GE GRC Implementation User Manual

User Manual
Super User Privilege Management

Business Project Manager Name: Dennis Pederson

IM Project Manager Name:
dPMM Project ID:
Published Date: 2011-07-14
Version: 1.0
Author: Wipro Limited

GRC MCS
GE Energy

g is a registered trademark of the General Electric Company in the United States and other countries.
© 2011General Electric Company. All rights reserved.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 1 of 28
GE GRC Implementation User Manual

Contents
1 Purpose................................................................................................................................................2
2 Prerequisites........................................................................................................................................2
3 Configuration in SUPERUSER PRIVILEGE MANAGEMENT (SPM)..........................................................5
3.1 Firefighter Administrator.............................................................................................................6
3.1.1 ‘Owners’ Tab........................................................................................................................9
3.2 Firefighter Owner.......................................................................................................................12
3.2.1 ‘Firefighters’ Tab.................................................................................................................14
3.2.2 ‘Controllers’ Tab.................................................................................................................15
4 Firefighter Controller.........................................................................................................................17
5 Firefighters.........................................................................................................................................17

GE Proprietary Information For Internal Use Only 4/4/2019

Page 2 of 28
GE GRC Implementation User Manual

1 Purpose
This document discusses about Super User Privilege Management (Fire Fighter)

2 Prerequisites
One should have the authorization to Virsa Firefighting Tool (T-Code  /VIRSA/VFAT). SAP
IDs also needs to be created with appropriate role assignments:

 FIREFIGHTER OWNERS ( e.g. : ZSPM_OWNER)

 FIREFIGHTER CONTROLLER (e.g.: ZSPM_CTRL)
 FIREFIGHTER ID (e.g.: ZSUPERUSER)
 FIREFIGHTER (e.g.: ZENDUSER)

ZSPM_OWNER must have the following Role:

GE Proprietary Information For Internal Use Only 4/4/2019

Page 3 of 28
GE GRC Implementation User Manual

ZSPM_CTRL must have the following Role:

Users Role Names Access

Owners (Business & SAP Support
Personnel)  ZSPM_OWNER
/VIRSA/Z_VFAT_ID_OWNER
Personnel who are decision
makers of situations
requiring the use of
Firefighter IDs for problem
resolution.

Firefighters(SAP Support /VIRSA/Z_VFAT_FIREFIGHTER SAP support personnel with

personnel for Basis & the ability to sign on and
Configuration areas)  complete firefighting
ZENDUSER activities in case of an
emergency.

 [N.B.: ‘Controllers’ have no such dedicated Role. Owners & Controllers may be the
same.]

Firefighter Id ZSUPERUSER has the following profile:

GE Proprietary Information For Internal Use Only 4/4/2019

Page 4 of 28
GE GRC Implementation User Manual

3 Configuration in SUPERUSER PRIVILEGE MANAGEMENT

(SPM)

Super User Privilege Management or Firefighter (SPM) enables users to perform duties not
included in the roles or profiles assigned to their User IDs. This application allows personnel to
take responsibility for tasks outside their normal job function. Firefighting describes the ability to
perform tasks in emergency situations. SUP temporarily redefines the IDs of users when
assigned with solving a problem, giving them provisionally broad, but regulated access. There is
complete visibility and transparency to everything done during the period. It provides a solution
for systematic handling of emergency situations and at the same time managing the risk for the
special access necessary to resolve the issue.

3.1 Firefighter Administrator

GE Proprietary Information For Internal Use Only 4/4/2019

Page 5 of 28
GE GRC Implementation User Manual

If there’s any new Firefighter Owner to be introduced, Firefighter Administrator has to assign
the Owner to FF ID. Administrator (ZSPM_ADMIN) logs into SAP Backend and executes the

T-Code ‘/n/VIRSA/VFAT’ to maintain the tab.

We need to configure SPM in each backend. As the frist step create SPM Administrator user with the
role: /VIRSA/Z_VFAT_ADMINISTRATOR. Here our SPM admistrator user is ZSPM_ADMIN.

