09-17-2016 11:34 AM
Hi,
I need to configure Fire fighter user mechanism in ECC system and need relevant document or links for reference.
I tried searching and could find only GRC related info but we are not using GRC in our landscape at present.
Kindly help to get the relevant document or links for the same
Thanks & Regards
Nikhil
09-20-2016 4:31 PM
Nikhil,
FireFighter access is provided to carry out business critical activity while the logs of the activity performed will be logged and audited either immediately or at a later stage.
Can you please elaborate on your requirement on accomplishing it without GRC.
Best regards,
Arun
09-21-2016 9:50 PM
Hi Arun,
Yes, its for same purpose but we don't have GRC in scope.
So wanted to understand an alternative way of firefighter setup
Regards,
Nikhil
09-21-2016 10:09 PM
Nikhil,
It is certainly possible to do a custom firefighter solution, but it is a lot of custom coding and monitoring. There is a reason why most SAP customers who want a firefighting capability use EAM in SAP GRC Access Control. You would need a program that will monitor/ log the activity of all the IDs that are assigned a role with *FIRE* in the name, if you are going with a role-based firefighter, then that activity log has to be reviewed and approved by someone, perhaps sent by email to the manager of the Firefighter user, and s/he has to return an approval, and all of *that* activity has to be logged and reported on, so you need programs for all of that. Really, configuring EAM in SAP GRC is much easier than maintaining all of that custom code. I used to work at an SAP customer that created a custom firefighting solution, and it took a lot of hand holding.
Gretchen
09-22-2016 8:39 AM
Hello,
our fire fighter fighter solution is "homebrew".
We have firefighter users who are locked.
If you need one (first level support can not help, last level sees the use of fixing a table etc), you get a ticket.
This one you send to the basis guys who unlocked the user and create two password parts. Two people get the password parts. If you use this user for fixing tables protocollation is turned on and off.
After fixing the problem the user will be locked. The business will also have a look on the protocol file.
So you have a documentation in your ticket system and you have two times "4 eyes".
Works well in daily life.
And it is true what Gretchen has said: You have to build some one stuff: A SM30 variant who turns table protocollation on / off for etc...
Regards
09-22-2016 8:48 AM
Hello,
same for us. And an additional and important task, set audit configuration too.
Best regards,
Andy