necessary roles for firefighter access.
- Define Firefighter Owner
  - Assign an Owner to the Firefighter ID.
- Assign Firefighter Controller
  - Assign a Controller to the Firefighter ID. Controllers are responsible for reviewing the log report and can receive email notifications or workflows of Firefighter ID use.
  - Firefighter ID Controllers can also be Firefighter ID Owners.
- Assign Firefighter
  - Assign a user (must have an existing user ID) to the Firefighter ID.
  - The user can access the Firefighter IDs (can be more than one) within the validity dates.
Steps to set up Role-Based Firefighting
- Define Firefighter Role
  - Enable a specific role for Firefighting directly in Business Role Management.
- Define Firefighter Role Owner
  - Assign an Owner to the Firefighter Role.
- Create Firefighter Role Controller
  - Assign a Controller to the Firefighter Role. Controllers are responsible for reviewing the log report and can receive email notifications or workflows of Firefighter Role use.
  - Firefighter Role Controllers can also be Firefighter Role Owners.
- Assign Firefighter
  - Assign a user (must have an existing user ID) to the Firefighter Role.
  - The user can access the Firefighter Roles (can be more than one) within the validity dates.
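The control rules behind both set-ups (assignment with validity dates, a mandatory reason code and expected activity, exclusive check-out of a Firefighter ID, and the question of which ID ends up in the change history) are easiest to see side by side in a small model. The following Python is an added illustration, not SAP code and not part of the original post: the IDs, roles, user names and dates are constructed, and the classes simplify EAM to the rules described above so that a Controller's log review can be reproduced offline.

```python
"""Toy model of SAP GRC 10.0 Emergency Access Management rules (added illustration, not SAP code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class FirefighterID:
    """Service user (SU01 type S) carrying the Firefighter ID role and the broad roles."""
    ffid: str
    owner: str
    controllers: set
    assignments: dict              # firefighter user -> (valid_from, valid_to)
    checked_out_by: Optional[str] = None


@dataclass
class Session:
    session_id: int
    ffid: str
    firefighter: str               # the real person behind the check-out
    reason_code: str
    activity: str
    started: date


class IdBasedEAM:
    """ID-based firefighting: the user checks out an ID and everything is logged under that ID."""

    def __init__(self):
        self.ids = {}
        self.sessions = []
        self.change_log = []       # (executing_id, tcode, detail, session_id)

    def register(self, fid: FirefighterID) -> None:
        self.ids[fid.ffid] = fid

    def check_out(self, user, ffid, reason_code, activity, today) -> Session:
        fid = self.ids[ffid]
        if not reason_code.strip() or not activity.strip():
            raise PermissionError("reason code and expected activity must be documented first")
        window = fid.assignments.get(user)
        if window is None:
            raise PermissionError(f"{user} is not assigned to {ffid}")
        if not (window[0] <= today <= window[1]):
            raise PermissionError(f"{user} is outside the validity dates for {ffid}")
        if fid.checked_out_by is not None:
            raise PermissionError(f"{ffid} is already checked out by {fid.checked_out_by}")
        fid.checked_out_by = user
        session = Session(len(self.sessions) + 1, ffid, user, reason_code, activity, today)
        self.sessions.append(session)
        return session

    def record_change(self, session: Session, tcode: str, detail: str) -> None:
        # The SAP change history shows the Firefighter ID, not the user's normal ID.
        self.change_log.append((session.ffid, tcode, detail, session.session_id))

    def check_in(self, session: Session) -> None:
        self.ids[session.ffid].checked_out_by = None

    def controller_report(self, ffid: str) -> list:
        """What a Controller reviews: each change resolved back to the real user via its session."""
        by_id = {s.session_id: s for s in self.sessions}
        return [(exec_id, by_id[sid].firefighter, by_id[sid].reason_code, tcode, detail)
                for exec_id, tcode, detail, sid in self.change_log if exec_id == ffid]


class RoleBasedEAM:
    """Role-based firefighting: no check-out, the log already carries the user's own ID."""

    def __init__(self):
        self.role_assignments = {}  # user -> {firefighter_role: (valid_from, valid_to)}
        self.change_log = []        # (executing_id, firefighter_role, tcode, detail)

    def assign(self, user, role, valid_from, valid_to) -> None:
        self.role_assignments.setdefault(user, {})[role] = (valid_from, valid_to)

    def record_change(self, user, role, tcode, detail, today) -> None:
        window = self.role_assignments.get(user, {}).get(role)
        if window is None or not (window[0] <= today <= window[1]):
            raise PermissionError(f"{user} does not hold firefighter role {role} on {today}")
        self.change_log.append((user, role, tcode, detail))


def demo():
    """Constructed scenario: two firefighters share one ID, but only one can hold it at a time."""
    today = date(2013, 5, 2)
    window = (date(2013, 1, 1), date(2013, 12, 31))
    eam = IdBasedEAM()
    eam.register(FirefighterID("FF_BASIS_01", owner="OWNER1", controllers={"CTRL1"},
                               assignments={"ALICE": window, "BOB": window}))
    s = eam.check_out("ALICE", "FF_BASIS_01", "INCIDENT", "Release stuck batch job", today)
    try:
        eam.check_out("BOB", "FF_BASIS_01", "INCIDENT", "Same fix", today)
        conflict = False
    except PermissionError:
        conflict = True            # BOB has to wait until ALICE checks the ID back in
    eam.record_change(s, "SM37", "released job ZPAYROLL")
    eam.check_in(s)

    rb = RoleBasedEAM()
    rb.assign("ALICE", "Z_FF_BASIS", *window)
    rb.record_change("ALICE", "Z_FF_BASIS", "SM37", "released job ZPAYROLL", today)
    return conflict, eam.controller_report("FF_BASIS_01"), rb.change_log
```

Running `demo()` shows the practical difference for a Controller: in the ID-based model the change log line reads `FF_BASIS_01`, and only the join with the check-out session reveals that ALICE did the work and why; in the role-based model the same change is written under `ALICE` directly, at the cost of no explicit check-out step and no reason code captured at the moment of use.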
Please share your thoughts on both firefighting concepts and participate in the upcoming discussions.