SAP GRC Access Control 10.x/12.0 – Firefighter ID Controller Log Report Review Workflow
This document focuses on setting up Workflow Notifications for Firefighter Log Review by the Controller, including the notification of a new Work Item. The main advantage Workflow notification provides is that this work item will need to be submitted/approved by the Controller, acknowledging that he/she has reviewed the Firefighter Session log.
During the assignment of a Firefighter ID Controller to a Firefighter ID, you will see three options for “Notification By”:
- Email: will send an email notification to the Controller with a link to the Firefighter Session log
- Workflow: will create a work item in the Controller Work Inbox. This is the one to choose so that the Controller can submit the log review.
- Log Display: means the Controller will personally run the report.
Activating Log Report Review Workflow Process
First, you will need to activate and generate the process for “Firefighter Log Report Review Workflow” (SAP_GRAC_FIREFIGHT_LOG_REPORT).
You can enter into the MSMP Workflow Configuration by executing transaction GRFNMW_CONFIGURE_WD, or navigating to IMG -> GRC -> AC -> Workflow for Access Control -> Maintain MSMP Workflows:
Select the row for Process ID SAP_GRAC_FIREFIGHT_LOG_REPORT and make sure you are on Change mode. You can skip to Step 5 – Maintain Paths:
Then, you will need to maintain the details of the Default Stage of the Default Path. Make sure that the Agent ID is “GRAC_SPM_CNTRL_AGENT”, and that the Approval Type is “Any One Approver”. If you set this setting to “All Approvers”, all the Controllers assigned to the Firefighter ID must submit/approve the log before it actually gets submitted.
You can also personalize additional settings by clicking on “Modify Task Settings”.
For instance, I would like to make Comments mandatory, to enforce the acknowledgment mentioned above, and I will also allow the Log Review to be forwarded to another Controller.
Once you have finished, make sure you perform Step 7, Saving and Activating the current process version. After that, the Controller will get a new Work Item in his/her Work Inbox for every Firefighter Session. Bear in mind that this workflow is triggered by program GRAC_SPM_LOG_SYNC_UPDATE if you set parameter 4007 to YES. If you set parameter 4007 to NO, the Firefighter Session Log is collected when program GRAC_SPM_LOG_SYNC_UPDATE runs, and the Work Item is generated when program GRAC_SPM_WORKFLOW_SYNC runs. Make sure these sync programs are scheduled as periodic background jobs according to your Configuration Settings.
How to trigger the New Work Item e-mail notification
Similar to what we did before, select the row for Process ID SAP_GRAC_FIREFIGHT_LOG_REPORT making sure you are on Change mode, but this time skip to Step 3 – Maintain Agents.
The problem is that in this Workflow Process, the Controller (Agent ID: GRAC_SPM_CNTRL_AGENT) has Agent Purpose “Approval”. To give it the Notification purpose as well, we need to create a duplicate entry (e.g. ZGRAC_SPM_CNTRL_AGENT_N) and give it Agent Purpose “Notification”:
Save your new Agent, then go to Step 5, and on the Default Stage Notification Settings, create a new notification event for event “NEW_WORK_ITEM”, like the one below:
Remember to Save and Activate in Step 7 after creating this notification event.
Once this is complete, the Controller will receive the email notification when a new Work Item gets sent to his/her Work Inbox. Make sure you have maintained an email address in the SU01 of the Controller.
Auditing Log Reviews
You will be able to review the workflow-generated Log Report Reviews by going to NWBC -> Access Management -> Search Requests (inside the Access Request Administration section) and selecting “Fire Fighter Log Report Review Workflow”.
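As an added example (not part of the original post and not SAP GRC code), the following Python reconciliation runs over constructed session and work item records and checks the three things a reviewer of this workflow wants to know: every Firefighter session produced a review work item, approvals carry the mandatory comment, and pending reviews have not exceeded a review deadline. The field names, the record layout and the 7-day deadline are assumptions, not a GRC export format.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are an assumption, not a GRC export format.
# One record per Firefighter session, as collected by GRAC_SPM_LOG_SYNC_UPDATE.
SESSIONS = [
    {"session": "S001", "ff_id": "FF_BASIS_01", "controller": "CTRL_A", "ended": "2024-03-01 10:00"},
    {"session": "S002", "ff_id": "FF_BASIS_01", "controller": "CTRL_A", "ended": "2024-03-02 09:30"},
    {"session": "S003", "ff_id": "FF_FIN_02", "controller": "CTRL_B", "ended": "2024-03-10 16:45"},
    {"session": "S004", "ff_id": "FF_FIN_02", "controller": "CTRL_B", "ended": "2024-03-11 08:00"},
]
# One record per log review work item of process SAP_GRAC_FIREFIGHT_LOG_REPORT.
WORK_ITEMS = [
    {"session": "S001", "status": "APPROVED", "comment": "Reviewed, activity matched the ticket."},
    {"session": "S002", "status": "APPROVED", "comment": ""},   # approved without a comment
    {"session": "S003", "status": "PENDING", "comment": ""},    # still sitting in the Work Inbox
    # S004 has no work item at all: sync job not run, or workflow not active
]

FMT = "%Y-%m-%d %H:%M"


def audit_log_reviews(sessions, work_items, now, sla_days=7):
    """Return (session, finding) pairs for sessions without a work item,
    approvals with an empty comment (Comments Mandatory should prevent this),
    and pending reviews older than sla_days. `now` uses the same timestamp format."""
    items = {w["session"]: w for w in work_items}
    now_dt = datetime.strptime(now, FMT)
    findings = []
    for s in sessions:
        ended = datetime.strptime(s["ended"], FMT)
        w = items.get(s["session"])
        if w is None:
            findings.append((s["session"], "NO_WORK_ITEM"))
        elif w["status"] == "APPROVED" and not w["comment"].strip():
            findings.append((s["session"], "APPROVED_WITHOUT_COMMENT"))
        elif w["status"] == "PENDING" and now_dt - ended > timedelta(days=sla_days):
            findings.append((s["session"], "REVIEW_OVERDUE"))
    return findings


if __name__ == "__main__":
    for session, finding in audit_log_reviews(SESSIONS, WORK_ITEMS, "2024-03-20 00:00"):
        print(session, finding)
```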
Hope this helps. If you need more information, do not hesitate to leave a comment.
- AC 10.0 – How to Customize Notification Templates for AC Workflow
- Why the email is not triggering when the firefighter controller asks for more information?
Thanks for sharing a very useful article
Thank you for the great documentation. It's been quick and easy to follow your document for the setup. I have a question about log review: is it possible to trigger the review workflow on consolidated use of FF ids for a specific period for a Controller? Basically, instead of triggering each usage as a review work item, I would like to trigger all FF ids used on a system for a period of time (for a week), to be sent as one work item to the controller.
I don’t think that is possible without code customizing. By design, GRC will generate a log per session, which is quite important from the auditor’s perspective, as each session might have different reason codes and different activities associated. Having different sessions in the same log report would add complexity to the auditing task. GRC will also create a separate email for each Firefighter session.
Please check AC 10.1 Configuration Settings for further understanding on parameter 4007:
Can you suggest how to set up escalation to the controller's manager or an alternate approver if the FF logs are not reviewed for a certain number of days, say 7 days?
Is it possible for the controller to approve the FF log over an email link?
In the notification template we provide LINK_APPROVE_REJECT; once the controller clicks on the link, should he be able to retrieve the log and approve?