After you login with this Id you get the below screen:

GE Proprietary Information For Internal Use Only 4/4/2019

Page 6 of 28
GE GRC Implementation User Manual

Goto Tcode /VIRSA/VFAT, the below screen will be displayed.

Click on configuration tab

The below screen will get displayed.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 7 of 28
GE GRC Implementation User Manual

Click on “New Entries” and give the below details.

Here,

Owner Additional Auth. Setting: Ensures that owners can only manage Firefighter IDs they own.

Controler Additional Auth. Setting: Ensures that controllers can only access log reports of Firefighter IDs they were
assigned to.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 8 of 28
GE GRC Implementation User Manual

Click on Save and Back (F3).

3.1.1 ‘Owners’ Tab

Firefighter Administrator assigns the IDs of the Firefighter ID Owners with the Firefighter IDs.

Click on Owners.

Now assign to each Firefighter ID one or Multiple owners. Here, in our case to the we’ve created the
firefight id as ZSUPERUSER and assigned it to the Firefight id Owner named ZSPM_OWNER.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 9 of 28
GE GRC Implementation User Manual

Firefighter ID Mention the Firefighter ID.

Firefighter ID Owner Mention the ID of the Owner.
Description Brief the description.
Comments Mention relevant comments.

Click on Save and Back.

Click on Reason Codes.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 10 of 28
GE GRC Implementation User Manual

Then create reason codes which Firefighters will have to select from upon
activation of Firefighter IDs that were granted to them.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 11 of 28
GE GRC Implementation User Manual

3.2 Firefighter Owner

Firefighter Owner is the person who assigns the Firefighter ID to Firefighters (SAP users) & also

assigns Controllers. Owner (ZSPM_OWNER) logs in & maintains Tab & assigns

corresponding . Controllers can also be assigned by Firefighter Administrator.

Now logon as Owner(ZSPM_OWNER) .

Click on Virsa Firefighting Tool

GE Proprietary Information For Internal Use Only 4/4/2019

Page 12 of 28
GE GRC Implementation User Manual

3.2.1 ‘Firefighters’ Tab

Firefighters are no one but those users, with whom, Firefighter IDs get assigned. Firefighters are
able to perform tasks in emergency situations. Firefighter Owner assigns the Firefighter IDs to
the Firefighters & sets the validity period as required

Click on Firefighters

GE Proprietary Information For Internal Use Only 4/4/2019

Page 13 of 28
GE GRC Implementation User Manual

Assign Firefighter IDs to Firefighters (These are the end users with access to SPN)

GE Proprietary Information For Internal Use Only 4/4/2019

Page 14 of 28
GE GRC Implementation User Manual

Firefighter ID Mention the Firefighter ID.

Firefighter Mention the user id with whom Firefighter ID is to be assigned.
Valid From Mention ‘Valid From’ Date.
Valid To Mention ‘Valid To’ Date.
Comments Mention relevant comments.

Click on Save and Back

3.2.2 ‘Controllers’ Tab

The Controllers tab designates Firefighter users receiving email notification of Firefighter ID
login events. A Controller can be responsible for more than one Firefighter ID. A Firefighter ID
can be assigned to multiple Controllers.

Click on Controllers

Then assign Firefighter IDs to Controllers. This allows Owners to delegate the

Monitoring or auditing of Firefighter activities to Controllers .

GE Proprietary Information For Internal Use Only 4/4/2019

Page 15 of 28
GE GRC Implementation User Manual

Firefighter ID Mention the Firefighter ID

FF ID Controller Mention the Controller ID
Options Select either of  ‘Email’ / ‘Log display’ / ‘Work Flow’.
Comments Mention relevant comments.

Note:

 Choose Work Flow to send log notification and log reports to an appropriate Controller’s
SAP email inbox.
 Choose Log display if the Controller will view Firefighter ID login events from the
Firefighter Cockpit. Choosing Log display means the Controller will manually generate
a Log report and view the report within the Firefighter program.

 Choose Email if the Controller will receive email notifications each time a login event
occurs with a Firefighter ID.

4 Firefighter Controller

A Firefighter Controller is the person who will be constantly monitoring the activities of the
firefighters (SAP Users). Once a firefighter logs in the assigned Firefighter ID, the Controller will
receive the notification for the same. He can view/download the log report through SAP
Backend by executing the following T-Code.

