
Overview of Firefighting and Related Procedures

Applies to:
SAP BusinessObjects Access Control 10.0

Summary
The information in the Application Help for Access Control 10.0 is updated to provide users with the latest information about the application, improve clarity of the information, and correct any errors. The information in this documentation is provided as part of SAP Note 1580393, and supersedes the topics published on the SAP Help Portal for SAP BusinessObjects Access Control 10.0 (SAP Library).

Company: Governance, Risk, and Compliance, SAP BusinessObjects Division
Created on: June 2011

Version 1.00

SAP COMMUNITY NETWORK 2011 SAP AG

SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

Document History
Document Version: 1.00
Description: Initial version


Typographic Conventions
Type Style: Description
Example Text: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text: Emphasized words or phrases in body text, graphic titles, and table titles.
Example text: File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text: User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT: Keys on the keyboard, for example, F2 or ENTER.

Icons
Icon descriptions:
o Caution
o Note or Important
o Example
o Recommendation or Tip


Table of Contents

Overview of Firefighting
    ID-Based Scenario
    Role-Based Scenario
Owners
Firefighters
Controllers
Firefighter IDs
Assigning Firefighter IDs to Owners
    Creating a new assignment
    Viewing or Maintaining an Assignment
Assigning Controllers to Firefighter IDs
    Viewing or Maintaining a Controller Assignment
Assigning Firefighter IDs to Firefighters
    Viewing or Maintaining a Firefighter ID Assignment
Provisioning Firefighter IDs/Roles Using Access Request


Overview of Firefighting
In the Access Control application, a firefighter is a user who is granted temporary, privileged authorization to perform tasks in emergency or extraordinary situations. In the GRC system landscape, the Access Control application serves as a central interface for administrators to manage user access and authorizations across multiple ERP systems. The application allows administrators to manage firefighting privileges and authorizations in two ways:
o ID Based
o Role Based

ID-Based Scenario
You can log on to the GRC system and remotely access your ERP systems to perform firefighting activities.

Prerequisites
1. In the ERP system, create a firefighting role, such as ZSAP_GRAC_SMP_FFID, and assign it the authorization for remote logon (S_RFC).
2. In the Customizing activity Maintain Configuration Settings, for the parameter Firefighter ID Role Name, enter the name of the firefighting role. The role is used as a reference by the application to log the firefighting activities.
3. In the ERP system, create firefighter IDs, and then assign them the ZSAP_GRAC_SMP_FFID role. This enables the IDs to have remote logon authorization and for the Firefighter ID's activities to be captured in the firefighter logs.
4. Synchronize the role and authorizations between the ERP system and the GRC system. Use the Customizing activity, Repository Object Synch, under Governance, Risk, and Compliance > Access Control > Synchronization Jobs.
5. Synchronize the users between the ERP and GRC systems. Use the Customizing activity, Repository Object Synch, under Governance, Risk, and Compliance > Access Control > Synchronization Jobs.

Note
There is only one firefighter role. The role is used as a reference by the application to log the firefighting activities. Firefighter IDs are pulled from the IDs on the ERP system that are assigned to the Firefighter ID role. Information is stored in the GRC repository; the Access Control application retrieves the information as needed.


Process
You use the following procedures to assign a firefighting role to a user:
1. Assigning Firefighter IDs to Firefighters
2. Assigning Controllers to Firefighter IDs
3. Assigning Firefighter IDs to Firefighters
4. Provisioning Firefighter IDs/Roles Using Access Request
The process is the same for ID-based and role-based scenarios.

Role-Based Scenario
You must log on directly to the relevant ERP systems to perform firefighting activities. The actions performed by roles configured for role-based firefighting are captured in the Firefighter logs.

Note
There can be multiple firefighting roles.

Prerequisites
In the ERP system, create roles for firefighting or designate existing roles for firefighting. Synchronize the roles and authorizations between the ERP system and the GRC system. In the Access Control application, import the roles and set the flag to Enable for Firefighting. Choose Access Management > Role Mass Maintenance > Role Import.

Process
You use the following procedures to assign a firefighting role to a user:
1. Assigning Firefighter IDs to Firefighters
2. Assigning Controllers to Firefighter IDs
3. Assigning Firefighter IDs to Firefighters
4. Provisioning Firefighter IDs/Roles Using Access Request
The process is the same for ID-based and role-based scenarios.


Owners
You can use the Owners screen to assign firefighter IDs to owners. Firefighter ID owners are responsible for maintaining firefighter IDs, and then assigning them to firefighters. This step is required before you can use the functions on the Access Requests screen to provision firefighter IDs and roles to users.

Firefighters
You can use the functions on the Firefighters screen to find firefighters, view their firefighter ID or role assignments, and make maintenance updates. To open the Firefighter Maintenance screen, navigate to Access Management > Superuser Maintenance > Firefighters.

Note
Some firefighter assignments are provisioned from Access Request. On the Firefighter Maintenance screen, the Comments field displays information explaining the alternate point of origin.

Controllers
You can use the Controllers screen to find controllers, view their firefighter ID assignments, and make maintenance updates. Controllers are users who have the responsibility to monitor specific firefighter IDs. To open the Controllers screen, choose Access Management > Superuser Maintenance > Controllers.

Firefighter IDs
A firefighter ID is a temporary user ID that grants the user exception-based, yet regulated, access. The firefighter ID is created by a system administrator and assigned to users who need to perform tasks in emergency or extraordinary situations. System administrators can designate a new or existing user ID as a firefighter ID. After a user ID is specified as a firefighter ID, the user ID can no longer be used for other logon purposes. System administrators use transaction SU01 to create firefighter IDs on the ERP system, and then synchronize them to the Access Control application. You can use the functions on the Firefighter IDs screen to maintain firefighter ID assignments. Choose Superuser Assignment > Firefighter IDs.


Assigning Firefighter IDs to Owners


You can use the functions on the Owners screen to assign a firefighter ID to an owner.

Prerequisites
You have already completed the following:
o For role-based scenarios, you have defined the firefighter roles in the GRC system, and selected the Enable for Firefighting checkbox on the Define Role screen under Access Management > Role Management/Role Maintenance.
o For ID-based scenarios, you have defined a firefighter ID role on the ERP system, and assigned the role the remote logon authorization S_RFC.

Procedure

Creating a new assignment


1. Choose Superuser Assignment > Owners. The Firefighter Owner screen displays a table of existing assignments.
2. Choose Assign. The Owner Assignment: New screen appears.
3. Enter relevant data in the required fields. On the screen, required fields are marked with an asterisk (*).
4. Choose Save > Close.

Viewing or Maintaining an Assignment


1. Choose Superuser Assignment > Owners. The Firefighter Owner screen displays a table of existing assignments.
2. Select a row and choose Open. The Owner Assignment screen displays the particular assignment.
3. To add an owner assignment, do the following:
   a. Choose Add. A new line appears in the table.
   b. Enter relevant information in the required fields. On the screen, relevant fields are marked with an asterisk (*).
   c. Choose Save > Close. The assignment is completed for the selected owner.
4. To remove the owner assignment, choose Remove. The selected assignment is deleted.
5. Choose Save > Close.


Assigning Controllers to Firefighter IDs


Administrators and Owners can assign a controller to a firefighter ID. A controller is a person who monitors firefighter usage. You can use the functions on the Controllers screen to assign, add, or remove a controller for a firefighter ID.

Note
Only one administrator or owner can edit the controller assignments for a firefighter ID at a time.

Procedure
1. Choose Superuser Maintenance > Controllers. The Controllers screen appears and displays existing controllers, firefighter IDs, and associated systems.
2. Choose Assign. The Controller Assignment: New screen appears.
3. In the Controller ID field, enter the user ID for the person you want to assign as controller.
4. Choose OK.
5. Choose Add, select the firefighter ID from the list, and then choose OK. The System field value is automatically generated after you choose the firefighter ID. Verify that users are assigned a firefighter role that has access to the superuser management functions.

Note
You can copy the following sample delivered roles to your namespace and use the provided authorizations:
o SAP_GRAC_SUPER_USER_MGMT_ADMIN
o SAP_GRAC_SUPER_USER_MGMT_OWNER
o SAP_GRAC_SUPER_USER_MGMT_CNTLR
o SAP_GRAC_SUPER_USER_MGMT_USER

Recommendation
We recommend that you assign the Controller the SAP_GRAC_SUPER_USER_MGMT_CNTLR role.

6. In the Notification By column, select from the following options:
   o E-mail
     To send a log report to an external e-mail inbox, such as Microsoft Outlook, or to an SAP inbox each time the GRAC_SPM_LOG_SYNC_UPDATE background job runs. You can select from the following options for notification by e-mail:
     - To send logon notifications, set the Send Firefighter Id Login Notification parameter to YES. Logon notification is sent by e-mail only, independent of the Notification By option.
     - To send notification immediately once a firefighter ID logs on to the system, set the Send Firefighter Login Notification Immediately parameter to YES.
     - To send log report notifications, set the Log Report Execution Notification parameter to YES. Log report notification depends on the Notification By field.
     - To receive log report notifications as the logs are updated, set the Send Log Report Execution Notification Immediately parameter to YES.
   o Workflow
     To send log report notifications in the form of an SAP Workflow

     Note
     Users must have Portal authorization to access the work items.
   o Log Display
     To view firefighter ID logon events from the Superuser Management Administrator screen. The controller manually generates the log report and views the report in Superuser Management Administrator screen. The system does not send automated notifications.
7. Choose Save > Close.
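The notification rules in step 6 can be checked across all controller assignments to find firefighter IDs whose usage nobody is told about automatically. The following Python sketch is an added example and not part of the SAP documentation: the assignment records, user names, and firefighter IDs are constructed, and only the two YES/NO parameters and the three Notification By values described above are modelled.

```python
# Added example: constructed data, not an export format of Access Control.
from collections import defaultdict

# Global parameters named on this page (values constructed for the example).
PARAMS = {
    "Send Firefighter Id Login Notification": "YES",
    "Log Report Execution Notification": "YES",
}

# Constructed controller assignments: (firefighter ID, controller, Notification By).
ASSIGNMENTS = [
    ("FF_FIN_01", "CTRL_ANNA", "E-mail"),
    ("FF_FIN_01", "CTRL_BEN", "Log Display"),
    ("FF_BASIS_01", "CTRL_BEN", "Log Display"),
    ("FF_HR_01", "CTRL_CARA", "Workflow"),
]
# Constructed list of firefighter IDs synchronized from the ERP system.
FIREFIGHTER_IDS = ["FF_FIN_01", "FF_BASIS_01", "FF_HR_01", "FF_MM_01"]


def automated_notifications(params, notification_by):
    """Return the automated notifications one controller assignment produces."""
    sent = set()
    # Logon notification goes by e-mail only, independent of Notification By.
    if params.get("Send Firefighter Id Login Notification") == "YES":
        sent.add("logon e-mail")
    # Log report notification follows the Notification By field;
    # Log Display means the controller generates the report manually.
    if params.get("Log Report Execution Notification") == "YES":
        if notification_by == "E-mail":
            sent.add("log report e-mail")
        elif notification_by == "Workflow":
            sent.add("log report workflow item")
    return sent


def audit(firefighter_ids, assignments, params):
    """Map each firefighter ID that has an oversight gap to a finding."""
    by_ffid = defaultdict(list)
    for ffid, controller, notification_by in assignments:
        by_ffid[ffid].append((controller, notification_by))
    findings = {}
    for ffid in firefighter_ids:
        controllers = by_ffid.get(ffid, [])
        if not controllers:
            findings[ffid] = "no controller assigned"
            continue
        pushed = set()
        for _, notification_by in controllers:
            pushed |= automated_notifications(params, notification_by)
        if not any(n.startswith("log report") for n in pushed):
            findings[ffid] = "no automated log report reaches a controller"
    return findings


if __name__ == "__main__":
    for ffid, finding in audit(FIREFIGHTER_IDS, ASSIGNMENTS, PARAMS).items():
        print(f"{ffid}: {finding}")
```

A firefighter ID covered only by Log Display controllers relies on someone remembering to pull the log report, so those IDs are the ones to review first.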

Viewing or Maintaining a Controller Assignment


1. On the Controller screen, select a row and choose Open. The Controller Assignment screen appears and displays the particular assignment.
2. To add a firefighter assignment, choose Add. A new row appears in the table.
3. Enter the relevant information in the required fields and select a notification method from the dropdown menu in the Notification By column.
4. To remove a firefighter assignment, choose Remove. The selected assignment is deleted.
5. Choose Save > Close.


Assigning Firefighter IDs to Firefighters


Administrators and Owners can assign a firefighter ID to firefighters. A firefighter is a user who has been granted temporary privileges to perform tasks in an emergency situation. You can use the functions on the Firefighter ID screen to assign, add, or remove a user from a firefighter ID.

Note
Only one administrator or owner can edit a firefighter at a time.

Prerequisites
You have already assigned the role SAP_GRAC_SPM_FFID to the firefighter ID, or created the role in the client system containing the S_RFC authorization object. For more information, see the SAP Business Objects Access Control 10.0 Security Guide.

Procedure
1. Choose Access Management > Superuser Assignment > Firefighter IDs. The Firefighter IDs screen appears.

Note
If you are using the standalone version of Access Control, use this path: Setup > Superuser Assignment > Firefighter IDs.

2. Choose Assign. The Firefighter ID Assignment: New screen appears.
3. Enter the firefighter ID. The application automatically fills the System field.
4. In the Criticality field, choose the dropdown list, and select a criticality level.
5. On the Firefighter tab page, enter the relevant information in the required fields. On the screen, the required fields are marked with an asterisk (*).
6. Choose the Controller tab page and add a controller assignment.
7. Choose Save > Close.

Viewing or Maintaining a Firefighter ID Assignment


1. Choose Superuser Assignment > Firefighter IDs. The Firefighter IDs screen appears.
2. Select a row and choose Open. The Firefighter ID Assignment screen displays the particular assignment.
3. To add a firefighter ID assignment, choose Add. A new row appears in the table.
4. Enter the relevant information in the required fields. On the screen, the required fields are marked with an asterisk (*).
5. To remove a firefighter ID assignment, choose Remove. The selected assignment is deleted.
6. Choose Save > Close.


Provisioning Firefighter IDs/Roles Using Access Request


You can use the functions on the Access Request screen to provision firefighter IDs and roles to users.

Prerequisites
You have completed the tasks in the Customizing activity Define Request Types under Governance, Risks, and Compliance > Access Control > Superuser Access, and have enabled the following actions for superuser access:
o Create User
o Assign Object
o Super User Access

For provisioning firefighter IDs, you have:
o Created a firefighter ID role in the ERP system, and have assigned the role the remote logon authorization S_RFC
o Assigned the firefighter ID role to the user

For provisioning firefighter roles, you have:
o Enabled the role for firefighting. For more information, see Defining Roles.
o Assigned the firefighter role to the owner

Procedure
1. Choose Access Management > Access Request Creation > Access Request. The Access Request screen appears.
2. Choose Add and select Firefighter ID from the dropdown menu. The Search Firefighter ID screen appears and shows a list of existing firefighter IDs and their related systems.
3. From the Request Type dropdown menu, select Superuser Access.
4. Enter the relevant information for the required fields. On the screen, the required fields are marked with an asterisk (*).
5. Choose Add, and select the following from the dropdown menu:
   o To provision firefighter IDs, select Firefighter ID
   o To provision firefighter roles, select Firefighter Roles
6. Select the relevant firefighter ID or role from the list and choose OK.
7. Select the User Details tab page, and enter the relevant information in the required fields.
8. Choose Submit > Close.

More Information
Creating Access Requests


Copyright
2011 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. 
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company. Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