T- Code: - /n/VIRSA/VFAT_01
GE Proprietary Information For Internal Use Only 4/4/2019
Page 16 of 28
GE GRC Implementation User Manual

Controller can execute the report by either of the Input parameters or by combination of the
same

5 Firefighters

Firefighters are basically the SAP Users who’ll be using the Firefighter IDs assigned to them to
perform tasks in emergency situations. For using the Firefighter ID, the Firefighter (SAP User)
has to log into SAP Backend through his/her normal SAP ID.

Logon as Firefighter(ZENDUSER) .

Click on Virsa Fire fighting tool.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 17 of 28
GE GRC Implementation User Manual

Click on Logon button. See the status is in Green color i.e login allowed and no one has logged to
FireFighter id: ZSUPERUSER.

Below follows the steps to access the Firefighter ID

Firefighter (SAP user): ZENDUSER

Firefighter ID assigned: ZSUPERUSER

Firefighter ID Owner: ZSPM_OWNER

Firefighter (ZENDUSER) will log in to SAP Backend & will have to execute the T-Code
/n/VIRSA/VFAT. The following screen will appear where he can view the Firefighter ID assigned
to him & whether the Firefighter ID is available for his use:

GE Proprietary Information For Internal Use Only 4/4/2019

Page 18 of 28
GE GRC Implementation User Manual

There after, the Firefighter will have to click on the button, to access the Firefighter ID and the following
screen will pop-up, where, the firefighter has to select the appropriate reason code, the reason for using the access &
actions anticipating to perform as shown below:

Click on ok

GE Proprietary Information For Internal Use Only 4/4/2019

Page 19 of 28
GE GRC Implementation User Manual

A new widow will open for user id : ZSUPERUSER.

User can execute the Required Transactions and all the actions will logged.

After completion of execution of required Transactions log off from ZSUPERUSER.

See the Status is in Red Color. At this stage the SPM does not allow any other users to login to the
FireFighter Id: ZSUPERUSER.

[N.B.: The Firefighter ID is available if the Status is green. Once the firefighter logs into the
Firefighter ID, the status will become red which indicates that the Firefighter ID is in use. At a
time, a single Firefighter ID can be used by a single firefighter only]

GE Proprietary Information For Internal Use Only 4/4/2019

Page 20 of 28
GE GRC Implementation User Manual

For E.g. Logon as another Firefighter i.e. ZENDUSER2,

GE Proprietary Information For Internal Use Only 4/4/2019

Page 21 of 28
GE GRC Implementation User Manual

Now since the firefighting userid ZSUPERUSER is being already used by the fire fighter ZENDUSER , we
see the status in red .And if we try to logon now with other Firefighter ID’s then the below screen will
appear:

GE Proprietary Information For Internal Use Only 4/4/2019

Page 22 of 28
GE GRC Implementation User Manual

Click on Log Symbol to view log of actions performed.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 23 of 28
GE GRC Implementation User Manual

A Background job by the name /VIRSA/ZVFATBAK scheduled periodically (hourly) to prepare reports
from transaction usage logs.

And these reports can be viewed by the controllers in back-end systems and SPM users in java front-end
reports.

After you made your selection the log report appears. It should list all relevant details as displayed below:
Firefighter, Firefighter ID, logon time stamp, transaction or report name and details of change documents,
if created by SAP system.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 24 of 28
GE GRC Implementation User Manual

6. SPM FRONTEND

GE Proprietary Information For Internal Use Only 4/4/2019

Page 25 of 28
GE GRC Implementation User Manual

Login to the GRC frontend and with ff_admin and click on Superuser Privilege Management. You
get the below screen. This is the SPM frontend screen.

GE Proprietary Information For Internal Use Only 4/4/2019

Page 26 of 28
GE GRC Implementation User Manual

GE Proprietary Information For Internal Use Only 4/4/2019

Page 27 of 28
GE GRC Implementation User Manual

GE Proprietary Information For Internal Use Only 4/4/2019

Page 28 of 28